VLANs and more

As I slowly diversify my skill set and acquire JUNOS knowledge, I find that the technology and underlying concepts are the same. Minor changes like routing preference and the like are easy to deal with. Slowly I am working through building a home network with an SRX110 as my main device. I have an Opengear ACM5504-G-E console server which I decided needed its own subnet and VLAN. I wanted it to have its own DHCP scope and its interface to reside in another VLAN. Today I will show you how to do this task.

My test network

Define the VLAN

First we create the VLANs by issuing the following set commands from configuration mode.

set vlans Servers vlan-id 2
set vlans OOB-access vlan-id 100

Create SVI

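Now we create the L3 interface that will form our default gateway for devices which reside in the different VLANs we create. Each VLAN also has to be tied to its unit with l3-interface.

set interfaces vlan unit 2 family inet address 192.168.2.1/24
set interfaces vlan unit 100 family inet address 192.168.100.1/24
set vlans Servers l3-interface vlan.2
set vlans OOB-access l3-interface vlan.100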

Apply interface to VLAN

Now we assign the required interfaces to each respective VLAN. Interface fe-0/0/7.0 is going into my OOB-access VLAN and my server is going onto fe-0/0/2.0.

set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members Servers
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members OOB-access

Create DHCP scope

For the moment I want to provide DHCP scopes for these VLANs. If this were a real deployment I would suggest using a dedicated DHCP server.

set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.10
set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254
set system services dhcp pool 192.168.2.0/24 router 192.168.2.1
set system services dhcp pool 192.168.2.0/24 domain-name servers.ciscoinferno.net
set system services dhcp pool 192.168.100.0/24 address-range low 192.168.100.100
set system services dhcp pool 192.168.100.0/24 address-range high 192.168.100.254
set system services dhcp pool 192.168.100.0/24 domain-name oob.ciscoinferno.net
set system services dhcp pool 192.168.100.0/24 router 192.168.100.1

Apply to correct security zone

Now we need to add each VLAN to the required security zone. For now I am just going to use the built-in trust zone, as I will explore zones further in my JNCIS-SEC studies.

set security zones security-zone trust interfaces fe-0/0/2.0
set security zones security-zone trust interfaces vlan.2
set security zones security-zone trust interfaces vlan.100
set security zones security-zone trust interfaces fe-0/0/7.0
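
As an added example (not part of the original post), the Python below audits the set commands above the way a reviewer would before committing: it lists which VLANs' access ports end up in the same security zone and checks each DHCP pool's range and router against its subnet. The function names are hypothetical, and the parser only understands the three command forms used in this post.

```python
import ipaddress
from collections import defaultdict
# Port, DHCP and zone commands copied from this post (domain-name lines omitted).
CONFIG = """\
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members Servers
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members OOB-access
set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.10
set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254
set system services dhcp pool 192.168.2.0/24 router 192.168.2.1
set system services dhcp pool 192.168.100.0/24 address-range low 192.168.100.100
set system services dhcp pool 192.168.100.0/24 address-range high 192.168.100.254
set system services dhcp pool 192.168.100.0/24 router 192.168.100.1
set security zones security-zone trust interfaces fe-0/0/2.0
set security zones security-zone trust interfaces vlan.2
set security zones security-zone trust interfaces vlan.100
set security zones security-zone trust interfaces fe-0/0/7.0
"""

def parse(config):
    """Return (port -> VLAN, zone -> interfaces, pool -> settings)."""
    ports, zones, pools = {}, defaultdict(set), defaultdict(dict)
    for w in (line.split() for line in config.splitlines()):
        if w[:2] == ["set", "interfaces"] and w[-2:-1] == ["members"]:
            ports[f"{w[2]}.{w[4]}"] = w[-1]          # e.g. fe-0/0/7.0 -> OOB-access
        elif w[:4] == ["set", "security", "zones", "security-zone"] and w[5:6] == ["interfaces"]:
            zones[w[4]].add(w[6])
        elif w[:5] == ["set", "system", "services", "dhcp", "pool"]:
            pools[w[5]][" ".join(w[6:-1])] = w[-1]   # key is e.g. "address-range low"
    return ports, zones, pools

def vlans_per_zone(ports, zones):
    """VLANs whose access ports sit in one zone are separated only by that zone's policy."""
    return {z: sorted(ports[i] for i in ifs if i in ports) for z, ifs in zones.items()}

def dhcp_findings(pools):  # flags a range/router outside the subnet, or a leasable router
    found = []
    for prefix, s in pools.items():
        net = ipaddress.ip_network(prefix)
        low, high, gw = (ipaddress.ip_address(s[k]) for k in
                         ("address-range low", "address-range high", "router"))
        if not all(a in net for a in (low, high, gw)):
            found.append(f"{prefix}: range or router outside the pool subnet")
        if low <= gw <= high:
            found.append(f"{prefix}: router {gw} is inside the lease range")
    return found

if __name__ == "__main__":
    ports, zones, pools = parse(CONFIG)
    print(vlans_per_zone(ports, zones), dhcp_findings(pools))
```

On this configuration the DHCP pools pass, and both Servers and OOB-access are reported in trust, so only the trust-to-trust policy stands between the server port and the console server.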

Here is some verification to make sure the magic is happening:

[email protected]> show vlans                             
Name           Tag     Interfaces
Servers        100    
                       fe-0/0/2.0, fe-0/0/7.0*
default        1      
                       None
vlan-trust     2      
                       fe-0/0/1.0*, fe-0/0/3.0, fe-0/0/4.0, fe-0/0/5.0,
                       fe-0/0/6.0

[email protected]> show system services dhcp binding 
IP address       Hardware address   Type     Lease expires at
192.168.100.101  00:13:c6:00:a2:bb  dynamic  2012-12-06 17:57:51 EST
192.168.2.10     00:16:cb:8d:06:b5  dynamic  2012-12-06 15:57:12 EST

[email protected]> show security zones trust     

Security zone: trust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 5
  Interfaces:
    fe-0/0/1.0
    fe-0/0/2.0
    fe-0/0/7.0
    vlan.100
    vlan.2

vlan                    up    up  
vlan.2                  up    up   inet     192.168.2.1/24  
vlan.100                up    up   inet     192.168.100.1/24

Enjoy. Go forth my minions and configure those VLANs.
