Demo instructions
https://services.jlabs.juniper.net/sys_attachment.do?sys_id=133d510213f6c05034fbd7028144b0f7
Pre -work ( on board 2 out of 3 vSRX ) | |
---|---|
My document: Demo Procedure and serial number.txt | |
Enable console port on the vSRX ( spoke and hub ) | |
get the serial number the vSRX ( spoke and hub ) E |
-Hub : 8A9AEC392D29 E-Hub : B98660690BA7 E-Hub : D318879C3874 | Access thru the console port default credential: root / Juniper!1 |
Log into CSO to onboard the vSRX 1- Hub 2- the vSRX ( only one, to | Credential in the template: ???? |
Device template | |
1- Hub |
Log using the console port get the serial number | 1- |
clone the "Device Template": CSOaaS vSRX E-HUB >>> jlk_CSOaaS vSRX E-HUB 2- change the password to Juniper!1 | |
2- Spoke Log using the console port get the serial number | 1- |
clone the "Device Template": CSOaaS vSRX CPE >>> jlk_CSOaaS vSRX CPE 2- change the password to Juniper!1 | |
On-boarding Enterprise Hub and Spoke | |
3- Onboarding Enterprise Hub | |
2b- Onboard vSRX onto CSOaaS | |
Signature Database | |
Administration > Signature Database >>> Click on "Install on Device" and select all the device. | |
Src-NAT Policy @E-HUB | |
Because we don’t have local breakout + NAT enabled at the spoke, in this demo, we will have to add a policy to allow NATing at the hub. | |
Configuration > NAT > NAT Policies | Name: ehubNATPolicy |
"Add Rule" to Src-NAT Policy Rules: | |
Configuration > NAT > NAT Policies > "Policy name" > "Add rule" > "Add Source NAT Rule" > | Rule Name: ehubNATPolicy-rule1 Src: Any-IP4 AND trust Zone Dst: Any-IPv4 AND Zone: untrust or untrust_WAN_0 AND Services: any Translation: Interface |
DELPOY ( the NAT policy define ) | |
FireWall Policy: | |
1- site-to-site traffic and site-to-internet traffic flow | |
LAN Site to Internet | name: site2internet_ALLOWED Src: Department: Default Select Action: Allow Dst: Address Any Advanced Security ( UTM or IPS ): none >> SAVE |
default department site x to def dept site Y ( or LAN Site to LAN Site ) | name: site2site_ALLOWED Src: Department: Default Select Action: Allow Dst: Department: Default Advanced Security ( UTM or IPS ): none >> SAVE |
2- allow traffic from trust zone to the untrust zone | |
SD-WAN local breakout policy: | |