As many of you are well aware, I own a Juniper Networks SRX110H-VA firewall. This firewall has been the focus of many blog posts up until now, and I have covered off a myriad of subjects with many more to come in the future. One feature of this particular model, and one which separates it from the rest of the SRX100 series, is its ADSL interface.
In the picture above, below the Powered by Junos text, you can note a black port. This accepts a 2-pair RJ11 cable. Connected into my wall and off into the POTS, this cable runs back to my carrier's DSLAM. This post assumes an ADSL service is already active and running on the line. It is important to remember that the settings I list below work for Australian ISPs. I am not familiar enough with other ISP networks to know whether these settings are a worldwide standard, though it would honestly surprise me if they were.
So my goal for this post was to get ADSL up on the SRX. Kurt and Cooper had pointed me in the right direction in the past. I had seen configs around and knew what the end goal was. It was time to do it. After ensuring I would not breach the household Service Level Agreement, I commenced my outage.
First, note that the ADSL interface sits apart from the other interfaces and is identified by its FPC number: the Ethernet ports live on FPC 0 (fe-0/0/x) while the built-in ADSL interface is at-1/0/0 on FPC 1. Separate card, different number.
set interfaces at-1/0/0 description ADSL2+_Bigpond_Liberty200GB
set interfaces at-1/0/0 traceoptions flag all
set interfaces at-1/0/0 mtu 1540
set interfaces at-1/0/0 encapsulation atm-pvc
set interfaces at-1/0/0 atm-options vpi 8
set interfaces at-1/0/0 dsl-options operating-mode auto
Above I have defined the MTU I want. This matters because of encapsulation overhead, and the last thing you want is fragmented traffic. 1540 is the MTU of the physical ATM interface; the ATM-PPP-LLC encapsulation on the logical unit consumes 6 bytes (the 4-byte LLC/NLPID header from RFC 2364 plus the 2-byte PPP protocol field), which is why the inet MTU on at-1/0/0.0 comes out as 1534 in the output further down. Most ISPs cope with this, though some carriers may not, so check what yours supports. I have also turned on traceoptions flag all, which is handy while bringing the link up but not something to leave running permanently, as it fills the trace log and costs control-plane cycles. With the description labelled and the operating mode set to auto (the modem negotiates ADSL, ADSL2 or ADSL2+ with the DSLAM), it is time to define the logical unit.
set interfaces at-1/0/0 unit 0 description PPPoA
set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-llc
set interfaces at-1/0/0 unit 0 vci 8.35
set interfaces at-1/0/0 unit 0 ppp-options chap passive
set interfaces at-1/0/0 unit 0 family inet negotiate-address
Now my logical interface negotiates its IP address through IPCP rather than having one assigned. If you had a static address you would define it here instead. I rely on Dynamic DNS (a new feature in the 12.1X SRX code, I believe; post incoming!), so a negotiated address is fine. The chap passive option means the SRX does not issue CHAP challenges of its own; it only answers the challenges the upstream device sends, which is the normal arrangement when you are the subscriber. The information the ISP asks for is below. It is unique per customer and is generally your ISP email/account credentials. One caveat: Junos stores the default-chap-secret in the configuration as a $9$ string, which is obfuscated rather than encrypted and is trivially reversible, so treat any copy of your configuration as sensitive.
set interfaces at-1/0/0 unit 0 ppp-options chap local-name [email protected]
set interfaces at-1/0/0 unit 0 ppp-options chap default-chap-secret ciscoinfernopassword
Now, I personally wanted to use a generated route, as I learnt of its use in my JNCIS-ENT studies. I could have used a static route with at-1/0/0.0 as the next-hop interface if I wanted, but let's mix it up.
set routing-options generate route 0.0.0.0/0
Remember that this device is an SRX, so the at-1/0/0.0 logical interface must be placed in a security zone; untrust in my case. I also have interface-based source NAT configured, which translates traffic going from the trust zone to the untrust zone to the address of the egress interface. Leave host-inbound-traffic off the untrust zone unless you genuinely need it: with nothing configured there, the SRX drops traffic aimed at its own public address instead of answering it, which is exactly what you want on an Internet-facing port.
set security zones security-zone untrust interfaces at-1/0/0.0
Now let's confirm everything.
[email protected]> show interfaces at-1/0/0
Physical interface: at-1/0/0, Enabled, Physical link is Up
  Interface index: 148, SNMP ifIndex: 546
  Description: ADSL2+_Bigpond_Liberty200GB
  Link-level type: ATM-PVC, MTU: 1540, Clocking: Internal, ADSL mode, Speed: ADSL2+, Loopback: None
  Device flags   : Present Running
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: b0:a8:6e:66:e2:20
  Last flapped   : 2013-01-24 11:05:45 UTC (00:10:49 ago)
  Input rate     : 152 bps (0 pps)
  Output rate    : 208 bps (0 pps)
  ADSL alarms    : None
  ADSL defects   : None
  ADSL status:
    Modem status  : Showtime (Adsl2plus)
    DSL mode      : Auto Annex A
    Last fail code: None
    Subfunction   : 0x00
    Seconds in showtime : 649

  Logical interface at-1/0/0.0 (Index 80) (SNMP ifIndex 547)
    Description: PPPoA
    Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: ATM-PPP-LLC
    Input packets : 4296
    Output packets: 3705
    Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
    Keepalive: Input: 0 (never), Output: 63 (00:00:07 ago)
    LCP state: Opened
    NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
    CHAP state: Success
    PAP state: Closed
    Security: Zone: untrust
    Protocol inet, MTU: 1534
      Flags: Sendbcast-pkt-to-re, Negotiate-Address
      Addresses, Flags: Kernel Is-Preferred Is-Primary
        Destination: 172.18.210.17, Local: 121.214.22.238
    VCI 8.35
      Flags: Active
      Total down time: 0 sec, Last down: Never
      Input packets : 4296
      Output packets: 3705
The above output confirms the interface is up (Modem status Showtime, LCP and NCP inet both Opened), the security zone, the encapsulation, CHAP success, the ADSL2+ speed, and more. Now to make sure our generated default route has populated the routing table, another step in confirming connectivity fully.
[email protected]> show route

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Aggregate/130] 00:10:27
                    > via at-1/0/0.0
121.214.22.238/32  *[Local/0] 00:12:34
                      Local via at-1/0/0.0
172.18.210.17/32   *[Direct/0] 00:12:34
                    > via at-1/0/0.0
192.168.2.0/24     *[Direct/0] 00:56:47
                    > via vlan.0
192.168.2.1/32     *[Local/0] 4d 10:25:07
                      Local via vlan.0
There we are. The generated route appears as Aggregate with the default route preference of 130 (a preference, not a metric), sending all traffic not covered by a more specific route out of at-1/0/0.0. Here that next hop is inherited from the primary contributing route, the /32 to the PPP peer 172.18.210.17 that appears once IPCP completes. One caveat: with no policy on the generate statement, every more-specific active route contributes, including 192.168.2.0/24 on vlan.0, so the default does not automatically vanish if the PPP session drops; attach a policy to the generate route if you want it to track the DSL link. This traffic is then NAT'ed to the interface IP negotiated from my ISP and sent onward to the inter-googles.
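As an added example (this is not code from the original post), here is a small Python check that reads the text of the two show commands above and verifies the same things just confirmed by eye: physical link up and the modem in Showtime, LCP and IPCP Opened, CHAP Success, the unit in the untrust zone, the 6-byte ATM-PPP-LLC difference between the physical and inet MTU, and an active default route pointing out at-1/0/0.0. The sample output embedded in the script is constructed from the abridged output above, and the function names are assumptions, not Junos or Juniper tooling.

```python
"""Health check for a PPPoA ADSL uplink on a branch SRX, driven by the text of
`show interfaces at-1/0/0` and `show route`. Example code, not Junos tooling."""
import re

# ATM-PPP-LLC overhead on the logical unit: 4-byte LLC/NLPID header (RFC 2364)
# plus the 2-byte PPP protocol field. 1540 on at-1/0/0 -> 1534 on at-1/0/0.0.
PPP_LLC_OVERHEAD = 6

# Constructed sample, abridged from the kind of output Junos prints.
SHOW_INTERFACES = """\
Physical interface: at-1/0/0, Enabled, Physical link is Up
  Description: ADSL2+_Bigpond_Liberty200GB
  Link-level type: ATM-PVC, MTU: 1540, Clocking: Internal, ADSL mode, Speed: ADSL2+, Loopback: None
  ADSL status:
    Modem status  : Showtime (Adsl2plus)
    DSL mode      : Auto Annex A

  Logical interface at-1/0/0.0 (Index 80) (SNMP ifIndex 547)
    Description: PPPoA
    Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: ATM-PPP-LLC
    LCP state: Opened
    NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
    CHAP state: Success
    PAP state: Closed
    Security: Zone: untrust
    Protocol inet, MTU: 1534
      Flags: Sendbcast-pkt-to-re, Negotiate-Address
      Addresses, Flags: Kernel Is-Preferred Is-Primary
        Destination: 172.18.210.17, Local: 121.214.22.238
"""

# Constructed sample routing table (same shape as `show route` above).
SHOW_ROUTE = """\
inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Aggregate/130] 00:10:27
                    > via at-1/0/0.0
121.214.22.238/32  *[Local/0] 00:12:34
                      Local via at-1/0/0.0
172.18.210.17/32   *[Direct/0] 00:12:34
                    > via at-1/0/0.0
192.168.2.0/24     *[Direct/0] 00:56:47
                    > via vlan.0
192.168.2.1/32     *[Local/0] 4d 10:25:07
                      Local via vlan.0
"""


def _grab(pattern, text):
    """First capture group of pattern in text, or None if absent."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None


def default_route_next_hop(show_route):
    """(protocol, preference, next-hop) of the active 0.0.0.0/0 entry, or None."""
    m = re.search(
        r"^0\.0\.0\.0/0\s+\*\[(\w+)/(\d+)\][^\n]*\n\s*>?\s*via\s+(\S+)",
        show_route, re.MULTILINE)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def check_uplink(show_interfaces, show_route, ifl="at-1/0/0.0", zone="untrust"):
    """Return a list of problems; an empty list means the PPPoA uplink looks healthy."""
    problems = []
    expectations = [
        ("physical link", r"Physical link is (\w+)", "Up"),
        ("modem status", r"Modem status\s*:\s*(\w+)", "Showtime"),
        ("LCP", r"LCP state:\s*(\S+)", "Opened"),
        ("NCP inet", r"NCP state: inet:\s*([\w-]+)", "Opened"),
        ("CHAP", r"CHAP state:\s*(\S+)", "Success"),
        ("security zone", r"Security: Zone:\s*(\S+)", zone),
    ]
    for name, pattern, want in expectations:
        got = _grab(pattern, show_interfaces)
        if got != want:
            problems.append(f"{name}: expected {want}, got {got}")

    # The inet MTU must be exactly the encapsulation overhead below the ATM MTU.
    phys_mtu = _grab(r"Link-level type: ATM-PVC, MTU:\s*(\d+)", show_interfaces)
    ifl_mtu = _grab(r"Protocol inet, MTU:\s*(\d+)", show_interfaces)
    if phys_mtu is None or ifl_mtu is None:
        problems.append("MTU: could not read physical or logical MTU")
    elif int(phys_mtu) - int(ifl_mtu) != PPP_LLC_OVERHEAD:
        problems.append(f"MTU: {phys_mtu} - {ifl_mtu} != {PPP_LLC_OVERHEAD} byte ATM-PPP-LLC overhead")

    # negotiate-address only succeeded if IPCP handed us a local address.
    if _grab(r"Local:\s*([\d.]+)", show_interfaces) is None:
        problems.append("IPCP: no negotiated local address")

    dflt = default_route_next_hop(show_route)
    if dflt is None:
        problems.append("route: no active default route")
    elif dflt[2] != ifl:
        problems.append(f"route: default points via {dflt[2]}, not {ifl}")
    return problems


if __name__ == "__main__":
    issues = check_uplink(SHOW_INTERFACES, SHOW_ROUTE)
    print("uplink healthy" if not issues else "\n".join(issues))
```

In practice the two strings would be fed from the CLI output (for example via `show ... | no-more` over SSH) rather than embedded; the embedded copies are there so the script runs offline. The default-route check is deliberately strict about the next hop because, as noted above, a generated route with no contributor policy can stay up while pointing somewhere other than the DSL link.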
Now to do a speed test and monitor the interface. Until now I have only used the monitor interface commands to prove knowledge; now I am using them with legitimate traffic on my home network. Let's see how much traffic is going through. I can find out some information using interface statistics.
[email protected]> show interfaces at-1/0/0.0 statistics
  Logical interface at-1/0/0.0 (Index 80) (SNMP ifIndex 547)
    Description: PPPoA
    Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: ATM-PPP-LLC
    Input packets : 26380
    Output packets: 17983
    Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
    Keepalive: Input: 0 (never), Output: 134 (00:00:01 ago)
    LCP state: Opened
    NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
    CHAP state: Success
    PAP state: Closed
    Security: Zone: untrust
    Protocol inet, MTU: 1534
      Flags: Sendbcast-pkt-to-re, Negotiate-Address
      Addresses, Flags: Kernel Is-Preferred Is-Primary
        Destination: 172.18.210.17, Local: 121.214.22.238
    VCI 8.35
      Flags: Active
      Total down time: 0 sec, Last down: Never
      Input packets : 26380
      Output packets: 17983
That doesn't give us much information. Let's try something else.
[email protected]> monitor interface at-1/0/0.0
SRX110                           Seconds: 70                  Time: 11:29:53
                                                              Delay: 1/1/23
Interface: at-1/0/0.0, Enabled, Link is Up
Flags: Point-To-Point SNMP-Traps 0x4000
Encapsulation: ATM-PPP-LLC
VCI 8.35 cdvt: 0
Local statistics:                                              Current delta
  Input bytes:                     10339                          [476]
  Output bytes:                     3826                          [154]
  Input packets:                     152                            [7]
  Output packets:                    155                            [7]
Remote statistics:
  Input bytes:                  35017058 (12512056 bps)       [7199927]
  Output bytes:                  3654049 (315624 bps)          [268304]
  Input packets:                   31405 (1044 pps)             [5154]
  Output packets:                  21568 (716 pps)              [3714]
Traffic statistics:
  Input bytes:                  35027397                      [7200403]
  Output bytes:                  3657875                       [268458]
  Input packets:                   31557                         [5161]
  Output packets:                  21723                         [3721]
Protocol: inet, MTU: 1534, Flags: 0x1000000
  VCI 8.35, Flags: Active 0x400
  Total down time: 0 sec, Last down: Never
  Traffic statistics:
    Input bytes :             35027397
    Output bytes:              3657875
    Input packets:               31557
    Output packets:              21723
That is much better. I was running a speed test at the same time; the Remote statistics line shows 12512056 bps inbound at the instant of this snapshot, so the interface is pulling 12 to 14 megabit per second while the test runs. Not bad for where I live, though I know my sync rate can usually get me around 20 megabit. Note the split in the output: Local statistics count only traffic to and from the Routing Engine itself (the LCP keepalives and the like), while Remote statistics is the transit traffic forwarded by the data plane, which is the number that matters here. The information is great, as you can see how much, over how long, and what usage to expect.
This is the same information but through the J-Web interface: nice, management-friendly graphs, your layer 8 friend.
Thoughts
The configuration of the ADSL interface isn't hard, and the general gist of it is the same among vendors. What I found is that layering the firewall zones and NAT on top of the ADSL settings might be a stumbling block for some. Now that I have safely got my ADSL connection running happily, I issued a hardware rollback and changed back to my old modem before the scheduled outage window was over, and the household SLA was not breached.
Now I am very excited about leaking my internet route into my lab and doing more magic. Oh, and the new release of Dynamic DNS on branch SRX. Om nom nom!
Spot on, Tony! I was about to start playing with ADSL configuration on my SRX 😉 Thank you
No worries. Watch the MTU. 🙂
Have to ask: can you configure IPv6 with dynamic address (SLAAC or DHCPv6) on outside interface? Can it do IA_PD?
Hey Ivan,
At this stage the scheduled release for DHCPv6 client support is 13.1R1 ( http://forums.juniper.net/t5/SRX-Services-Gateway/Branch-SRX-as-a-DHCPv6-prefix-delegation-client/td-p/99340/page/2 )
Follow update RLI 17269 as that has more information. From my readings, the SRX code train will sit at 12.1 for most of this year (odd). I’d like to think it would be very soon.
IA_PD I believe falls under this as well. All of the above can work when the SRX acts as a local server. It just cannot handle the notion of receiving IPv6. Odd stumble for Juniper.
I just set up my SRX110 and I can't believe this is still missing. I guess I'll have to go back to my OpenWRT box until Juniper pull finger.
If you were looking to migrate from an existing system, I would suggest looking at the specifications sheet. The fact that it cannot do it yet is a pain but it is only one of the few things it cannot do.
Traceoptions isn’t something I would keep on all the time btw…
Thanks – I didn’t realize I left it in there. In the lab it should be fine 🙂
How much did the SRX110 set you back when you bought it, and how much would you pay for one now? I am looking to buy one for a lab but can only find American sites with RRPs and can't gauge what's a 'good deal' and what isn't.
Hi Cameron, I was lucky to find a brand new 110H-VA one on ebay for $400 AUD with free shipping.
Excellent post Anthony!! Just a quick one regarding memory on the SRX 110s... I've recently purchased the SRX 110H-VA (1GB RAM) and notice my control plane memory is constantly in the high 90s region (between 95-97%) and it's running a little warm (60 degrees C)... Just wondering what memory utilisation and temps you're seeing on your SRX?
Here’s from my unit:
———————————————————————————-
[email protected]> show chassis routing-engine
Routing Engine status:
Temperature 60 degrees C / 140 degrees F
Total memory 1024 MB Max 727 MB used ( 71 percent)
Control plane memory 560 MB Max 532 MB used ( 95 percent)
Data plane memory 464 MB Max 190 MB used ( 41 percent)
———————————————————————————-
I've left all the default UTM (websense, AV etc.) stuff on and have really just configured the SRX for ADSL, a couple of policies, and 1 dynamic VPN. I'm going to re-distribute some (64MB) data plane memory to the control plane memory (using command 'set security advanced-services data-plane memory low'), but first need to upgrade my Junos version to 11.4R5 (currently running 11.2R3.3).
Everything else seems stable (10% cpu)……. A great little firewall to learn SRX and Junos 🙂
Hey, did you guys end up with any MTU issues?
With Internode I am seeing some strange stuff where I can’t get pings over 1454 bytes out to a server on our DC network.
Currently have an MTU of 1540 on the at-1/0/0 interface and 1492 on the pp0.0 interface.
My next point of call was going to be dropping the pp0.0 mtu down to test.
This was on an Internode DSLAM port.