As many of you are well aware I own a Juniper Networks SRX110H-VA firewall. THis firewall has been the focus of many blogs up until now. I have covered off a myriad of subjects with many more to come in the future. One feature of this particular model and one which separates it from the SRX100 series, is it’s ADSL interface.
On the picture above below the Powered by Junos text you can note a black port. This accepts a 2-pair RJ11 cable. Connected into my wall and off into the POTS, this cable runs back to my carries DSLAM. This post assumes an ADSL service is already active and running on the line. It is important to remember that the current settings I list below work from Australian ISPs. I am not familiar with ISP networks to know if all settings are a world wide standard though it would honestly surprise me if it was.
So my goal of this post was to get ADSL installed. Kurt and Cooper had pointed me in the right direction in the past. I had seem configs around and knew what the end goal was. It was time to do it. After ensuring I would breech a household Service Level Agreement, I commenced my outage.
First, note that the ADSL interface is separate to other interfaces, defined by the FPC number. Separate card, different number.
set interfaces at-1/0/0 description ADSL2+_Bigpond_Liberty200GB set interfaces at-1/0/0 traceoptions flag all set interfaces at-1/0/0 mtu 1540 set interfaces at-1/0/0 encapsulation atm-pvc set interfaces at-1/0/0 atm-options vpi 8 set interfaces at-1/0/0 dsl-options operating-mode auto
So above I have defined the MTU I want. This is important due to overheads and the last thing you want is fragmented traffic. Most ISPs should support 1540 though some carries may not. I’ve labeled the description and set the operating mode and now it is time to define the logical unit.
set interfaces at-1/0/0 unit 0 description PPPoA set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-llc set interfaces at-1/0/0 unit 0 vci 8.35 set interfaces at-1/0/0 unit 0 ppp-options chap passive set interfaces at-1/0/0 unit 0 family inet negotiate-address
Now my logical interface is asking for an IP address by negotiating it. If you had a static you would manually define this here. For me, I rely on Dynamic DNS (a new feature to 12.1x SRX code I believe, incoming post soon!) so a negotiated IP is fine. Chap passive command will challenge the upstream device and respond to its request. The information it requests is below. This information is unique per customer which is generally your ISP email/account information.
set interfaces at-1/0/0 unit 0 ppp-options chap local-name [email protected] set interfaces at-1/0/0 unit 0 ppp-options chap default-chap-secret ciscoinfernopassword
Now, I personally wanted to use a generate route as I learnt of its use in my JNCIS-ENT studies. I could use a static route to a NH interface if I wanted but lets mix it up.
set routing-options generate 0.0.0.0/0
So remember that this device is an SRX. We need to set the security zone to the untrust zone for the at-1/0/0.0 interface . I also have default interface NAT on my SRX which performs translation on traffic going from the trust to untrust security zones.
set security zones security-zone untrust interface at-1/0/0
Now lets confirm the settings of everything.
[email protected]> show interfaces at-1/0/0 Physical interface: at-1/0/0, Enabled, Physical link is Up Interface index: 148, SNMP ifIndex: 546 Description: ADSL2+_Bigpond_Liberty200GB Link-level type: ATM-PVC, MTU: 1540, Clocking: Internal, ADSL mode, Speed: ADSL2+, Loopback: None Device flags : Present Running Link flags : None CoS queues : 8 supported, 8 maximum usable queues Current address: b0:a8:6e:66:e2:20 Last flapped : 2013-01-24 11:05:45 UTC (00:10:49 ago) Input rate : 152 bps (0 pps) Output rate : 208 bps (0 pps) ADSL alarms : None ADSL defects : None ADSL status: Modem status : Showtime (Adsl2plus) DSL mode : Auto Annex A Last fail code: None Subfunction : 0x00 Seconds in showtime : 649 Logical interface at-1/0/0.0 (Index 80) (SNMP ifIndex 547) Description: PPPoA Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: ATM-PPP-LLC Input packets : 4296 Output packets: 3705 Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3 Keepalive: Input: 0 (never), Output: 63 (00:00:07 ago) LCP state: Opened NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured CHAP state: Success PAP state: Closed Security: Zone: untrust Protocol inet, MTU: 1534 Flags: Sendbcast-pkt-to-re, Negotiate-Address Addresses, Flags: Kernel Is-Preferred Is-Primary Destination: 172.18.210.17, Local: 18.104.22.168 VCI 8.35 Flags: Active Total down time: 0 sec, Last down: Never Input packets : 4296 Output packets: 3705
The above output confirms interface is up, security-zone application, encapsulation, chap status, speed, and more. Now to make sure our generate default route has populated the routing table – another step to confirm connectivity in its fullest.
[email protected]> show route inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Aggregate/130] 00:10:27 > via at-1/0/0.0 22.214.171.124/32 *[Local/0] 00:12:34 Local via at-1/0/0.0 172.18.210.17/32 *[Direct/0] 00:12:34 > via at-1/0/0.0 192.168.2.0/24 *[Direct/0] 00:56:47 > via vlan.0 192.168.2.1/32 *[Local/0] 4d 10:25:07 Local via vlan.0
There we are. The aggregate route with a default metric of 130 sending all traffic not defined by a more specific route out to the interface at-1/0/0.0. This traffic is then NAT’ed with the interface IP negotiated by my ISP and send on ward to the inter-googles.
Now to do a speed test and monitor the interface. Before now I’ve only used monitor interface commands to prove knowledge. Now I am using it with legitimate traffic on my home network. Let us see how much traffic is going through my network. I can find out some information using interface statistics.
[email protected]> show interfaces at-1/0/0.0 statistics Logical interface at-1/0/0.0 (Index 80) (SNMP ifIndex 547) Description: PPPoA Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: ATM-PPP-LLC Input packets : 26380 Output packets: 17983 Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3 Keepalive: Input: 0 (never), Output: 134 (00:00:01 ago) LCP state: Opened NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured CHAP state: Success PAP state: Closed Security: Zone: untrust Protocol inet, MTU: 1534 Flags: Sendbcast-pkt-to-re, Negotiate-Address Addresses, Flags: Kernel Is-Preferred Is-Primary Destination: 172.18.210.17, Local: 126.96.36.199 VCI 8.35 Flags: Active Total down time: 0 sec, Last down: Never Input packets : 26380 Output packets: 17983
That doesn’t give us much information. Lets try something else.
[email protected]> monitor interface at-1/0/0.0 SRX110 Seconds: 70 Time: 11:29:53 Delay: 1/1/23 Interface: at-1/0/0.0, Enabled, Link is Up Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: ATM-PPP-LLC VCI 8.35 cdvt: 0 Local statistics: Current delta Input bytes: 10339  Output bytes: 3826  Input packets: 152  Output packets: 155  Remote statistics: Input bytes: 35017058 (12512056 bps)  Output bytes: 3654049 (315624 bps)  Input packets: 31405 (1044 pps)  Output packets: 21568 (716 pps)  Traffic statistics: Input bytes: 35027397  Output bytes: 3657875  Input packets: 31557  Output packets: 21723  Protocol: inet, MTU: 1534, Flags: 0x1000000 VCI 8.35, Flags: Active 0x400 Total down time: 0 sec, Last down: Never Traffic statistics: Input bytes : 35027397 Output bytes : 3657875 Input packets: 31557 Output packets: 21723
That is much better. I was running a speed test at the same time so you can see my interface is pushing around 14 megabit per second. Not bad for where I live though I know my sync rates can get me around 20 megabit usually. The information here is great as you can see how much, over how long and expected usage.
This is the same information but through the J-WEB interface. Nice management friendly graphs, your layer 8 friend.
The configuration of the ADSL interface isn’t hard. The general gist of it is the same among vendors. What I found was that applying it with firewall technologies and NAT on top of ADSL technologies might be a stumbling block for some. Now that I have safely got my ADSL connection running happily, I issued hardware rollback and changed to my old modem before the scheduled outage window was over and the household SLA was not breached.
Now I am very excited for leaking my internet route into my lab and doing more magic. Oh, and the new release of Dynamic DNS on Branch SRX. Om nom nom!