SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Configure interfaces

    Posted 07-31-2019 09:19

    Hi - I have an SRX 210 with ge-0/0/0 (untrust) and ge-0/0/1 (trust) configured as family inet with IP addresses assigned. There is a dhcp pool configured with the same subnet as the trust interface. Rather than using a separate L2 switch plugged into the ge-0/0/1 port for the devices to access the srx and obtain IP addresses from the pool etc., I would like to plug directly into the fe ports. Currently when I look at the config via the cli the fe ports are not listed, but of course they are in the gui.

     

    Please advise how I can do this and if at all possible without reconfiguring the ge-0/0/1 port as this device is in production.

     

    Thank you


    #configuration
    #interfaces
    #SRX


  • 2.  RE: Configure interfaces

     
    Posted 07-31-2019 10:54

    Hi,

     

    Not sure if I get your question the right way. If not, please ignore.

     

    Do you want to connect ge-0/0/1 to a fe (100m fast Ethernet) interface?

    If that's the case, there are a few points:

    1. On the Juniper device, the interface is always named as ge-x/x/x

    2. You need to make sure your optic (SFP-T, I assume) is capable of supporting 100m. Usually it's a tri-rate SFP (10/100/1000)

    3. On most of the Junos platforms, you need to disable auto-negotiation and manually configure speed 100m and full duplex. Something like below, but syntax may be a little different across platforms:

      set interfaces ge-0/0/0 gigether-options link-mode full-duplex
      set interfaces ge-0/0/0 gigether-options speed 100m
      set interfaces ge-0/0/0 gigether-options no-auto-negotiation

     

     

     



  • 3.  RE: Configure interfaces

    Posted 07-31-2019 11:10

    So right now the IP assigned to the ge-0/0/1 interface is 10.1.1.1. There is a dhcp pool set to dish out 10.1.1.x IPs with 10.1.1.1 being the DG. Right now all communications to the lan devices are done through the ge-0/0/1 port which has a L2 switch plugged into it. I want to eliminate the switch and plug lan devices directly into the fe ports.

     

    Right now if I plug anything into a fe port the port comes up but there is no communication to the device. It's like there is no logical link between the fe ports and ge-0/0/1.



  • 4.  RE: Configure interfaces

    Posted 07-31-2019 11:31

    Hi,

     

    What you need to do is:

     

    1. Create a vlan-interface and assign IP address 10.1.1.1 to it.

     

    # set interfaces vlan.10 family inet address 10.1.1.1/24

     

    2. Link this vlan-interface to a vlan.

     

    set vlans [VLAN_NAME] vlan-id 10
    set vlans [VLAN_NAME] l3-interface vlan.10

     

    3. Assign the fe ports to this vlan.

     

    # set interfaces fe-0/0/0 unit 0 family ethernet-switching interface-mode access vlan members [VLAN_NAME]

     

    You don't need to change DHCP configuration.

     



  • 5.  RE: Configure interfaces

    Posted 07-31-2019 11:37

    Will I need to remove the 10.1.1.1 from ge-0/0/1 first? Will the interface need to be assigned to a zone?



  • 6.  RE: Configure interfaces

     
    Posted 07-31-2019 12:07

    yes



  • 7.  RE: Configure interfaces
    Best Answer

    Posted 07-31-2019 12:31

    Yes, you will need to remove the IP address from the ge interface, else you will receive a commit error. Also, you need to place the vlan-interface under the same security-zone where you currently have the ge interface and specify DHCP as host-inbound-traffic under that vlan-interface.

     

    Because you mentioned that the SRX is in production, I recommend scheduling a maintenance window for this.

     

    As a workaround you could create a new subnet and use this new subnet for this migration (for the vlan-interface). Of course this involves creating a new DHCP pool for this new subnet and security-policies and NAT rules for this new subnet. Once this is done, you could unplug one PC from the switch and connect it directly to the SRX and test if everything works as expected; if so, you can move the rest of the PCs. Just keep in mind that they will now be on a different subnet.
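
The three conditions named in the answers above (the address must not remain on the ge interface, the vlan-interface must be in a security zone, and DHCP must be allowed as host-inbound-traffic on it) can be checked against a candidate configuration before a maintenance window. The script below is an added example, not part of the thread: the sample "set" lines, the VLAN name `LAN`, the port `fe-0/0/2` and the zone name `trust` are constructed, and it only looks at interface-level host-inbound-traffic and at identical address strings.

```python
import re

# Constructed candidate configuration in Junos "set" format (not from the thread).
CANDIDATE = """\
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/24
set interfaces vlan unit 10 family inet address 10.1.1.1/24
set vlans LAN vlan-id 10
set vlans LAN l3-interface vlan.10
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members LAN
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
"""

ADDR = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
ZONE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)"
                  r"(?: host-inbound-traffic system-services (\S+))?$")
L3IF = re.compile(r"^set vlans (\S+) l3-interface (\S+)$")

def check_migration(config):
    """Return findings for the three conditions named in the thread."""
    addrs, zones, services, l3 = {}, {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ADDR.match(line):
            # Group logical interfaces (name.unit) by the address they carry.
            addrs.setdefault(m.group(3), []).append(f"{m.group(1)}.{m.group(2)}")
        elif m := ZONE.match(line):
            zones[m.group(2)] = m.group(1)
            if m.group(3):
                services.setdefault(m.group(2), set()).add(m.group(3))
        elif m := L3IF.match(line):
            l3.append(m.group(2))
    findings = []
    for addr, ifs in addrs.items():
        if len(ifs) > 1:  # same address on two interfaces: expect a commit error
            findings.append(f"{addr} is configured on {', '.join(ifs)}; "
                            "remove it from the old interface")
    for ifl in l3:
        if ifl not in zones:
            findings.append(f"{ifl} is not in any security zone")
        elif not services.get(ifl, set()) & {"dhcp", "all"}:
            findings.append(f"{ifl} in zone {zones[ifl]} does not allow DHCP "
                            "as host-inbound-traffic")
    return findings

if __name__ == "__main__":
    for finding in check_migration(CANDIDATE):
        print("FINDING:", finding)
```
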