SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  open discussion about vlan architecture

    Posted 07-14-2014 09:27

    Our branch office has everyone on the same LAN segment at the moment 192.68.3.x/24 - this includes phones, printers, and staff. I've been asked to create some VLANs to separate the VOIP phones as well as tech and business staff members.

     

    We have an SRX210 with Junos 11.4R10.3. There is the default vlan-trust, and I was thinking of adding two more - vlan-VOIP and vlan-IT. I intend to leave all the printers and the business-oriented employees in vlan-trust.

     

    Then I started thinking about assigning interfaces to the vlans and ran into an issue. All the devices are plugged into a couple of unmanaged Dell switches. One switch uplinks to the other and then to the ge-0/0/1 interface on the SRX. ge-0/0/0 is on the untrusted network. The network devices (phones, access points, printers, laptops) are randomly plugged into the Dell switches, and there are some small Linksys 5-port switches scattered around the office as well.

     

    I am going to convert the Dell switches to managed mode. I've created the VLANs. There's a dhcp server on the default vlan. What kind of suggestions do you have to segregate my traffic (another goal is to set up CoS for VOIP traffic) using the Dell switches, SRX interfaces or whatever else you can think of?

     

    MJ



  • 2.  RE: open discussion about vlan architecture
    Best Answer

    Posted 07-14-2014 21:08

    Hi Mike,

     

    /* 802.1Q trunk to the Dell switch: one logical unit per VLAN */
    ge-0/0/0 {
        vlan-tagging;
        unit 10 {
            description VOIP;
            vlan-id 10;
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 100 {
            description Printers;
            vlan-id 100;
            family inet {
                address 192.168.2.1/24;
            }
        }
        unit 200 {
            description Lan;
            vlan-id 200;
            family inet {
                address 192.168.3.1/24;
            }
        }
    }

    You can configure 3 VLANs on the Dell switch for VOIP, LAN and Printers.

    Configure sub-interfaces on the SRX for each VLAN.

    The port on the Dell switch connecting the SRX and the Dell switch has to be a trunk port.

    Now ge-0/0/0.10 for VOIP
    ge-0/0/0.100 for Printers
    ge-0/0/0.200 for LAN

    Now create policies to allow access between the VOIP, Printer and LAN zones accordingly.

     

     

    Regards
    rparthi
     

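An added example, not part of the original posts, of the zone and policy step described in the reply above: each sub-interface is bound to its own security zone and only LAN-to-Printers print traffic is permitted. The zone names follow the reply; the policy name, the custom application and the TCP 9100 print port are assumptions.

```junos
applications {
    /* Assumed: printers accept raw print jobs on TCP 9100 */
    application raw-print-9100 {
        protocol tcp;
        destination-port 9100;
    }
}
security {
    zones {
        /* One zone per sub-interface from the reply above.
           No host-inbound-traffic is enabled, so the SRX itself
           does not answer on these interfaces. */
        security-zone VOIP {
            interfaces {
                ge-0/0/0.10;
            }
        }
        security-zone Printers {
            interfaces {
                ge-0/0/0.100;
            }
        }
        security-zone LAN {
            interfaces {
                ge-0/0/0.200;
            }
        }
    }
    policies {
        /* Staff may send print jobs; no policy exists in the reverse direction */
        from-zone LAN to-zone Printers {
            policy lan-to-printers {
                match {
                    source-address any;
                    destination-address any;
                    application raw-print-9100;
                }
                then {
                    permit;
                }
            }
        }
        /* Zone pairs without a policy (for example VOIP to LAN) are dropped */
        default-policy {
            deny-all;
        }
    }
}
```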

     



  • 3.  RE: open discussion about vlan architecture

    Posted 07-15-2014 12:57

    Thanks for your reply. I'm going to accept this as the solution. I have a couple more questions. We have a mix of wired and wireless connections. I'm thinking I can use different SSIDs to sort the wireless customers into different VLANs. The phones are all wired - I can use port tagging on the switch to assign the vlans.

     

    I'm not sure of the difference between setting up vlan-tagging under the interface vs under the vlans hierarchy. Why do it under the interface? I'm still at the early stages in my Junos learning.

     

    I still have a few other issues to resolve - the SoundPoint IP phones have a 2-port switch on the back and some users are connected via hardwire (instead of wireless). But that's not an SRX problem 🙂

     

    Thanks,

    MJ



  • 4.  RE: open discussion about vlan architecture

    Posted 07-16-2014 02:09

    Hi Mike,

     

    VLANs can be configured on the SRX using the vlan configuration.

    Each interface needs to be made L2 using ethernet switching, and then you configure a logical L3 interface (vlan.x).

    It is used when you want to use the SRX interfaces as switch ports and connect devices to each port.

    But for scaling, the proper way is to configure the VLANs on the switch and configure the SRX interface as an L3 interface with VLAN tagging to route traffic between VLANs.

     

    Regards
    rparthi
     
