8 Copyright © 2011, Juniper Networks, Inc.
APPLICATION NOTE - Configuring and Deploying the AX411 Wireless Access Point
For completeness, security policies, Network Address Translation (NAT), and untrust interface configurations
required to allow traffic from the access points to the Internet are included in this configuration To avoid unnecessary
repetitions and unless explicitly noted, our next examples will omit these sections from the configuration.
#Enable PoE if you will be using that to power the AX411.
set poe interface all
#DHCP Server cong
set system services dhcp name-server 4.2.2.2
set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.2
set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254
set system services dhcp pool 192.168.2.0/24 router 192.168.2.1
#Interface and VLAN Conguration
#Note how interface-ranges can be used to simplify the conguration when a large
number of APs are used
set interfaces interface-range APs member ge-0/0/1
set interfaces interface-range APs member fe-0/0/2
set interfaces interface-range APs member fe-0/0/3
set interfaces interface-range APs unit 0 family ethernet-switching vlan members
default
set interfaces ge-0/0/0 unit 0 family inet address 198.0.0.1/24
# Untrust Static IP
set interfaces vlan unit 2 family inet address 192.168.2.1/24
set vlans default vlan-id 2
set vlans default l3-interface vlan.2
#Routing is trivial, there is only a default route pointing to the Internet
set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
#NAT all traic from the WiNet to untrust. Use the IP address of the egress
interface as the new source.
set security nat source rule-set Internet-Access from zone WiFiNet
set security nat source rule-set Internet-Access to zone untrust
set security nat source rule-set Internet-Access rule nat-all match source-
address 0.0.0.0/0
set security nat source rule-set Internet-Access rule nat-all then source-nat
interface
#Security Zones and policies conguration. Please note that the vlan.0 interface
MUST be assigned to a zone
set security zones security-zone untrust interfaces ge-0/0/0.0
#It is important to allow both DHCP and PING otherwise the SRX will not discover
the APs
set security zones security-zone WiNet interfaces vlan.2 host-inbound-traic
system-services dhcp
set security zones security-zone WiNet interfaces vlan.2 host-inbound-traic
system-services ping
set security policies from-zone WiNet to-zone untrust policy allow-internet-
access match source-address any
set security policies from-zone WiNet to-zone untrust policy allow-internet-
access match destination-address any
set security policies from-zone WiNet to-zone untrust policy allow-internet-
access match application any
set security policies from-zone WiNet to-zone untrust policy allow-internet-
access then permit
To Next Page
Loading...
Need help?
General
