SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  DHCP, SRX320 and out of my depth (SOLVED)

    Posted 03-04-2017 02:36

    Hello All,

    I'm sure someone will look at this for about ten seconds and spot my issue. So if you're out there, I appreciate your help in advance. This is my first foray into Junos/SRX as I'm replacing an old Cisco 857 I had - and thought as I have no DSL for a few days, I may as well start trying to get this working.

    Basically where I'm stuck, or what I'm trying to achieve is the following:

    1) Have interfaces ge-0/0/1 through ge-0/0/5 operating as switch ports within the same logical trust zone, able to communicate with one another.

    2) Have DHCP working, it seems to hand out addresses that are statically defined - but not dynamic ones from a pool.

    I've included my whole config below, and would greatly appreciate any input/suggestions/assistance as I've run out of combinations of profanities to use.

    root@srx> show configuration
    ## Last commit: 2017-03-04 10:04:36 UTC by root
    version 15.1X49-D45;
    system {
        host-name X;
        time-zone "Australia\Melbourne";
        root-authentication {
            encrypted-password "X"; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        login {
            user X {
                uid 2001;
                class super-user;
                authentication {
                    encrypted-password "X"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            xnm-clear-text;
            web-management {
                http {
                    interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
                }
                https {
                    system-generated-certificate;
                    interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
                }
            }
            dhcp {
                traceoptions {
                    file dhcp.dbg;
                    level all;
                    flag all;
                }
                pool 192.168.2.0/24 {
                    address-range low 192.168.2.2 high 192.168.2.254;
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        192.168.2.1;
                    }
                }
                static-binding 80:2a:a8:40:97:73 {
                    fixed-address {
                        192.168.2.202;
                    }
                }
                static-binding b8:27:eb:77:88:66 {
                    fixed-address {
                        192.168.2.203;
                    }
                }
                static-binding dc:ef:09:d2:a2:14 {
                    fixed-address {
                        192.168.2.204;
                    }
                }
                static-binding 00:10:75:43:c0:ab {
                    fixed-address {
                        192.168.2.201;
                    }
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
    
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
    
    
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                                http;
                                https;
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                    at-2/0/0.0;
                    pp0.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            description "X";
            unit 0 {
                family inet {
                    address 10.0.0.1/32;
                }
            }
        }
        ge-0/0/1 {
            description "X";
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            description "Access Point";
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            description "NAS Drive";
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            description "X";
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        at-2/0/0 {
            mtu 1540;
            encapsulation ethernet-over-atm;
            atm-options {
                vpi 8;
            }
            dsl-options {
                operating-mode auto;
            }
            unit 0 {
                encapsulation ppp-over-ether-over-atm-llc;
                vci 8.35;
            }
        }
        irb {
            unit 0 {
                proxy-arp;
                family inet {
                    address 192.168.2.1/24;
                }
            }
        }
        pp0 {
            traceoptions {
                flag all;
            }
            unit 0 {
                point-to-point;
                ppp-options {
                    chap {
                        default-chap-secret "X"; ## SECRET-DATA
                        local-name "X";
                        passive;
                    }
                    pap {
                        default-password "X"; ## SECRET-DATA
                        local-name "X";
                        local-password "X"; ## SECRET-DATA
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface at-2/0/0.0;
                    idle-timeout 0;
                    auto-reconnect 30;
                    client;
                }
                no-keepalives;
                family inet {
                    negotiate-address;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop pp0.0;
                metric 1;
            }
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
    }
    vlans {
        vlan-trust {
            vlan-id 10;
            l3-interface irb.0;
        }
    }
    



     

     



  • 2.  RE: DHCP, SRX320 and out of my depth (SOLVED)
    Best Answer

    Posted 03-04-2017 04:21

    Hi,

     

    • I see that the SRX320 is running version 15.1X49-D45.
    • You are using DHCP configuration on the SRX.
    • The DHCP config has been deprecated from 15.1X49-D60 and JDHCP has replaced it completely.

    https://kb.juniper.net/InfoCenter/index?page=content&id=TSB16991

     

    1. Upgrade the SRX to D75 which is more stable than the current running version.
    2. Use JDHCP as mentioned in the following link :-

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB26898

     

    Hope this helps!

     

    Regards,

    Sahil Sharma
    ---------------------------------------------------
    Please mark my solution as accepted if it helped, Kudos are appreciated as well.
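
For reference, the legacy `system services dhcp` stanza from the first post expressed in JDHCP form (an added example, not part of any poster's reply). Addresses and MAC bindings are taken from the posted configuration; the group name `trust-dhcp`, pool name `trust-pool` and the `host-2xx` labels are hypothetical.

```junos
/* Added example: JDHCP equivalent of the legacy DHCP stanza in post 1. */
/* Group, pool and host names are hypothetical; values come from the posted config. */
/* Delete the legacy "system services dhcp" stanza when loading this. */
system {
    services {
        dhcp-local-server {
            group trust-dhcp {
                interface irb.0;
            }
        }
    }
}
access {
    address-assignment {
        pool trust-pool {
            family inet {
                network 192.168.2.0/24;
                range dynamic {
                    low 192.168.2.2;
                    high 192.168.2.254;
                }
                dhcp-attributes {
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        192.168.2.1;
                    }
                }
                host host-201 {
                    hardware-address 00:10:75:43:c0:ab;
                    ip-address 192.168.2.201;
                }
                host host-202 {
                    hardware-address 80:2a:a8:40:97:73;
                    ip-address 192.168.2.202;
                }
                host host-203 {
                    hardware-address b8:27:eb:77:88:66;
                    ip-address 192.168.2.203;
                }
                host host-204 {
                    hardware-address dc:ef:09:d2:a2:14;
                    ip-address 192.168.2.204;
                }
            }
        }
    }
}
```

The server only answers on `irb.0` if the zone permits DHCP as host-inbound traffic; the posted trust zone already allows it through `system-services all`.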



  • 3.  RE: DHCP, SRX320 and out of my depth (SOLVED)

    Posted 03-04-2017 22:14

    Hi,

    Thanks for your input. I've now changed all my configuration over to use jdhcp - but am still seeing the same issues.

    I'll get my srx updated from 15.1X49-D45 to 15.1X49-D75 and fingers crossed that does the job.

    I'll post here with any progress I make.



  • 4.  RE: DHCP, SRX320 and out of my depth (SOLVED)

    Posted 03-08-2017 02:36
    root@klaus-core> show version
    Hostname: klaus-core
    Model: srx320
    Junos: 15.1X49-D75.5
    JUNOS Software Release [15.1X49-D75.5]
    
    root@klaus-core> show dhcp server binding
    IP address        Session Id  Hardware address   Expires     State      Interface
    192.168.2.100     1           5c:26:0a:65:d5:2a  86013       BOUND      irb.0
    192.168.2.203     2           b8:27:eb:77:88:66  85045       BOUND      irb.0
    
    C:\Users\bcummings>ping 192.168.2.203
    
    Pinging 192.168.2.203 with 32 bytes of data:
    Reply from 192.168.2.203: bytes=32 time=4ms TTL=64
    Reply from 192.168.2.203: bytes=32 time=4ms TTL=64
    Reply from 192.168.2.203: bytes=32 time=5ms TTL=64
    Reply from 192.168.2.203: bytes=32 time=4ms TTL=64
    
    C:\Users\bcummings>ping 192.168.2.1
    
    Pinging 192.168.2.1 with 32 bytes of data:
    Reply from 192.168.2.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.2.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.2.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.2.1: bytes=32 time=1ms TTL=64

    The software update has done the trick. Thank you very much (I initially assumed my config was wrong).