Recently we got an SRX240 router, and I'm taking my first steps in understanding JunOS.
I want to do a really damn simple thing; here is the situation.
We've got a huge intranet in our organization. Every sub-organization has its own subnet and should use addresses from it only, without any additional NATs or anything else, but we can still restrict access from the subnets of other sub-organizations to prevent unnecessary activity from them.
For a first try I simplified the task as much as possible (I'm configuring the device from the console port): block ALL incoming traffic to the configured VLAN. Unfortunately, all I got was losing access to the IP address assigned to the VLAN, but NOT to the hosts connected to this VLAN. They are still accessible from anywhere, and this is wrong.
The topology is pretty simple too: one VLAN on ports 0 to 15; the uplink might be connected to any of them. More details here: http://i.imgur.com/AGf1bVB.png
Here is the configuration:
version 12.1X44-D60.2;
system {
    time-zone Europe/Moscow;
    root-authentication {
        encrypted-password "HIDDED_DATA"; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 10.20.30.51 version 1 prefer;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members MAIN_VLAN;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                filter {
                    input TestBlock;
                    output TestBlock;
                }
                address 10.20.30.99/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.20.30.1;
    }
}
security {
    policies;
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
    }
}
firewall {
    family inet {
        filter TestBlock {
            term blockall {
                then {
                    discard;
                }
            }
        }
    }
}
vlans {
    MAIN_VLAN {
        vlan-id 10;
        interface {
            ge-0/0/1.0;
            ge-0/0/2.0;
            ge-0/0/3.0;
            ge-0/0/4.0;
            ge-0/0/5.0;
            ge-0/0/6.0;
            ge-0/0/7.0;
            ge-0/0/8.0;
            ge-0/0/9.0;
            ge-0/0/10.0;
            ge-0/0/11.0;
            ge-0/0/12.0;
            ge-0/0/13.0;
            ge-0/0/14.0;
            ge-0/0/15.0;
            ge-0/0/0.0;
        }
        l3-interface vlan.0;
    }
}
What did I miss? Or maybe I'm using a completely wrong approach to achieve this goal?
Best Answer
If I understand your topology correctly, you are using the SRX as a layer-2 device between your ISP router and the hosts in the branch (in place of the managed switch in the drawing).
In this case you will have to run the SRX in "Transparent Mode" instead of the default "Routed Mode". This has a couple of caveats and limitations, so be sure to check the documentation first.
You have to do a couple of things to make this work.
First of all, get rid of all the "VLAN" configuration, and start using a bridge domain:
Next, you must add interfaces to security zones. Normally I would recommend putting the "uplink" in a separate zone, because that will make your policies much easier. I will assume that the uplink is in ge-0/0/0. If it really is impossible to predict in which port the uplink will be, you will have to put all interfaces in the same zone and figure it out with the policies.
Now you can set policies on traffic to and from the intranet:
These security policies have an implicit "deny", so all traffic not specified is dropped.
When you're this far, the SRX is working as a transparent firewall, but unfortunately you can no longer manage it remotely since we didn't specify any rules for that. Assuming you would want to manage the device from the "Intranet" side only, we need to allow traffic to the SRX device (host-inbound-traffic) in the intranet zone:
You will need to reboot the switch after you commit the configuration (you'll get a warning to do this):
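The filter on vlan.0 in the question did nothing for the hosts because a filter on an RVI only sees traffic routed through that interface, while frames switched between ports of the same VLAN never reach it; moving the zone boundary into the Layer 2 path is what the answer's transparent mode achieves. The following set-command form of the answer's steps, for the 12.1X44 release in the question, is an added example and not the answer's own configuration (whose snippets are missing from this page). It assumes the uplink on ge-0/0/0 as the answer does, keeps the management address and default gateway from the question, and the names MAIN_BD, uplink and intranet are constructed.

```junos
## Added example (not the answer's configuration): SRX branch transparent mode, set-command form.
## Assumed: uplink on ge-0/0/0, host ports ge-0/0/1 .. ge-0/0/15 (two shown, the rest repeat the
## same lines), constructed names MAIN_BD / uplink / intranet; addresses come from the question.
## Remove routed-mode switching, the vlan.0 RVI, its zone and the filter that only ever saw RVI traffic
delete interfaces
delete vlans
delete firewall family inet filter TestBlock
delete security zones security-zone trust
## Every port becomes a bridge access port in VLAN 10, grouped by one bridge domain
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access vlan-id 10
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access vlan-id 10
set interfaces ge-0/0/2 unit 0 family bridge interface-mode access vlan-id 10
set bridge-domains MAIN_BD domain-type bridge vlan-id 10
## The management address moves from vlan.0 to the IRB of the bridge domain
set bridge-domains MAIN_BD routing-interface irb.0
set interfaces irb unit 0 family inet address 10.20.30.99/24
set routing-options static route 0.0.0.0/0 next-hop 10.20.30.1
## J-Web was bound to vlan.0, which no longer exists
delete system services web-management http interface vlan.0
delete system services web-management https interface vlan.0
set system services web-management http interface irb.0
set system services web-management https interface irb.0
## Zones: the uplink alone, the hosts together; policies act on the zone boundary, so transit
## frames between the two sides are now inspected instead of being switched straight through
set security zones security-zone uplink interfaces ge-0/0/0.0
set security zones security-zone intranet interfaces ge-0/0/1.0
set security zones security-zone intranet interfaces ge-0/0/2.0
## Transit policy: hosts may initiate towards the uplink; return traffic rides the session.
## No uplink -> intranet policy exists, so the implicit deny drops every connection that
## other sub-organizations try to open towards these hosts.
set security policies from-zone intranet to-zone uplink policy intranet-out match source-address any
set security policies from-zone intranet to-zone uplink policy intranet-out match destination-address any
set security policies from-zone intranet to-zone uplink policy intranet-out match application any
set security policies from-zone intranet to-zone uplink policy intranet-out then permit
## Management of the SRX itself is host-inbound-traffic on the L2 zone; only the intranet side gets it
set security zones security-zone intranet host-inbound-traffic system-services ssh
set security zones security-zone intranet host-inbound-traffic system-services ping
## Validate, commit, then reboot as the answer notes (operational mode: request system reboot)
commit check
commit
```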