
Configure J-SRX210H with a trunk port to the switch

  • 1.  Configure J-SRX210H with a trunk port to the switch

    Posted 02-12-2014 07:10

    I have this simple topology:

     

    [image: topology.png]

    Where J-SRX210H is the Juniper Gateway SRX210H. It has access to the Internet (which works well). JSRX is connected to the Dell switch, a PC6224 fully configured with VLANs and a trunk port. Now, I would like to be able to access computers on VLANs 2 and 254 through the Internet. How can I achieve this?

     

    Should I ONLY configure VLANs on the SRX? I don't need to add any VLANs on the SRX, just configure GE-0/0/1 as a trunk port for VLANs 2 and 254? CHEERS 🙂

     

    P.S. I know I need NAT also but it will come a time for this 😉



  • 2.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 02-12-2014 18:17

    You will need to create sub-interfaces on ge-0/0/1 for both VLANs and assign the matching tag value to the Dell switch.

     

    You probably also want to add the IP address gateway for those VLANs to these interfaces as family inet so that the SRX will be your gateway for the VLAN.

     

    You will need to assign those new interfaces to a zone on the SRX, probably "trust"  or two different zones if you need to write policies between the two vlans.

     

    Write a policy for the vlans to permit traffic from trust to trust or the two new zones.

     

    Then you add your internet allow policy along with a nat rule for outbound internet access.



  • 3.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 02-13-2014 09:32

    Thank you for the answer. I will try to do this in a few days.

     

    Can you please give me some links/online books/tutorials to Juniper docs where VLAN configuration is described? I looked almost everywhere but could not find any docs which cover the VLAN trunk topic.

     

    I will come up with some IP addresses and will ask further questions (there will be plenty I guess). Just let me think of some questions to ask for few days 😉 (I definitely need to read some Juniper docs first!)



  • 4.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 02-13-2014 13:24

    For your specific question, the SRX switching guide I think is what you want.  Trunk port configuration starts with an example on page 22.

     

    http://www.juniper.net/us/en/local/pdf/app-notes/3500196-en.pdf

     

    Starting from scratch, your best bet is to sign up for a free "Fast Track" account.

     

    https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx

     

    There is a set of PDF books and free online tutorials here.

     

    For the SRX policies and mgmt setup see Day One: Deploying SRX.  You may find other Day one books helpful too.

     

    http://forums.juniper.net/t5/Day-One-Books/Day-One-Book-Deploying-SRX-Series-Services-Gateways/ba-p/52398

     

    In the KB, the jump station is a helpful collection of common tasks:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB15694



  • 5.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 02-21-2014 06:25

    Thanks 4 the answer! I finally configured my trunk port, here are commands I used 4 this:



    set vlans PORT_666 vlan-id 666
    
    set vlans TRUNK_777 vlan-id 777
    
    run show vlans
    
    set vlans PORT_666 l3-interface vlan.666
    
    set vlans TRUNK_777 l3-interface vlan.777
    
    set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
    
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members PORT_666
    
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TRUNK_777
    
    set interfaces vlan unit 666 family inet address 192.168.6.1/24
    
    set interfaces vlan unit 777 family inet address 192.168.7.1/24
    
    set security zones security-zone trust interfaces vlan.666
    
    set security zones security-zone trust interfaces vlan.777
    
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    
    commit confirmed

     

    And it works like a charm! 🙂 I only have a problem with the last one: enabling access from the Internet to hosts in the VLANs (private networks). How should I set up NAT? I mean, how is that possible (how to configure it on the JSRX) to be able to access ANY of my computers in my VLANs through the Internet? Any docs from Juniper available, any advice? 🙂

     

    I must say, Juniper's docs are brilliant!

     



  • 6.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 02-21-2014 14:50

    I believe you would be looking for outbound source nat using the interface ip address.  This is found on page 5 of the Junos NAT Configuration examples documentation.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=TN81



  • 7.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 02-28-2014 01:05

    Hmm, something weird is happening now.

     

    My topology: [image: Untitled.png]

     

    192.168.1.3 can ping 8.8.8.8 (google's DNS)

    192.168.1.3 can ping 192.168.1.1 (JSRX)

    192.168.1.3 can ping 172.16.254.197

     

    192.168.1.1 (JSRX) can ping 8.8.8.8

    192.168.1.1 (JSRX) can ping 192.168.1.3

    192.168.1.1 (JSRX) can ping 172.16.254.197

    192.168.1.1 (JSRX) can ping 172.16.1.197

     

    192.168.1.3 can't ping 172.16.1.197 (nothing ...)

    172.16.254.197 can't ping 192.168.1.3 (destination host unreachable)

     

    My JSRX config is the standard config, I only added this configuration to the out of the box config:

     

    set vlans MANAGEMENT vlan-id 254
    
    set vlans TRUNKSRX vlan-id 2
    
    run show vlans
    
    set vlans MANAGEMENT l3-interface vlan.254
    
    set vlans TRUNKSRX l3-interface vlan.2
    
    set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
    
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members MANAGEMENT
    
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TRUNKSRX
    
    set interfaces vlan unit 254 family inet address 172.16.254.254/24
    
    set interfaces vlan unit 2 family inet address 172.16.1.1/24
    
    set security zones security-zone trust interfaces vlan.254
    
    set security zones security-zone trust interfaces vlan.2
    
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    
    commit confirmed

     

    Switch is configured properly:

     

    VLAN   Name      Ports                     Type     Authorization
    -----  --------  ------------------------  -------  -------------
    2      vlan2     1/g17-1/g20, 1/g24        Static   Required

    VLAN   Name      Ports                     Type     Authorization
    -----  --------  ------------------------  -------  -------------
    254    vlan254   1/g13-1/g20, 1/g23-1/g24  Static   Required
    

     

    Will adding

     

    ip route 0.0.0.0 172.16.254.254

     

     

    on the switch be a solution?

     



  • 8.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 02-28-2014 13:54

    You seem to be missing the RVI (layer 3 interface) for vlan 254

     

    Also your trunk port is putting all vlans into the same unit.  You would need multiple units on ge-0/0/1 with unique unit numbers to separate the vlans.

     

    Also these vlan tags here must match what you configure on the switch for the q tag which you would also set in each unit.



  • 9.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 03-01-2014 02:54

    Thank you.

     

    So I need to change this:

     

    set vlans MANAGEMENT vlan-id 254
    
    set vlans TRUNKSRX vlan-id 2


    set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members MANAGEMENT
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TRUNKSRX
    set interfaces vlan unit 254 family inet address 172.16.254.254/24
    set interfaces vlan unit 2 family inet address 172.16.1.1/24

     

    to that:

     

    set vlans vlan254 vlan-id 254
    
    set vlans vlan2 vlan-id 2

     

    set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
    
    set interfaces ge-0/0/1 unit 254 family ethernet-switching vlan members vlan254
    
    set interfaces ge-0/0/1 unit 2 family ethernet-switching vlan members vlan2
    
    set interfaces vlan unit 254 family inet address 172.16.254.254/24
    
    set interfaces vlan unit 2 family inet address 172.16.1.1/24

     

    ?

     

    And the RVI interface - how do I configure it here? And why is it needed for the 254 VLAN?



  • 10.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 03-01-2014 05:48

    The changes look good.  You are probably not using unit 0 here in your configuration as you don't seem from the diagram to have a native untagged vlan going here.  But the presence of this should not be a problem.

     

    I missed this last night, you do have both RVI configured with these.  For some reason I did not see it.

     

    set vlans MANAGEMENT l3-interface vlan.254
    
    set vlans TRUNKSRX l3-interface vlan.2

     So on the switch side you set the port to trunk and have vlan tags 2 and 254 assigned at the switch.

     

    Your switch will just be layer two as you have the gateways setup on the SRX at the desired addresses.



  • 11.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 03-02-2014 18:48

    "How should I set up NAT? I mean, how is that possible (how to configure it on the JSRX) to be able to access ANY of my computers in my VLANs through the Internet? Any docs from Juniper available, any advice?"

    That is a wide open request. What kind of access do you want to the hosts, and do you want access from any source on the Internet to any computer behind the SRX? You want to decide first which host you want to allow access to, what kind of access, and from which source. For example, do you want to allow RDP to any client? Or is it their VoIP phones etc.? Or is it web services etc.? Then you would probably do a DNAT to the hosts for specific port access, and the relevant security policy to allow that kind of communication.



  • 12.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 03-03-2014 00:41

    Huh, pasted this in my top configuration mode ([edit]):

     

    set vlans vlan254 vlan-id 254
    
    set vlans vlan2 vlan-id 2
    
    set vlans vlan254 l3-interface vlan.254
    
    set vlans vlan2 l3-interface vlan.2
    
    set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
    
    set interfaces ge-0/0/1 unit 254 family ethernet-switching vlan members vlan254
    
    set interfaces ge-0/0/1 unit 2 family ethernet-switching vlan members vlan2
    
    set interfaces vlan unit 254 family inet address 172.16.254.254/24
    
    set interfaces vlan unit 2 family inet address 172.16.1.1/24
    
    set security zones security-zone trust interfaces vlan.254
    
    set security zones security-zone trust interfaces vlan.2
    
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    
    commit confirmed
    

     And got those errors:

     

    [edit interfaces ge-0/0/1]
      'unit 2'
        Only unit 0 is valid for this encapsulation
    error: configuration check-out failed

     How to solve this?

     

    Tried:

     

    delete interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
    delete interfaces ge-0/0/1 unit 0
    
    edit interfaces ge-0/0/1
    set vlan-tagging
    exit

     But it didn't help at all; a new issue came out.



     



  • 13.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 03-03-2014 07:36

    If you want to make ge-0/0/1 a trunk port, then:

    delete interfaces ge-0/0/1
    set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk vlan members [vlan254 vlan2]

    Family ethernet-switching can only be configured on unit 0 of any interface.

    If what you want to do is to configure a different Layer logical interface for each of the vlans, then this would work (all commands entered at the top [edit] level, so that the unit commands are not nested under a second "interfaces ge-0/0/1" context):

    delete interfaces ge-0/0/1 unit 0
    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1 unit 254 vlan-id 254
    set interfaces ge-0/0/1 unit 2 vlan-id 2



  • 14.  RE: Configure J-SRX210H with a trunk port to the switch

    Posted 03-04-2014 12:27

    Thanks! Did it like this:

     

    set vlans Management vlan-id 254
    set vlans Management l3-interface vlan.254
    set interfaces vlan unit 254 family inet address 172.16.254.254/24
    
    set vlans LAN vlan-id 2
    set vlans LAN l3-interface vlan.2
    set interfaces vlan unit 2 family inet address 172.16.1.1/24
    
    set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members LAN
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Management

     Is that correct?
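As an added check for this thread (example code written for the thread, not Juniper's software and not any poster's own commands), the script below parses Junos "set" lines and reports the mistakes raised in posts 8, 12 and 13: family ethernet-switching on a unit other than 0, a VLAN with no l3-interface (RVI), an RVI with no address or no security zone, and a trunk whose VLAN tags do not match what the switch carries. The sample configuration is constructed from the final post plus the zone lines from post 12, the broken variant is constructed from the errors in post 12, and the switch tags {2, 254} come from the "show vlan" output in post 7; none of it is a dump from a real device.

```python
"""Consistency checks for SRX VLAN/trunk 'set' commands.

Added example for this thread, not Juniper code. It parses Junos 'set' lines
and reports the problems the thread ran into: family ethernet-switching on a
unit other than 0, a VLAN without an l3-interface (RVI), an RVI without an
address or a security zone, and trunk tags that differ between SRX and switch.
"""

# Constructed sample: the final post's configuration plus the zone lines from
# an earlier post in the thread. Not a dump from a real device.
FINAL_CONFIG = """
set vlans Management vlan-id 254
set vlans Management l3-interface vlan.254
set interfaces vlan unit 254 family inet address 172.16.254.254/24
set vlans LAN vlan-id 2
set vlans LAN l3-interface vlan.2
set interfaces vlan unit 2 family inet address 172.16.1.1/24
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members LAN
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Management
set security zones security-zone trust interfaces vlan.254
set security zones security-zone trust interfaces vlan.2
"""

# Constructed variant reproducing the mistakes from post 12 (ethernet-switching
# on units 254 and 2) and additionally leaving vlan2 without an RVI.
BROKEN_CONFIG = """
set vlans vlan254 vlan-id 254
set vlans vlan2 vlan-id 2
set vlans vlan254 l3-interface vlan.254
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 254 family ethernet-switching vlan members vlan254
set interfaces ge-0/0/1 unit 2 family ethernet-switching vlan members vlan2
set interfaces vlan unit 254 family inet address 172.16.254.254/24
set security zones security-zone trust interfaces vlan.254
"""

# Tags the Dell switch carries on the port facing ge-0/0/1 (taken from the
# thread's 'show vlan' output).
SWITCH_TRUNK_TAGS = {2, 254}


def parse_set_lines(text):
    """Return one token list per 'set' command; blank and non-set lines are skipped."""
    cmds = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "set":
            cmds.append(tokens[1:])
    return cmds


def check_config(text, switch_tags):
    """Return a list of human-readable findings; an empty list means all checks pass."""
    findings = []
    vlan_ids = {}        # vlan name -> 802.1Q tag
    vlan_rvi = {}        # vlan name -> 'vlan.N' (the RVI / l3-interface)
    rvi_addr = set()     # RVIs that carry a family inet address
    zone_ifaces = {}     # RVI -> security zone it belongs to
    trunk_members = {}   # physical interface -> set of member vlan names
    for c in parse_set_lines(text):
        if c[:1] == ["vlans"] and len(c) >= 4:
            if c[2] == "vlan-id":
                vlan_ids[c[1]] = int(c[3])
            elif c[2] == "l3-interface":
                vlan_rvi[c[1]] = c[3]
        elif c[:2] == ["interfaces", "vlan"] and "address" in c:
            rvi_addr.add("vlan." + c[3])
        elif c[:1] == ["interfaces"] and "ethernet-switching" in c:
            phys, unit = c[1], c[3]
            if unit != "0":  # the error the SRX itself reports at commit time
                findings.append(f"{phys} unit {unit}: family ethernet-switching is only valid on unit 0")
            if "members" in c:  # accepts both 'members X' and 'members [X Y]'
                names = [t.strip("[]") for t in c[c.index("members") + 1:]]
                trunk_members.setdefault(phys, set()).update(n for n in names if n)
        elif c[:3] == ["security", "zones", "security-zone"] and "interfaces" in c:
            zone_ifaces[c[c.index("interfaces") + 1]] = c[3]
    for name in vlan_ids:
        if name not in vlan_rvi:
            findings.append(f"VLAN {name}: no l3-interface (RVI), so the SRX is not a gateway for it")
    for name, rvi in vlan_rvi.items():
        if rvi not in rvi_addr:
            findings.append(f"{rvi} (VLAN {name}): no family inet address configured")
        if rvi not in zone_ifaces:
            findings.append(f"{rvi} (VLAN {name}): not in any security zone, so no policy can permit its traffic")
    for phys, members in sorted(trunk_members.items()):
        for name in sorted(members - set(vlan_ids)):
            findings.append(f"{phys}: trunk member {name} is not defined under vlans")
        srx_tags = {vlan_ids[n] for n in members if n in vlan_ids}
        for tag in sorted(set(switch_tags) - srx_tags):
            findings.append(f"{phys}: switch carries tag {tag} on the trunk but the SRX side does not")
        for tag in sorted(srx_tags - set(switch_tags)):
            findings.append(f"{phys}: SRX trunk carries tag {tag} that the switch does not")
    return findings


if __name__ == "__main__":
    for label, cfg in (("final", FINAL_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"== {label} configuration ==")
        for finding in check_config(cfg, SWITCH_TRUNK_TAGS) or ["no findings"]:
            print("  " + finding)
```

The final configuration from this post produces no findings, while the broken variant reports the two non-zero ethernet-switching units and the VLAN left without an RVI; passing a switch tag set that contains an extra tag shows the trunk mismatch check as well.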