SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX210 with VLANS

  • 1.  SRX210 with VLANS

    Posted 06-17-2011 11:49

    Hello everyone,

     

    I'm trying to get used to the new world of networking with vlans etc, and I'm having a bit of a hard time fully understanding this.

     

    Right now I have an SRX210 which is connected to my WAN, and also connected to my EX2200. I have configured the EX2200 and SRX210 to use 10.0.0.0/20, 10.0.16.0/20, 10.0.32.0/20 VLANs. Now, I'm fairly certain this is working correctly because I got two machines on the same subnet that can ping each other, view web pages etc. If I can ping across the same subnet, does that mean that this is set up properly? I saw somewhere in the web config on my SRX210 that the second and third (non-default) VLANs I created were "offline"; is there a way to make these go "online"?

     

    Now the main problem I'm running into is that I have no idea how to allow cross-chatter between the subnets. I need to allow port 80 out of the network to the WAN from my 10.0.16.0/20 subnet, and allow 22 from 10.0.16.0/20 to 10.0.32.0/20 (and vice versa). The only problem is, I have no idea where or how to configure this!

     

    Any finger pointing in the right direction would be very much appreciated! I've torn through googling and official documentation with no luck.



  • 2.  RE: SRX210 with VLANS

    Posted 06-18-2011 03:26

    Hi Null,

     

    Since you're trying to filter traffic between VLANs, then you'd probably be best off routing between them on the SRX, so on the port that links the SRX to the EX (on both devices), you'll need to trunk all three VLANs.  Your config will look something like this:

     

        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ VLAN0 VLAN16 VLAN32 ];
                    }
                }
            }
        }

    Where VLAN0, VLAN16 and VLAN32 are the names you've given your VLANs.

     

    The simplest way to perform your filtering is to place each VLAN into its own security zone like so:

     

    security-zone VLAN0-ZONE {
        host-inbound-traffic {
            system-services {
                ping;
                https;
                traceroute;
                ssh;
            }
        }
        interfaces {
            vlan.0;
        }
    }

    After you've created a zone for each interface, you'll then need to create a policy between each of the security zones to allow or deny traffic.  Based on your example for port 22, you'd need a security policy such as:

     

            from-zone VLAN16-ZONE to-zone VLAN32-ZONE {
                policy ALLOW-SSH {
                    match {
                        source-address VLAN16-SUBNET;
                        destination-address VLAN32-SUBNET;
                        application junos-ssh;
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                        count;
                    }
                }
            }

    Obviously, you'd have defined address book entries for VLAN16-SUBNET and VLAN32-SUBNET.  You'll also need to make sure that the SRX has vlan interfaces with addresses defined for each VLAN, and that this address is the default gateway for hosts in each subnet.

     

    Hope this helps!



  • 3.  RE: SRX210 with VLANS

    Posted 06-21-2011 16:13

    Thank you very much for the prompt reply; it's unfortunate that I haven't had time until yesterday to try this config.

     

    Even at that I quite honestly haven't had time to test the config...but there's a more pressing concern at this time.

     

    The firewall is set up for ge-0/0/0 to be the WAN and the others the LAN, which when I first set it up was fine...now for some reason it's being weird and not giving me an internet connection. The SRX gets an IP and can ping google.com fine. But yet on my VLAN that's allowed all traffic, it doesn't work! On my client end it seems like more of a DNS problem than anything.



  • 4.  RE: SRX210 with VLANS

    Posted 06-21-2011 17:28

    Posting the configuration would be helpful.  Other than that the first few things I can think of are (a) ensure that source NAT is set up, (b) ensure that security zones are defined, (c) ensure that interfaces are defined and assigned to security zones, and (d) ensure that policies are created.

     

    Aidan



  • 5.  RE: SRX210 with VLANS

    Posted 06-21-2011 18:23

    This is my SRX config:

     

    ## Last commit: 2011-06-23 18:40:44 UTC by root
    version 11.1R2.3;
    system {
        host-name digi-srx-1;
        domain-name digi-pets.com;
        root-authentication {
            encrypted-password "$1$KRfQ.WBe$chXFsQG643TKllPj.ciM9/"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface ge-0/0/1.100;
                }
                https {
                    system-generated-certificate;
                    interface ge-0/0/1.100;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            vlan-tagging;
            unit 16 {
                description Servers;
                vlan-id 16;
                family inet {
                    address 10.0.16.1/20;
                }
            }
            unit 32 {
                description Dev;
                vlan-id 32;
                family inet {
                    address 10.0.32.1/20;
                }
            }
            unit 100 {
                description vlan-trust;
                vlan-id 100;
                family inet {
                    address 10.0.0.1/20;
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching;
            }
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set dev-to-untrust {
                    from zone dev-zone;
                    to zone untrust;
                    rule dev-source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone dev-zone to-zone untrust {
                policy dev-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone servers-zone to-zone dev-zone {
                policy ssh-to-dev {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone dev-zone to-zone servers-zone {
                policy ssh-to-servers {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                interfaces {
                    ge-0/0/1.100 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
            security-zone dev-zone {
                interfaces {
                    ge-0/0/1.32 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone servers-zone {
                interfaces {
                    ge-0/0/1.16 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
        }
    }

     

     

    And this is my Ex config:

     

    ## Last changed: 2011-06-24 01:53:09 UTC
    version 11.1R2.3;
    system {
        host-name digi-ex2200-1;
        root-authentication {
            encrypted-password "$1$Pxqbd.QA$AwqD2.IVqjEA.i9ZZz3cD1";
        }
        services {
            ssh {
                protocol-version v2;
            }
            netconf {
                ssh;
            }
            web-management {
                http;
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ development servers default ];
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/15 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/16 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/17 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/18 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/19 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/20 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/21 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/22 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/23 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/24 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/25 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/26 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/27 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/28 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/29 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/30 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/31 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/32 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/33 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/34 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/35 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/36 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/37 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/38 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/39 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/40 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/41 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/42 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/43 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/44 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/45 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/46 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/47 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/0 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/1 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/2 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/3 {
            unit 0 {
                family ethernet-switching;
            }
        }
        vlan {
            unit 16 {
                family inet {
                    address 10.0.16.2/20 {
                        arp 10.0.17.1 mac 1c:6f:65:66:ba:6e;
                        arp 10.0.18.1 mac 1c:6f:65:66:ba:72;
                    }
                }
            }
            unit 32 {
                family inet {
                    address 10.0.32.2/20 {
                        arp 10.0.32.4 mac 6c:f0:49:57:68:52;
                    }
                }
            }
            unit 100 {
                family inet {
                    address 10.0.0.2/20;
                }
            }
        }
    }
    protocols {
        igmp-snooping {
            vlan all;
        }
        rstp;
        lldp {
            interface all;
        }
        lldp-med {
            interface all;
        }
    }
    routing-instances {
        VR_Default {
            instance-type virtual-router;
            interface vlan.100;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.0.0.1;
                }
            }
        }
        VR_Development {
            instance-type virtual-router;
            interface vlan.32;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.0.32.1;
                }
            }
        }
        VR_Servers {
            instance-type virtual-router;
            interface vlan.16;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.0.16.1;
                }
            }
        }
    }
    ethernet-switching-options {
        storm-control {
            interface all;
        }
    }
    vlans {
        default {
            vlan-id 100;
            l3-interface vlan.100;
        }
        development {
            vlan-id 32;
            interface {
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
                ge-0/0/4.0;
                ge-0/0/5.0;
                ge-0/0/6.0;
                ge-0/0/7.0;
                ge-0/0/8.0;
                ge-0/0/9.0;
                ge-0/0/10.0;
                ge-0/0/11.0;
                ge-0/0/12.0;
                ge-0/0/13.0;
                ge-0/0/14.0;
                ge-0/0/15.0;
                ge-0/0/16.0;
                ge-0/0/17.0;
                ge-0/0/18.0;
                ge-0/0/19.0;
                ge-0/0/20.0;
                ge-0/0/21.0;
                ge-0/0/22.0;
                ge-0/0/23.0;
            }
            l3-interface vlan.32;
        }
        servers {
            vlan-id 16;
            interface {
                ge-0/0/24.0;
                ge-0/0/25.0;
                ge-0/0/26.0;
                ge-0/0/27.0;
                ge-0/0/28.0;
                ge-0/0/29.0;
                ge-0/0/30.0;
                ge-0/0/31.0;
                ge-0/0/32.0;
                ge-0/0/33.0;
                ge-0/0/34.0;
                ge-0/0/35.0;
                ge-0/0/36.0;
                ge-0/0/37.0;
                ge-0/0/38.0;
                ge-0/0/39.0;
                ge-0/0/40.0;
                ge-0/0/41.0;
                ge-0/0/42.0;
                ge-0/0/43.0;
                ge-0/0/44.0;
                ge-0/0/45.0;
                ge-0/0/46.0;
            }
            l3-interface vlan.16;
        }
    }

     

     

    I'm having another odd issue and this isn't working how I intended it to. For some reason right now if I want to access my switch's config I need to be plugged into the switch (duh), but if I'm connected to the switch, I can't reach the SRX's configuration page (can't ping 10.0.0.1 at all). If I plug directly into the SRX I can access it fine.



  • 6.  RE: SRX210 with VLANS

    Posted 06-21-2011 19:04

    It looks to me like the VLAN tags on the trunk port are mismatched.  That should resolve the EX > SRX issue and possibly the internet access issue as well.

     

    Aidan



  • 7.  RE: SRX210 with VLANS

    Posted 06-21-2011 19:47

    How do you mean? Should the names of the VLANs be exactly the same? And should I always have the exact same VLANs trunked on the interface?

     

    EDIT: I changed it so that the SRX210 only uses the servers and development VLANs on the trunk. Somehow I still cannot connect to 10.0.0.1 when I'm connected on the last port through the switch (should be the default VLAN), but I can still configure it if I'm plugged in directly.

     

    EDIT #2: I also tried configuring the firewall so that it should allow ssh between development and servers, yet when I try to connect via ssh to the servers I'm getting "No route to host". Also changed the config file for the SRX210 in my previous post to reflect these changes.



  • 8.  RE: SRX210 with VLANS

    Posted 06-22-2011 05:07

    vlans {
        dev {
            vlan-id 32;
            l3-interface vlan.2;
        }
        servers {
            vlan-id 16;
            l3-interface vlan.1;
        }
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

     

    vlans {
        default {
            l3-interface vlan.0;
        }
        development {
            vlan-id 2;
            interface {
                ge-0/0/1.0;
                ge-0/0/xx.0;
            }
            l3-interface vlan.2;
        }
        servers {
            vlan-id 4;
            interface {
                ge-0/0/24.0;
                ge-0/0/xx.0;
            }
            l3-interface vlan.3;
        }
    }

    The vlan-id specifies an identifying value that is applied to the dot1q tag on the trunk.  In this case traffic from the servers on the EX originates on VLAN 4 but the SRX expects it on VLAN 16 and thus drops the traffic.  Try matching these values on both devices.

     

    Aidan



  • 9.  RE: SRX210 with VLANS

    Posted 06-22-2011 14:41

    I tried changing the configuration the way you specified, to match all IDs, but it's still acting strange.

     

    I can access my switch if I'm plugged into my firewall, which is a step in the right direction but things are still not right.

     

    I still cannot access the internet, and I cannot ssh across the VLANs; it still tells me that the destination host is unavailable.

     

    I updated my config again with the latest, is there anything that looks off?



  • 10.  RE: SRX210 with VLANS

    Posted 06-22-2011 23:00

    So I see a couple of things that should be fixed.

     

    1) You only have a source NAT from trust to untrust.  You need one for each zone that needs to have NAT performed.

    2) I believe you're going to have to use virtual routers on your switch (I think the 2200 will do it; my test system is a 3200, and it will).

     

    I've attached a working config from my test gear that does what you need.  I don't think you'll need the "routing-options" section as this should be provided from the DHCP lease on your WAN interface.

     

     

    Attachment(s): EX3200_VLANS.txt (2 KB), SRX210_VLANS.txt (4 KB)
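    The two mistakes named in replies 8 and 10 (an EX trunk tag the SRX has no tagged unit for, and a zone with a policy into untrust but no source NAT rule-set) can both be caught offline from `show configuration | display set` output of each device. The script below is an added example, not part of this thread or its attachments: the function names are its own, and the two embedded configs are constructed to reproduce the tag mismatch and the missing NAT, not copied from the posted configs.

```python
"""Offline audit of Junos 'show configuration | display set' output for two
of the mistakes discussed in this thread: VLAN tags on the EX trunk that the
SRX has no tagged unit for, and zones that have a policy to untrust but no
source NAT rule-set.  Parser and both sample configs are constructed for
this example; nothing here comes from the thread's attachments."""


def statements(text):
    """Split set-format config into token lists, dropping the leading 'set'."""
    out = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:1] == ["set"] and len(toks) > 1:
            out.append(toks[1:])
    return out


def srx_vlan_ids(stmts):
    """802.1Q tags the SRX accepts: every 'vlan-id N' under interfaces or vlans."""
    ids = set()
    for toks in stmts:
        if toks[0] in ("interfaces", "vlans") and "vlan-id" in toks:
            ids.add(int(toks[toks.index("vlan-id") + 1]))
    return ids


def ex_trunk_vlans(stmts):
    """Map each VLAN carried on an EX trunk port to its vlan-id (None = no tag)."""
    vlan_defs = {toks[1]: int(toks[3]) for toks in stmts
                 if toks[0] == "vlans" and toks[2:3] == ["vlan-id"]}
    trunk_ports = {tuple(toks[1:4]) for toks in stmts
                   if toks[0] == "interfaces" and toks[-2:] == ["port-mode", "trunk"]}
    carried = {}
    for toks in stmts:
        if toks[0] == "interfaces" and tuple(toks[1:4]) in trunk_ports and "members" in toks:
            name = toks[toks.index("members") + 1]
            carried[name] = vlan_defs.get(name)   # None: sent untagged on the trunk
    return carried


def vlan_tag_mismatches(srx_stmts, ex_stmts):
    """Trunk VLANs whose tag (or missing tag) has no matching unit on the SRX."""
    accepted = srx_vlan_ids(srx_stmts)
    return {name: vid for name, vid in ex_trunk_vlans(ex_stmts).items()
            if vid not in accepted}


def zones_missing_source_nat(srx_stmts, untrust="untrust"):
    """Zones with a policy into `untrust` but no source NAT rule-set from them to it."""
    rs_from, rs_to, egress_zones = {}, {}, set()
    for toks in srx_stmts:
        if (toks[:4] == ["security", "nat", "source", "rule-set"] and len(toks) > 7
                and toks[5:7] in (["from", "zone"], ["to", "zone"])):
            (rs_from if toks[5] == "from" else rs_to)[toks[4]] = toks[7]
        elif (toks[:3] == ["security", "policies", "from-zone"] and len(toks) > 5
                and toks[4] == "to-zone" and toks[5] == untrust):
            egress_zones.add(toks[3])
    natted = {rs_from[n] for n in rs_from if rs_to.get(n) == untrust}
    return sorted(egress_zones - natted)


# Constructed sample: the SRX tags 16, 32 and 100 on ge-0/0/1 and NATs only trust.
SRX_SET = """
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 16 vlan-id 16
set interfaces ge-0/0/1 unit 32 vlan-id 32
set interfaces ge-0/0/1 unit 100 vlan-id 100
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule snat match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule snat then source-nat interface
set security policies from-zone trust to-zone untrust policy out then permit
set security policies from-zone dev-zone to-zone untrust policy out then permit
set security policies from-zone servers-zone to-zone untrust policy out then permit
"""
# Constructed sample: the EX sends 'development' as tag 2, 'servers' as tag 4 and
# 'default' untagged, so none of them line up with the SRX units above.
EX_SET = """
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members development
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members servers
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members default
set vlans default l3-interface vlan.0
set vlans development vlan-id 2
set vlans development interface ge-0/0/1.0
set vlans servers vlan-id 4
set vlans servers interface ge-0/0/24.0
"""

if __name__ == "__main__":
    srx, ex = statements(SRX_SET), statements(EX_SET)
    print("trunk VLANs the SRX will not accept:", vlan_tag_mismatches(srx, ex))
    print("zones reaching untrust without source NAT:", zones_missing_source_nat(srx))
```

    Feed it the `display set` output captured from each box instead of the embedded samples. A VLAN reported with `None` is one the EX sends untagged on the trunk, which the SRX's `vlan-tagging` units will not accept any more than a wrong tag would, so the fix in both cases is to give the same `vlan-id` to the VLAN on the EX and to the unit on the SRX.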


  • 11.  RE: SRX210 with VLANS

    Posted 06-24-2011 00:27

    Hello,

     

    Thank you very much for your configurations dscott, but I still cannot seem to get things working properly.

     

    I updated the configuration in my previous post again to reflect my changes. I was hoping I didn't have to come to the forums this much for help but, this seems like a very supportive community regardless!

     

    Everything seems to match your config OK but still I get no internet access, I cannot ssh across VLANs, no pinging, nothing.

     

    Also, when I'm plugged into my EX I can access the web config on the EX fine, but when I try to access the SRX, I can't...even though I can ping it.



  • 12.  RE: SRX210 with VLANS

    Posted 06-24-2011 11:57
    Couple troubleshooting steps before we get any further.
     
    Are you getting your IP via DHCP?
    If so, what is it using for the default gateway?  In my config you're going to have to use the .2 IP for each vlan as the default gateway.
    If you log into the switch and issue the following commands, which ping replies work?
     
    ping 10.0.32.1 routing-instance VR_Default <try all 3 VR's here VR_Default/VR_Development/VR_Servers>
     
    If you statically assign a machine in the dev zone an IP of 10.0.32.10/20 with a gateway of 10.0.32.2, can you ping 10.0.32.1? If so, can you ping 8.8.8.8 (Google public DNS server)?
     
    When I get home tonight, I'll set up some machines to acquire an IP from DHCP using your config, and see if that is working.  I have a feeling the machines either aren't getting an IP, are getting the wrong IP for their network, or have an invalid default gateway.
     
    Dustin


  • 13.  RE: SRX210 with VLANS

    Posted 06-24-2011 21:48

    Ok, so I think I've got your problem figured out.  See the 2 new configs attached.

     

    Basically DHCP wasn't making it to your clients.

     

    Now the EX will forward DHCP requests to the SRX.

     

    As far as reaching other hosts is concerned, based on the security policies, you should be able to communicate as follows...

     

    trust to internet (any port)

    dev to internet (any port)

    servers to dev (any port)

    dev to servers (any port)

     

    If you need more than this, the policies and NAT will need to be modified.

     

    Hopefully this gets you going...

     

     

    Dustin

    Attachment(s): SRX210_VLANS_v2.txt (5 KB), EX3200_VLANS_v2.txt (2 KB)


  • 14.  RE: SRX210 with VLANS

    Posted 06-25-2011 01:46

    Working crazy late tonight or else I would have responded faster. First off, thanks again for taking time out of your Friday to help me out!

     

    I wasn't trying to use DHCP but I was hoping to set it up on development, so that helps a lot, thank you!

     

    But when I tried the first step you asked me to do (ping 10.0.32.1 routing-instance VR_Default/VR_Development/VR_Servers) they all failed, saying "ping: invalid routing instance `VR_x'". I did not realize that you were supposed to set up the switch as the default gateway, so I did that on the machine I was assigning a static IP to. When I did, I was able to ping 10.0.32.1 but I was not able to ping 8.8.8.8.

     

    Seems to me that the routing-instances are not working properly? Would this have anything to do with me being on a newer version; should I try the suggested versions?



  • 15.  RE: SRX210 with VLANS

    Posted 06-25-2011 07:53

    I'll update my test gear to your version and see how it works.  Could you repost the full config from both devices.

     

    Do you get any commit errors on the ex2200 when you try to configure the routing-instances?  As of 10.1 they weren't supported on the ex2200.

     

    http://forums.juniper.net/t5/Ethernet-Switching/Policy-based-routing-on-the-EX-2200/m-p/40668#M2037

     

    I don't have an ex2200 to test on.  I'll see about modifying the setup to not need the routing instances.  You may need to run all of the traffic through the SRX at that point, but I'm not sure.  Once my software updates finish, I'll see what I can come up with by leaving the switch at layer 2.



  • 16.  RE: SRX210 with VLANS

    Posted 06-25-2011 08:10

    Looks like routing instances aren't yet supported on the EX2200....

     

    http://www.juniper.net/techpubs/en_US/junos/topics/concept/ex-series-software-features-overview.html#layer-3-protocols-features-by-platform-table

     

    Still curious if you got an error on commit.  I'll look into a way to do this at L2.

     

    Dustin



  • 17.  RE: SRX210 with VLANS

    Posted 06-25-2011 08:10

    The configs in my previous post are up to date; I haven't touched anything since. Those configs are all committed and "working" hehe. Let me know what you find out and I'll start testing ASAP.


  • 18.  RE: SRX210 with VLANS
    Best Answer

    Posted 06-25-2011 09:06

    Here are some updated configs.  The switch is using L2 VLANs and no routing instances, which should work on the EX2200.

     

    DHCP works for all 3 subnets.

     

    The default gateway is now on the SRX (.1 IP for each subnet)

     

    Let me know how it goes.


    Dustin

    Attachment(s): SRX210_VLANS_v3.txt (5 KB), EX3200_VLANS_v3.txt (1 KB)


  • 19.  RE: SRX210 with VLANS

    Posted 06-25-2011 12:48

    Thank you so much. I am still having some trouble with the servers, but they are on static IPs and not DHCP; is there any way I can assign an IP via DHCP based on the MAC address?

     

    Other than that everything is working well! I can finally browse the web from the default and development VLANs, and IPs are being assigned properly.

     

    EDIT: I can access the servers fine from the development VLAN!!!! This is great, working as intended. Also, I cannot access the web management from the default VLAN; would ge-0/0/1.100 be the right interface to set up for that?



  • 20.  RE: SRX210 with VLANS

    Posted 06-25-2011 14:03

    Happy to help.  Glad it's working for you...

     

    You can assign an IP based on the MAC address using DHCP static-binding.

     

    For example...

     

    (On the SRX)

     

    set system services dhcp static-binding 00:50:56:a8:00:01 fixed-address 10.0.0.12

     

    You need to allow web management for the security zone the default vlan is in...

     

    set security zones security-zone trust host-inbound-traffic system-services http

    set security zones security-zone trust host-inbound-traffic system-services https

     

    Dustin