As I slowly diversify my skill set and acquire JUNOS knowledge I find that knowing the technology and underlying concepts are the same. Minor changes like routing preference and the like is easy to deal with. Slowly I am working through building a home network with a SRX110 as my main device. I have an Opengear ACM5504-G-E console server which I decided needed its own subnet and VLAN. I wanted to its own DHCP scope and the interface to reside in another VLAN. Today I will show you how to do this task.
Define the VLAN
First we make the VLANs and issue the following set commands from configuration mode.
set vlans Servers vlan-id 2 set vlans OOB-access vlan-id 100
Now we create the L3 interface that will form out default gateway for devices which reside in the different VLANs we create.
set interfaces vlan unit 2 family inet address 192.168.2.1/24 set interfaces vlan unit 100 family inet address 192.168.100.1/24
Apply interface to VLAN
Now we assign the required interfaces to each respect VLAN. Interface fe-0/0/7.0 is going into my OOB-access VLAN and my server is going onto fe-0/0/2.0 .
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members Servers set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members OOB-access
Create DHCP scope
Now for the moment I want to provide DHCP scopes for this VLAN. If this were a real deployment I would suggest using a dedicated DHCP server.
set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.10 set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254 set system services dhcp pool 192.168.2.0/24 router 192.168.2.1 set system services dhcp pool 192.168.2.0/24 domain-name servers.ciscoinferno.net set system services dhcp pool 192.168.100.0/24 address-range low 192.168.100.100 set system services dhcp pool 192.168.100.0/24 address-range high 192.168.100.254 set system services dhcp pool 192.168.100.0/24 domain-name oob.ciscoinferno.net set system services dhcp pool 192.168.100.0/24 router 192.168.100.1
Apply to correct security zone
Now we need to add each VLAN to the required security zone. For now I am just going to use the built int trust zone as I will explore zones further into my JNCIS-SEC studies.
set security zones security-zone trust interfaces fe-0/0/2.0 set security zones security-zone trust interfaces vlan.2 set security zones security-zone trust interfaces vlan.100 set security zones security-zone trust interfaces fe-0/0/7.0
Here is some verification to make sure the magic is happening
[email protected]> show vlans Name Tag Interfaces Servers 100 fe-0/0/2.0, fe-0/0/7.0* default 1 None vlan-trust 2 fe-0/0/1.0*, fe-0/0/3.0, fe-0/0/4.0, fe-0/0/5.0, fe-0/0/6.0 [email protected]SRX110> show system services dhcp binding IP address Hardware address Type Lease expires at 192.168.100.101 00:13:c6:00:a2:bb dynamic 2012-12-06 17:57:51 EST 192.168.2.10 00:16:cb:8d:06:b5 dynamic 2012-12-06 15:57:12 EST [email protected]> show security zones trust Security zone: trust Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 5 Interfaces: fe-0/0/1.0 fe-0/0/2.0 fe-0/0/7.0 vlan.100 vlan.2 vlan up up vlan.2 up up inet 192.168.2.1/24 vlan.100 up up inet 192.168.100.1/24
Enjoy. Go forth my minions and configure those VLANs.