Adding new interfaces with vlan-tagging enabled to an existing SRX650 A/S



  • Hi All,

    I have an existing SRX 650 (10.4R6.5) Active/Standby firewall. I want to create multiple DMZ segments using VLANs, with each subinterface as the gateway IP address of its segment. Kindly help to advise what commands are needed; I'm quite new to Juniper.

    ====current===config===

    set chassis cluster reth-count 5
    set chassis cluster node 0
    set chassis cluster node 1
    set chassis cluster redundancy-group 0 node 0 priority 100
    set chassis cluster redundancy-group 0 node 1 priority 1
    set chassis cluster redundancy-group 0 hold-down-interval 180
    set chassis cluster redundancy-group 0 interface-monitor ge-2/0/0 weight 255
    set chassis cluster redundancy-group 0 interface-monitor ge-2/0/2 weight 255
    set chassis cluster redundancy-group 0 interface-monitor ge-2/0/4 weight 255
    set chassis cluster redundancy-group 0 interface-monitor ge-2/0/10 weight 255
    set chassis cluster redundancy-group 0 interface-monitor ge-11/0/0 weight 255
    set chassis cluster redundancy-group 0 interface-monitor ge-11/0/2 weight 255
    set chassis cluster redundancy-group 0 interface-monitor ge-11/0/4 weight 255
    set chassis cluster redundancy-group 0 interface-monitor ge-11/0/10 weight 255
    set chassis cluster redundancy-group 0 interface-monitor ge-2/0/5 weight 255
    set chassis cluster redundancy-group 0 interface-monitor ge-11/0/5 weight 255
    set chassis cluster redundancy-group 1 node 0 priority 100
    set chassis cluster redundancy-group 1 node 1 priority 1
    set chassis cluster redundancy-group 1 hold-down-interval 180
    set chassis cluster redundancy-group 1 interface-monitor ge-2/0/0 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-2/0/2 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-2/0/4 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-2/0/10 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-11/0/0 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-11/0/2 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-11/0/4 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-11/0/10 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-2/0/5 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-11/0/5 weight 255
    set interfaces ge-2/0/0 gigether-options redundant-parent reth0
    set interfaces ge-2/0/2 gigether-options redundant-parent reth1
    set interfaces ge-2/0/4 gigether-options redundant-parent reth2
    set interfaces ge-2/0/5 gigether-options redundant-parent reth4
    set interfaces ge-2/0/10 gigether-options redundant-parent reth3
    set interfaces ge-11/0/0 gigether-options redundant-parent reth0
    set interfaces ge-11/0/2 gigether-options redundant-parent reth1
    set interfaces ge-11/0/4 gigether-options redundant-parent reth2
    set interfaces ge-11/0/5 gigether-options redundant-parent reth4
    set interfaces ge-11/0/10 gigether-options redundant-parent reth3
    set interfaces fab0 fabric-options member-interfaces ge-0/0/2
    set interfaces fab1 fabric-options member-interfaces ge-9/0/2
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 unit 0 family inet address 10.163.22.1/28
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 unit 0 family inet address 10.163.22.17/28
    set interfaces reth2 redundant-ether-options redundancy-group 1
    set interfaces reth2 unit 0 family inet address 10.163.22.33/28
    set interfaces reth3 redundant-ether-options redundancy-group 1
    set interfaces reth3 unit 0 family inet address 10.163.25.1/24
    set interfaces reth4 redundant-ether-options redundancy-group 1
    set interfaces reth4 unit 0 family inet address 10.163.22.49/29
    set security zones security-zone Internet screen All-Zone-screen
    set security zones security-zone Internet host-inbound-traffic system-services all
    set security zones security-zone Internet host-inbound-traffic protocols all
    set security zones security-zone Internet interfaces reth0.0

    ======new config I will be adding======= using ge-0/0/3 and ge-9/0/3

    1. Adding a RETH interface; currently the max is only 5
    set chassis cluster reth-count 11

    2.  Enable redundancy group monitoring for the new interface.
    set chassis cluster redundancy-group 0 interface-monitor ge-0/0/3 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-9/0/3 weight 255

    3.  Attach the physical interfaces to a redundant Ethernet interface.
    set interfaces ge-0/0/3 gigether-options redundant-parent reth6
    set interfaces ge-9/0/3 gigether-options redundant-parent reth6

    4.  Add VLAN tagging and IP addresses for the interfaces
    set interfaces reth6 vlan-tagging
    set interfaces reth6 redundant-ether-options redundancy-group 1
    set interfaces reth6 unit 11 vlan-id 11
    set interfaces reth6 unit 11 family inet address x.x.x.x/25
    set interfaces reth6 unit 12 vlan-id 12
    set interfaces reth6 unit 12 family inet address y.y.y.y/25

    5.  Assigning the interface to a Security Zone.
    set security zones security-zone DMZ11 screen All-Zone-screen
    set security zones security-zone DMZ11 host-inbound-traffic system-services all
    set security zones security-zone DMZ11 host-inbound-traffic protocols all
    set security zones security-zone DMZ11 interfaces reth6.11
    set security zones security-zone DMZ12 screen All-Zone-screen
    set security zones security-zone DMZ12 host-inbound-traffic system-services all
    set security zones security-zone DMZ12 host-inbound-traffic protocols all
    set security zones security-zone DMZ12 interfaces reth6.12

    Kindly help to check if the above steps are correct. Also, if I want to enable aggregation, how can I do that?

    thanks,
    firsttimer
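As an added check (not from either poster), a small Python linter over the proposed set-commands: it assumes that node 1 ports are FPC 9 and above on an SRX650 cluster and uses placeholder addresses; run on the proposal above, it flags that ge-0/0/3 is monitored only in redundancy-group 0 while reth6 belongs to redundancy-group 1.

```python
import re
from collections import defaultdict

NODE1_FIRST_FPC = 9  # assumption: on an SRX650 cluster, node 1's FPC slots start at 9 (ge-9/.., ge-11/..)
# Constructed sample: the reth6 addition proposed in the thread, with placeholder addresses.
PROPOSED = """
set chassis cluster reth-count 11
set chassis cluster redundancy-group 0 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/3 weight 255
set interfaces ge-0/0/3 gigether-options redundant-parent reth6
set interfaces ge-9/0/3 gigether-options redundant-parent reth6
set interfaces reth6 vlan-tagging
set interfaces reth6 redundant-ether-options redundancy-group 1
set interfaces reth6 unit 11 vlan-id 11
set interfaces reth6 unit 11 family inet address 192.0.2.1/25
set interfaces reth6 unit 12 vlan-id 12
set interfaces reth6 unit 12 family inet address 192.0.2.129/25
"""

def lint(cfg):
    """Return findings for reth/VLAN additions in a Junos 'set'-style cluster config."""
    reth_count, members, tagged = None, defaultdict(dict), set()
    units, monitored, reth_rg = defaultdict(set), defaultdict(set), {}
    for line in cfg.strip().splitlines():
        if m := re.match(r"set chassis cluster reth-count (\d+)$", line):
            reth_count = int(m.group(1))
        elif m := re.match(r"set chassis cluster redundancy-group (\d+) interface-monitor (\S+) weight", line):
            monitored[int(m.group(1))].add(m.group(2))
        elif m := re.match(r"set interfaces (ge-(\d+)/\d+/\d+) gigether-options redundant-parent (reth\d+)$", line):
            node = 0 if int(m.group(2)) < NODE1_FIRST_FPC else 1  # which cluster node owns this port
            members[m.group(3)].setdefault(node, []).append(m.group(1))
        elif m := re.match(r"set interfaces (reth\d+) vlan-tagging$", line):
            tagged.add(m.group(1))
        elif m := re.match(r"set interfaces (reth\d+) redundant-ether-options redundancy-group (\d+)$", line):
            reth_rg[m.group(1)] = int(m.group(2))
        elif m := re.match(r"set interfaces (reth\d+) unit (\d+) vlan-id \d+$", line):
            units[m.group(1)].add(int(m.group(2)))
    findings = []
    for reth, nodes in members.items():
        idx, rg = int(reth[4:]), reth_rg.get(reth)
        if reth_count is not None and idx >= reth_count:  # reth-count N allows reth0..reth(N-1)
            findings.append(f"{reth}: index {idx} needs reth-count > {idx} (configured {reth_count})")
        if set(nodes) != {0, 1}:  # a reth needs one child on each node to survive failover
            findings.append(f"{reth}: children only on node(s) {sorted(nodes)}; needs one per node")
        for phys in sum(nodes.values(), []):  # an unmonitored child cannot trigger RG failover
            if rg is not None and phys not in monitored[rg]:
                findings.append(f"{reth}: member {phys} is not interface-monitored in redundancy-group {rg}")
        if units[reth] and reth not in tagged:  # vlan-id on a unit needs vlan-tagging on the parent
            findings.append(f"{reth}: units carry vlan-id but 'vlan-tagging' is missing")
    return findings
```

Paste the candidate lines from `show configuration | display set` into `PROPOSED` to check a real change before committing it.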



  • Hi mate,
    the commands below might be helpful;

    Assuming your available reth interface is reth6, assigned to DMZ, you can use the commands below:

    set interfaces reth6 unit 6 vlan-id 6
    set interfaces reth6 unit 6 family inet address 1.1.1.1/24

    For aggregation, you can check the following:

    set chassis aggregated-devices ethernet device-count 5
    set interfaces ge-2/0/1 gigether-options 802.3ad ae0
    set interfaces ge-2/0/2 gigether-options 802.3ad ae0
    set interfaces ae0 aggregated-ether-options lacp active
    set interfaces ae0 unit 0 family ethernet-switching
    set vlans vlan20 vlan-id 20
    set vlans vlan20 interface ae0

    Check the configuration by entering the show vlans and show interfaces commands.
    TIA,
    winters

