APPLICATION NOTE
CONFIGURING THE CX111 FOR J SERIES AND BRANCH SRX SERIES DEVICES
How to Configure the CX111 as a Primary or Backup 3G WAN Connection Option for Junos OS-Based Platforms
Copyright © 2010, Juniper Networks, Inc.
Table of Contents
Introduction
Scope
Introduction

Because third-generation (3G) wireless networks are ubiquitous, they have become a common deployment option for both primary and backup connectivity.
Description and Deployment Scenario

The CX111 ships with a default configuration that should accommodate most deployment scenarios. The deployment model assumes that the CX111 is connected to a DHCP-enabled interface.

[Figure: deployment diagram; labels: 192.168.1.0/24, Trust Zone, SRX210, INTERNET, CX111, OFFICE]

ge-0/0/0.0 is connected to the Internet ge-0/0/1.
Power over Ethernet

When available, Power over Ethernet (PoE) can be used to power the CX111. In the event that the CX111 is connected through a switch or a gateway that does not support PoE, an external power supply can be used (provided with the basic install kit). When PoE is used, the device will require about 3.5 watts of power per modem connected, so plan your power budget accordingly.
The relevant sections of the default configuration are shown here, for completeness.

set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings ge-0/0/0.
Management Access

A VLAN-tagged logical interface can be used to provide access to the CX111’s management console. NAT can also be used to facilitate access from any device behind the gateway, eliminating the need for complex routing (as all traffic to the CX111’s management interface will be translated as if it originated from the management subnet).
source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
/* NAT rule used for management access to the CX111 */
set security nat source rule-set trust-to-management from zone trust
set security nat source rule-set trust-to-management to zone management
set security nat source rule-set trust-to-management rule nat-to-CX111 match source-address 0.0.0.
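An added example, not part of Juniper's application note: a short Python check that reads source NAT statements in the set syntax shown above and reports which rules translate any source address (0.0.0.0/0) into a given zone, which helps when reviewing who can reach the CX111 management interface. The sample configuration is constructed, and the 192.168.1.0/24 match on nat-to-CX111 is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the set-style syntax used above; the 192.168.1.0/24
# match on the management rule is an assumption, not the note's value.
SAMPLE_CONFIG = """\
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat source rule-set trust-to-management from zone trust
set security nat source rule-set trust-to-management to zone management
set security nat source rule-set trust-to-management rule nat-to-CX111 match source-address 192.168.1.0/24
set security nat source rule-set trust-to-management rule nat-to-CX111 then source-nat interface
"""

PREFIX = re.compile(r"^set security nat source rule-set (\S+) (.+)$")

def parse_source_nat(config):
    """Return {rule_set: {"from": zone, "to": zone, "rules": {rule: [prefixes]}}}."""
    rule_sets = defaultdict(lambda: {"from": None, "to": None, "rules": defaultdict(list)})
    for line in config.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not a source NAT statement
        name, rest = m.group(1), m.group(2).split()
        if rest[:2] == ["from", "zone"] and len(rest) == 3:
            rule_sets[name]["from"] = rest[2]
        elif rest[:2] == ["to", "zone"] and len(rest) == 3:
            rule_sets[name]["to"] = rest[2]
        elif rest[0] == "rule" and rest[2:4] == ["match", "source-address"] and len(rest) == 5:
            rule_sets[name]["rules"][rest[1]].append(ipaddress.ip_network(rest[4]))
    return rule_sets

def any_source_rules(config, to_zone):
    """List (rule_set, rule) pairs that translate every source address into to_zone."""
    hits = []
    for name, rs in parse_source_nat(config).items():
        for rule, prefixes in rs["rules"].items():
            if rs["to"] == to_zone and any(p.prefixlen == 0 for p in prefixes):
                hits.append((name, rule))
    return hits

if __name__ == "__main__":
    for zone in ("untrust", "management"):
        print(zone, any_source_rules(SAMPLE_CONFIG, zone))
```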
CX111 Used for Backup

In this example, the CX111 will only be used when the primary interface is down. This is shown mostly for illustrative purposes, as only a failure in the primary interface will trigger a failover. Also, this example can only be used with the CX111 operating in “always on” mode, as once connected, the DHCP requests from the SRX Series will keep the connection up.
interface
/* Security Zones */
set security zones security-zone traffic system-services ping
set security zones security-zone traffic system-services dhcp
set security zones security-zone
set security zones security-zone system-services dhcp
set security zones security-zone system-services ping
set security zones security-zone system-services ssh
untrust interfaces ge-0/0/0.0 host-inbounduntrust interfaces ge-0/0/1.
Although this example builds on the previous one, the full configuration is shown below to present a complete working scenario.

/* Enable the commit script. The commit script must be stored under /var/db/scripts/commit */
set system scripts commit allow-transients
set system scripts commit file rpm-monitor-config.xslt
/* Enable the event script.
set routing-options static route 0.0.0.0/0 next-hop 198.0.0.1
/* NAT configuration */
set security nat source
set security nat source
set security nat source 0.0.0.0/0
set security nat source address 0.0.0.
Traffic statistics can be found under the Status->Statistics page.

Figure 7: Modem statistics

When using the RPM monitor scripts, it is quite useful to look at the script logs. These logs record events such as probe failures, enabling/disabling of the backup interface, etc. Using the configuration shown in the last example, the logs can be viewed with the “show log rpm-monitor” command.
About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.