SRX
To see what policy is being hit by a flow:
show security match-policies ? Possible completions: destination-ip Match policy for the given destination IP destination-port Match policy for the given destination port) (1..65535)
[…]
source-port Match policy for the given source port) (1..65535) to-zone Match policy for the given destination zone
Packet processing chain: SRX vs J-Series (Important to notice that, in j series, all nat happens after policy and routing):
CLUSTER - HACheck logs :show log jsrpd To log into shell/cli from the pair node:
rlogin -Jk -T node1
To force the failover to node 1 request chassis cluster failover node 1 redundancy-group 1
Normally, after force failover, we reset the priority values to the ones determined in the config: request chassis cluster failover reset redundancy-group 1
redundancy-group 1 {
node 0 priority 100;
node 1 priority 99;
This priority is only used when two devices come up at the exact same time or when preempt is enabled. (see this link)
Unrelated is the monitored interface priority. Basically the priority is subtracted from 255 (forget about the node priority! and there is a fail-over when the cumulative weights reach 0!
HARDWARE
CHASSIS
CARDS:
- IOC: Input/output card. Traffic is intelligently distributed by IOCs to SPUs for service processing
- SCB: Switch Control Board: Monitors and interconnect IOCs
- NPC: Network Processing Card: One unit minimum. srx3000.Performs session lookup. To distribute inbound and outbound traffic to the SPCs/IOCs. Also QoS policy and shaping
- SPC: Services Processing Card:One unit minimum.They process all the services so doesn’t sit idle. SPC/SPU session management
- SPU: They are the SPC processors. Establish and manage traffic flows and perform most of the packet processing on a packet as it transits the device. Hash table for fast session lookup.
- RE: Routing Engine: Intel based PC platform. Runs JUNOS
ETHERNET SWITCHING mode on SRX
- To Enable it in SRX 300 Series External Link
set protocols l2-learning global-mode switching
reboot show ethernet-switching global-information
External Link
Create the l2 vlan-trust:
set vlans vlan-trust vlan-id 3
Add interface vlan.0 L3]] interface
set vlans vlan-trust l3-interface vlan.0
And put ip on it:
set interfaces vlan.0 family inet address 192.168.1.1/24
Add physical interfaces to vlan-trust
set interfaces ge-0/0/10.0 family ethernet-switching vlan members vlan-trust
- See different modes to configure and manage Layer 2 and bridge settings (bridge settings are needed for transparent mode, ready of it lately users family ethernet-switching options. See last section in transparent mode review document)
- See this link for differences between family bridge (uses flow mode (full set of security functionalities ) and family ethernet-switch (switch local)): External Link
BGP SRX
To get inspiration: External Link & this seminal External Link
See this External Link
- Disable flow mode and enable packet mode: External Link + disable all security features:
configure
delete security < confirm this will delete everything below this level> set security forwarding-options family mpls mode packet-based commit and-quit request system reboot
- Define irb gateway
- policy options
- BOGON-LIST
- irb.1 148.64.57.1 / 254 (decide which one)
- vlans?
- irb export term (called iBGP-export in the slingshots)
Note that in packet mode, no security policies are allowed, no point on defining zones either.. External Link
If we are in flow mode, To allow communication:
Put all interfaces in the same zone:
set security zones security-zone trust interface ge-0/0/2.0 set security zones security-zone trust interface ge-0/0/3.0
Create a policy to permit intra-zone traffic.
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any destination address any application any set security policies from-zone trust to-zone trust policy trust-to-trust then permit
SRX DIRECTORIES
- /junos : This is a read-only dir created in runtime by malloc. Expected to be 100%. See Link