
Juniper SRX: Initial Lab Setup

The Juniper SRX device is a Juniper security appliance with security, routing, and networking features. The security features include NGFW, IPS, UTM, and more. SRX stands for security, routing, and networking.

I started the setup of my 2 Juniper SRX 320 devices today and it did not start the way I thought it would. Let me tell you what happened.

What I got in the boxes

Here is what I got in the box:

  • the SRX320 firewall device
  • two console cables (DB9 to RJ-45 and USB to mini-USB)
  • and a quite big PSU

The box contains basically everything you need to get up and running.

Configuring the Juniper SRX320 Device

I am going to configure the device for my homelab and this is the initial configuration, so there will not be much in it: just the basics to start with, then I will change the configuration based on the lab I am working on. I will be posting a series of the labs I am doing on this blog.

Junos version

See what version of Junos came with the device:

show version
show system information

Factory configuration

To see the factory configuration, run:

show configuration

We can specify the topic after this command to see the configuration of the selected topic. For example show configuration security to see the security configuration of the SRX device.

We can even select a sub topic to see even filtered configuration. For example show configuration security policies to see security policies related configuration.

This is going to help us later to filter the configuration to see only the configuration we want to see.

Initial cleanup

After powering on the device, I started receiving the auto-image-upgrade log messages on the console. Clearing them with the command delete chassis auto-image-upgrade did not work: it required the root password to be set up first. After setting up the root password, the problem disappeared.

Root user password

Juniper devices come with the root user created without a password, so the first business of the day is to set up the root user password. Here is how we do it in the CLI.

set system root-authentication plain-text-password

Now the root user is set up. See the configuration with:

show configuration system root-authentication

Hostname, date, and timezone

For the initial setup, the device time is not going to be synchronized with an NTP server; that may be part of a future lab. The set date command takes the time in YYYYMMDDHHMM format. The date and time are set in operational mode, not in configuration mode.

set date 202512241105

To view the time and date, run:

show system uptime

Since we have two SRX devices, distinct hostnames will be helpful.

[edit]
set system host-name SRX1

set system time-zone America/Chicago

To view the configured timezone:

show configuration system time-zone

User accounts and permissions

Junos devices come with the root user account. I am going to need a non-root user for my labs.

To create a new user, run:

[edit]

set system login user sam full-name "Mamadou Sandwidi"

Let's add the new user to a login class. For now I am going to use a predefined login class. We will make our own later during lab time.

set system login user sam class super-user

then add the password for the new user with:

set system login user sam authentication plain-text-password

View the newly configured user with:

[edit]

show system login user sam 

Interfaces and VLANs

Let's see the available interfaces.

show interfaces terse | no-more

That is a lot. Let's only look at the gigabit interfaces, since they are the ones I will be working with the most.

show interfaces ge-* terse

Clear SRX device data

To wipe the device back to factory defaults (this erases the configuration and all stored data), run:

request system zeroize

Conclusion

From here I think we are all good for the first basic Juniper SRX labs. See you in a moment.

Networking: The OSI and TCP/IP Models

The OSI Model

OSI stands for Open Systems Interconnection. It is a standard and fundamental model for describing how network communication is processed in a network device. The model has 7 layers:

7. Application Layer
6. Presentation Layer
5. Session Layer
4. Transport Layer
3. Network Layer
2. Data Link Layer
1. Physical Layer

The layers are stacked on each other, with layer 1, the physical layer, at the bottom.

Layer 1: The Physical Layer

This layer refers to the cabling and connectors that allow the communication signals to reach the devices in the network.

Layer 2: The Data Link Layer

This layer enables communication within the same local area network. It is also called the switching layer. Here the network devices use MAC addresses to forward/send packets.

Layer 3: The Network Layer

This layer is also called the routing layer. In this layer, network devices use IP addresses to determine where to send network traffic.

Layer 4: The Transport Layer

This layer is responsible for providing the appropriate protocol for transporting data across the network. This is where we find the TCP and UDP protocols.

Layer 5: The Session Layer

The session layer helps manage the communication between network devices using protocols like NetBIOS, SOCKS, and NFS.

Layer 6: The Presentation Layer

The presentation layer formats the received data into a format humans can understand, for example png, mp4, and more.

Layer 7: The Application Layer

The application layer is the top layer in the OSI model. It provides an interface between the computer applications and the underlying network. We find HTTP, DNS, FTP, and others in this layer.

The TCP/IP Model

The TCP/IP model is derived from the OSI model, but it has four layers instead of 7:

Layer 1: The Network Access Layer

This layer combines the physical layer and the data link layer from the OSI model into a single layer.

Layer 2: The Internet Layer

The network layer from OSI model becomes the internet layer.

Layer 3: The Transport Layer

The transport layer stayed the same.

Layer 4: The Application Layer

The session, presentation, and application layers from the OSI model are combined to become the application layer in the TCP/IP model.
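To make the layering concrete, here is an added example (not code from the original post) that builds an Ethernet/IPv4/UDP frame with constructed sample addresses and then peels it apart one layer at a time, the way a receiving host does: MAC addresses at layer 2, IP addresses and the header checksum at layer 3, ports at layer 4, and the application payload on top. All addresses and the payload are made up for the demo.

```python
import struct

# Constructed sample addresses for the demo (not taken from the original post).
SRC_MAC, DST_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.20"
SRC_PORT, DST_PORT = 40000, 53
PAYLOAD = b"hello"


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_frame() -> bytes:
    """Encapsulate top-down: payload -> UDP (L4) -> IPv4 (L3) -> Ethernet (L2)."""
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", SRC_PORT, DST_PORT, 8 + len(PAYLOAD), 0) + PAYLOAD
    ip_fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,  # DF set, TTL 64, proto 17 = UDP
        bytes(int(o) for o in SRC_IP.split(".")),
        bytes(int(o) for o in DST_IP.split(".")),
    )
    # The header checksum is computed with the checksum field zeroed, then filled in.
    ip = ip_fields[:10] + struct.pack("!H", ipv4_checksum(ip_fields)) + ip_fields[12:]
    eth = mac_to_bytes(DST_MAC) + mac_to_bytes(SRC_MAC) + struct.pack("!H", 0x0800)  # 0x0800 = IPv4
    return eth + ip + udp


def parse_frame(frame: bytes) -> dict:
    """Decapsulate bottom-up, the way a receiving host walks the layers."""
    layers = {}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["L2"] = {"dst_mac": bytes_to_mac(frame[:6]), "src_mac": bytes_to_mac(frame[6:12]), "ethertype": ethertype}
    if ethertype != 0x0800:
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes
    # Summing a header that already contains its checksum must give zero.
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", ip[2:4])[0]
    layers["L3"] = {
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "ttl": ip[8],
        "proto": ip[9],
    }
    if ip[9] != 17:
        return layers
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    layers["L4"] = {"src_port": sport, "dst_port": dport}
    layers["L7"] = {"payload": udp[8:ulen]}
    return layers


if __name__ == "__main__":
    for name, fields in parse_frame(build_frame()).items():
        print(name, fields)
```

Run it and each printed line corresponds to one layer of the OSI stack; flip a single byte in the IP header and the layer-3 parser rejects the frame, which is the kind of per-layer integrity check that the upper layers never see.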

Linux: Troubleshooting Networking Issues

Firewall Issues

Misconfigured Firewall

Typo in firewall rule

A simple typo in a firewall rule can block traffic.

Use firewall-cmd --list-ports to see open ports

Remove bad rule with firewall-cmd --remove-port=<PORT>/PROTOCOL --permanent, re-issue the correct command, and reload the firewall with firewall-cmd --reload.

Incorrect Rule Ordering

This happens when a DROP or REJECT rule is placed above an ACCEPT rule, causing legitimate traffic to be blocked.

Forgetting to persist firewall changes across reboot

If a rule is added without --permanent, the rule disappears after reboot.
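Rule ordering problems are easy to miss by eye in a long chain. As an added example (not from the original post), the script below reads constructed lines in the format `iptables -S` prints and flags every ACCEPT rule that sits below a DROP or REJECT rule matching the same or a broader set of packets. The match comparison is deliberately rough: it only looks at -p, -s, -d, --dport and --sport, so treat a hit as something to inspect rather than a verdict.

```python
import re

# Constructed sample of `iptables -S INPUT` output (not from the original post).
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
""".splitlines()

# Match options we compare; anything else (-m, --ctstate, ...) is ignored by this rough check.
OPT_RE = re.compile(r"(?<!\S)(-A|-p|-s|-d|--dport|--sport|-j)\s+(\S+)")


def parse_rule(line: str) -> dict:
    opts = dict(OPT_RE.findall(line))
    return {"chain": opts.pop("-A"), "target": opts.pop("-j"), "matches": opts, "line": line}


def is_broader_or_equal(earlier: dict, later: dict) -> bool:
    """True if every match the earlier rule imposes, the later rule imposes with the same value:
    any packet that would reach the later rule is already caught by the earlier one."""
    return all(later["matches"].get(k) == v for k, v in earlier["matches"].items())


def find_shadowed_accepts(lines) -> list:
    """Return (blocking_rule, shadowed_accept_rule) pairs, per chain, in first-match order."""
    findings, seen = [], {}
    for line in lines:
        if not line.startswith("-A "):
            continue  # skip chain policies and blank lines
        rule = parse_rule(line)
        chain_rules = seen.setdefault(rule["chain"], [])
        if rule["target"] == "ACCEPT":
            for earlier in chain_rules:
                if earlier["target"] in ("DROP", "REJECT") and is_broader_or_equal(earlier, rule):
                    findings.append((earlier["line"], rule["line"]))
                    break
        chain_rules.append(rule)
    return findings


if __name__ == "__main__":
    for blocker, accept in find_shadowed_accepts(SAMPLE_RULES):
        print("shadowed:", accept)
        print("      by:", blocker)
```

On the sample, the 443 ACCEPT is dead because the identical DROP sits above it, and the UDP 53 ACCEPT is dead because the catch-all REJECT precedes it; the port 22 ACCEPT is fine. To run it against a live box, feed it the output of `iptables -S` instead of the constructed sample.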

Addressing Issues

DHCP issues

This issue occurs when servers or workstations fail to obtain an IP address automatically.

  • Is the DHCP service running at all?
  • Does the server have free IP addresses to allocate? Check the DHCP scope for exhaustion by reviewing the logs on the DHCP server.
  • Do I need to expand the pool?
  • Force the client to request an IP address again
  • Confirm connectivity
  • Update the network documentation to reflect the change

IP conflicts

IP conflicts occur when two devices claim the same address, leading to intermittent connectivity or "duplicate address" warnings in syslog.

  • Common signs are random disconnects, slow network performance, or ARP conflict messages.
  • Identify all devices using the conflicting IP by checking the DHCP lease files and DNS records
  • Assign a unique address to one of the devices
  • Update any static configurations
  • Clear the ARP cache to ensure no stale entries remain
  • Monitor the network to confirm the conflict is gone

Dual stack issues

This issue occurs when a server configured for both IPv4 and IPv6 fails to handle traffic properly.

  • A ping test may fail for either IPv4 or IPv6
  • Do the DNS records include both A and AAAA entries?
  • Adjust service configuration files to listen on both IPv4 and IPv6
  • Test connectivity over both protocols and ensure firewalls allow the appropriate traffic on each address family
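Both the scope-exhaustion check and the "which devices hold this address" check above come down to reading the DHCP lease file. As an added example (not from the original post), this parser reads a constructed excerpt in ISC dhcpd.leases format, keeps the latest record per IP (dhcpd appends, so the last entry wins), and reports pool utilization for a given dynamic range together with the leases dhcpd marked abandoned. Abandoned leases are the server's own record of an address that answered a ping or was declined by a client, which is the usual fingerprint of a conflict with a statically configured host. The range boundaries and every lease are made up for the demo.

```python
import ipaddress
import re

# Constructed excerpt in ISC dhcpd.leases format (not from the original post).
SAMPLE_LEASES = """\
lease 192.0.2.10 {
  starts 4 2025/01/02 10:00:00;
  ends 4 2025/01/02 22:00:00;
  binding state active;
  hardware ethernet 02:00:00:00:00:01;
}
lease 192.0.2.11 {
  binding state free;
  hardware ethernet 02:00:00:00:00:02;
}
lease 192.0.2.12 {
  binding state active;
  hardware ethernet 02:00:00:00:00:03;
}
lease 192.0.2.13 {
  binding state abandoned;
}
lease 192.0.2.14 {
  binding state active;
  hardware ethernet 02:00:00:00:00:04;
}
lease 192.0.2.10 {
  binding state active;
  hardware ethernet 02:00:00:00:00:05;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text: str) -> dict:
    """Map IP -> latest lease record; later entries for the same IP supersede earlier ones."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"binding state (\w+);", body)
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", body)
        leases[ip] = {
            "state": state.group(1) if state else "unknown",
            "mac": mac.group(1) if mac else None,
        }
    return leases


def scope_report(leases: dict, first: str, last: str) -> dict:
    """Utilization of one dynamic range [first, last] plus the abandoned addresses in it."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    size = hi - lo + 1
    in_range = {ip: r for ip, r in leases.items() if lo <= int(ipaddress.IPv4Address(ip)) <= hi}
    active = sorted(ip for ip, r in in_range.items() if r["state"] == "active")
    abandoned = sorted(ip for ip, r in in_range.items() if r["state"] == "abandoned")
    used = len(active) + len(abandoned)  # abandoned addresses are unusable until reclaimed
    return {
        "size": size,
        "active": active,
        "abandoned": abandoned,
        "free": size - used,
        "utilization_pct": round(100 * used / size, 1),
    }


if __name__ == "__main__":
    report = scope_report(parse_leases(SAMPLE_LEASES), "192.0.2.10", "192.0.2.14")
    print(report)
```

A utilization near 100% with free addresses at zero is the "expand the pool" case; a non-empty abandoned list points at the IP-conflict procedure instead. To use it on a real server, read /var/lib/dhcp/dhcpd.leases (path varies by distribution) and pass the range from the subnet declaration in dhcpd.conf.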

Routing Issues

DNS issues

ping my.server.com returns unknown host

  • Confirm the DNS server in /etc/resolv.conf
  • Make changes if necessary
  • Is the DNS server reachable?
  • Test DNS resolution

Wrong gateway

  • Why are the packets not leaving the local network?
  • Can devices in a different subnet communicate?
  • Can devices in the other subnet communicate with external resources?
  • Check the default route with ip route
  • Update the default route if necessary
  • Ping external resources to confirm connectivity

Server unreachable

When a server is unreachable, neither the hostname nor the IP address responds to ping.

  • Use ip link to check if the network interface is up and running.
  • Check switch port and VLAN settings
  • Is the firewall blocking ICMP or SSH?
  • Adjust port, VLAN, and firewall rule if necessary
  • Confirm connectivity using ping or SSH

Interface Misconfiguration

Subnet misconfiguration

This issue occurs when an interface is assigned to the wrong network or network mask. That prevents the server from communicating with other devices in the network.

  • Confirm address settings with ip addr
  • Edit the interface's configuration so the IP address and netmask align with the correct network segment
  • Apply changes with netplan apply or systemctl restart networking
  • Ping a known host on the subnet and confirm that traffic works as it should
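The wrong-gateway and subnet-misconfiguration cases share one root check: is the default gateway actually inside a subnet configured on the interface the route points at, and is the interface on the network you expect? As an added example (not from the original post), this script parses constructed `ip -o -4 addr show` and `ip route` output and reports both problems; the addresses and interface names are made up for the demo.

```python
import ipaddress
import re

# Constructed sample output of `ip -o -4 addr show` and `ip route` (not from the original post).
ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.10.25/24 brd 192.168.10.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""
BAD_ROUTES = """\
default via 192.168.20.1 dev eth0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.25
"""
GOOD_ROUTES = """\
default via 192.168.10.1 dev eth0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.25
"""

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+/\d+)", re.M)
DEFAULT_RE = re.compile(r"^default via (\S+) dev (\S+)", re.M)


def parse_interfaces(addr_output: str) -> dict:
    """dev -> list of IPv4 interface objects (address plus prefix length)."""
    ifaces = {}
    for dev, cidr in ADDR_RE.findall(addr_output):
        ifaces.setdefault(dev, []).append(ipaddress.ip_interface(cidr))
    return ifaces


def check_routing(addr_output: str, route_output: str, expected_subnet: str = None) -> list:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    ifaces = parse_interfaces(addr_output)
    defaults = DEFAULT_RE.findall(route_output)
    if not defaults:
        findings.append("no default route: traffic for other subnets has nowhere to go")
    for gw, dev in defaults:
        gw_ip = ipaddress.ip_address(gw)
        # A gateway outside every directly connected subnet on that interface can never be ARPed.
        if not any(gw_ip in i.network for i in ifaces.get(dev, [])):
            findings.append(f"gateway {gw} is not inside any subnet configured on {dev}")
    if expected_subnet:
        net = ipaddress.ip_network(expected_subnet)
        on_net = [i for dev, addrs in ifaces.items() if dev != "lo" for i in addrs if i.network == net]
        if not on_net:
            findings.append(f"no interface is configured in {net}; check the address and netmask")
    return findings


if __name__ == "__main__":
    print(check_routing(ADDR_OUTPUT, BAD_ROUTES, "192.168.10.0/24"))
    print(check_routing(ADDR_OUTPUT, GOOD_ROUTES, "192.168.10.0/24"))
```

The first call flags the gateway (192.168.20.1 is not in 192.168.10.0/24), the second is clean. Passing an expected subnet with a different mask than the one configured, for example /25 against a /24 interface, triggers the netmask finding, which is the subnet-misconfiguration case from the list above.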

MTU mismatch

This happens when one endpoint sends packets of a size the receiving interface cannot handle.

  • ping -M do -s 1500 <HOST> fails with "Frag needed and DF set" (-M do sets the DF bit, so the packet is rejected instead of being fragmented)
  • Check MTU on each interface with ip link show
  • Pick a consistent MTU value, which is often 1500 for standard networks, and update the interface configuration.
  • Retry transfer or ping test to see correct connectivity

Cannot ping server

This often indicates a deeper interface misconfiguration, such as disabled interface, missing address, or firewall blocking ICMP

  • Is the interface up with a valid ip address?
  • Bring up the interface with ip link set <INTERFACE> up and assign the correct IP address
  • Is the firewall blocking ICMP? Use sudo ufw status or iptables -L to ensure that ICMP is not blocked
  • Ping again to confirm connectivity

Interface bonding issues

Interface bonding combines two or more physical NICs into a single virtual interface to increase bandwidth and provide redundancy.

  • Is any interface in /proc/net/bonding/bond0 marked down even though it is plugged in?
  • Modes: Mode 0 (balance-rr), Mode 1 (active-backup), Mode 4 (802.3ad/LACP)
  • Is the bonding driver loaded?
  • Check the bonding configuration in either /etc/netplan...yaml on Ubuntu or /etc/sysconfig/network-scripts/ifcfg-bond0 on RHEL
  • Check the switch settings to confirm a matching, valid configuration
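/proc/net/bonding/bond0 answers most of the questions above in one file. As an added example (not from the original post), this parser reads a constructed copy of that file, extracts the bonding mode and the per-slave MII status, speed, duplex and link-failure count, and turns them into findings; the interface names and counters are made up for the demo.

```python
import re

# Constructed sample of /proc/net/bonding/bond0 (not from the original post).
SAMPLE_BOND = """\
Ethernet Channel Bonding Driver: v5.15.0

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer3+4 (1)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 02:00:00:00:00:01

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 7
Permanent HW addr: 02:00:00:00:00:02
"""


def _fields(block: str) -> dict:
    """'Key: value' lines of one section -> dict (only the first colon splits, so MACs survive)."""
    return {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in block.splitlines() if ":" in l)}


def parse_bond(text: str) -> dict:
    head, *slave_blocks = re.split(r"^Slave Interface:", text, flags=re.M)
    bond = _fields(head)
    slaves = []
    for block in slave_blocks:
        name, _, rest = block.partition("\n")
        f = _fields(rest)
        slaves.append({
            "name": name.strip(),
            "status": f.get("MII Status"),
            "speed": f.get("Speed"),
            "duplex": f.get("Duplex"),
            "failures": int(f.get("Link Failure Count", "0")),
        })
    return {"mode": bond.get("Bonding Mode"), "status": bond.get("MII Status"), "slaves": slaves}


def bond_findings(text: str) -> list:
    info = parse_bond(text)
    out = []
    if not info["slaves"]:
        out.append("no slaves attached: check the bonding driver and the interface configuration")
    for s in info["slaves"]:
        if s["status"] != "up":
            out.append(f"{s['name']} is {s['status']}: check cable, switch port and VLAN")
        if s["failures"]:
            out.append(f"{s['name']} has {s['failures']} link failures: flapping port or bad cable")
    if info["mode"] and "802.3ad" in info["mode"] and any(s["status"] != "up" for s in info["slaves"]):
        out.append("802.3ad mode: also confirm the switch ports are in one LACP group")
    return out


if __name__ == "__main__":
    for line in bond_findings(SAMPLE_BOND):
        print(line)
```

Replace the constructed text with `open("/proc/net/bonding/bond0").read()` to run it on a real bond. A slave that is down with a rising failure count while the cable is plugged in is the case the first bullet above describes.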

MAC spoofing issues

This issue occurs when two NICs present the same MAC address.

  • arping <IP ADDRESS> returns multiple MAC addresses
  • Does ip neigh show frequent MAC flapping?
  • Look for duplicate MAC addresses with ip link show
  • Correct the MAC settings
  • Restart the network service to apply the changes and confirm with ip neigh show
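"MAC flapping" in ip neigh is easiest to spot by comparing several snapshots of the table rather than staring at one. As an added example (not from the original post), the script below takes constructed `ip neigh show` snapshots captured a few seconds apart and reports every IP that was seen behind more than one MAC (two hosts claiming the address) and every MAC that answered for more than one IP (a router or hypervisor is a normal explanation, a cloned address is not). All addresses are made up for the demo.

```python
import re
from collections import defaultdict

# Constructed `ip neigh show` snapshots taken a few seconds apart (not from the original post).
SNAPSHOTS = [
    """\
192.168.10.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.10.40 dev eth0 lladdr 02:00:00:00:00:0a REACHABLE
192.168.10.41 dev eth0 lladdr 02:00:00:00:00:0b STALE
""",
    """\
192.168.10.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.10.40 dev eth0 lladdr 02:00:00:00:00:0c REACHABLE
192.168.10.41 dev eth0 lladdr 02:00:00:00:00:0b REACHABLE
192.168.10.42 dev eth0 lladdr 02:00:00:00:00:0b DELAY
""",
]

# Entries without lladdr (FAILED / INCOMPLETE) carry no MAC and are skipped by this pattern.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+)", re.M)


def neighbor_anomalies(snapshots) -> dict:
    """Aggregate MACs per (interface, IP) and IPs per MAC across all snapshots."""
    ip_macs, mac_ips = defaultdict(set), defaultdict(set)
    for snap in snapshots:
        for ip, dev, mac in NEIGH_RE.findall(snap):
            ip_macs[(dev, ip)].add(mac.lower())
            mac_ips[mac.lower()].add(ip)
    return {
        # One IP, several MACs: the address is flapping between two hosts.
        "flapping_ips": {f"{dev}/{ip}": sorted(macs) for (dev, ip), macs in ip_macs.items() if len(macs) > 1},
        # One MAC, several IPs: legitimate for a router; worth a look for an end host.
        "shared_macs": {mac: sorted(ips) for mac, ips in mac_ips.items() if len(ips) > 1},
    }


if __name__ == "__main__":
    print(neighbor_anomalies(SNAPSHOTS))
```

To use it live, collect the snapshots with `ip neigh show` in a loop (with `sleep` between runs) and pass the captured strings in; the longer the capture window, the more reliable the flapping report.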

Link issues

This issue occurs when devices are unable to communicate effectively due to a problem with the network interface: the interface is failing to establish or maintain a connection.

  • Maybe a faulty cable, or the port is disconnected?
  • Maybe the hardware is faulty: ip addr and ifconfig show the interface as down
  • Logs are found with dmesg and journalctl
  • Maybe the driver is bad
  • Maybe the interface is misconfigured
  • Maybe the interface is administratively down; use ip link show <INTERFACE> to confirm and bring it up if necessary
  • Restart networking with systemctl restart network

Autonegotiation issues

This involves problems in the automatic process where devices agree on the speed and duplex settings for their connection.

Common signs are poor performance, slow speeds, and connectivity dropouts.

  • Check link status with ethtool <INTERFACE>
  • Is autonegotiation enabled?
  • Maybe the hardware has issues; review system logs for related errors
  • Does the network driver have bugs and need to be updated?
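The ethtool check above is worth scripting when you have many hosts. As an added example (not from the original post), this parser reads constructed `ethtool <INTERFACE>` output and flags the classic negotiation failures: auto-negotiation off, half duplex, and a negotiated speed below the fastest mode the NIC advertises as supported. The sample output and interface name are made up for the demo.

```python
import re

# Constructed sample of `ethtool eth0` output (not from the original post).
SAMPLE_ETHTOOL = """\
Settings for eth0:
    Supported link modes:   10baseT/Half 10baseT/Full
                            100baseT/Half 100baseT/Full
                            1000baseT/Full
    Advertised auto-negotiation: No
    Speed: 100Mb/s
    Duplex: Half
    Auto-negotiation: off
    Link detected: yes
"""


def parse_ethtool(text: str) -> dict:
    def grab(key):
        m = re.search(rf"^\s*{re.escape(key)}:\s*(.+)$", text, re.M)
        return m.group(1).strip() if m else None

    speed = grab("Speed")  # "100Mb/s", or "Unknown!" when there is no link
    rates = [int(x) for x in re.findall(r"(\d+)base", text)]  # 10baseT, 100baseT, 1000baseT ...
    return {
        "speed_mbps": int(re.sub(r"\D", "", speed)) if speed and speed[0].isdigit() else None,
        "duplex": (grab("Duplex") or "").lower(),
        "autoneg": (grab("Auto-negotiation") or "").lower(),
        "link": (grab("Link detected") or "").lower(),
        "max_supported_mbps": max(rates) if rates else None,
    }


def autoneg_findings(text: str) -> list:
    p = parse_ethtool(text)
    out = []
    if p["link"] != "yes":
        out.append("no link detected: check cable and switch port first")
    if p["autoneg"] == "off":
        out.append("auto-negotiation is off: both ends must be forced to the same speed/duplex, or re-enable it")
    if p["duplex"] == "half":
        out.append("half duplex: classic sign of a duplex mismatch, expect late collisions and poor throughput")
    if p["speed_mbps"] and p["max_supported_mbps"] and p["speed_mbps"] < p["max_supported_mbps"]:
        out.append(f"link at {p['speed_mbps']} Mb/s although the NIC supports {p['max_supported_mbps']}: negotiation fell back or was forced low")
    return out


if __name__ == "__main__":
    for line in autoneg_findings(SAMPLE_ETHTOOL):
        print(line)
```

Feed it `subprocess.run(["ethtool", iface], capture_output=True, text=True).stdout` on a real host; a 1 Gb NIC sitting at 100 Mb/s half duplex with negotiation off, as in the sample, is the textbook mismatch the bullets above describe.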