Verify Secured LAN Connectivity
Now that you've configured VLANs and security polices to secure local branch communications, let's quickly confirm that the branch VLAN connectivity works as expected. The validation process is similar to the one you used to validate default connectivity. The main difference is that now, these verification steps occur in the context of a specific VLAN/security zone. And, of course, given the VLAN changes you made, you no longer expect full connectivity between the LAN ports.
Verify LAN DHCP Servers
Verify that the SRX has assigned IP addresses to the LAN clients.
root@branch-srx> show dhcp server binding IP address Session Id Hardware address Expires State Interface 192.168.30.10 3543 08:81:f4:82:a4:5c 46482 BOUND irb.30 192.168.2.8 3538 08:81:f4:8a:eb:51 61414 BOUND irb.0 192.168.20.10 3542 20:4e:71:a6:a7:01 46622 BOUND irb.20 192.168.20.11 3544 d4:20:b0:00:c3:37 46621 BOUND irb.20
Notice that the devices have the same MAC addresses as before (see Branch SRX Default Connectivity), but now, they’re associated with different IP subnets and IRB units, based on their respective VLAN assignment. The display confirms at least one device is in the vlan-trust, the guests, and the contractors VLANs. This output confirms that your DHCP servers function properly within each VLAN.
Verify your VLAN configuration.
root@branch-srx> show vlans Routing instance VLAN name Tag Interfaces default-switch contractors 30 ge-0/0/3.0* default-switch default 1 default-switch guests 20 ge-0/0/1.0* default-switch vlan-trust 3 ge-0/0/2.0* ...
The output confirms that you have correctly configured the guests and contractors VLANs.
Verify the Guests VLAN
Verify that devices in the guests VLAN and zone can access the Internet. You confirm Internet access with a successful ping to www.juniper.net. Recall that your branch office design states guests are only allowed to send HTTP/HTTPS and ping traffic to the Internet.
user@guest-device> ping www.juniper.net inet count 2 PING e1824.dscb.akamaiedge.net (104.100.54.237): 56 data bytes 64 bytes from 104.100.54.237: icmp_seq=0 ttl=46 time=5.323 ms 64 bytes from 104.100.54.237: icmp_seq=1 ttl=46 time=6.204 ms --- e1824.dscb.akamaiedge.net ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/stddev = 5.323/5.764/6.204/0.441 ms
If your guests zone device supports a command line HTTP client, like CURL, use it to verify HTTP access to the Internet. You can always use a web browser if the device has a GUI interface to test web connectivity.
user@guest-device curl --head www.juniper.net HTTP/1.1 301 Moved Permanently Content-Type: text/html Location: https://www.juniper.net/ Content-Length: 0 Date: Mon, 18 Apr 2022 22:32:15 GMT Connection: keep-alive
We won't bother trying to find an Internet connected machine to confirm that all other services, that is, SSH, Telnet, FTP, and so on won't work. One option here is to temporarily remove the policy rule that allows ICMP from the guests to the untrust zone. Once the change takes effect the ping to www.juniper.net should time-out.
We'll finish validating the guests VLAN by confirming that guest devices are unable to ping the IRB interface in either the trust or contractors zones.
user@guest-device> ping 192.168.2.1 count 1 PING 192.168.2.1 (192.168.2.1): 56 data bytes --- 192.168.2.1 ping statistics --- 1 packets transmitted, 0 packets received, 100% packet loss user@guest-device ping 192.168.30.1 count 1 PING 192.168.30.1 (192.168.30.1): 56 data bytes --- 192.168.30.1 ping statistics --- 1 packets transmitted, 0 packets received, 100% packet loss
The pings to the IRB interfaces in the trust and contractors zones fail, as expected. Although not shown, pings initiated from guests to end stations in the trust or contractors zones also fail. Again, you need an explicit policy to permit traffic to flow between zones. For guest users, the only security policy in effect is to allow HTTP and ping traffic to the untrust zone.
Validate Employee VLAN
Verify that the employees in the trust zone can access the Internet.
user@employee-device> ping www.juniper.net inet count 2 PING e1824.dscb.akamaiedge.net (104.100.54.237): 56 data bytes 64 bytes from 104.100.54.237: icmp_seq=0 ttl=44 time=4.762 ms 64 bytes from 104.100.54.237: icmp_seq=1 ttl=44 time=5.075 ms --- e1824.dscb.akamaiedge.net ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/stddev = 4.762/4.918/5.075/0.157 ms
Verify that the employees can ping the contractors.
user@employee-device> ping 192.168.30.10 PING 192.168.30.10 (192.168.30.10): 56 data bytes --- 192.168.30.10 ping statistics --- 38 packets transmitted, 0 packets received, 100% packet loss
The output shows that the ping is not successful. See Debug Connectivity Issues for information about how to debug this issue.
Debug Connectivity Issues
Let's try to debug the issue of the employees being unable to ping the
contractors. We'll use traceoptions to debug the packet flow as the packets
traverse from the trust zone to the
contractors zone. At a minimum, the
traceoptions
configuration must include a target file and a
flag. The argument to the file
command specifies the file name
that stores the trace output. The argument(s) to the flag
command defines the type of events to be traced.
[edit] root@branch-srx# set security flow traceoptions file flow-debug root@branch-srx# set security flow traceoptions flag basic-datapath root@branch-srx# commit
With the tracing activated, generate pings from the trust zone
to the contractors zone. While the pings are failing, use the
show log <log_name>
CLI command
along with the find
switch to quickly locate areas of interest
in the trace log file.
root@branch-srx> show log flow-debug | find 192.168.30 Apr 20 03:22:36 03:22:36.712246:CID-0:RT:flow_ipv4_rt_lkup success 192.168.30.1, iifl 0x48, oifl 0x0 Apr 20 03:22:36 03:22:36.712246:CID-0:RT:flow_first_routing: setting out_vrf_id in lpak to 0, grp 0 Apr 20 03:22:36 03:22:36.712246:CID-0:RT:Changing out-ifp from .local..0 to irb.30 for dst: 192.168.30.1 in vr_id:0 Apr 20 03:22:36 03:22:36.712246:CID-0:RT: routed (x_dst_ip 192.168.30.1) from trust (irb.0 in 0) to irb.30, Next-hop: 192.168.30.1 Apr 20 03:22:36 03:22:36.712246:CID-0:RT:Policy lkup: vsys 0 zone(7:trust) -> zone(9:contractors) scope:0 src vrf (0) dsv vrf (0) scope:0 Apr 20 03:22:36 03:22:36.712246:CID-0:RT: 192.168.2.2/2048 -> 192.168.30.1/34912 proto 1 Apr 20 03:22:36 03:22:36.712246:CID-0:RT:Policy lkup: vsys 0 zone(5:global) -> zone(5:global) scope:0 src vrf (0) dsv vrf (0) scope:34912 Apr 20 03:22:36 03:22:36.712246:CID-0:RT: 192.168.2.2/2048 -> 192.168.30.1/34912 proto 1 Apr 20 03:22:36 03:22:36.712246:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone contractors (0x0,0x3d56010a,0x10a), result: 0xfa3c538, pending: 0? Apr 20 03:22:36 03:22:36.712246:CID-0:RT:flow_first_policy_search: dynapp_none_policy: TRUE, uc_none_policy: TRUE, is_final: 0x0, is_explicit: 0x0, policy_meta_data: 0x0 Apr 20 03:22:36 03:22:36.712246:CID-0:RT: app 0, timeout 60s, curr ageout 60s Apr 20 03:22:36 03:22:36.712246:CID-0:RT: packet dropped, denied by policy Apr 20 03:22:36 03:22:36.712246:CID-0:RT: denied by policy default-policy-logical-system-00(2), dropping pkt Apr 20 03:22:36 03:22:36.712246:CID-0:RT: packet dropped, policy deny. . . .
The highlighted entries confirm that the test traffic sent from the
trust zone to the contractors zone is
being dropped. The message says denied by policy
default-policy-logical-system
which indicates there isn't a policy
to allow this traffic.
You must have a policy to allow traffic to flow between zones. Add the below
configuration to configure a security policy that allows the desired traffic
types between the trust zone and the
contractors zone. The configuration is in Quick
Configuration set format, so you can simply paste it into the branch SRX at the
[edit]
hierarchy:
set security policies from-zone trust to-zone contractors policy trust-to-contractors match source-address any set security policies from-zone trust to-zone contractors policy trust-to-contractors match destination-address any set security policies from-zone trust to-zone contractors policy trust-to-contractors match application junos-http set security policies from-zone trust to-zone contractors policy trust-to-contractors match application junos-ping set security policies from-zone trust to-zone contractors policy trust-to-contractors then permit
Be sure to commit your changes. Now, the ping from the trust zone to the contractors zone should succeed. Now that your debugging is complete, remove the security flow traceoptions configuration .
[edit] root@branch-srx# delete security flow traceoptions root@branch-srx# commit
Contractors VLAN
Verify that the contractors cannot communicate with the clients in the trust or guests zones.
Only the ping to the IRB interface (irb.30) should succeed. Because the client IP addresses can change with updated DHCP assignments, we opt to test inter-zone connectivity by pinging the IRB interface for a given zone. In this example, the IP addresses assigned to the IRB interfaces are static and therefore won't change over time.
user@contractor-device> ping 192.168.30.1 count 2 PING 192.168.30.1 (192.168.30.1): 56 data bytes 64 bytes from 192.168.30.1: icmp_seq=0 ttl=64 time=0.929 ms 64 bytes from 192.168.30.1: icmp_seq=1 ttl=64 time=0.864 ms --- 192.168.30.1 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.829/0.866/0.929/0.036 ms
As expected, the ping from a contractor zone device to the IRB interface for the contractors zone succeeds. Now, you verify the lack of connectivity to the trust and guests zones. Refer to Secure Local Branch Connectivity for details on the addresses assigned to the IRB interfaces in this example.
user@contractor-device> ping 192.168.2.1 count 2 PING 192.168.2.1 (192.168.2.1): 56 data bytes --- 192.168.2.1 ping statistics --- 2 packets transmitted, 0 packets received, 100% packet loss
user@contractor-device> ping 192.168.20.1 count 2 PING 192.168.20.1 (192.168.20.1): 56 data bytes --- 192.168.20.1 ping statistics --- 2 packets transmitted, 0 packets received, 100% packet loss
The output shows that only the ping to 192.168.30.1 (assigned to irb.30) is successful. This confirms that contractors are unable to access the trust and guests zones.
Confirm that the contractors cannot access the Internet.
user@contractor-device> ping www.juniper.net inet count 1 ping: cannot resolve www.juniper.net: Host name lookup failure user@contractor-device> ping 8.8.8.8 count 1 PING 8.8.8.8 (8.8.8.8): 56 data bytes --- 8.8.8.8 ping statistics --- 1 packets transmitted, 0 packets received, 100% packet loss
Notice that the attempt to ping www.juniper.net returns a hostname lookup failure message. This branch office doesn't have a local DNS server and relies on a public DNS service that is reachable only over the Internet. The failure to resolve the host name is a good indication that contractors are correctly blocked from Internet access. As a final confirmation, ping the public DNS server by its IP address. Again, the ping fails as expected.
These results complete validation of the branch office's secure local connectivity. Good job! In the next step, we'll show you how to establish secure connectivity over the Internet.