Juniper Switch – How to Configure 2 LAN as Input and One Output Ports

juniperjuniper-junosjuniper-srxswitch

i would like to know how i can configure juniper "SRX100" switch such that there i can connect two LAN's for inbound traffic and one outbound traffic.

Best Answer

The basic process is as follows:

Configure your VLANs

set vlans v100-INTERNAL1 vlan-id 100
set vlans v101-INTERNAL2 vlan-id 101
set vlans v102-EXTERNAL vlan-id 102

Attach VLANs to switch ports

set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan-members v100-INTERNAL1
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan-members v101-INTERNAL2
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan-members v102-EXTERNAL

Configure IP Interfaces

set interfaces vlan unit 100 family inet address 192.168.100.1/24
set interfaces vlan unit 101 family inet address 192.168.101.1/24
set interfaces vlan unit 102 family inet address 192.168.102.1/24

Attach IP interfaces to VLANs

set vlans v100-INTERNAL1 l3-interface vlan.100
set vlans v101-INTERNAL2 l3-interface vlan.101
set vlans v102-EXTERNAL l3-interface vlan.102

Configure a default route

set routing-options static route 0.0.0.0/0 next-hop 192.168.102.254

Create Security Zones

set security zones security-zone INTERNAL host-inbound-traffic system-services all
set security zones security-zone EXTERNAL host-inbound-traffic ping

Attach IP Interfaces to Security Zones

set security zones security-zone EXTERNAL interfaces vlan.102
set security zones security-zone INTERNAL interfaces vlan.100
set security zones security-zone INTERNAL interfaces vlan.101

Create security policies

set security policies from-zone INTERNAL to-zone EXTERNAL policy PERMIT-OUTBOUND match source-address any destination-address any application any
set security policies from-zone INTERNAL to-zone EXTERNAL policy PERMIT-OUTBOUND then permit
set security policies from-zone INTERNAL to-zone INTERNAL policy PERMIT-INTERNAL match source-address any destination-address any application any
set security policies from-zone INTERNAL to-zone INTERNAL policy PERMIT-INTERNAL then permit

Hopefully the topology is fairly self-explanatory - just substitute the IP Addresses you wish to use.

If you are connecting to the Internet on the EXTERNAL network, I would recommend tightening up the security policies to only allow specific subnets out, and specific applications

Related Solutions

SRX DHCP client compatibility with HP Procurve DHCP Relay

I opened a case with HP concerning this issue. After escalating past the useless Level 1 tech, the Level 2 tech very alertly spotted something that I had not.

The SRX is sending its DHCPDISCOVER packet with a TTL of 1. The Procurve's apparently will decrement the TTL and use the resulting TTL in the relay'ed packet to the DHCP server. In this case, the decrement leaves the TTL at 0 meaning the packet gets dropped on the floor.

This is actually in spec for DHCP/BOOTP relay, though clearly it causes reduced interoperability. I have asked HPNetworking to treat this as a bug/RFE and change the behavior. No immediate response to that request in the case.

The SRX sending the DHCPDISCOVER with a TTL of 1 is also probably within spec, but, again, a choice of reduced interoperability, so I plan to open a case with JTAC on the same basis.

I'll add more info on the response of Juniper and HP as it becomes available.

Incidentally, I have tested the relay behavior of a Cisco 4506 (firmware version not immediately available), and a Brocade/Foundry FastIron Edge X (7.2 or 7.3 firmware, I believe, don't have immediate access to confirm) and they both handle relaying the request with TTL 1 without issue.

UPDATE There is a way to change the TTL value that the SRX uses on its DHCP requests, but its not from within the JunOS cli...its done from the underlying Unix OS.

root@% sysctl -w net.inet.ip.mcast_ttl=64

I have opened an RFE with HP to make their relaying function more resilient, but not response from them yet on if/when that will be worked on.

Switch – What do input discards on switch ports indicate and how can one track down their cause

Unknown VLANs are the primary cause of Input Discards (ifInDiscards) in my environment; usually from inappropriate VLANs spanning a trunk port. Depending on the services active in the VLAN in question, those counters can increase exponentially over short periods of time.

Keep in mind that Input Discards are the result of valid frames being dropped due to an internal forwarding issue. Another thing to note: Input Discards encompass a drastically smaller amount of issues, most everything else results in an interface error.

Best Answer

Related Solutions

SRX DHCP client compatibility with HP Procurve DHCP Relay

Switch – What do input discards on switch ports indicate and how can one track down their cause

Related Topic