Vlan – Configure VLANs on Juniper SRX – cannot figure it out

junipersrxvlan

This must be insanely simple, but I get errors every time.

I have a very basic setup.

SRX 300

ge-0/0/0 = untrust

ge-0/0/1 though ge-0/0/5 = trust

ge-0/0/0 and 0/0/4 are in use.

I have an access point that can host several SSIDs with a VLAN assigned to each SSID.

I would like to create a VLAN with an assigned DHCP server for unsecured guest Internet only access.

Ideally, this VLAN can be assigned to ge-0/0/4.

I have rolled back all of my changes thus far.

I've tried to include as much relevant information as I could.

root@HSRX300# show interfaces
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address xxx.xxx.xxx.xxx/xx;
                    address xxx.xxx.xxx.xxx/xx;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 192.168.2.1/24;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family inet {
                    address 192.168.3.1/24;
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family inet {
                    address 192.168.4.1/24;
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family inet {
                    address 192.168.5.1/24;
                }
            }
        }
        ge-0/0/6 {
            unit 0;
        }
        ge-0/0/7 {
            unit 0;
        }
        st0 {
            unit 1 {
                family inet {
                    mtu 1436;
                    address xxx.xxx.xxx.xxx/xx;
                }
            }
            unit 2 {
                family inet {
                    mtu 1436;
                    address xxx.xxx.xxx.xxx/xx;
                }
            }
        }


        root@HSRX300# show protocols
        l2-learning {
            global-mode switching;
        }

    root@HSRX300# show security zones
    security-zone trust {
        address-book {
            address Some-Server xxx.xxx.xxx.xxx/xx;
            address Some-Server-II xxx.xxx.xxx.xxx/xx;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
                bgp;
            }
        }
        interfaces {
            ge-0/0/1.0;
            ge-0/0/2.0;
            ge-0/0/3.0;
            ge-0/0/4.0;
            ge-0/0/5.0;
            st0.1;
            st0.2;
        }
    }
    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
                ike;
            }
        }
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                        tftp;
                    }
                }
            }
        }
    }

Best Answer

Okay, from the top:

I would highly recommend you upgrade code to 15.1X49-D60.7 before you get started.
You'll need to enable switching mode globally on the box (this will require a restart but save it until you've added all the config):

set protocols l2-learning global-mode switching

Next, create your VLAN - let's assume VLAN-ID 4 and a matching irb (routed) interface to go with it. We'll also put the irb interface into the trust security zone so that the host-inbound configuration applies to it:

set vlans WLAN-HOME vlan-id 4

set vlans WLAN-HOME l3-interface irb.4

set interfaces irb unit 4 family inet address 192.168.4.1/24

set security zones security-zone trust interface irb.4

Now, delete your current interface ge-0/0/4, remove it from the trust security zone and re-create it as a switching interface in the new VLAN. NOTE: This assumes that your AP is expecting VLAN 4 to be tagged towards it - you may lose access to the management interface unless you also add a native-vlan-id to this port, which will require another separate VLAN:

delete interfaces ge-0/0/4

delete security zones security-zone trust interface ge-0/0/4.0

set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk

set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members WLAN-HOME

Set up a DHCP scope for your new subnet and configure it to serve addresses on irb.4:

set system services dhcp-local-server group jdhcp-group interface irb.4

set access address-assignment pool WLAN-HOME-POOL family inet network 192.168.4.0/24

set access address-assignment pool WLAN-HOME-POOL family inet range junosRange low 192.168.4.10

set access address-assignment pool WLAN-HOME-POOL family inet range junosRange high 192.168.4.80

set access address-assignment pool WLAN-HOME-POOL family inet dhcp-attributes router 192.168.4.1

set access address-assignment pool WLAN-HOME-POOL family inet dhcp-attributes maximum-lease-time 3600

set access address-assignment pool WLAN-HOME-POOL family inet dhcp-attributes name-server 192.168.1.10

Done.

Related Solutions

How to log out of state sessions on Juniper SRX platform

Packets should be classified regardless of the TCP handshake being watched or not. If there isn't a session defined for that flow (fast path) a new one should be created (first path).

Do you have any screen configured?? Maybe it's the screen that's dropping the traffic.

More details on Troubleshooting Traffic Flows and Session Establishment

Maybe you can configure a log file with traceoptions:

security {
  flow {
        traceoptions {
            file trace_file;
            flag basic-datapath;
            packet-filter Match {
                protocol tcp;
                source-prefix <source-ip>;
                destination-prefix <dest-ip>;
                destination-port <tcp-port>;
            }
        }
    }
}

Beware of these traces, since it can cause high CPU load on the SRX if it's carrying a lot of traffic. Limit the filter as much as possible and run it during a maintenance window.

Routing – Juniper SRX One VLAN Across Multiple reth Interfaces without Intra-zone Policy

Ethernet switching on Juniper SRX firewalls in Chassis Cluster is not done through reth interfaces, but by creating a "switching fabric" accross the cluster. In this switching fabric you can create vlans and RVI's as ususal, but this does require a sslight redesign of your configuration. You would need to:

Create an additional link between the nodes: swfab interface. This link carries the switching fabric traffic between the nodes, and is in addition to the control- and fabric-links between the nodes.
Add vlans.
Change your reth.X interfaces (redundant ethernet) to vlan.X interfaces (RVI).

Juniper explains this a lot better than I do, in KB21422 (http://kb.juniper.net/InfoCenter/index?page=content&id=KB21422)

Best Answer

Related Solutions

How to log out of state sessions on Juniper SRX platform

Routing – Juniper SRX One VLAN Across Multiple reth Interfaces without Intra-zone Policy

Related Topic