SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VLAN setup questions with clustered SRXs and EXs

    Posted 09-18-2014 09:33

    Hello, juniper newbie, please assist/direct me to any posts/docs that would be helpful!


    I have 2x of the following, both in virtual clusters
    srx220h2 - JUNOS Software Release [12.1X44-D20.3]

    ex3300-24t - JUNOS Base OS boot [12.3R6.6]

    Not having any luck with setting up VLANs between the devices via J-Web, and I'm not sure exactly how to set everything up. I understand that SRX clustering changes some VLAN design options. I'm trying to keep the gateway IPs and all server IP addressing the same as we have them now, to ease the migration once I get the FW/switches configured and tested.

    I want to have the VLANs or network segments tied to zones so that we can do FW rules between the VLANs. All packets should be tagged when leaving the switch, so the trunk ports on the switches and the reth interfaces carry all VLANs as-is, but the SRX inspects the traffic when it crosses a VLAN (server-to-server communication) or goes in/out to the internet (a user to our website in the DMZ, for example).

    Switches have 2 uplinks to each SRX for redundancy. The SRX VC has reths set up on ge-0/0/1,2 and ge-3/0/1,2.

    Want to setup something like:

    Name         ID   IP                  Zone         Interfaces
    LAN          10   192.168.1.254/24    LAN          reth0,1
    DMZ1         30   192.168.3.254/24    DMZ1         reth0,1
    DMZ2-WEB1    40   192.168.4.254/24    DMZ2-WEB1    reth0,1
    MGMT         60   192.168.6.254/24    MGMT         reth0,1

    Also:
    Can I rename the default trust and untrust zones to 'LAN' and 'WAN'?
    Can I move the default vlan to a different vlan ID?  [EDIT: I'll just use VLAN ID 10]

     

    Thank you!

    Fred

     



  • 2.  RE: VLAN setup questions with clustered SRXs and EXs

    Posted 09-19-2014 00:18


    Hi Fred,

     

    You can configure VLAN tagging on the SRX reth interface (trust port).

    E.g.:

       reth1 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 10 {
                vlan-id 10;
                family inet {
                    address 192.168.10.1/24;
                }
            }
            unit 20 {
                vlan-id 20;
                family inet {
                    address 192.168.20.1/24;
                }
            }
            unit 30 {
                vlan-id 30;
                family inet {
                    address 192.168.30.1/24;
                }
            }
        }


    You can create custom security zones called LAN, WAN, etc.

    set security zones security-zone WAN interfaces reth0.0 host-inbound-traffic system-services all
    set security zones security-zone WAN interfaces reth0.0 host-inbound-traffic protocols all

    set security zones security-zone LAN-10 interfaces reth1.10 host-inbound-traffic system-services all
    set security zones security-zone LAN-10 interfaces reth1.10 host-inbound-traffic protocols all


    set security zones security-zone LAN-20 interfaces reth1.20 host-inbound-traffic system-services all
    set security zones security-zone LAN-20 interfaces reth1.20 host-inbound-traffic protocols all

    set security zones security-zone LAN-30 interfaces reth1.30 host-inbound-traffic system-services all
    set security zones security-zone LAN-30 interfaces reth1.30 host-inbound-traffic protocols all

    Now you can create security policies between LAN-10 and LAN-20, etc., as well as between LAN-10 and WAN.

    Also, you can put all sub-interfaces reth1.10, reth1.20 and reth1.30 in one security zone called LAN.

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
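A complete configuration for the plan in the first post, as an added example that is not rparthi's code: reth1 carries the four VLANs as tagged subinterfaces, each subinterface sits in its own zone so that inter-VLAN traffic is subject to policy, host-inbound-traffic is limited to what the SRX itself needs to accept instead of `all`, and one LAN-to-DMZ policy with an explicit logged deny shows the shape of the rules. Assumed: redundancy group 1, ge-0/0/2 and ge-3/0/2 as the reth1 members (from the first post), and the zone and policy names. The `##` lines are notes, not commands.

```junos
## Member ports for reth1, one from each cluster node (already in place per the first post)
set interfaces ge-0/0/2 gigether-options redundant-parent reth1
set interfaces ge-3/0/2 gigether-options redundant-parent reth1

## reth1 is an 802.1Q trunk toward the EX switches: one logical unit per VLAN,
## carrying the gateway address each VLAN uses today
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 10 vlan-id 10
set interfaces reth1 unit 10 family inet address 192.168.1.254/24
set interfaces reth1 unit 30 vlan-id 30
set interfaces reth1 unit 30 family inet address 192.168.3.254/24
set interfaces reth1 unit 40 vlan-id 40
set interfaces reth1 unit 40 family inet address 192.168.4.254/24
set interfaces reth1 unit 60 vlan-id 60
set interfaces reth1 unit 60 family inet address 192.168.6.254/24

## One zone per VLAN; traffic between zones is dropped until a policy permits it
set security zones security-zone LAN interfaces reth1.10
set security zones security-zone DMZ1 interfaces reth1.30
set security zones security-zone DMZ2-WEB1 interfaces reth1.40
set security zones security-zone MGMT interfaces reth1.60

## host-inbound-traffic controls what may be sent TO the SRX itself on an interface.
## Management (ssh/https) is accepted only from MGMT; the other zones get ping for
## troubleshooting and nothing else.
set security zones security-zone MGMT host-inbound-traffic system-services ssh
set security zones security-zone MGMT host-inbound-traffic system-services https
set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone LAN host-inbound-traffic system-services ping
set security zones security-zone DMZ1 host-inbound-traffic system-services ping
set security zones security-zone DMZ2-WEB1 host-inbound-traffic system-services ping

## Users reach the web server on HTTP/HTTPS only. Everything else LAN -> DMZ2-WEB1 hits
## the explicit deny, which is logged so blocked inter-VLAN flows are visible.
set security policies from-zone LAN to-zone DMZ2-WEB1 policy lan-to-web match source-address any
set security policies from-zone LAN to-zone DMZ2-WEB1 policy lan-to-web match destination-address any
set security policies from-zone LAN to-zone DMZ2-WEB1 policy lan-to-web match application junos-http
set security policies from-zone LAN to-zone DMZ2-WEB1 policy lan-to-web match application junos-https
set security policies from-zone LAN to-zone DMZ2-WEB1 policy lan-to-web then permit
set security policies from-zone LAN to-zone DMZ2-WEB1 policy lan-to-web then log session-init
set security policies from-zone LAN to-zone DMZ2-WEB1 policy deny-rest match source-address any
set security policies from-zone LAN to-zone DMZ2-WEB1 policy deny-rest match destination-address any
set security policies from-zone LAN to-zone DMZ2-WEB1 policy deny-rest match application any
set security policies from-zone LAN to-zone DMZ2-WEB1 policy deny-rest then deny
set security policies from-zone LAN to-zone DMZ2-WEB1 policy deny-rest then log session-init

## The web server may answer but must not open connections back into LAN:
## no DMZ2-WEB1 -> LAN policy is defined, so the default deny applies in that direction
```

Check the result with `show security zones` and `show security policies from-zone LAN to-zone DMZ2-WEB1`. Flows that are intra-segment today become inter-zone flows under this design, so anything beyond HTTP/HTTPS that legitimately crosses VLANs needs its own permit before cut-over.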

     



  • 3.  RE: VLAN setup questions with clustered SRXs and EXs

    Posted 09-19-2014 06:20

    I see that I can't use VLAN ID 1 (or change the ID of the default VLAN), so I will use 10 as you did in your example.

     

    Is it possible to rename the default trust and untrust zones to 'LAN' and 'WAN'?

     

    EDIT: I tried the following command, but it looks like I need to unbind everything connected to the 'trust' zone first.

    # rename security zones security-zone trust to security-zone IGC1LAN1

     

     

    What is being set up with these commands? Is this allowing anything from anywhere into those zones?

    "set security zones security-zone LAN-10 interfaces reth1.10 host-inbound-traffic system-services all
    set security zones security-zone LAN-10 interfaces reth1.10 host-inbound-traffic protocols all"

    EDIT: Oh, I see, this is just for communication to the SRXs themselves.

     

    "Also, you can put all sub-interfaces reth1.10, reth1.20 and reth1.30 in one security zone called LAN."

    I want to apply policy to traffic going between the zones, so I don't want to do that, correct?

     

     

    Thank you

     

     

    EDIT: What types of configuration will I need to make on the switches?

     

     



  • 4.  RE: VLAN setup questions with clustered SRXs and EXs
    Best Answer

    Posted 09-20-2014 00:01

    Hi Fred,

     

    Yes, after creating new security zones, you need to move all the interfaces to the new zone.

     

    Or you could rename the default zones to any name that you want.

     

    From configuration mode, take a backup first:

     

    save /var/tmp/config-backup

     

    then

     

    change the name of the trust zone to LAN using

     

    replace pattern trust with LAN

     

    This will replace the name trust with LAN in all the configuration lines.

     

    Host-inbound services are for allowing access to that interface itself (ssh, telnet, ike, etc.).

     

    Yes, you do not need to put all the interfaces under one zone, since you want to configure policy between zones.

     

    The following article talks about VLANs.

     

    http://www.juniper.net/us/en/local/pdf/app-notes/3500196-en.pdf

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
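The rename workflow from the reply above, as an added example that is not part of rparthi's post. `replace pattern` is a text substitution over the candidate configuration, so the pattern `trust` also matches inside `untrust`; the point of the example is to inspect the diff before committing and to commit with a confirmation timer so that a mistake on the management path reverts on its own. The anchored form `^trust$` assumes the pattern is matched as a regular expression against each configuration token; the `show | compare` step is what confirms it did what was intended. The `##` lines are notes, not commands.

```junos
## Configuration mode on the primary node; save the candidate before touching names
[edit]
user@srx# save /var/tmp/config-backup

## Unanchored: every occurrence of the string is replaced, including the "trust"
## inside "untrust", which would leave a zone called "unLAN"
user@srx# replace pattern trust with LAN
user@srx# show | compare

## If the diff touched more than the trust zone, discard the candidate and redo it
## with an anchored pattern (assumes regex matching per token; verify with the diff)
user@srx# rollback 0
user@srx# replace pattern ^trust$ with LAN
user@srx# show | compare

## Confirm the zone, its interfaces and every policy now reference LAN
user@srx# show security zones security-zone LAN
user@srx# show security policies | match LAN

## Commit with a timer: if the rename breaks the management path, the box rolls
## back after 5 minutes unless the commit is confirmed
user@srx# commit confirmed 5
user@srx# commit
```

The backup at /var/tmp/config-backup can be reloaded with `load override /var/tmp/config-backup` followed by `commit` if the rename has to be undone after it was confirmed.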

     

     



  • 5.  RE: VLAN setup questions with clustered SRXs and EXs

    Posted 09-21-2014 17:09

    Thanks a lot for your help, things are getting a lot more clear.

     

     

    The "show vlans" output will be blank, along with the VLANs area of J-Web, correct? However, all the VLAN configuration will be on the interfaces. For the switches, I can configure the ports on VLANs, and as long as I keep the VLAN IDs the same and tag the packets, everything should work between all the devices, correct?

    Related to that, how do I check the health/config of the VLAN setup if the show vlan commands don't show anything, just "show interfaces"?

     

    Do I need a "native-vlan-id" for untagged frames?

     

    Does it matter whether I have "host-inbound-traffic" on the interfaces or at the security-zone level, if those are the only interfaces in that zone? Current config:

     

    # show security zones
    security-zone IGC1LAN1 {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            reth0.10 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
            reth1.10 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }
    security-zone WAN {
        host-inbound-traffic {
            protocols {
                bgp;
            }
        }
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        https;
                        ssh;
                    }
                }
            }
            ge-3/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        ssh;
                        https;
                    }
                }
            }
        }
    }
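The switch side and the verification commands the last post asks about, as an added example rather than anything posted in the thread. It assumes the four VLANs from the first post, an EX3300 on 12.3 (pre-ELS syntax), ge-0/0/47 as the uplink to the SRX cluster and ge-0/0/10 as a server port; the interface numbers are placeholders. The `##` lines are notes, not commands.

```junos
## EX3300, Junos 12.3 (pre-ELS syntax). The VLAN IDs must match the reth1 units on the SRX;
## the names are local to the switch and do not have to match the SRX zone names
set vlans LAN vlan-id 10
set vlans DMZ1 vlan-id 30
set vlans DMZ2-WEB1 vlan-id 40
set vlans MGMT vlan-id 60

## Uplink toward the SRX cluster: an 802.1Q trunk that carries every VLAN tagged.
## No native-vlan-id is set: nothing untagged should reach the firewall, and a tagged
## reth1 without an untagged unit would drop such frames anyway
set interfaces ge-0/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members [ LAN DMZ1 DMZ2-WEB1 MGMT ]

## A server port: the host sends untagged frames, the switch tags them with 40 before
## they leave on the trunk, so the SRX sees them on reth1.40 in zone DMZ2-WEB1
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members DMZ2-WEB1

## Verification on the switch
user@ex> show vlans
user@ex> show ethernet-switching interfaces ge-0/0/47
user@ex> show ethernet-switching table vlan DMZ2-WEB1

## Verification on the SRX. "show vlans" is empty by design here, because the VLANs
## live on the tagged reth1 units; look at the interfaces, the cluster and the zones
user@srx> show interfaces terse | match reth1
user@srx> show interfaces reth1.40
user@srx> show chassis cluster interfaces
user@srx> show security zones
user@srx> show security flow session destination-prefix 192.168.4.0/24
```

On the SRX, a host-inbound-traffic stanza under an interface overrides the zone-level stanza for that interface, so in the IGC1LAN1 zone shown above the per-interface `all` entries add nothing over the zone-level `all`. Either level works when those are the only interfaces in the zone; what matters is narrowing `all` to the services the firewall must actually accept on that segment (ping, plus ssh/https only where management is expected), as the WAN zone above already does.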