__**SRX**__

To see what policy is being hit by a flow:

<code>
show security match-policies ?
Possible completions:
  destination-ip       Match policy for the given destination IP
  destination-port     Match policy for the given destination port (1..65535)
  [...]
  source-port          Match policy for the given source port (1..65535)
  to-zone              Match policy for the given destination zone
</code>

{{:network_stuff:arista:j-series_pchain.gif?350 |}} {{ :network_stuff:arista:srx_pchain.png?350|}}

----

Packet processing chain: SRX vs J-Series (important to notice that, in the J-Series, all NAT happens after policy and routing).

**CLUSTER - HA**

Check the logs:
<code>
show log jsrpd
</code>

To log into the shell/CLI of the peer node of the pair:
<code>
rlogin -Jk -T node1
</code>

To force the failover to node 1:
<code>
request chassis cluster failover node 1 redundancy-group 1
</code>

Normally, after a forced failover, we reset the priority values to the ones determined in the config:
<code>
request chassis cluster failover reset redundancy-group 1
</code>

<code>
redundancy-group 1 {
    node 0 priority 100;
    node 1 priority 99;
}
</code>

This priority is only used when the two devices come up at exactly the same time or when preempt is enabled (see this link).

Unrelated to this is the monitored-interface weight. Basically, each weight is subtracted from 255 (forget about the node priority!) and there is a failover when the cumulative weights bring that value down to 0.

----

**HARDWARE**

CHASSIS \\
CARDS:\\
  * IOC: Input/Output Card. Traffic is intelligently distributed by the IOCs to the SPUs for service processing.
  * SCB: Switch Control Board. Monitors and interconnects the IOCs.
  * NPC: Network Processing Card. One unit minimum (SRX3000). Performs session lookup and distributes inbound and outbound traffic to the SPCs/IOCs. Also QoS policy and shaping.
  * SPC: Services Processing Card. One unit minimum. They process all the services, so they don't sit idle. SPC/SPU session management.
  * SPU: Services Processing Unit. They are the SPC processors. They establish and manage traffic flows and perform most of the packet processing on a packet as it transits the device. Hash table for fast session lookup.
  * RE: Routing Engine. Intel-based PC platform. Runs JUNOS.

----

**ETHERNET SWITCHING mode on SRX**\\

  * To enable it in the SRX 300 Series: [[https://marioblab.wordpress.com/2016/10/23/enable-ethernet-switching-mode-on-juniper-firewals-srx-300-series/|External Link]]
<code>
set protocols l2-learning global-mode switching
</code>
reboot, then check:
<code>
show ethernet-switching global-information
</code>

[[http://kb.juniper.net/InfoCenter/index?page=content&id=KB16667&cat=SRX_650&actp=LIST|External Link]]

Create the L2 vlan-trust:
<code>
set vlans vlan-trust vlan-id 3
</code>
Add the vlan.0 L3 interface:
<code>
set vlans vlan-trust l3-interface vlan.0
</code>
And put an IP on it:
<code>
set interfaces vlan.0 family inet address 192.168.1.1/24
</code>
Add physical interfaces to vlan-trust:
<code>
set interfaces ge-0/0/10.0 family ethernet-switching vlan members vlan-trust
</code>

  * See the different modes to configure and manage Layer 2 and bridge settings (bridge settings are needed for transparent mode; read about it later, it uses family ethernet-switching options. See the last section in the transparent mode review document).
  * See this link for the differences between family bridge (uses flow mode, full set of security functionalities) and family ethernet-switching (switches locally): [[http://forums.juniper.net/t5/Ethernet-Switching/Difference-between-family-bridge-and-ethernet-switching/td-p/145646|External Link]]

----

**BGP SRX**\\

To get inspiration: [[http://myitnotes.info/doku.php?id=en:jobs:bgp_basic_configuration|External Link]] & this seminal [[http://puck.nether.net/bgp/juniper-config.html|External Link]] \\
See this [[https://www.experts-exchange.com/questions/28243494/How-to-configure-a-Juniper-SRX210-as-a-client-gateway-using-BGP.html|External Link]]

  * Disable flow mode and enable packet mode: [[http://www.mustbegeek.com/configure-srx-mode-to-packet-mode-from-flow-mode/|External Link]] + disable all security features:
<code>
configure
delete security    (confirm: this will delete everything below this level)
set security forwarding-options family mpls mode packet-based
commit and-quit
request system reboot
</code>
  * Define irb gateway
  * policy options
  * BOGON-LIST
  * irb.1 148.64.57.1 / 254 (decide which one)
  * vlans?
  * irb export term (called iBGP-export in the slingshots)

Note that in packet mode no security policies are allowed, so there is no point in defining zones either. [[http://forums.juniper.net/t5/Routing/J-6350-MPLS-Support/m-p/17775|External Link]]

If we are in flow mode, to allow communication:\\
Put all interfaces in the same zone:
<code>
set security zones security-zone trust interface ge-0/0/2.0
set security zones security-zone trust interface ge-0/0/3.0
</code>
Create a policy to permit intra-zone traffic:
<code>
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any destination-address any application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
</code>

----

**SRX DIRECTORIES**\\

  * /junos : This is a read-only dir created at runtime by malloc. Expected to be at 100%. See [[https://kb.juniper.net/InfoCenter/index?page=content&id=KB27198|Link]]
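Worked example for the CLUSTER - HA section above, added here and not part of the original notes: a constructed interface-monitor configuration for redundancy-group 1 on a two-node cluster, showing how monitored-interface weights consume the per-node threshold of 255 independently of the node priorities. The interface names (ge-0/0/x on node 0, ge-5/0/x on node 1) and the weights are assumptions chosen to illustrate the arithmetic.

```junos
## Added example (not from the original notes): interface monitoring for
## redundancy-group 1 on a constructed two-node cluster. Interface names
## and weights are assumptions chosen to illustrate the 255 threshold.

## Node priorities: these only decide the primary when both nodes boot at
## the same time or when preempt is enabled (preempt is left disabled here).
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 99

## Each node starts RG1 at a threshold of 255. When a monitored interface on
## that node goes down, its weight is subtracted; when the value reaches 0
## the redundancy group fails over to the other node.

## Uplinks: weight 255. Losing one takes that node straight to 0, so a single
## uplink failure triggers a failover on its own.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/0 weight 255

## Inside links: weight 128 each. Losing one leaves 255 - 128 = 127 (no
## failover); losing both on the same node reaches 0 and fails over.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/1 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/2 weight 128
```

Verify with ''show chassis cluster interfaces'' (monitored interfaces, their weights and status) and ''show chassis cluster status'' (where a node whose threshold has been exhausted shows a priority of 0 for the redundancy group).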