Contents
Requirement
Network Diagram
Implementation
    WAN
    LAN
    Security Zones & Policies
    Zone Interface Binding
    Routing Instances
    DHCP and DNS within Routing Instance
References
Requirement
Our client FAST NUCES required a 20 Mbps VC link split into a 15 Mbps and a 5 Mbps portion, each with
its own default route. Keeping this requirement in mind, two VLANs on a single fiber link were
dedicated to this purpose. However, the VLAN traffic also had to be segregated at the client end, and a
Juniper SRX-100 was proposed for that.
Network Diagram
[Figure: 20 Mbps Mobilink BSD connectivity, delivered over a fiber link from the Mobilink BSD Fiber POP (via MC) to the SRX 100 at FAST-Islamabad, which connects the client to the Internet.]
Implementation
The aforementioned requirement of traffic segregation with separate default routes can be
implemented in numerous ways. Junos gives us the option of using multiple routing instances as the
need dictates. This document focuses on implementing the requirement with separate routing
instances, which act as individual virtual routers, roughly equivalent to Cisco's VRFs.
[Figure: SRX100 port assignment]
fe-0/0/0 (WAN): unit 0 (VLAN 67) 10.5.12.206/30, unit 1 (VLAN 68) 10.5.12.210/30
fe-0/0/1 through fe-0/0/4 (LAN): vlan.0, 202.61.61.33/28
fe-0/0/5 through fe-0/0/7 (LAN): vlan.1, 202.61.61.49/29
WAN
Let us start by enabling vlan-tagging on the WAN port so that the SRX100 accepts tagged traffic.
set interfaces fe-0/0/0 vlan-tagging
Next, create the sub-interfaces (logical units), configure the vlan-id [VLAN tag] on each, and assign the desired IP addresses.
set interfaces fe-0/0/0 unit 0 vlan-id 67
set interfaces fe-0/0/0 unit 0 family inet address 10.5.12.206/30
set interfaces fe-0/0/0 unit 1 vlan-id 68
set interfaces fe-0/0/0 unit 1 family inet address 10.5.12.210/30
LAN
Now move on to the LAN ports. Two separate VLANs, or groups, are configured and bound to two
different logical L3 interfaces [recall bgroups from the Juniper SSG-5].
set vlans vlan-15mb vlan-id 15
set vlans vlan-15mb l3-interface vlan.0
set vlans vlan-5mb vlan-id 5
set vlans vlan-5mb l3-interface vlan.1
Bind the physical LAN ports to these VLAN groups and assign the desired IP address to the L3 interface of
each group.
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-15mb
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-15mb
Security Zones & Policies
set security policies from-zone untrust1 to-zone trust1 policy untrust1-to-trust1 match source-address any
set security policies from-zone untrust1 to-zone trust1 policy untrust1-to-trust1 match destination-address any
set security policies from-zone untrust1 to-zone trust1 policy untrust1-to-trust1 match application any
set security policies from-zone untrust1 to-zone trust1 policy untrust1-to-trust1 then permit
Routing Instances
Create two routing instances of type virtual-router to separate the 15 Mbps connectivity from the
5 Mbps, place the WAN sub-interfaces and LAN VLAN groups into their respective routing instances, and
configure a default route on each instance separately.
set routing-instances VC-15 instance-type virtual-router
set routing-instances VC-15 interface fe-0/0/0.0
set routing-instances VC-15 interface vlan.0
set routing-instances VC-15 routing-options static route 0.0.0.0/0 next-hop 10.5.12.205
set routing-instances VC-5 instance-type virtual-router
set routing-instances VC-5 interface fe-0/0/0.1
set routing-instances VC-5 interface vlan.1
set routing-instances VC-5 routing-options static route 0.0.0.0/0 next-hop 10.5.12.209
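Before committing a design like this, two things are worth checking offline: that each virtual router's default-route next-hop is actually reachable through an interface placed in that same instance (a next-hop that only exists in the other instance never resolves), and that the untrust1-to-trust1 policy above, which matches any source, any destination and any application, is really intended as an unrestricted inbound permit. The following Python script is an added example, not part of the original document or of Junos; it parses the page's set commands into a small model and runs both checks. The two "set interfaces vlan unit ..." address lines are an assumption taken from the port diagram (the page does not show them as commands), the zone-name prefix "untrust" is an assumed naming convention, and the function names are the example's own.

```python
"""Offline sanity checks over Junos 'set' commands (added example, not page code)."""
import ipaddress
import re
from collections import defaultdict

# Constructed input: the commands from this document. The two 'set interfaces vlan'
# lines are assumed from the port diagram; the page does not list them as commands.
CONFIG = """
set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/0 unit 0 vlan-id 67
set interfaces fe-0/0/0 unit 0 family inet address 10.5.12.206/30
set interfaces fe-0/0/0 unit 1 vlan-id 68
set interfaces fe-0/0/0 unit 1 family inet address 10.5.12.210/30
set interfaces vlan unit 0 family inet address 202.61.61.33/28
set interfaces vlan unit 1 family inet address 202.61.61.49/29
set security policies from-zone untrust1 to-zone trust1 policy untrust1-to-trust1 match source-address any
set security policies from-zone untrust1 to-zone trust1 policy untrust1-to-trust1 match destination-address any
set security policies from-zone untrust1 to-zone trust1 policy untrust1-to-trust1 match application any
set security policies from-zone untrust1 to-zone trust1 policy untrust1-to-trust1 then permit
set routing-instances VC-15 instance-type virtual-router
set routing-instances VC-15 interface fe-0/0/0.0
set routing-instances VC-15 interface vlan.0
set routing-instances VC-15 routing-options static route 0.0.0.0/0 next-hop 10.5.12.205
set routing-instances VC-5 instance-type virtual-router
set routing-instances VC-5 interface fe-0/0/0.1
set routing-instances VC-5 interface vlan.1
set routing-instances VC-5 routing-options static route 0.0.0.0/0 next-hop 10.5.12.209
"""

# Constructed misconfiguration: VC-5's default route pointed at VC-15's gateway.
BAD_CONFIG = CONFIG.replace("next-hop 10.5.12.209", "next-hop 10.5.12.205")

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
RI_IF_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
RI_ROUTE_RE = re.compile(
    r"^set routing-instances (\S+) routing-options static route (\S+) next-hop (\S+)$")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (\S+) (\S+)|then (\S+))$")


def parse(config):
    """Build (addrs, ri_ifaces, ri_routes, policies) from set-style commands."""
    addrs = {}                      # "fe-0/0/0.0" -> IPv4Interface
    ri_ifaces = defaultdict(list)   # instance -> [logical interface, ...]
    ri_routes = defaultdict(list)   # instance -> [(prefix, next-hop address), ...]
    policies = defaultdict(dict)    # (from-zone, to-zone, name) -> match terms + action
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):
            addrs[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := RI_IF_RE.match(line):
            ri_ifaces[m[1]].append(m[2])
        elif m := RI_ROUTE_RE.match(line):
            ri_routes[m[1]].append((m[2], ipaddress.ip_address(m[3])))
        elif m := POLICY_RE.match(line):
            terms = policies[(m[1], m[2], m[3])]
            if m[4]:                # "match <key> <value>"; a key may repeat
                terms.setdefault(m[4], set()).add(m[5])
            else:                   # "then <action>"
                terms["action"] = m[6]
    return addrs, ri_ifaces, ri_routes, policies


def check_next_hops(addrs, ri_ifaces, ri_routes):
    """Per instance, (prefix, next-hop, resolvable) for each static route; resolvable
    is True only if the next-hop lies in the subnet of an interface of that instance."""
    report = {}
    for ri, routes in ri_routes.items():
        connected = [addrs[i].network for i in ri_ifaces[ri] if i in addrs]
        report[ri] = [(prefix, str(nh), any(nh in net for net in connected))
                      for prefix, nh in routes]
    return report


def find_permissive_inbound(policies, untrust_prefix="untrust"):
    """Names of permit policies from an untrust* zone matching any/any/any."""
    hits = []
    for (from_zone, _to_zone, name), terms in policies.items():
        if not from_zone.startswith(untrust_prefix) or terms.get("action") != "permit":
            continue
        if all("any" in terms.get(k, set())
               for k in ("source-address", "destination-address", "application")):
            hits.append(name)
    return hits


def run_checks(config):
    """Run both checks over one configuration string."""
    addrs, ri_ifaces, ri_routes, policies = parse(config)
    return {"next_hops": check_next_hops(addrs, ri_ifaces, ri_routes),
            "permissive_inbound": find_permissive_inbound(policies)}


if __name__ == "__main__":
    for label, cfg in (("page config", CONFIG), ("misconfigured VC-5", BAD_CONFIG)):
        print(label, run_checks(cfg))
```

On the page's configuration both default routes resolve inside their own instance (10.5.12.205 sits in 10.5.12.204/30 on fe-0/0/0.0 in VC-15, 10.5.12.209 in 10.5.12.208/30 on fe-0/0/0.1 in VC-5), and the policy check reports untrust1-to-trust1. In the constructed BAD_CONFIG, VC-5's route points at 10.5.12.205, which belongs to no interface in VC-5, so the check flags it as unresolvable.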