This is an old revision of the document!
SRX
To see what policy is being hit by a flow:
show security match-policies ? Possible completions: destination-ip Match policy for the given destination IP destination-port Match policy for the given destination port) (1..65535)
[…]
source-port Match policy for the given source port) (1..65535) to-zone Match policy for the given destination zone
Packet processing chain: SRX vs J-Series (Important to notice that, in j series, all nat happens after policy and routing):
CLUSTER - HACheck logs :show log jsrpd To log into shell/cli from the pair node:
rlogin -Jk -T node1
To force the failover to node 1 request chassis cluster failover node 1 redundancy-group 1
Normally, after force failover, we reset the priority values to the ones determined in the config: request chassis cluster failover reset redundancy-group 1
redundancy-group 1 {
node 0 priority 100;
node 1 priority 99;
This priority is only used when two devices come up at the exact same time or when preempt is enabled. (see this link)
Unrelated is the monitored interface priority. Basically the priority is subtracted from 255 (forget about the node priority! and there is a fail-over when the cumulative weights reach 0!
HARDWARE
CHASSIS
CARDS:
- IOC: Input/output card. Traffic is intelligently distributed by IOCs to SPUs for service processing
- SCB: Switch Control Board: Monitors and interconnect IOCs
- NPC: Network Processing Card: One unit minimum. srx3000.Performs session lookup. To distribute inbound and outbound traffic to the SPCs/IOCs. Also QoS policy and shaping
- SPC: Services Processing Card:One unit minimum.They process all the services so doesn’t sit idle. SPC/SPU session management
- SPU: They are the SPC processors. Establish and manage traffic flows and perform most of the packet processing on a packet as it transits the device. Hash table for fast session lookup.
- RE: Routing Engine: Intel based PC platform. Runs JUNOS
ETHERNET SWITCHING mode on SRX
- To Enable it in SRX 300 Series External Link
- Create the l2 vlan-trust:
set vlans vlan-trust vlan-id 3
- Add interface vlan.0 L3]] interface
set vlans vlan-trust l3-interface vlan.0
- And put ip on it:
set interfaces vlan.0 family inet address 192.168.1.1/24
- Add physical interfaces to vlan-trust
set interfaces ge-0/0/10.0 family ethernet-switching vlan members vlan-trust
- See different modes to configure and manage Layer 2 and bridge settings (bridge settings are needed for transparent mode, ready of it lately users family ethernet-switching options. See last section in transparent mode review document)
- See this link for differences between family bridge (uses flow mode (full set of security functionalities ) and family ethernet-switch (switch local))
