This must be insanely simple, but I get errors every time.
I have a very basic setup.
SRX 300
ge-0/0/0 = untrust
ge-0/0/1 through ge-0/0/5 = trust
ge-0/0/0 and 0/0/4 are in use.
I have an access point that can host several SSIDs with a VLAN assigned to each SSID.
I would like to create a VLAN with an assigned DHCP server for unsecured guest Internet only access.
Ideally, this VLAN can be assigned to ge-0/0/4.
I have rolled back all of my changes thus far.
I've tried to include as much relevant information as I could.
root@HSRX300# show interfaces
ge-0/0/0 {
unit 0 {
family inet {
address xxx.xxx.xxx.xxx/xx;
address xxx.xxx.xxx.xxx/xx;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 192.168.2.1/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 192.168.3.1/24;
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
address 192.168.4.1/24;
}
}
}
ge-0/0/5 {
unit 0 {
family inet {
address 192.168.5.1/24;
}
}
}
ge-0/0/6 {
unit 0;
}
ge-0/0/7 {
unit 0;
}
st0 {
unit 1 {
family inet {
mtu 1436;
address xxx.xxx.xxx.xxx/xx;
}
}
unit 2 {
family inet {
mtu 1436;
address xxx.xxx.xxx.xxx/xx;
}
}
}
root@HSRX300# show protocols
l2-learning {
global-mode switching;
}
root@HSRX300# show security zones
security-zone trust {
address-book {
address Some-Server xxx.xxx.xxx.xxx/xx;
address Some-Server-II xxx.xxx.xxx.xxx/xx;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
bgp;
}
}
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
ge-0/0/3.0;
ge-0/0/4.0;
ge-0/0/5.0;
st0.1;
st0.2;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
Best Answer
Okay, from the top:
I would highly recommend you upgrade code to 15.1X49-D60.7 before you get started.
You'll need to enable switching mode globally on the box (this will require a restart, but save it until you've added all the config):
set protocols l2-learning global-mode switching
set vlans WLAN-HOME vlan-id 4
set vlans WLAN-HOME l3-interface irb.4
set interfaces irb unit 4 family inet address 192.168.4.1/24
set security zones security-zone trust interface irb.4
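Keep in mind that the line above places irb.4 in the trust zone, which in the posted config permits all host-inbound system-services and protocols and is shared with the internal interfaces. For guest Internet-only access, irb.4 would be better placed in its own security zone that allows inbound only what guests need from the firewall itself (such as dhcp) and has a policy towards untrust only.
For ge-0/0/4, remove it from the trust security zone and re-create it as a switching interface in the new VLAN. NOTE: This assumes that your AP is expecting VLAN 4 to be tagged towards it - you may lose access to the management interface unless you also add a native-vlan-id to this port, which will require another separate VLAN:
delete interfaces ge-0/0/4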
delete security zones security-zone trust interface ge-0/0/4.0
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members WLAN-HOME
set system services dhcp-local-server group jdhcp-group interface irb.4
set access address-assignment pool WLAN-HOME-POOL family inet network 192.168.4.0/24
set access address-assignment pool WLAN-HOME-POOL family inet range junosRange low 192.168.4.10
set access address-assignment pool WLAN-HOME-POOL family inet range junosRange high 192.168.4.80
set access address-assignment pool WLAN-HOME-POOL family inet dhcp-attributes router 192.168.4.1
set access address-assignment pool WLAN-HOME-POOL family inet dhcp-attributes maximum-lease-time 3600
set access address-assignment pool WLAN-HOME-POOL family inet dhcp-attributes name-server 192.168.1.10