Configure a WAN Link with LTE Backup in Active/Standby Mode to the Internet

 

This example shows how to configure a WAN link with LTE backup in an active/standby setup on the SRX line of devices.

Requirements

This example uses the following hardware and software components.

  • One device from the SRX300 line of devices (SRX320, SRX340, SRX345, SRX380, or SRX550)

  • One LTE Mini-PIM

  • One SIM card with subscription for data services

Overview

In this example, we are setting up an SRX device to provide wired and wireless Internet and Intranet access to the employees on-site, as well as wireless Internet access to guest devices. The primary internet link is through Ethernet, while the backup connectivity is through the LTE network. The two links are configured in active/standby mode; no traffic is routed through the LTE modem (LTE-MPIM), unless the primary link is down.

Figure 1 shows the topology of this example.

Figure 1: Branch Office with Redundant Internet Connectivity Example

Following are the topology details:

  • The LTE Mini-PIM is installed in slot 1 of the SRX device.

  • The SIM card is installed in slot 1 of the LTE module.

  • The primary link is connected to interface ge-0/0/7.

  • The primary link receives its IP address, network mask, default gateway, and DNS servers from the device that it is connected to.

  • The interface cl-1/0/0 identifies the modem (LTE-MPIM).

The LTE network terminates the link over the cellular network on interface dl.0, and assigns the IP address, network mask, and default gateway to ge-0/0/7.

There are two security zones, untrust and trust, configured on the SRX device. Separating the interfaces into security zones separates the traffic and lowers the risk that the corporate Intranet is exposed to. Security zones also make security policies clearer and simpler to implement. The untrust zone hosts the interfaces that have access to the Internet.

Figure 2 shows the interfaces in each security zone.

Figure 2: Security Zones

The internal interfaces in the corporate Intranet are in the trust zone. Table 1 shows the desired behavior of the security policies for traffic between zones.

Table 1: Security Policies by Zone

From Zone    To Zone    Security Policy Behavior
Trust        Trust      Yes
Untrust      Untrust    No
Trust        Untrust    Yes
Untrust      Trust      Trust-initiated only

Table 2 summarizes the VLAN information and the IP address information for the interfaces.

Table 2: Interfaces Configuration Details

Interface    VLAN    IP Address    Network Mask
dl.0         -       DHCP          -
ge-0/0/7     -       DHCP          -
irb.0        3       192.0.2.1     255.255.255.0

Configuration

Step-by-Step Procedure

The steps in this configuration logically build from the lower layers to the upper layers.

  1. Create a common VLAN for the LAN segment of the network.
  2. Create a security policy that allows traffic between the trust and untrust zones. Make sure that you include the desired network segments and applications in the policy.
  3. Create a security policy that allows traffic between devices in the trust zone. Make sure that you include the desired network segments and applications in the policy.
  4. Create a unique DHCP server group for the devices that are connected on the LAN segment.
  5. Create a pool of IP addresses to be assigned to the devices that are in the LAN segment. Set the lowest and the highest IP addresses to be assigned to devices from this pool, the DNS servers, and the IP address of the default gateway for the pool that is the IP address of the irb.0 interface.
  6. Create source NAT to apply NAT to devices in the trust zone to the outer interface. For more information about source NAT, see Source NAT.
  7. Configure the primary interface.
  8. Configure the modem (LTE-MPIM) interface.
  9. Configure the dialer interface.
  10. Set the Access Point Name for the SIM in the modem (LTE-MPIM).
  11. Configure the LAN interfaces ge-0/0/0, ge-0/0/1, and the others to be switching interfaces in the trust VLAN. The trust VLAN will effectively make them part of the trust zone. The configuration example shown is for one interface, specifically ge-0/0/0. Repeat the same steps for all LAN segment interfaces.
  12. Make sure that the necessary protocols are allowed in the trust zone. That ensures proper operation of the LAN segment of the network.
  13. Ensure that the protocols are allowed in the untrust zone.
  14. Configure class of service, assign best-effort traffic to queue 0, and define rate limiters.

    The SRX320 devices support eight priority queues per interface for integrated Class of Service (CoS). Business-critical traffic is routed over queue 0.

  15. Define AppQoS rules and application match criteria.

    An AppQoS rule-set steers traffic through different queues. The first rule, rule1, steers the business-critical applications toward queue 0 and sets low probability to drop traffic in case of congestion. The restrule rule enforces the shaper for the rest of the traffic in both directions (uplink and downlink). Salesforce and Office365 are identified as critical applications in this example.

  16. Commit the configuration.
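The following set commands are an added example, not part of the original procedure: one way to express the VLAN, DHCP, interface, zone, policy, and source NAT steps above with the values from Table 1 and Table 2. The names vlan-trust, lan-pool, lan-range, trust-to-trust, trust-to-untrust, and snat-rule, the dialer pool number, priority, and dial string, and the name server 198.51.100.53 are assumptions; dl0.0 is the Junos name of the dialer interface that the text calls dl.0.

```junos
# LAN segment: VLAN 3 with irb.0 as its gateway (Table 2)
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set interfaces irb unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-trust

# DHCP server for LAN clients; the router attribute is the irb.0 address
set system services dhcp-local-server group lan-pool interface irb.0
set access address-assignment pool lan-pool family inet network 192.0.2.0/24
set access address-assignment pool lan-pool family inet range lan-range low 192.0.2.2
set access address-assignment pool lan-pool family inet range lan-range high 192.0.2.254
set access address-assignment pool lan-pool family inet dhcp-attributes router 192.0.2.1
set access address-assignment pool lan-pool family inet dhcp-attributes name-server 198.51.100.53

# Primary WAN link: DHCP client, with the dialer interface as its standby
set interfaces ge-0/0/7 unit 0 family inet dhcp
set interfaces ge-0/0/7 unit 0 backup-options interface dl0.0

# LTE modem and dialer interface; the address is negotiated with the LTE network
set interfaces cl-1/0/0 dialer-options pool 1 priority 100
set interfaces dl0 unit 0 family inet negotiate-address
set interfaces dl0 unit 0 dialer-options pool 1
set interfaces dl0 unit 0 dialer-options dial-string "*99#"

# Zones: only the services each side needs may reach the device itself
set security zones security-zone trust interfaces irb.0
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces dl0.0

# Policies per Table 1: no untrust-to-trust or untrust-to-untrust policy exists,
# so only return traffic of trust-initiated sessions comes back in
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any destination-address any application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies default-policy deny-all

# Source NAT: LAN addresses are translated to whichever WAN interface is active
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule snat-rule match source-address 192.0.2.0/24
set security nat source rule-set trust-to-untrust rule snat-rule then source-nat interface
```

Placing both ge-0/0/7.0 and dl0.0 in the untrust zone keeps the same policy set and NAT rule in force after a failover to LTE.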

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Mini-PIM Modules Detected by Junos OS

Purpose

Verify the Mini-PIM modules detected by Junos OS.

Action

From operational mode:

user@host> show chassis hardware

Meaning

The output lists the Mini-PIM modules detected. The Mini-PIM slot number is reported as an FPC number, and the Mini-PIM number (always 0) is reported as the PIC number.

Verifying the Firmware Version of the Mini-PIMs

Purpose

Verify the firmware version of the Mini-PIMs.

Action

From operational mode:

user@host> show system firmware

Meaning

The output shows the firmware version of the Mini-PIM as 17.1.80.

Verifying the Traffic on the WAN Interface

Purpose

Verify that the traffic is passing through the expected queue on the WAN interface.

Action

From operational mode:

user@host> show interfaces ge-0/0/7 extensive

Meaning

The output shows that the best-effort, expedited-forwarding, assured-forwarding, and network-control traffic is passing through the expected queues 0, 1, 2, and 3, respectively, on the WAN interface.