
SRX Getting Started - Configure Interfaces and Security Zones

[KB16556]


Summary:

This article provides an example of configuring an interface and security zone on an SRX Series device.

For other topics, go to the SRX Getting Started main page.

Symptoms:

Configure interfaces and security zones.

Solution:


Network Interface Naming

Junos uses the following interface naming conventions:

  • The show interfaces terse command displays a list of the interfaces:
user@host> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up 
ge-0/0/0.0              up    up   inet     10.85.49.150/24
gr-0/0/0                up    up 
ip-0/0/0                up    up 
lsq-0/0/0               up    up 
lt-0/0/0                up    up 
mt-0/0/0                up    up 
pd-0/0/0                up    up 
pe-0/0/0                up    up 
  • The syntax for an interface name, such as ge-0/0/0, is as follows:

    Interface Type - Slot / Module / Port . Logical number

For information about interface name syntax, see Interface Naming Conventions.

For information about slot numbering for SRX Series devices, see Network Interfaces.
  • All numbers for the slot, module, and port start at 0.
  • For example:

    ge-0/0/0 = First onboard Gigabit Ethernet interface
    st0.0 = First secure tunnel interface (VPN tunnel)
    lo0 = First loopback interface

  • Wildcards: many commands accept wildcards in interface names. For example:

    show interfaces ge-0/0/*

 

Security Zone

A security zone is a collection of interfaces that define a security boundary. Internal network interfaces may be assigned to a security zone named "trust," and external network interfaces may be assigned to a security zone named "untrust." Security policies are then used to control transit traffic between security zones. For more information about security zones, see Understanding Security Zones.

Note: For SRX Branch devices, interfaces are assigned to a default security zone in the factory-default settings. See the device's Getting Started Guide for interface and zone assignments, as they vary by platform.

The Getting Started Guide can be located as follows:

Restrictions:

  • You can assign one or more logical interfaces to a zone.
  • You can also assign one or more logical interfaces to a routing instance.
  • You cannot assign a logical interface to multiple zones or multiple routing instances.
  • You must also ensure that all of a zone's logical interfaces are in a single routing instance.
  • Violating any of these restrictions results in a configuration error.

Security policies are associated with zones. A packet’s incoming zone, as determined by the interface through which it arrived, and its outgoing zone, as determined by the forwarding lookup, together determine which policy is used for packets of the flow. For information about zones and policies, refer to Security Policies Feature Guide for Security Devices.
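As an added example (not part of this KB article or Juniper's own tooling), the following Python script parses interface names according to the syntax described above and checks a candidate set of `set` commands against the zone restrictions listed above before they are committed. The sample configuration, the zone names, and the guest-vr routing instance are constructed for illustration; labelling an interface that appears in no routing-instances stanza as "master" is this script's own convention.

```python
import re
from collections import defaultdict

# "<type>-<slot>/<module>/<port>[.<unit>]" (ge-0/0/1.0) or "<type><index>[.<unit>]" (lo0, st0.0)
_IFACE_RE = re.compile(
    r"^(?P<type>[a-z]+)(?:-(?P<slot>\d+)/(?P<module>\d+)/(?P<port>\d+)|(?P<index>\d+))"
    r"(?:\.(?P<unit>\d+))?$")

def parse_interface(name):
    """Return the parts of a Junos interface name, or None if it is malformed."""
    m = _IFACE_RE.match(name)
    if not m:
        return None
    return {k: (v if k == "type" else (int(v) if v is not None else None))
            for k, v in m.groupdict().items()}

def validate_zone_config(set_lines):
    """Check Junos 'set' lines against the zone restrictions (one zone and one routing
    instance per logical interface, one routing instance per zone); return violations."""
    zones_of, ris_of, members = defaultdict(set), defaultdict(set), defaultdict(set)
    errors = []
    for line in set_lines:
        tok = line.split()
        if tok[:4] == ["set", "security", "zones", "security-zone"] and "interfaces" in tok:
            zone, ifname = tok[4], tok[tok.index("interfaces") + 1]
            if (parse_interface(ifname) or {}).get("unit") is None:
                errors.append(f"{ifname}: zones take logical interfaces (unit required)")
            zones_of[ifname].add(zone)
            members[zone].add(ifname)
        elif tok[:2] == ["set", "routing-instances"] and "interface" in tok:
            ris_of[tok[tok.index("interface") + 1]].add(tok[2])
    for label, table in (("zones", zones_of), ("routing instances", ris_of)):
        for ifname, names in table.items():
            if len(names) > 1:
                errors.append(f"{ifname} is in multiple {label}: {sorted(names)}")
    for zone, ifaces in members.items():
        # an interface named in no routing-instances stanza lives in the master instance
        ris = {",".join(sorted(ris_of.get(i, {"master"}))) for i in ifaces}
        if len(ris) > 1:
            errors.append(f"zone {zone} spans routing instances {sorted(ris)}")
    return errors

# Constructed sample: zone trust is clean; zone dmz breaks two of the restrictions.
SAMPLE_CONFIG = [
    "set security zones security-zone trust interfaces ge-0/0/1.0",
    "set security zones security-zone trust interfaces st0.0",
    "set security zones security-zone dmz interfaces ge-0/0/1.0",
    "set security zones security-zone dmz interfaces ge-0/0/2.0",
    "set routing-instances guest-vr interface ge-0/0/2.0",
]
```

Running validate_zone_config(SAMPLE_CONFIG) reports that ge-0/0/1.0 is in two zones and that zone dmz spans two routing instances, which is what the device would reject at commit time.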

Configure Interface and Security Zone

J-Web

The following example configures a security zone with one interface:

  1. Configure the ge-0/0/1.0 interface with the IP address 192.168.20.2/24.
    1. Select Configure>Interfaces and click the ge-0/0/1 interface to edit.
    2. Click Add Logical Interfaces.
    3. Click Add under IPv4 Addresses and Prefixes.
    4. Enter the IP address and prefix, i.e. 192.168.20.2/24, and click OK.
    5. Click OK.
    6. Click OK.

    For more information about configuring an interface, see Technical Documentation.

  2. Configure a security zone, and then assign the ge-0/0/1.0 interface to the security zone.
    1. Select Configure>Security>Zones. If the security zone name does not exist, click Add under the Security Zone section and enter the zone name. If the security zone name does exist, click the zone name.
    2. Go to the Interfaces Configuration section.
    3. In the Interfaces out of the zone list, select the ge-0/0/1.0 interface.
    4. Click the left arrow to move the interface to the Interfaces in the zone list.
    5. Click OK.
    6. Click Commit.

    For more information about configuring a security zone, see Technical Documentation.


CLI


The following example configures a security zone with one interface:

  1. Verify the existing security zones, and which interfaces have been assigned to them, by using one of the following commands:

    user@host> show security zones
    user@host> show interfaces

  2. Configure the ge-0/0/1.0 interface with the IP address 192.168.20.2/24:

    user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24

    For more information about configuring an interface, see Technical Documentation.

  3. If the security zone does not exist, configure it:

    user@host# set security zones security-zone trust

  4. Assign the ge-0/0/1.0 interface to the trust security zone:

    user@host# set security zones security-zone trust interfaces ge-0/0/1.0

    For more information about configuring a security zone, see Technical Documentation.

 

Technical Documentation

Security Zones and Interfaces Overview

 

Verification

To verify interface and security zone configuration, use the following operational commands:

  • show interfaces terse
  • show interfaces
  • show security zones

 

Troubleshooting

Interfaces

  • Use the show interfaces command to display information about the interface. For more information, see show interfaces.
  • Use the monitor interface command to display real-time interface traffic statistics. For more information, see monitor interface.
  • Configure traceoptions to troubleshoot interface issues. The following traceoption flags are applicable:

    All interfaces:

    [edit interfaces]
    user@host# set traceoptions flag ?
    Possible completions:
      all              Enable all configuration logging
      change-events    Log changes that produce configuration events
      config-states    Log the configuration state machine changes
      kernel           Log configuration IPC messages to kernel
      kernel-detail    Log details of configuration messages to kernel

    A specific interface:

    [edit interfaces ge-11/1/0]
    user@host# set traceoptions flag ?
    Possible completions:
      all              Enable all interface trace flags
      event            Trace interface events
      ipc              Trace interface IPC messages
      media            Trace interface media changes

    For information about configuring traceoptions for debugging and trimming output, see KB16108 - SRX Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.

  • Use the packet capture feature to snoop packets. For more information, see KB15779 - SRX Getting Started - Troubleshooting Commands.


Zones

  • Configure traceoptions to troubleshoot security zones. The following traceoption flags are applicable:

    [edit security]
    user@host# set traceoptions flag ?
    Possible completions:
      all              Trace everything
      compilation      Trace compilation events
      configuration    Trace configuration events
      routing-socket   Trace routing socket events


    For information about configuring traceoptions for debugging and trimming output, see KB16108 - SRX Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.
