I'm not a network engineer, so this must be a noob question.
My task is simple, I need all clients to have internet access. Both EX2200 were configured before as layer 2 switches, so i assume their configuration is fine.
On SRX240 i was able to setup internet access. If i connect my laptop to it, the internet works fine. But connection to EX2200 doesn't work. I tried different guides from the internet, but nothing seems to work.
How should i configure SRX240, so all EX2200 clients have internet access. Ideally, i would love all clients to get ip from SRX240 DHCP and be in the same subnet.
Current config.
SRX240
/* NOTE(review): 11.2 is a long-retired Junos release train; confirm the software support status before relying on this box as the Internet edge. */
version 11.2R4.3;
/* System-level settings for the SRX240: DNS resolvers, management services, the LAN DHCP server, syslog and licensing. */
/* No login or root-authentication stanza appears in this paste; presumably it was trimmed before posting. */
system {
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
/* NOTE(review): telnet sends logins and session data unencrypted; ssh is already enabled above, so telnet can normally be deleted. */
telnet;
/* NOTE(review): xnm-clear-text is the unencrypted Junos XML management service; remove it unless something depends on it. */
xnm-clear-text;
web-management {
/* NOTE(review): plain-HTTP web management on vlan.0 exposes admin credentials to anyone on the LAN; the https stanza below already serves the same interface. */
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
/* DHCP server for the LAN: leases 192.168.1.2 through 192.168.1.254 and advertises 192.168.1.1 (the vlan.0 address) as the gateway. */
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
/* Settings learned by the DHCP client on ge-0/0/0.0 are passed on to the local DHCP clients. */
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
/* NOTE(review): only error-severity entries of the interactive-commands facility are kept, so routine CLI activity is presumably not recorded; confirm this is enough for audit purposes. */
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
/* Routed port acting as a DHCP client; it is the only interface placed in the untrust zone, so this is the WAN/Internet side. */
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
/* The only SRX port in trunk mode; the other switching ports carry no port-mode statement. */
/* NOTE(review): as a trunk this port presumably expects vlan-trust frames tagged with VLAN ID 3, so a switch access port cabled here would not match; verify which port the EX uplink uses. */
ge-0/0/14 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
/* Routed interface for vlan-trust (vlan.0): the LAN gateway address that the DHCP server hands out as the router. */
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
/* Static default route. The WAN port ge-0/0/0 is a DHCP client, so this next hop is only usable if it lies in the subnet that DHCP assigns; the same next hop also appears in the EX2200 configuration. */
routing-options {
static {
route 0.0.0.0/0 next-hop 10.129.152.129;
}
}
/* Spanning tree is enabled on the SRX switching ports; the EX2200 below runs rstp. */
protocols {
stp;
}
/* Firewall behaviour of the SRX240: screen options, source NAT, the inter-zone policy and the zone definitions. */
security {
/* Screen profile referenced by the untrust zone below; it is not applied to the trust zone. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
/* Source NAT: any source going from trust to untrust is translated to the address of the egress interface. */
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
/* Only a trust-to-untrust policy is defined, and it permits every source, destination and application. */
/* NOTE(review): no untrust-to-trust policy appears in this paste; inbound sessions then depend on the default policy, which is not shown. */
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
/* NOTE(review): "all" lets LAN hosts reach every service the device runs, including the telnet, xnm-clear-text and HTTP management services enabled under system services; list only the services actually needed. */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
/* dhcp is needed because ge-0/0/0 is a DHCP client. */
/* NOTE(review): tftp accepted on the Internet-facing port looks like a leftover default; remove it unless something depends on it. */
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
/* Single LAN VLAN on the SRX: VLAN ID 3, routed through vlan.0. The ID only matters on tagged (trunk) links; the EX2200 below uses IDs 10, 20, 30 and 100, none of which is 3. */
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
EX2200 – 24
/* NOTE(review): 11.4 is a long-retired Junos release train; confirm the software support status. */
version 11.4R7.5;
/* System settings for the EX2200-24: console behaviour, local accounts, management services and syslog. */
system {
ports {
/* The console session is logged out when the cable is unplugged, so the next person to connect does not inherit it. */
console {
log-out-on-disconnect;
type vt100;
}
}
/* No authentication stanza is shown for this account or for root; presumably it was removed before posting. */
login {
user admin {
uid 2000;
class super-user;
}
}
services {
/* NOTE(review): direct root login over SSH is allowed; prefer "root-login deny" and log in with the admin account instead. */
ssh {
root-login allow;
}
/* NOTE(review): telnet sends logins unencrypted; ssh is already enabled, so telnet can normally be deleted. */
telnet;
}
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
/* Every severity of the interactive-commands facility is logged here, which gives an audit trail of CLI activity. */
file interactive-commands {
interactive-commands any;
}
}
}
/* Suppresses the chassis alarm that would otherwise be raised while the dedicated management Ethernet port has no link. */
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching {
vlan {
members public-eth;
}
}
}
}
/* ge-0/0/22 and ge-0/0/23 are the only trunk ports on this switch; ge-0/0/0 through ge-0/0/21 are access ports in public-eth. */
/* NOTE(review): "members all" extends every VLAN defined on the switch, including management (VLAN 10) and wan (VLAN 100), to whatever is cabled to these ports; list only the VLANs the uplink needs. */
ge-0/0/22 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/1/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/3 {
unit 0 {
family ethernet-switching;
}
}
/* Routed VLAN interfaces of the switch: unit 10 serves the management VLAN and unit 100 the wan VLAN (see the l3-interface statements under vlans). */
vlan {
/* NOTE(review): 192.168.1.2 lies inside the range the SRX240 DHCP server leases (192.168.1.2 to 192.168.1.254); if this interface ever shares a broadcast domain with the SRX LAN, exclude the address from the pool or renumber it to avoid a duplicate. */
unit 10 {
family inet {
address 192.168.1.2/24;
}
}
unit 100 {
family inet {
address 10.129.152.135/25;
}
}
}
}
/* SNMP polling and traps. The community is read-only and limited to clients in 10.143.255.0/24. */
/* NOTE(review): the community string is shown in full in this public post and community-based SNMP sends it unencrypted on the wire; treat it as disclosed and change it on every device that shares it. */
snmp {
community school-ro {
authorization read-only;
clients {
10.143.255.0/24;
}
}
/* Traps are sent to five collectors in the same 10.143.255.0/24 range. */
trap-group ESMA {
targets {
10.143.255.2;
10.143.255.6;
10.143.255.10;
10.143.255.14;
10.143.255.42;
}
}
}
/* Default route for the switch's own traffic; the next hop 10.129.152.129 is in the same /25 as vlan.100 (10.129.152.135/25). */
routing-options {
static {
route 0.0.0.0/0 next-hop 10.129.152.129;
}
}
/* Layer 2 control protocols: IGMP snooping on every VLAN, rapid spanning tree, and LLDP / LLDP-MED on every interface. */
/* NOTE(review): with "interface all", LLDP also advertises switch details on client-facing access ports; limit it to uplinks and phone ports if that disclosure matters in this environment. */
protocols {
igmp-snooping {
vlan all;
}
rstp;
lldp {
interface all;
}
lldp-med {
interface all;
}
}
/* Storm control is enabled on every interface; no explicit level is configured here, so the platform default presumably applies. */
ethernet-switching-options {
storm-control {
interface all;
}
}
/* VLAN table of the switch. Only management and wan have a routed interface; private-eth and public-eth are pure layer 2. */
vlans {
management {
vlan-id 10;
l3-interface vlan.10;
}
/* No interface in this configuration is assigned to private-eth by name; it is only carried on the trunks through "members all". */
private-eth {
vlan-id 20;
}
/* All access ports (ge-0/0/0 through ge-0/0/21) are members of this VLAN. */
public-eth {
vlan-id 30;
}
wan {
vlan-id 100;
l3-interface vlan.100;
}
}
Best Answer
To answer this question, I'll go through your configuration piece by piece.
Your SRX240 configuration is essentially correct and should work, with one small issue: your WAN/Internet interface (ge-0/0/0) appears to be using DHCP:
SRX:
While you've got a default gateway defined:
SRX:
Likely, your default gateway is provided by DHCP, so you probably don't need/want to define it statically. If 10.129.152.129 is not in your dhcp address/netmask though, JunOS is probably ignoring it, and since you also said that you were able to successfully get Internet connectivity when directly plugged into the SRX, this is probably not causing a problem. To get rid of this for cleanliness, issue the following commands on the SRX240:
SRX:
On to the switches. You didn't tell us which port on the SRX240 is connected to which port on the EX2200, so this is hard to answer, but based on the configuration provided I can deduce that your WAN/Internet link is ge-0/0/0 on the SRX240, and that at least one switch is plugged into one of the other interfaces on the SRX (ge-0/0/1 through 15.)
With the configuration you provided (for only the EX2200-24, and not the EX2200-48), your topology should work as long as the SRX is connected to one of ports ge-0/0/0 through 21 on the EX. If, however, the SRX is plugged into port 22 or 23 on the EX, you have a problem, because those ports are in trunk mode and the SRX isn't configured for or expecting VLAN-tagged Ethernet frames.
EX:
Also, if all you really wanted was a flat L2 topology, you have some configuration left over from someone that didn't:
EX:
and
EX:
and
EX:
You can see several IP addresses, vlans and such configured. To get back to the most basic of L2 functionality, we should remove some of that old unnecessary configuration (as long as you're sure that this is your network and you're not a rogue going against the wishes of your network admin.)
EX:
The above commands do the following:
You'll probably want to do something similar for the EX2200-48 that you didn't give the configuration for, but hopefully you can look at the commands above and perform a similar procedure. If you flatten the topology as I've described, all of your clients will get their IP addresses from the SRX240 and will get internet access.