dokucama

User Tools

Site Tools

Trace: ws_analysis openstack
network_stuff:juniper:srx

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
network_stuff:juniper:srx [2016/02/05 20:45] – external edit 127.0.0.1network_stuff:juniper:srx [2023/11/02 14:38] (current) – external edit 127.0.0.1
Line 38: Line 38:
  
 Unrelated is the monitored interface priority. Basically the priority is subtracted from 255 (forget about the node priority! and there is a fail-over when the cumulative weights reach 0! Unrelated is the monitored interface priority. Basically the priority is subtracted from 255 (forget about the node priority! and there is a fail-over when the cumulative weights reach 0!
 +----
 +**HARDWARE**
 +CHASSIS \\
 +
 +CARDS:\\
 +  * IOC: Input/output card. Traffic is intelligently distributed by IOCs to SPUs for service processing
 +  * SCB: Switch Control Board: Monitors and interconnect IOCs
 +  * NPC: Network Processing Card: One unit minimum. srx3000.Performs session lookup. To distribute inbound and outbound traffic to the SPCs/IOCs. Also QoS policy and shaping
 +  * SPC: Services Processing Card:One unit minimum.They process all the services so doesn’t sit idle. SPC/SPU session management
 +  * SPU: They are the SPC processors. Establish and manage traffic flows and perform most of the packet processing on a packet as it transits the device. Hash table for fast session lookup.
 +  * RE: Routing Engine: Intel based PC platform. Runs JUNOS
 +
 +----
 +**ETHERNET SWITCHING mode on SRX**\\
 +
 +  * To Enable it in SRX 300 Series [[https://marioblab.wordpress.com/2016/10/23/enable-ethernet-switching-mode-on-juniper-firewals-srx-300-series/|External Link]]
 +  set protocols l2-learning global-mode switching
 +  reboot
 +  show ethernet-switching global-information
 +
 +\\
 +[[http://kb.juniper.net/InfoCenter/index?page=content&id=KB16667&cat=SRX_650&actp=LIST|External Link]]
 +Create the l2 vlan-trust:
 +  set vlans vlan-trust vlan-id 3
 +Add interface vlan.0 L3]] interface
 +  set vlans vlan-trust l3-interface vlan.0
 +And put ip on it:
 +  set interfaces vlan.0 family inet address 192.168.1.1/24
 +Add physical interfaces to vlan-trust
 +  set interfaces ge-0/0/10.0 family ethernet-switching vlan members vlan-trust
 +\\
 +  * See different modes to configure and manage Layer 2 and bridge settings (bridge settings are needed for transparent mode, ready of it lately users family ethernet-switching options. See last section in transparent mode review document) 
 +  * See this link for differences between family bridge (uses flow mode (full set of security functionalities ) and family ethernet-switch (switch local)): [[http://forums.juniper.net/t5/Ethernet-Switching/Difference-between-family-bridge-and-ethernet-switching/td-p/145646|External Link]]
 +
 +
 +----
 +**BGP SRX**\\
 +To get inspiration: [[http://myitnotes.info/doku.php?id=en:jobs:bgp_basic_configuration|External Link]] & this seminal [[http://puck.nether.net/bgp/juniper-config.html|External Link]]
 +\\
 +See this [[https://www.experts-exchange.com/questions/28243494/How-to-configure-a-Juniper-SRX210-as-a-client-gateway-using-BGP.html|External Link]]
 +  * Disable flow mode and enable packet mode: [[http://www.mustbegeek.com/configure-srx-mode-to-packet-mode-from-flow-mode/|External Link]] + disable all security features:
 +  configure
 +  delete security
 +  < confirm this will delete everything below this level>
 +  set security forwarding-options family mpls mode packet-based 
 +  commit and-quit
 +  request system reboot
 +
 +  * Define irb gateway
 +  * policy options
 +    * BOGON-LIST
 +    * irb.1 148.64.57.1 / 254 (decide which one)
 +    * vlans?
 +    * irb export term (called iBGP-export in the slingshots)
 +
 +Note that in packet mode, no security policies are allowed, no point on defining zones either.. [[http://forums.juniper.net/t5/Routing/J-6350-MPLS-Support/m-p/17775|External Link]]
 +
 +
 +If we are in flow mode, To allow communication:\\
 +Put all interfaces in the same zone:
 +
 +  set security zones security-zone trust interface ge-0/0/2.0
 +  set security zones security-zone trust interface ge-0/0/3.0
 +
 +Create a policy to permit intra-zone traffic.
 +
 +  set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any destination address any application any
 +  set security policies from-zone trust to-zone trust policy trust-to-trust then permit
 +
 +
 +----
 +
 +**SRX DIRECTORIES**\\
 +  * /junos : This is a read-only dir created in runtime by malloc. Expected to be 100%. See [[https://kb.juniper.net/InfoCenter/index?page=content&id=KB27198 |Link]] 
 +
network_stuff/juniper/srx.1454705131.txt.gz · Last modified: (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki