For my private office I needed to radically improve my security capabilities, hence the introduction of an SRX300.
I am trying to get basic functionality sorted before expanding my use of VPNs and introducing vSRX to my remote environments. As a non-Juniper non-network administrator person, my approach has been to try and get a basic configuration using J-Web, and then to modify that to achieve my goals - hence my switch to D-90.7, which is actually capable of generating a configuration through J-Web that is valid and accepted.
I have two main problems right now.
- A device that expects encrypted multicast IPv4 packets, 802.1p priority 0 and 802.1Q VLAN ID tagged 101. The 802.1 related information is not being passed through the SRX300, although the Meraki switch (in default ex-factory mode) does pass this information through when connected to the ISP supplied router, so I'm reasonably confident that the problem is SRX300 related, not switch related.
- A number of devices that have Ethernet connectivity, and need to be able to access the internet, that I perceive as "risky", in the way that virtually all IoT devices are risky. Mostly my secure devices communicate with them through non-Ethernet interfaces (usually HDMI 2), although there are some grey areas (Sony AV equipment and Sony computers talk to each other in so many ways).
The SRX300 is in Ethernet switching mode. I have a default VLAN and irb configured.
Ideally, I would like to attach the multicast device to a separate port on the SRX, in a zone of its own, and not worry about it, so that everything else is isolated from it. I'm not sure how to set up a static route that would work and that passes through the 802.1 info unchanged from the remote site.
I'd like to put the questionably insecure devices into isolation, from which they can go out to the internet but not elsewhere, but I'd prefer to retain the present "casting" capability.
However, there are updates which are pushed to these devices, to add to the difficulties. I imagine I can whitelist who is doing the pushing.
I'd be extremely grateful for some pointers to help with making these configuration changes. What is obvious to networking engineers isn't always obvious to me.
Incidentally, anybody in Britain should be aware that Openreach FTTC cabinets are now mostly capable of handling Baby Jumbo and Jumbo frames (<9000), although I haven't tried anything at the larger end of the scale.
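The isolation the post asks for (a separate VLAN and security zone for the "risky" devices, allowed out to the internet but not into the rest of the network) is, on an SRX in Ethernet switching mode, a VLAN with an irb interface, a security zone containing that irb, and zone-to-zone policies. The following is an added example, not configuration from the original post or from Juniper; the interface names (ge-0/0/0 as the ISP uplink, ge-0/0/3 as the IoT port), the VLAN ID 20, the addresses, and the zone and policy names are all assumptions and need to be matched to the real device. The trust zone, irb.0 and the existing default VLAN from the post are referenced but not shown.

```junos
## Added example (hypothetical names): a dedicated VLAN + zone for IoT devices.
vlans {
    iot-vlan {
        vlan-id 20;               # assumed VLAN ID, not from the post
        l3-interface irb.20;
    }
}
interfaces {
    ge-0/0/3 {                    # assumed port for the IoT devices
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members iot-vlan;
                }
            }
        }
    }
    irb {
        unit 20 {
            family inet {
                address 192.168.20.1/24;   # assumed IoT subnet
            }
        }
    }
}
security {
    address-book {
        global {
            address update-server-1 203.0.113.10/32;   # placeholder: vendor update host
            address-set update-servers {
                address update-server-1;
            }
        }
    }
    zones {
        security-zone iot {
            host-inbound-traffic {
                system-services {
                    dhcp;             # only if the SRX is the DHCP server for this VLAN
                }
            }
            interfaces {
                irb.20;
            }
        }
    }
    policies {
        # IoT devices may reach the internet (NAT to the uplink is configured separately).
        from-zone iot to-zone untrust {
            policy iot-to-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # Trusted hosts may initiate sessions to the IoT devices (e.g. casting);
        # replies ride the same session, so no iot-to-trust permit is needed.
        from-zone trust to-zone iot {
            policy trust-to-iot {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # Inbound pushes from the vendor's update hosts only, by address-set.
        from-zone untrust to-zone iot {
            policy updates-to-iot {
                match {
                    source-address update-servers;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # Anything not explicitly permitted above (including iot -> trust) is dropped.
        default-policy {
            deny-all;
        }
    }
    nat {
        source {
            rule-set iot-outbound {
                from zone iot;
                to zone untrust;
                rule iot-masquerade {
                    match {
                        source-address 192.168.20.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}
```

Two caveats worth knowing before relying on this. First, casting and similar discovery protocols typically rely on mDNS/SSDP multicast, which does not cross an L3 boundary; once the IoT devices sit on their own subnet, a trust-to-iot permit lets a trusted host connect to a device whose address it already knows, but automatic discovery will not work without an mDNS reflector or similar. Second, the untrust-to-iot policy only makes sense if the SRX has a public address and a destination NAT to the device; in the more common case where the vendor's "push" is actually the device polling outward, the iot-to-internet policy already covers it and the inbound rule can be left out entirely, which is the tighter option.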