SRX

last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  Secure-access-port questions....

    Posted 09-26-2018 12:54
    I have an srx240b2. I have chosen to try the secure-access-port option for the ports that I use. They are ge-0/0/1.0 to ge-0/0/15.0 . I know that I want to use them on those ports. My question is..... If I use this option on port ge-0/0/0.0 will it be a waste of code. I use port ge-0/0/0.0 for my modem(wan) connection. It is DHCP enabled. Will the SRX utilize the Mac attributes from the modem? I assume that nat will take care of the Mac attributes from the external. Should I turn on secure-access-port on the ge-0/0/0.0 port?


  • 2.  RE: Secure-access-port questions....
    Best Answer

    Posted 09-26-2018 20:21

    Hi Eugene

     

    If ge-0/0/0.0 is DHCP enabled then it is a L3 interface (family inet) and you cannot use secure-access-port on a L3 interface but only in L2 interfaces (family ethernet-switching).

    If you configure a L3 interface under [edit ethernet-switching-options secure-access-port interface ] hierarchy and this interface is family inet, the SRX will report an error upon commit stating that the L3 interface doesnt exitst. See below:

     

     

    root@SRX1# show interfaces
fe-0/0/3 {
    unit 0 {
        family inet;
    }
}
fe-0/0/4 {
    unit 0 {
        family ethernet-switching;
    }
}

     

     

    We include both interfaces under secure-access-port:

     

     

    [edit]
root@SRX1# show ethernet-switching-options
secure-access-port {
    interface fe-0/0/3.0 {
        mac-limit 1 action log;
        persistent-learning;
    }
    interface fe-0/0/4.0 {
        mac-limit 1 action log;
        persistent-learning;
    }
}

     

    Upon commit you will receive an error that the L3 interface (fe-0/0/3) doesnt exist:

     

    [edit]
root@SRX1# commit check
[edit ethernet-switching-options secure-access-port]
  'interface fe-0/0/3.0'
    Interface fe-0/0/3.0 not found
error: configuration check-out failed

    If we remove the L3 interface only then the commit works:

     

    [edit]
root@SRX1# delete ethernet-switching-options secure-access-port interface fe-0/0/3.0

[edit]
root@SRX1# commit check
configuration check succeeds

    I hope the above info is helpful. Smiley Wink

     

     



  • 3.  RE: Secure-access-port questions....

    Posted 09-27-2018 04:02

    I realize it is simple enough to try the code first. My environment is a harsh location. This is why.

    My version is 11.47xxx , the output was...

     

    There were error(s) delivering the configuration.

    Error(s):
    'interface ge-0/0/0.0'

    1) Interface ge-0/0/0.0 not found
    2) configuration check-out failed

     

    thx for the help. Knowing a little more info helped.



  • 4.  RE: Secure-access-port questions....

    Posted 09-27-2018 09:02

    You are very welcome Eugene, thanks for marking the post as resolved!