I have a feeling this is really obvious...
My setup is as follows:
I have a Comcast Business device upstream of my SRX that is configured to give me IPs on a /28. I've assigned those IPs to ge-0/0/0.0.
I would like to use one of those IPs for management of the SRX (via HTTPS and SSH), one for VPN (dynamic VPN), and the rest for servers (I'd NAT the public IPs to separate internal IPs on a DMZ zone to which ge-0/0/3.0 belongs).
The web management setup looks like this:
web-management {
    management-url jweb;
    https {
        /* wildcard certificate; name redacted */
        pki-local-certificate star_<domain-name redacted>;
        /* J-Web listens on both the internal VLAN and the public interface */
        interface [ vlan.0 ge-0/0/0.0 ];
    }
}
The public interface looks like this (IPs have been redacted):
ge-0/0/0 {
    unit 0 {
        family inet {
            /* all usable addresses of the /28 on the single logical unit */
            address 96.89.xxx.xx1/28;
            address 96.89.xxx.xx2/28;
            address 96.89.xxx.xx3/28;
            address 96.89.xxx.xx4/28;
            address 96.89.xxx.xx5/28;
            address 96.89.xxx.xx6/28;
            address 96.89.xxx.xx7/28;
            address 96.89.xxx.xx8/28;
            address 96.89.xxx.xx9/28;
            address 96.89.xxx.xy0/28;
            address 96.89.xxx.xy1/28;
            address 96.89.xxx.xy2/28;
        }
    }
}
Currently, I can SSH to, VPN to, or access the web management interface from any of these IPs. I'd like to actually segment things. What would be the best way to accomplish this? When I tried adding a logical unit to the interface, it gave me some error about only allowing the one unit 0 on the interface.
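One way to get the segmentation asked about above, as an added example that is not part of the original post: a stateless firewall filter applied inbound on ge-0/0/0.0 that only accepts SSH/HTTPS when the destination is the management address and only accepts IKE when the destination is the VPN address, discarding those services to every other address on the /28. Because the whole block is addressed to the one logical unit, no second unit is needed. The filter name, term names, and the choice of .xx1 as the management address and .xx2 as the VPN address are assumptions for illustration; the addresses are kept in the redacted form used in the post and would be replaced with the real ones.

```junos
firewall {
    family inet {
        /* hypothetical filter name; applied as the input filter on ge-0/0/0.0 */
        filter PUBLIC-IN {
            /* management services are only reachable on the assumed management IP (.xx1) */
            term allow-mgmt-to-mgmt-ip {
                from {
                    destination-address {
                        96.89.xxx.xx1/32;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* the same services to any other address on the /28 are dropped and logged */
            term drop-mgmt-elsewhere {
                from {
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then {
                    log;
                    discard;
                }
            }
            /* IKE for the dynamic VPN is only accepted on the assumed VPN IP (.xx2) */
            term allow-ike-to-vpn-ip {
                from {
                    destination-address {
                        96.89.xxx.xx2/32;
                    }
                    protocol udp;
                    destination-port [ 500 4500 ];
                }
                then accept;
            }
            term drop-ike-elsewhere {
                from {
                    protocol udp;
                    destination-port [ 500 4500 ];
                }
                then {
                    log;
                    discard;
                }
            }
            /* everything else (the NATed server addresses, return traffic) continues
               to the security policy; without this term the implicit discard at the
               end of the filter would drop all remaining traffic */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input PUBLIC-IN;
                }
            }
        }
    }
}
```

The filter is evaluated before the flow engine, so the untrust zone still needs ssh, https and ike under host-inbound-traffic system-services for the management and VPN addresses to answer at all; the filter only decides which of the twelve addresses those services are reachable on. Trimming the web-management interface list to the interfaces that should actually serve J-Web is a separate control and does not distinguish between addresses on the same unit.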