Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configure Secure Local Branch Connectivity

Now that you've verified the LAN/WAN connectivity, you're ready to use the Junos CLI to deploy VLANs and related policies to secure LAN and WAN connectivity.

SRX platforms are all about security. It's what they do. Securing local and Internet connectivity in this modern age is critically important. We'll show you how to configure the SRX to meet your security needs.

Configure VLANs and Security Policies

Local Branch Connectivity Goals

Figure 1 details the local branch office connectivity goals used in these procedures.

Figure 1: Secure Local Branch Connectivity Secure Local Branch Connectivity

Here's how we'll achieve these goals:

  • Place employees in the Trust VLAN (vlan-trust)/trust zone. Allow them full Internet access and the ability to initiate specific connectivity to devices in the contractors zone.
  • The branch handles retail sales and provides free Wi-Fi to patrons. Place the guests VLAN in the guests zone and allow limited Internet access.
  • Contractors are working on a new web-based business application in the local branch. Place the contractors in the contractors VLAN/zone and don't allow them Internet access. Contractors can't initiate communications to either the trust or guests zones.

The following table summarizes the VLAN connectivity requirements:

Table 1: VLAN Connectivity Requirements
VLAN ID Name/Zone Subnet Internet Access? Security Policy
3 * vlan-trust/trust * * Full *
  • trust to untrust *
  • source NAT *
  • trust to local host, all services and protocols *
  • trust to contractors, HTTP/HTTPS and ping
20 guests HTTP and HTTPS only
  • guests to untrust, HTTP/ HTTPS, and ping
  • source NAT
  • guests to local host, DHCP and ping only
30 contractors No
  • contractors can't initiate to trust, guest, or untrust zones
  • contractors to local host, DHCP and ping only

The entries in the table marked with an "*" for vlan-trust are already in place through the factory-default configuration. We told you this would be easy! All that is needed for the factory-default trust zone is to add a security policy that permits the specified protocols from the trust zone to the contractors zone.

Permit Trust to Contractors Zone Traffic

To meet the stated connectivity goals, create a security policy to allow specific traffic (HTTP/HTTPS and ping) from the trust zone to the contractors zone. As a security appliance, the SRX has a default deny-all policy for inter-zone traffic. In the factory-default configuration, traffic is permitted from the trust to untrust zones only.


In this example, we keep it simple and match on any source or destination IP address. Here, we simply match on the source and destination zone for policy control. For better security, consider defining address book entries for the trust and contractors subnet, which are and prefixes in this branch office. With an address book entry, you can match on source-address trust and destination-address contractors.

Further, you can add host-specific address book entries to control the specific IP addresses that are allowed to communicate between zones. If you use a host-specific IP address in your policy, be sure you assign a static IP address to related hosts. If you recall, we use DHCP in this example. So, if a lease times out or a client machine reboots, the client machines will automatically be assigned a new IP address unless you've assigned static IP addresses to the related hosts.

Configure a Guests VLAN, Security Zone, and Security Policies

Let's get those guests up and running. After all, they have web shopping to do! At a high level, this task involves these key parts:

  • Define the guest VLAN and associate it with one or more LAN interfaces
  • Define the VLAN's integrated routing and bridging (IRB) interface
  • Configure a DHCP server to assign IP addresses to members of the VLAN
  • Define a security zone and policy in accordance with the connectivity needs for the VLAN
  1. Log in as root to the branch SRX device. You can use console or SSH access. Start the CLI, and enter configuration mode.
  2. Define the guests VLAN and associate it with an IRB interface. This IRB interface serves as the default gateway for the devices on the VLAN.
  3. Place the ge-0/0/1 interface into the guests VLAN. In the default configuration, this interface, like most, belongs to the trust VLAN. You begin by deleting the interface's current VLAN association so you can replace it with the updated guests VLAN.
  4. Configure the IRB interface for the guests VLAN. This step assigns an IP subnet to the VLAN. In this example, you match the VLAN ID to the IRB unit number to make things easier to remember. This association is for convenience only. You can use any unused unit number for this step.
  5. Configure the DHCP server for the guests VLAN. Note that the VLAN's IRB interface is configured as the DHCP server interface. This configuration assigns IP addresses from the specified range, and also assigns the client a default route and a public DNS server address. The default route points to the VLAN's IRB as the next hop for all non-local (inter-VLAN and LAN to WAN) traffic.
  6. Members of the guests VLAN are provided with Internet access. Because the local branch is using local-use only RFC-1918 IP addresses, Internet access requires that the SRX perform source NAT to the WAN interface IP address. Only globally-routable IP addresses can be used over the Internet. Here's how to define a source NAT policy for the guests VLAN:
  7. Almost done. Next, you create the guests security zone. As part of this process, you place the related VLAN's IRB into the new zone. Part of a zone's definition is to specify the protocols and services that are allowed to flow from that zone to the SRX device's control plane.

    For this example, you allow users in the guests VLAN to initiate DHCP and ping traffic to the local control plane. This allows the guest to request an IP address using DHCP, and to ping their VLAN's IRB for debugging purposes, while blocking all other services and protocols to the local host. As a result, users in the guest zone are blocked from initiating Telnet or SSH to the branch SRX. In contrast, users in the trust zone are allowed to initiate SSH connections to the SRX.

  8. The last step is to define the security policies for the guests VLAN. To keep the configuration statements shorter, we "park" ourselves at the [edit security policies] hierarchy. To limit Internet access, your policy provides support only for HTTP, HTTPS, DNS, and ping.

Quick Configurations

Guests VLAN Quick Configuration

Here's the complete configuration for defining the guests VLAN and its security policies in set format. To get up and running quickly, simply edit the configuration statements as needed for your environment and paste them into your SRX.

Contractors VLAN Quick Configuration

The contractors VLAN and related security zone is similar to that detailed above for the guests VLAN. We save some paper by jumping straight to the Quick Configuration for the contractors VLAN.


The lack of security policy definition for the contractors zone is significant. With out an explicit policy, the default deny all policy is in full effect for any inter-zone traffic initiated from this zone! The result is that all traffic that initiates in the contractors zone is blocked from entering all other zones.

Be sure to commit your configuration to activate the changes on the branch SRX.


The results of your secure VLAN configuration are displayed in Junos curly brace format. We've omitted the factory-default configuration from the below for brevity.

Next, we'll show you how to verify that your configuration is working as expected to secure local branch communications.