Versions Compared

Old Version 13

changes.mady.by.user Jean-luc KRIKER

Saved on

compared with

New Version Current

changes.mady.by.user Jean-luc KRIKER

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


https://services.jlabs.juniper.net/kb?id=kb_article_view&sysparm_article=KB0010824&sys_kb_id=d73d510213f6c05034fbd7028144b0f2&spa=1

...

Pre -work ( on board 2 out of 3 vSRX )

My document:   Demo Procedure and serial number.txt
Enable console port on the vSRX  ( spoke and hub )

get the serial number the vSRX ( spoke and hub ) 

E-Hub : 8A9AEC392D29
Spoke-1: CD208CE65C4E
Spoke-2: D50C01BD6620

E-Hub :       B98660690BA7
Spoke-1:    C232DEDE45B4
Spoke-2:    A35151948B56

E-Hub : D318879C3874
Spoke-1: 7DC5A31FE5D5
Spoke-2: 9EFF58CEDC4E


Access thru the console port

default credential:   root / Juniper!1


Log into CSO to onboard the vSRX

1- Hub

2- the vSRX ( only one, to 

https://contrail-juniper.net/


Credential in the template:  ????


Device template

1- Hub

Log using the console port

get the serial number


1- clone the "Device Template":   CSOaaS vSRX E-HUB  >>> jlk_CSOaaS vSRX E-HUB

2- change the password to Juniper!1

2- Spoke

Log using the console port

get the serial number


1- clone the "Device Template":   CSOaaS vSRX CPE >>>  jlk_CSOaaS vSRX CPE

2- change the password to Juniper!1

On-boarding Enterprise Hub and Spoke

3- Onboarding Enterprise Hub

2b- Onboard vSRX onto CSOaaS
Signature Database

Administration > Signature Database

>>> Click on "Install on Device" and select all the device.

Src-NAT Policy @E-HUB

Because we don’t have local breakout + NAT enabled at the spoke,
in this demo, we will have to add a policy to allow NATing at the hub.
Configuration > NAT > NAT Policies

Name: ehubNATPolicy
Manage Auto-Proxy ARP: TRUE [DEFAULT]
Site Applied on: E-HUB

"Add Rule" to Src-NAT Policy Rules:
Configuration > NAT > NAT Policies > "Policy name" > "Add rule" > "Add Source NAT Rule" >Rule Name: ehubNATPolicy-rule1
Src: Any-IP4 AND trust Zone
Dst: Any-IPv4 AND Zone: untrust or untrust_WAN_0 AND Services: any
Translation: Interface
DELPOY ( the NAT policy define )
FireWall Policy:
1- site-to-site traffic and site-to-internet traffic flow
LAN Site to Internetname: site2internet_ALLOWED
Src: Department: Default
Select Action: Allow
Dst: Address Any
Advanced Security ( UTM or IPS ): none
>> SAVE

default department site x to def dept site Y

( or LAN Site to LAN Site )

name: site2site_ALLOWED
Src: Department: Default
Select Action: Allow
Dst: Department: Default
Advanced Security ( UTM or IPS ): none
>> SAVE
2- allow traffic from trust zone to the untrust zone




SD-WAN local breakout policy: