在Juniper SRX上配置VLANs无法解决
这一定是疯狂的简单,但我每次都会出错。
我有一个非常基本的设置。
SRX 300
ge-0/0/0 =不信任
ge-0/0/1虽然ge-0/0/5 =信任
ge-0/0/0和0/0/4正在使用中。
我有一个接入点,可以承载多个SSID,并为每个SSID分配一个VLAN。
我想要创建一个VLAN与指定的DHCP服务器,为不安全的客户互联网只访问。
理想情况下,可以将此VLAN分配给ge-0/0/4。
到目前为止,我已经收回了我所有的变化。
我试着尽可能多地包含相关的信息。
root@HSRX300# show interfaces
ge-0/0/0 {
unit 0 {
family inet {
address xxx.xxx.xxx.xxx/xx;
address xxx.xxx.xxx.xxx/xx;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 192.168.2.1/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 192.168.3.1/24;
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
address 192.168.4.1/24;
}
}
}
ge-0/0/5 {
unit 0 {
family inet {
address 192.168.5.1/24;
}
}
}
ge-0/0/6 {
unit 0;
}
ge-0/0/7 {
unit 0;
}
st0 {
unit 1 {
family inet {
mtu 1436;
address xxx.xxx.xxx.xxx/xx;
}
}
unit 2 {
family inet {
mtu 1436;
address xxx.xxx.xxx.xxx/xx;
}
}
}
root@HSRX300# show protocols
l2-learning {
global-mode switching;
}
root@HSRX300# show security zones
security-zone trust {
address-book {
address Some-Server xxx.xxx.xxx.xxx/xx;
address Some-Server-II xxx.xxx.xxx.xxx/xx;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
bgp;
}
}
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
ge-0/0/3.0;
ge-0/0/4.0;
ge-0/0/5.0;
st0.1;
st0.2;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}回答 1
Network Engineering用户
发布于 2016-11-30 12:14:12
好的,从上面说:
- 我强烈建议您在开始之前将代码升级到
15.1X49-D60.7。 - 您需要在盒子上全局启用切换模式(这需要重新启动,但保存到添加了所有配置):
set protocols l2-learning global-mode switching
- 接下来,创建您的VLAN -让我们假设VLAN-ID 4和一个匹配的irb (路由)接口与它一起。我们还将将irb接口放入信任安全区,以便主机入站配置应用于它:
set vlans WLAN-HOME vlan-id 4
set vlans WLAN-HOME l3-interface irb.4
set interfaces irb unit 4 family inet address 192.168.4.1/24
set security zones security-zone trust interface irb.4
- 现在,删除当前接口
ge-0/0/4,从信任安全区中删除它,并在新的VLAN中作为交换接口重新创建它。注意:这假设您的AP预期VLAN 4将被标记-除非您还向该端口添加了一个本机-VLAN-id,否则您可能会失去对管理接口的访问权限,这将需要另一个单独的VLAN:
delete interfaces ge-0/0/4
delete security zones security-zone trust interface ge-0/0/4.0
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members WLAN-HOME
- 为新子网设置DHCP作用域,并将其配置为在irb.4上提供地址:
set system services dhcp-local-server group jdhcp-group interface irb.4
set access address-assignment pool WLAN-HOME-POOL family inet network 192.168.4.0/24
set access address-assignment pool WLAN-HOME-POOL family inet range junosRange low 192.168.4.10
set access address-assignment pool WLAN-HOME-POOL family inet range junosRange high 192.168.4.80
set access address-assignment pool WLAN-HOME-POOL family inet dhcp-attributes router 192.168.4.1
set access address-assignment pool WLAN-HOME-POOL family inet dhcp-attributes maximum-lease-time 3600
set access address-assignment pool WLAN-HOME-POOL family inet dhcp-attributes name-server 192.168.1.10
- 好了。
https://networkengineering.stackexchange.com/questions/36923
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号