
Configure SD-WAN with Active/Standby Connection to the Internet on an SRX300 Services Gateway

Requirements

This example uses the following hardware and software components.

  • One SRX300 line device (SRX320, SRX340, SRX345, or SRX380)

  • One Wi-Fi MPIM for SRX300 series

  • One LTE MPIM for SRX300 series

  • One SIM card with subscription for data services

  • Junos OS 19.4R1

Overview

In this example, we set up a branch SRX320 device to provide wired and wireless Internet and Intranet access to the employees on-site, as well as wireless Internet access to guest devices. The primary Internet link is Ethernet; the backup link is the LTE network. The two links are configured in Active/Standby mode, so no traffic is routed through the LTE modem unless the primary link is down.

Topology

Figure 1: Example Topology

The topology of the example is shown in Figure 1. The LTE Mini-PIM is installed in slot 1 and the Wi-Fi Mini-PIM in slot 2. The SIM card is installed in SIM slot 1 of the LTE module. The primary link is connected to interface ge-0/0/0, which receives its IP address, network mask, default gateway, and DNS servers from the upstream device it is connected to. The modem interface is cl-1/0/0.

The PDP context is terminated on interface dl.0 and, as with ge-0/0/0, its IP address, network mask, and default gateway are assigned by the GGSN/PGW. Wi-Fi interface wl-2/0/0.200 serves the guest network, while interface wl-2/0/0.100 serves the corporate network. The security zones and the interfaces assigned to each zone are shown in Figure 2.

Figure 2: Security Zones

Four security zones are configured on the SRX300 device: Untrust, Trust, Corporate, and Guest. Placing interfaces in separate zones separates their traffic, limits the exposure of the corporate Intranet, and keeps the security policies simple and explicit. Zone Untrust holds the interfaces that face the Internet.

The internal interfaces of the corporate Intranet are in zone Trust. The organization's wireless devices roam in zone Corporate. Personal mobile devices, which are granted Internet access only, are in zone Guest.

Table 1 shows the desired behavior of the security policies for traffic between zones.

Table 1: Security Policies by Zone (rows: zone the session is initiated from; columns: destination zone)

From \ To    Untrust   Trust                     Corporate                  Guest
Untrust      No        Trust-initiated only      Corporate-initiated only   Guest-initiated only
Trust        Yes       Yes                       Corporate-initiated only   No
Corporate    Yes       Yes                       Yes                        No
Guest        Yes       No                        No                         No

The VLAN and IP address information for the interfaces is summarized in Table 2.

Table 2: Interfaces Configuration Details

Interface      VLAN   IP Address      Netmask
wl-2/0/0.100   100    172.16.100.1    255.255.255.0
wl-2/0/0.200   200    192.16.200.1    255.255.255.0
dl.0           3      DHCP            -
ge-0/0/0       3      DHCP            -
irb.0          3      192.168.1.1     255.255.255.0

Configuration and Validation

Configuration

Step-by-Step Procedure

The steps in this configuration logically build from the lower layers to the upper layers.

  1. Create a VLAN for the guest devices.

  2. Create a VLAN for the corporate devices.

  3. Create an access point.

  4. Set the country where the device is installed. Different countries have different 802.11 spectrum available for general use.

  5. Configure the 5GHz radio interface of the access point. Set its mode, the channel number it will operate on, and the bandwidth it will use. Also, set the transmit power for the 5GHz radio interface (in %).

  6. Create a virtual access point (VAP) for the 5GHz guest network. The Mini-PIM supports up to eight virtual access points per radio interface.

  7. Configure security for the VAP as wpa-personal. Set the cipher suite, key type, and preshared key.

  8. Configure the 2.4GHz radio interface of the access point. Set its mode, the channel number it will operate on, and the bandwidth it will use. Also, set the transmit power for the radio interface (in %).

  9. Configure the VAP on the 2.4GHz guest network.

  10. Configure security for the VAP as wpa-personal. Set the cipher suite, key type, and preshared key.

  11. Configure the VAP on the 5GHz corporate network.

  12. Configure security for the VAP as wpa-personal. Set the cipher suite, key type, and preshared key.

  13. Configure the VAP on the 2.4GHz corporate network.

  14. Configure security for the VAP as wpa-personal. Set the cipher suite, key type, and preshared key.

  15. Create the IP interface that will act as default gateway for devices in the guest VAPs (one VAP works on 5GHz and the other one on 2.4GHz).

  16. Create the IP interface that will act as the default gateway for devices in the corporate VAPs (one VAP works on 5GHz and the other one on 2.4GHz).

  17. Create a security zone for the guest devices and allow DHCP and any other required system services as host-inbound traffic. Ensure that the correct wl interface is added to the zone as well.

  18. Create a security zone for the corporate devices and allow DHCP and any other required system services as host-inbound traffic. Ensure that the correct wl interface is added to the zone as well.

  19. Create a unique DHCP server group for the guest VAPs (only one server group is needed for both of the guest VAPs).

  20. Create a unique DHCP server group for the corporate VAPs.

  21. Create a pool of IP addresses to be assigned to the devices, roaming in the guest VAPs. Set the lowest and the highest IP addresses to be assigned to devices from this pool, the DNS servers and the IP address of the default gateway for the pool.

  22. Create a pool of IP addresses to be assigned to the devices, roaming in the corporate VAPs. Set the lowest and the highest IP addresses to be assigned to devices from this pool, the DNS servers and the IP address of the default gateway for the pool.

  23. Create a source NAT rule that translates traffic from devices in the Guest zone to the address of the outgoing interface.

  24. Create a source NAT rule that translates traffic from devices in the Corporate zone to the address of the outgoing interface.

  25. Create a security policy that allows traffic from the Guest zone to the Untrust zone. Make sure that the desired network segments and/or applications are included in the policy.

  26. Create a security policy that allows traffic between the Corporate and Untrust zones. This step enables traffic that has NAT applied to flow between the zones.

  27. Create a security policy that allows traffic between the Corporate and Trust zones, and enables traffic that has NAT applied to flow between the zones.

  28. Set the description of the interface for the primary Internet link. Set the interface to obtain its configuration over DHCP. Make sure the LTE interface is set as the backup for the Internet link.

  29. Configure the modem interface. Ensure that the SIM slot that contains the SIM card is set to active.

  30. Configure the dialer interface.

  31. Configure the wireless interface to accept VLAN untagged packets.

  32. Set the access point name for the SIM in the modem.

  33. Commit the configuration.
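The following is an added example in Junos set syntax and is not configuration from the original page or from Juniper. It implements the policy matrix of Table 1 and steps 17 through 30 above: zones, policies, source NAT, DHCP server groups and pools, and the Active/Standby uplink. Zone names, interfaces, and subnets follow Figure 2 and Table 2; the policy, rule-set, group, and pool names, the DHCP ranges, the dial string, and the DNS server 192.0.2.53 are placeholders chosen for this example. The Wi-Fi access point, VAP, wl unit addressing, and modem profile (APN) statements of steps 1 through 16 and 31 through 32 are not shown.

```junos
# Added example (not from the original page). Placeholder names and values
# are marked in the lead-in; zone, interface and subnet values follow
# Figure 2 and Table 2.

# Zones (Figure 2). Host-inbound traffic is limited to what each zone needs
# from the SRX itself: the DHCP client on the primary uplink, the DHCP server
# towards the wired LAN and the two wireless segments.
set security zones security-zone Untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone Untrust interfaces dl0.0
set security zones security-zone Trust interfaces irb.0 host-inbound-traffic system-services dhcp
set security zones security-zone Corporate interfaces wl-2/0/0.100 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces wl-2/0/0.200 host-inbound-traffic system-services dhcp

# Policies implement Table 1. A cell marked "X-initiated only" needs no policy
# of its own: the permit policy from zone X creates a stateful session and the
# reply packets are matched to that session, so nothing can be initiated
# towards X from the other side.
set security policies from-zone Trust to-zone Untrust policy trust-to-internet match source-address any destination-address any application any
set security policies from-zone Trust to-zone Untrust policy trust-to-internet then permit
set security policies from-zone Trust to-zone Trust policy intra-trust match source-address any destination-address any application any
set security policies from-zone Trust to-zone Trust policy intra-trust then permit
set security policies from-zone Corporate to-zone Untrust policy corporate-to-internet match source-address any destination-address any application any
set security policies from-zone Corporate to-zone Untrust policy corporate-to-internet then permit
set security policies from-zone Corporate to-zone Trust policy corporate-to-trust match source-address any destination-address any application any
set security policies from-zone Corporate to-zone Trust policy corporate-to-trust then permit
set security policies from-zone Corporate to-zone Corporate policy intra-corporate match source-address any destination-address any application any
set security policies from-zone Corporate to-zone Corporate policy intra-corporate then permit
set security policies from-zone Guest to-zone Untrust policy guest-to-internet match source-address any destination-address any application any
set security policies from-zone Guest to-zone Untrust policy guest-to-internet then permit
set security policies from-zone Guest to-zone Untrust policy guest-to-internet then log session-init
# Every remaining cell of Table 1 is "No": make the implicit default explicit.
set security policies default-policy deny-all

# Source NAT (steps 23-24): translate to the address of the egress Untrust
# interface, so the same rule applies whether ge-0/0/0 or dl0.0 carries traffic.
set security nat source rule-set guest-snat from zone Guest
set security nat source rule-set guest-snat to zone Untrust
set security nat source rule-set guest-snat rule guest-out match source-address 192.16.200.0/24
set security nat source rule-set guest-snat rule guest-out then source-nat interface
set security nat source rule-set corporate-snat from zone Corporate
set security nat source rule-set corporate-snat to zone Untrust
set security nat source rule-set corporate-snat rule corporate-out match source-address 172.16.100.0/24
set security nat source rule-set corporate-snat rule corporate-out then source-nat interface

# DHCP server groups and pools (steps 19-22). The router attribute is the wl
# interface address from Table 2; the ranges (placeholders) exclude the gateway.
set system services dhcp-local-server group guest-vaps interface wl-2/0/0.200
set system services dhcp-local-server group corporate-vaps interface wl-2/0/0.100
set access address-assignment pool guest-pool family inet network 192.16.200.0/24
set access address-assignment pool guest-pool family inet range guest-range low 192.16.200.10
set access address-assignment pool guest-pool family inet range guest-range high 192.16.200.250
set access address-assignment pool guest-pool family inet dhcp-attributes router 192.16.200.1
set access address-assignment pool guest-pool family inet dhcp-attributes name-server 192.0.2.53
set access address-assignment pool corporate-pool family inet network 172.16.100.0/24
set access address-assignment pool corporate-pool family inet range corporate-range low 172.16.100.10
set access address-assignment pool corporate-pool family inet range corporate-range high 172.16.100.250
set access address-assignment pool corporate-pool family inet dhcp-attributes router 172.16.100.1
set access address-assignment pool corporate-pool family inet dhcp-attributes name-server 192.0.2.53

# Active/Standby uplink (steps 28-30). ge-0/0/0 is a DHCP client; dl0.0 is
# dialed only while ge-0/0/0 is down. SIM slot 1 holds the SIM card.
set interfaces ge-0/0/0 description "Primary Internet link"
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/0 unit 0 backup-options interface dl0.0
set interfaces cl-1/0/0 act-sim 1
set interfaces cl-1/0/0 dialer-options pool lte-pool
set interfaces dl0 unit 0 family inet negotiate-address
set interfaces dl0 unit 0 dialer-options pool lte-pool
set interfaces dl0 unit 0 dialer-options dial-string 1234
```

The one design point worth calling out is the absence of any policy from Untrust, from Trust to Corporate, or from Guest to anything but Untrust: those cells of Table 1 are enforced by the explicit deny-all default, while the "initiated only" cells are enforced by stateful session matching rather than by a second, reverse-direction permit. Logging session initiation on the guest policy gives the only record of guest activity on a segment that has no other visibility.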

Validation

Step-by-Step Procedure

  1. Ensure that the interfaces are up and running.

  2. Check the status of the access point and make sure that the status of the radio interfaces is ON and that the channels and bandwidths they operate on are as configured.

  3. Check the status of all VAPs. Make sure that the SSIDs and the security settings are as configured.

  4. Check the summary of the client associations on each radio of the access point. This command shows the number of associated users on each radio interface.

  5. Check the details of the client associations on each radio of the access point. The MAC addresses of the users are shown in the output, as well as traffic statistics.

  6. Check if the Mini-PIM modules are detected by Junos.

  7. Check the firmware version of the Mini-PIMs and update it if needed.

  8. Get a packet capture on a VAP for troubleshooting purposes.

    The file is saved in /var/tmp. You can download the file and open it with a packet trace application, such as Wireshark.
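The following is an added example, not part of the original page, of standard Junos operational commands that cover the validation steps above which do not depend on the Wi-Fi Mini-PIM. The access-point, VAP, client-association, and packet-capture commands of steps 2 through 5 and 8 are specific to that module and are not shown here.

```junos
# Added example (not from the original page): operational-mode checks.

# Step 1: physical links, the dialer unit and the wireless units are up.
show interfaces terse | match "ge-0/0/0|cl-1/0/0|dl0|wl-2/0/0|irb"

# Step 6: the Mini-PIMs are detected (listed under FPC 1 and FPC 2) and online.
show chassis hardware
show chassis fpc pic-status

# Step 7: firmware versions of the installed Mini-PIMs.
show system firmware

# Security state: interface-to-zone mapping (Figure 2) and policy order (Table 1).
show security zones
show security policies

# Active sessions: reply traffic into Trust and Corporate rides on these
# sessions rather than on any reverse-direction permit policy.
show security flow session

# Translation hits on the source NAT rules for the Guest and Corporate zones.
show security nat source rule all

# Leases handed out from the guest and corporate pools.
show dhcp server binding

# The active default route points at ge-0/0/0 while the primary link is up
# and moves to the dialer interface only after it goes down.
show route 0.0.0.0/0
```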