Juniper SRX Configuration

Now that you’ve configured your switch, you need to configure your router, which later labs refer to as your “Hub”. You will be using a Juniper SRX as your router. The configuration will be very similar to the switch’s, with some noticeable and important differences.

System

The system section will look identical to the system section on the switch with the exception of the hostname, which will be:

gw-neatrack-lab

Chassis

The chassis section will also look the same as the switch’s chassis section. However, you will be removing the redundancy configuration as that only applies to switches and is unsupported on the SRX.

Security

Now you will configure the security section, which is not present on the switch. This is important, as the SRX is both a router and a firewall, so there is extra configuration that must be done in order for it to work correctly in your NeatRack lab. There are two subsections that apply to this course: zones and policies.


First, let’s get to the security hierarchy:

router> edit security

Zones

Security zones are how we separate traffic, whether that’s to allow or block certain networks from reaching each other. In NeatRack, we only need one zone, which will be the trust zone. Let’s create the zone first:

router> edit zones security-zone trust

Now, because we are in the trust zone, we want to allow all system services and all protocols to be used:

[edit security zones security-zone trust]
router> set host-inbound-traffic system-services all
router> set host-inbound-traffic protocols all

Next, we need to specify which interfaces are to be put into the trust zone. This would typically be one of your IRB interfaces or it could be a physical interface with an IP address on it. For this case, it’s irb.60:

[edit security zones security-zone trust]
router> set interfaces irb.60

Please note that you will need to add additional interfaces to the trust zone in future labs. Our zone configuration should now look like the following:

[edit security zones security-zone trust]
router> show

host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    irb.60;
}

Policies

Next we need to set the policies. Policies are how we determine where traffic can go based on zones, source IPs, destination IPs, and applications. Because we only have one zone, this is a relatively simple configuration: we want to allow anything in our trust zone, from any source to any destination with any application, to talk. First, let’s go to the policies hierarchy:

[edit security zones security-zone trust]
router> top edit security policies

[edit security policies]
router>

Once in the policies hierarchy, we need to define the “from zone” and the “to zone”. In our case, it’s from the trust zone to the trust zone:

[edit security policies]
router> edit from-zone trust to-zone trust

[edit security policies from-zone trust to-zone trust]
router>

Next is the policy name itself, which we typically name after the from-zone and to-zone:

[edit security policies from-zone trust to-zone trust]
router> edit policy trust-to-trust

[edit security policies from-zone trust to-zone trust policy trust-to-trust]
router>

Then we can specify our match rules, and what to do if there is a match. This is similar to an if-then statement in programming languages. So our match is our if statement:

[edit security policies from-zone trust to-zone trust policy trust-to-trust]
router> set match source-address any
router> set match destination-address any
router> set match application any

Next is the then statement, which in this case we want to allow, or permit:

[edit security policies from-zone trust to-zone trust policy trust-to-trust]
router> set then permit

And that’s it for the policies; they should look like the following:

[edit security policies from-zone trust to-zone trust policy trust-to-trust]
router> top edit security policies

[edit security policies]
router> show

from-zone trust to-zone trust {
    policy trust-to-trust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
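As an added defender-side check (example code written for this page, not part of the NeatRack lab material or any Juniper tooling), the Python script below parses the curly-brace show output of the zones and policies sections above and reports which interfaces sit in each zone, whether host-inbound-traffic is opened to all system services and protocols, and which policies are any/any/any permit rules. In this lab the trust-to-trust permit-all is intentional, but as later labs add interfaces and zones it is worth re-running a check like this after each commit so the wide-open rule never silently covers more than you meant. The sample configuration embedded in the script is constructed from the output shown above; the function names are this example’s own.

```python
import re

# Constructed sample input: the zone and policy output shown in the lab text,
# wrapped in the 'security' hierarchy exactly as 'show security' displays it.
SAMPLE_SECURITY = """
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.60;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
"""

def parse_junos(text):
    """Parse Junos curly-brace output: 'name {' opens a nested dict and 'stmt;'
    becomes a key with value None. Unbalanced braces raise ValueError."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack[-1][line[:-1].strip()] = block = {}
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed block at end of input")
    return stack[0]

def zone_summary(security):
    """Map each zone to its interfaces and whether host-inbound-traffic is 'all'."""
    zones = {}
    for header, body in (security.get("zones") or {}).items():
        if header.startswith("security-zone "):
            hit = body.get("host-inbound-traffic") or {}
            zones[header.split(" ", 1)[1]] = {
                "interfaces": sorted(body.get("interfaces") or {}),
                "system_services_all": "all" in (hit.get("system-services") or {}),
                "protocols_all": "all" in (hit.get("protocols") or {}),
            }
    return zones

def _values(match, field):
    # Values of one match field, flattening '[ a b ]' address/application lists.
    return [v for k in match if k.startswith(field + " ")
            for v in k.split(" ", 1)[1].strip("[] ").split()]

def audit_policies(security):
    """One record per policy; 'wide_open' marks any/any/any permit rules."""
    findings = []
    for header, body in (security.get("policies") or {}).items():
        ctx = re.fullmatch(r"from-zone (\S+) to-zone (\S+)", header)
        if not ctx:
            continue
        for pkey, pbody in body.items():
            if not pkey.startswith("policy "):
                continue
            match, then = pbody.get("match") or {}, pbody.get("then") or {}
            src, dst, app = (_values(match, f) for f in
                             ("source-address", "destination-address", "application"))
            action = next((a for a in ("permit", "deny", "reject") if a in then), None)
            findings.append({"from_zone": ctx.group(1), "to_zone": ctx.group(2),
                             "name": pkey.split(" ", 1)[1], "action": action,
                             "wide_open": action == "permit" and src == dst == app == ["any"]})
    return findings

if __name__ == "__main__":
    cfg = parse_junos(SAMPLE_SECURITY)["security"]
    print(zone_summary(cfg))
    print(audit_policies(cfg))
```

To run it against your own device, paste the output of `show security` from configuration mode in place of the sample string (or read it from a file) and call `zone_summary` and `audit_policies` on `parse_junos(text)["security"]`. Any policy reported as wide open deserves a second look once more than one zone exists.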

Interfaces

We only need to configure a few interfaces on our SRX for now: the uplink to the switch, a test port, and our irb.60.

Uplink to Switch

The configuration for the uplink port to the switch is the same as what you configured on the switch for the uplink to the SRX. The only thing that needs to be changed is the description.

Test Port

We need a port that we can test connectivity to the SRX with BEFORE we plug it into the switch. This extra step will save troubleshooting time. The port will need access to vlan 60 and will look like the following:

[edit interfaces]
router> show ge-0/0/1

ge-0/0/1 {
    description "Test Port (ge-0/0/1)";
    unit 0 {
        family ethernet-switching {
            interface-mode access;
            vlan {
                members 60;
            }
            storm-control default;
        }
    }
}

IRB

Lastly, you need to set up your irb.60 like you did on the switch. Since this is the “hub” of your NeatRack lab, you will give it an IP of 172.30.60.1/24.

Remaining Configuration

The rest of the configuration should look like the switch. The sections to reference are:

  • forwarding-options
  • vlans
  • protocols
  • rstp
  • poe

Verifying and Concluding

Now that everything is configured, you can commit your configuration. If there are any errors, take note of them and correct them. If you are unsure of the error, please reach out to your NeatRack trainer for guidance. You can also Google the issue you’re running into. Remember, Google is your friend: there is a lot of useful documentation out there, and forums can sometimes resolve your issue quicker than troubleshooting on your own.

Testing

Before moving your SRX to the lab, let’s verify that you can SSH to the SRX. Disconnect your laptop from wifi and plug an Ethernet cable from your laptop to your test port on the SRX. Next, go to your network settings on your laptop and set a static IP of 172.30.60.2/24 (255.255.255.0). Once that is done, verify that you can ping the SRX. If your pings are successful, try to SSH into it, and if you are able to, then you may shut down the SRX by running:

gw-neatrack-lab> request system halt at now

Now that the SRX is powered off, you can move it into your lab and connect to your switch.