Juniper SRX240 Firewalls

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Juniper SRX240 Firewalls

JAMMAN2110

871 posts

Ultimate Geek

Trusted

#69647 12-Oct-2010 16:34

Hi all

We are looking at getting a Juniper SRX240 firewall but I can't find any information to answer some questions.

I need to know if the ports are physically separate or if they are just VLANed apart. (After switching has been disabled)

We need to have 1 interface connected to Citylink that can handle multiple IP addresses, and a backup ADSL / VDSL card.

Different servers will have different IP addresses / ports associated with them, but for compliance purposes we need to be able to prove that Server A on port ge-0/0/5 (which has IP XXX.XXX.XXX.XXX externally) can't talk directly to Server B on port ge-0/0/6 (which has IP XXX.XXX.XXX.YYY externally)

Can anyone help me answer the above question?

Cheers
James

muppet

2572 posts

Uber Geek

Trusted

#391020 12-Oct-2010 16:44

I don't quite understand what you're asking, sorry :)

The ports don't act like a hub though, if that's what you mean? You have to say "this port's in this VLAN"

Tim

Audiophiles are such twits! They buy such pointless stuff: Gold plated cables, $2000 power cords. Idiots.

OOOHHHH HYPERFIBRE!

JAMMAN2110

871 posts

Ultimate Geek

Trusted

#391024 12-Oct-2010 16:48

muppet: I don't quite understand what you're asking, sorry :)

The ports don't act like a hub though, if that's what you mean? You have to say "this port's in this VLAN"

Tim

I'm finding it quite hard to explain.

Really, we need one ethernet port for internet (I'm ignoring the ADSL / VDSL card) and then have the other Ethernet ports as separate zones, such as "Web Servers", "Mail Servers", "File Servers" etc

Does that explain it better? I'm told we need to do better than just VLANs

michaelmurfy

meow
13275 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#391042 12-Oct-2010 17:34

The best thing would be to put the likes of certain ports on certain vlans, for example:

If you had Port ge-0/0/1 connected to Citylink with multiple IP addresses it might be worth asking if they can do BGP with this, that way using BGP they can route you different IP addresses and all you need to do is to update the router config to make these changes.

From here, you can allocate different computers / devices to different IP's - you can also get the Juniper to do natting for all computers on the "LAN" and give external IP's to the servers as needed.

If you didn't want the network on Port ge-0/0/2 accessing anything on port ge-0/0/1 the normal step would be to separate them with use of Vlans, you can also add certain devices to different vlans depending on your needs.

It's pretty hard to explain, but the best step would be for you to head over to these articles:

http://www.juniper.net/techpubs/software/erx/erx51x/swconfig-routing-vol2/html/bgp-config.html (This is for setting up BGP)

http://www.juniper.net/techpubs/software/management/nmc-rx/nmc-rx73x/swconfig-nmc-rx-vol2/html/vlan-config.html (Setting up Vlans)

http://www.juniper.net/techpubs/software/erx/junose71/swconfig-routing-services/html/nat-config.html (Nat Config)

With these routers don't get sucked into using the web interface, it's best to leave this disabled and use the CLI - you will get your head around things easier that way. The cool thing with these routers is if you are doing the config through the CLI and break something (and had a working config beforehand) then the router will revert to that working config after a reboot unless if you commit it.

Good luck! Good on you for supporting Juniper! They are awesome pieces of equipment!

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.