Junos OS


A few questions about VLANs

  • 1.  A few questions about VLANs

    Posted 09-26-2013 10:56

    First thing, my configuration

    ## Last changed: 2013-09-26 19:30:45 CEST
    version 11.2R4.3;
    system {
        host-name router;
        domain-name ---;
        time-zone Europe/Amsterdam;
        root-authentication {
            encrypted-password ---;
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface [ vlan.0 vlan.1 ];
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                pool 10.10.2.0/24 {
                    address-range low 10.10.2.2 high 10.10.2.254;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-wired;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 1 {
                family inet {
                    address 10.10.2.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set trust-any {
                    from zone trust;
                    to zone trust;
                    rule any-address {
                        match {
                            source-address 0.0.0.0/32;
                            destination-address 0.0.0.0/32;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    vlan.1;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
        vlan-wired {
            vlan-id 2;
            l3-interface vlan.1;
        }
    }
    

     This is the default configuration of my SRX220, with an extra vlan (vlan-wired), that has a new interface vlan.1 with addresses 10.10.2.x. It's in the trust zone, and its only interface is ge-0/0/2. I also added a NAT from the trust zone to the trust zone (ruleset trust-any), in an attempt to solve my problem. My problem is: if I connect a computer to ge-0/0/2, it gets a 10.10.2.x address, but can't reach the router. The error I get if I try to ssh is "no route to host". No problems from ge-0/0/1.

    I would assume it's a routing problem, as the new vlan is in another subnet, but I don't know how to solve it.

     

    Also, the computer on ge-0/0/2 doesn't appear in the arp:

    root@router> show arp    
    MAC Address       Address         Name                      Interface           Flags
    94:de:80:6e:8b:05 192.168.1.2     192.168.1.2               vlan.0              none
    

     but it does appear in the dhcp bindings, and twice, with two addresses from two subnets:

    root@router> show system services dhcp binding    
    IP address       Hardware address   Type     Lease expires at
    192.168.1.3      5c:26:0a:18:47:01  dynamic  2013-09-27 20:41:36 CEST
    10.10.2.2        5c:26:0a:18:47:01  dynamic  2013-09-27 19:19:22 CEST
    192.168.1.2      94:de:80:6e:8b:05  dynamic  2013-09-27 20:42:34 CEST
    

    Why is that? Did I miss anything?


    As a last question: what is the purpose of the default vlan (that is, the vlan with name "default")? Doesn't seem to work in a normal way. After all, if it did there probably wouldn't be a vlan-trust in the default configuration. Can I use the default?

     

    Many thanks



  • 2.  RE: A few questions about VLANs

    Posted 09-27-2013 07:04

    Well, the first thing that leaps out is that you do not have a policy allowing "intra-zone" traffic, i.e. traffic across the interfaces in your trust zone. Fix that and your traffic should flow. No need for a NAT rule.

     

    Just define from-zone trust to-zone trust policy allow-intra-zone: any, any, any = permit 

     

    The "default" vlan in the world of Juniper is a vlan that is untagged. It is the default vlan on switches and all ports are in that vlan meaning you can just power it up and use it. 



  • 3.  RE: A few questions about VLANs

    Posted 09-27-2013 09:59

    Thanks for coming back, but I'm afraid you are underestimating my commitment, and my need for a working router :)

     

    Don't think I didn't try it. This is a configuration I just made: I removed the NAT and added a trust-to-trust policy with any, any, any, permit:

    ## Last changed: 2013-09-27 18:36:29 CEST
    version 11.2R4.3;
    system {
        host-name router;
        domain-name ---;
        time-zone Europe/Amsterdam;
        root-authentication {
            encrypted-password ---;
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface [ vlan.0 vlan.1 ];
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                pool 10.10.2.0/24 {
                    address-range low 10.10.2.2 high 10.10.2.254;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-wired;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 1 {
                family inet {
                    address 10.10.2.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    vlan.1;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
        vlan-wired {
            vlan-id 2;
            l3-interface vlan.1;
        }
    }

     I'm not sure this is what you mean, or maybe I made a mistake, but this doesn't work. I also did a clear system services dhcp binding to remove that stale binding.

    Uhmmm... the router (192.168.1.1) is not in the trust interface. Maybe I should try an untrust-to-trust policy. I don't think I tried that, actually.

     

    But isn't the fact that I don't have 10.10.2.2 (the address I get on the second VLAN) in the ARP weird?

     

    EDIT: an untrust-trust policy didn't work either.

     

    EDIT2: but wait... I don't get "no route to host" this time. I get "connection timed out", on both ssh and http. Am I onto something?

     

    EDIT3: coming to think about it, the router is not in the untrusted either. Can I do anything for that?



  • 4.  RE: A few questions about VLANs

    Posted 09-28-2013 09:33

    At the end I gave up. I'm using only one VLAN, which is good enough. I also noticed that some configurations I submit give me problems. For example, I noticed I can't change the vlan.x interface used by a vlan. I lose any contact with the server. I'm using the web interface to submit configurations, not sure how it works from the command line.

    This might actually be the cause of the problem, but I'll investigate it further later.



  • 5.  RE: A few questions about VLANs

     
    Posted 10-06-2013 18:53

    If you need to have ssh enabled on interfaces you should do so in the zone.

    If the traffic crosses several zones, policies should be created to allow the traffic.

     



  • 6.  RE: A few questions about VLANs

    Posted 10-08-2013 11:06

    @TRK-NKA wrote:

    If you need to have ssh enabled on interfaces you should do so in the zone.

    If the traffic crosses several zones, policies should be created to allow the traffic.

     


    Well, I was actually thinking that using vlans I can do that with IP addresses, which would be nicer. But coming to think about it, I guess I can use vlan interfaces. Might be an option. But can I have more interfaces per vlan?



  • 7.  RE: A few questions about VLANs

     
    Posted 10-08-2013 11:13

    Normally a VLAN has just one RVI/L3 interface, if you enable that, as you had already done previously. I suppose you might be able to set up more addresses for the L3 interface if you need more than one IP in a VLAN.

     



  • 8.  RE: A few questions about VLANs
    Best Answer

    Posted 04-29-2014 20:56

    Sir,

     

    I believe the reason why your pc on vlan.1 can't get any connectivity, is because in your DHCP settings you've specified that 192.168.1.1 is the "router" or gateway globally for both DHCP scopes.  So even if your PC grabs a 10.x.x.x address, the srx is still handing that same host a default gateway of 192.168.1.1.  You need to configure "router" under each pool, not globally on top of the dhcp hierarchy.  Your "router" or gateway for the 10.x.x.x scope needs to be the IP you set for the vlan.1 l3-interface.  Your config should change to something like this:

     

    dhcp {
        pool 192.168.1.0/24 {
            address-range low 192.168.1.2 high 192.168.1.254;
            router {
                192.168.1.1;
            }
        }
        pool 10.10.2.0/24 {
            address-range low 10.10.2.2 high 10.10.2.254;
            router {
                10.10.2.1;
            }
        }
    }
    
    
    This way each dhcp scope will give out its respective default gateway for hosts.  However, what you REALLY should do is stop using the "set system dhcp" hierarchy altogether and start using "set access address-assignment pool" hierarchy to configure DHCP pools.  Here's an example:
    
    access {
        address-assignment {
            pool wired {
                family inet {
                    network 10.10.2.0/24;
                    range wired {
                        low 10.10.2.2;
                        high 10.10.2.254;
                    }
                    dhcp-attributes {
                        name-server {
                            209.18.47.61;
                        }
                        router {
                            /* assuming .1 is your Layer 3 gateway */
                            10.10.2.1;
                        }
                    }
                }
            }
        }
    }


    Then under "system services dhcp-local-server", put in the logical or physical interface participating in DHCP:

    dhcp-local-server {
        group wired {
            interface vlan.1;
        }
    }

     



  • 9.  RE: A few questions about VLANs

    Posted 05-05-2014 10:18

    Problem solved, thank you. I guess I should have thought of it. I now have a wireless vlan and a wired vlan. The wireless vlan is assigned to ge-0/0/0, which is where the access point is.

    My latest config, aside from some static bindings:

     

    ## Last changed: 2014-05-05 18:57:08 CEST
    version 11.4R10.3;
    system {
        host-name router;
        time-zone Europe/Amsterdam;
        root-authentication {
            encrypted-password "$1$B7/2/cCS$0Sn41FhjXDkaxwl1uniGL/";
        }
        services {
            ssh;
            xnm-clear-text;
            web-management {
                http {
                    interface [ vlan.0 vlan.1 ];
                }
                https {
                    system-generated-certificate;
                    interface [ vlan.0 vlan.1 ];
                }
            }
            dhcp {
                pool 10.10.1.0/24 {
                    router {
                        10.10.1.1;
                    }
                }
                pool 10.10.2.0/24 {
                    router {
                        10.10.2.1;
                    }
                }
                propagate-settings at-2/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 88.198.36.4;
            server 81.89.63.67;
            server 193.225.14.181;
            server 62.2.207.91;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-wireless;
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-wired;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-wired;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-wired;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-wired;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-wired;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-wired;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-wired;
                    }
                }
            }
        }
        at-2/0/0 {
            encapsulation ethernet-over-atm;
            atm-options {
                vpi 0;
            }
            dsl-options {
                operating-mode auto;
            }
            unit 0 {
                encapsulation ether-over-atm-llc;
                vci 0.34;
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 10.10.1.1/24;
                }
            }
            unit 1 {
                family inet {
                    address 10.10.2.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    vlan.1;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    at-2/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-wired {
            vlan-id 4;
            l3-interface vlan.0;
        }
        vlan-wireless {
            vlan-id 5;
            l3-interface vlan.1;
        }
    }

     Just a couple of things.

     

    First, an article that basically explains the same thing, also including trunks:

     

    http://www.mustbegeek.com/configure-vlans-in-juniper-switch/

     

    Also, it was important to insert a trust to trust policy, or the 2 vlans can't talk to each other. That is also explained here:

     

    http://serverfault.com/questions/334447/configuring-routing-in-juniper-router

     

    Besides that, I have been looking at this access address-assignment pool, and I wonder if I really should stop using the system services dhcp completely. If I use access address-assignment pool, how do I get the propagate-settings and the static bindings?

     

    Thanks again



  • 10.  RE: A few questions about VLANs

    Posted 05-08-2014 12:53

    Well since both your vlans are already in the same security zone, you don't need a policy to govern traffic between them.  I've got a wired and wireless vlan at home as well and they're both in my trust zone and they can talk to each other just fine without a trust-to-trust policy.  At that point, it's just basic layer2/3 routing taking place, using directly connected routes and any trunk links that it may need to traverse.  However if I were to put them in their own respective zones, then yes I would need policies to govern the traffic between them.  Security policies govern traffic between zones, not vlans specifically.

     

    As for your static binding question, take a look at this other thread I assisted in:

     

    http://forums.juniper.net/t5/SRX-Services-Gateway/DHCP-static-binding-not-working/m-p/240398#M29528

     

    You'll see that the static bindings are configured under the "edit access address-assignment pool wired family inet host" hierarchy.  The "propagate settings" issue is also addressed in that same post where you basically tell the srx which interfaces are participating in DHCP, in our cases, its the l3-interfaces for our vlans. 



  • 11.  RE: A few questions about VLANs

    Posted 05-10-2014 23:30

    No, I'm afraid without the policy it doesn't work. If I do:

     

    edit security policies
    delete from-zone trust to-zone trust

    I can't ssh to 10.10.1.1. I have to put it back. It's exactly as described in the stackoverflow post I linked.

    Concerning the DHCP settings, I have to say that I have now a clearer idea, but I'm still missing the meaning of the name-server element. It looks like it's needed, which would mean I lose some of the DHCP advantage. Do I need to add my own name server?



  • 12.  RE: A few questions about VLANs

    Posted 05-12-2014 11:22

    I haven't gotten an actual technical explanation of the significance of using the dhcp-local-server command other than it tells the srx which interfaces are participating in DHCP, if anyone else knows any other use cases feel free to post them here. 

     

    Back to your trust-to-trust security policy, (not to beat a dead horse), but I'd like for you to explain to me then how my configuration works without that policy?  I have no static routes configured, just directly connected routes.  My trust zone looks exactly the same as yours, with both vlan l3-interfaces in the zone, host inbound traffic system services all, protocols all. 

     

    That article you linked to was from quite a few years ago which makes me question the code level they were running plus the code level you're running, plus it just doesn't make logical sense given the behavior of an SRX.  Your vlans are in the SAME zone, policies govern TRANSIT traffic between zones, not traffic within the same zone.  Unless you have some static routes or firewall filters getting in the way, I'll stand by my earlier statement that you should not need this. 



  • 13.  RE: A few questions about VLANs

     
    Posted 05-12-2014 11:36

    If I remember correctly regarding zones and policies:

     

    SRX blocks intra-zone traffic by default

    policies are needed to allow intra-zone traffic.

     

     



  • 14.  RE: A few questions about VLANs

    Posted 05-12-2014 12:02

    Yes I did find this:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16553&smlogin=true

     

    And yes the default action is to deny all traffic, apparently even trust-to-trust bound traffic since there is a default-policy set to "deny-all".  I have not disabled this default policy on my SRX, it's still at the top of the >show security policies | no-more command, and is set to "deny-all", yet traffic from wireless (vlan.30) to wired (vlan.20) does work.  The wireless clients can stream media from my Plex Media server with no issues.  Maybe someone can explain that?

     

    EDIT:

    I looked into my setup a bit more thoroughly and I found the sessions that show how my Plex traffic was flowing.  It was actually taking the trust-to-untrust policy out to the internet and back in... so the joke's on me.  I have since reorganized and segmented my wired and wireless zones with the necessary policy between them.  It is now taking the proper path.
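The DHCP gateway mistake corrected in the accepted answer (post 8) and the intra-zone policy question that posts 10 to 14 settle can both be caught by reading a configuration before committing it. The Python below is an added example, not code from this thread or from Juniper: it parses the curly-brace text that `show configuration` prints into nested dicts and runs three checks over a constructed, cut-down copy of the original post's configuration (SAMPLE_CONFIG) and of a corrected form (FIXED_CONFIG). The check names, messages and the `get`/`leaves` helpers are this example's own; the facts it encodes are the thread's: a pool under `system services dhcp` without its own `router` inherits the global one, the SRX default-policy deny-all also governs traffic between interfaces of the same zone (KB16553), and telnet, xnm-clear-text and http are cleartext management services that the original config exposed to a zone opened with `system-services all`.

```python
"""Lint a Junos configuration for the problems discussed in this thread.

Added example, not code from the thread or from Juniper. parse() turns the
curly-brace text that `show configuration` prints into nested dicts; the checks
cover (1) [system services dhcp] pools whose effective router (pool-level, else
global) is off-subnet, the bug in the accepted answer, (2) zones with several
interfaces but no from-zone X to-zone X policy (SRX default-policy deny-all also
applies intra-zone, KB16553), and (3) cleartext management plus system-services
all. SAMPLE_CONFIG and FIXED_CONFIG are constructed cut-downs of the posted config.
"""
import ipaddress
import re

SAMPLE_CONFIG = """
system { services { ssh; telnet; xnm-clear-text; web-management { http { interface [ vlan.0 vlan.1 ]; } }
    dhcp { router { 192.168.1.1; }
        pool 192.168.1.0/24 { address-range low 192.168.1.2 high 192.168.1.254; }
        pool 10.10.2.0/24 { address-range low 10.10.2.2 high 10.10.2.254; } } } }
security { zones { security-zone trust { host-inbound-traffic { system-services { all; } }
    interfaces { vlan.0; vlan.1; } } } }
"""

FIXED_CONFIG = """
system { services { ssh; web-management { https { system-generated-certificate; interface [ vlan.0 vlan.1 ]; } }
    dhcp { pool 192.168.1.0/24 { router { 192.168.1.1; } } pool 10.10.2.0/24 { router { 10.10.2.1; } } } } }
security { policies { from-zone trust to-zone trust { policy trust-to-trust {
    match { source-address any; destination-address any; application any; } then { permit; } } } }
  zones { security-zone trust { host-inbound-traffic { system-services { ssh; https; dhcp; ping; } }
    interfaces { vlan.0; vlan.1; } } } }
"""


def parse(text):
    """'name {' opens a nested dict, 'stmt;' is a True leaf, '}' closes."""
    text = re.sub(r"/\*.*?\*/|^[ \t]*#[^\n]*", "", text, flags=re.S | re.M)
    root, stack = {}, []
    node = root
    for tok in re.findall(r"[^{};]+[{;]|\}", text):
        tok = tok.strip()
        if tok == "}":
            node = stack.pop()
        elif tok.endswith("{"):
            stack.append(node)
            node = node.setdefault(tok[:-1].strip(), {})
        else:
            node[tok[:-1].strip()] = True
    if stack:
        raise ValueError("unbalanced braces in configuration")
    return root


def get(node, *path):
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def leaves(node):
    return list(node) if isinstance(node, dict) else []


def check_dhcp_gateways(tree):
    dhcp = get(tree, "system", "services", "dhcp") or {}
    global_routers = leaves(dhcp.get("router"))  # inherited by pools without their own
    findings = []
    for key, pool in dhcp.items():
        if not key.startswith("pool ") or not isinstance(pool, dict):
            continue
        prefix = ipaddress.ip_network(key.split()[1], strict=False)
        bad = [r for r in leaves(pool.get("router")) or global_routers
               if ipaddress.ip_address(r) not in prefix]
        if bad:
            findings.append(f"{key}: effective gateway {', '.join(bad)} is outside the pool prefix")
    return findings


def check_intra_zone(tree):
    policies = get(tree, "security", "policies") or {}
    if get(policies, "default-policy", "permit-all"):
        return []
    findings = []
    for key, zone in (get(tree, "security", "zones") or {}).items():
        name, ifaces = key.split()[-1], leaves(get(zone, "interfaces"))
        if len(ifaces) > 1 and f"from-zone {name} to-zone {name}" not in policies:
            findings.append(f"zone {name}: {', '.join(ifaces)} share the zone but there is no "
                            f"from-zone {name} to-zone {name} policy (default-policy deny-all)")
    return findings


def check_management(tree):
    svc = get(tree, "system", "services") or {}
    cleartext = [s for s in ("telnet", "xnm-clear-text") if s in svc]
    if get(svc, "web-management", "http"):
        cleartext.append("http")
    findings = [f"cleartext management services enabled: {', '.join(cleartext)}"] if cleartext else []
    for key, zone in (get(tree, "security", "zones") or {}).items():
        if get(zone, "host-inbound-traffic", "system-services", "all"):
            findings.append(f"{key}: system-services all; allow only what the RVI must answer")
    return findings


def lint(text):
    tree = parse(text)
    return {"dhcp": check_dhcp_gateways(tree), "intra-zone": check_intra_zone(tree),
            "management": check_management(tree)}
```

Paste the output of `show configuration | no-more` into a file and call lint() on its contents. The parser skips `## Last changed` lines and `/* */` annotations but does no schema validation, so it finds only what the three checks look for; on the constructed SAMPLE_CONFIG it reports the 10.10.2.0/24 pool inheriting 192.168.1.1, the missing trust-to-trust policy, and the cleartext services, and on FIXED_CONFIG it reports nothing.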