CX111

I recently had the opportunity to test out a CX111.
It's a device that acts as an L2 bridge between a 3G/4G USB modem, connected to one of its 3 available USB ports, and a single Ethernet port.

http://www.juniper.net/au/en/products-services/routing/srx-series/cx111/

Specifically I tested it with a Telstra 4G Sierra Wireless AirCard 320U.
And the results were great!

My setup was as follows:
Telstra 4G USB ----CX111----SRX----laptop
The 4G USB stick was plugged into USB1 of the CX111.
On the SRX, the CX111 side was set to the untrust zone and the client side to the trust zone.

The only things I had to do on the CX111 to get it connected to the Telstra network were:
a) Upgrade the firmware from 1.7.2 to 2.2.2, which was easily done through the CX111 GUI.
b) Program the SIM PIN of the USB into the CX111.


That's it! After that the Telstra 4G USB stick successfully connected to the network. Too easy..

 

The CX111 has a 2-position switch on it. In the "O" position the CX111 assigns a locally set DHCP assignment downstream to its LAN-connected device. This is known as configuration mode, though it's still usable as a WAN device when set this way; it's just that you can manage it from its LAN side as well.

When the switch is set to the "I" position, it's in Pass-Through mode and the CX111's LAN-side device receives the ISP IP assignment.

The only gotcha is that the CX111 will not propagate the ISP DNS settings in its DHCP assignment to the SRX (or whatever is on its LAN interface), regardless of which way the switch is set. So you must hard set the DNS for the SRX trust zone DHCP pool within the SRX config.

Conclusion - a quick and easy way to bring 4G data services to a site as either a primary or backup WAN service.

Here are the relevant parts of the SRX config to get it going.

set system services dhcp pool 192.168.40.0/24 address-range low 192.168.40.40
set system services dhcp pool 192.168.40.0/24 address-range high 192.168.40.210
set system services dhcp pool 192.168.40.0/24 default-lease-time 86400
set system services dhcp pool 192.168.40.0/24 name-server 10.4.81.103
set system services dhcp pool 192.168.40.0/24 router 192.168.40.1

set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 2 family inet address 192.168.40.1/24

set security nat source rule-set trust_to_untrust from zone trust
set security nat source rule-set trust_to_untrust to zone untrust
set security nat source rule-set trust_to_untrust rule source_nat_trust match source-address 0.0.0.0/0
set security nat source rule-set trust_to_untrust rule source_nat_trust then source-nat interface

set security policies from-zone trust to-zone untrust policy p1 match source-address any
set security policies from-zone trust to-zone untrust policy p1 match destination-address any
set security policies from-zone trust to-zone untrust policy p1 match application any
set security policies from-zone trust to-zone untrust policy p1 then permit
set security policies from-zone trust to-zone untrust policy p1 then log session-init

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.2
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

set vlans vlan-trust vlan-id 2
set vlans vlan-trust l3-interface vlan.2
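
A check for the DNS gotcha above, as an added example that is not part of the original post or any Juniper tooling: it reads set-format config and flags DHCP pools with no hard-set name-server or with a router address the SRX does not own. The function name, the sample text and the 192.168.50.0/24 pool are constructed for illustration.

```python
import ipaddress

# Constructed sample: a few set commands from the post plus one made-up pool
# (192.168.50.0/24) that was left without a name-server.
SAMPLE_CONFIG = """\
set system services dhcp pool 192.168.40.0/24 address-range low 192.168.40.40
set system services dhcp pool 192.168.40.0/24 address-range high 192.168.40.210
set system services dhcp pool 192.168.40.0/24 name-server 10.4.81.103
set system services dhcp pool 192.168.40.0/24 router 192.168.40.1
set system services dhcp pool 192.168.50.0/24 router 192.168.50.1
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces vlan unit 2 family inet address 192.168.40.1/24
"""

POOL = ["set", "system", "services", "dhcp", "pool"]


def audit_dhcp_pools(config_text):
    """Return {pool_prefix: [issues]} for DHCP pools that will not work as-is."""
    pools = {}        # pool prefix -> {option: [values]}
    local_addrs = []  # addresses on the SRX's own interfaces
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:5] == POOL and len(tok) >= 8:
            pools.setdefault(tok[5], {}).setdefault(tok[6], []).append(tok[7])
        elif tok[:2] == ["set", "interfaces"] and tok[-2:-1] == ["address"]:
            local_addrs.append(ipaddress.ip_interface(tok[-1]).ip)

    findings = {}
    for prefix, opts in pools.items():
        net = ipaddress.ip_network(prefix)
        issues = []
        # The CX111 does not hand the ISP DNS servers on, so each pool needs its own.
        if not opts.get("name-server"):
            issues.append("no name-server")
        if not opts.get("router"):
            issues.append("no router")
        for gw in opts.get("router", []):
            gw_ip = ipaddress.ip_address(gw)
            if gw_ip not in net:
                issues.append(f"router {gw} outside pool")
            elif gw_ip not in local_addrs:
                # Assumption: the gateway is the SRX itself, as in the post.
                issues.append(f"router {gw} not on any SRX interface")
        if issues:
            findings[prefix] = issues
    return findings


if __name__ == "__main__":
    for pool, issues in audit_dhcp_pools(SAMPLE_CONFIG).items():
        print(pool, "->", "; ".join(issues))
```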

1 comment:

  1. Great Article.

    One quick question which you might be able to help me with.

    I have got my CX111 working in configuration mode with my SRX210. I have on my SRX210 3 vlans, vlan1 (trust) vlan.2 (data) with vlan.3900 (cx-management). I have everything working, my devices on the LAN side of the SRX210 on vlan1 can talk to the outside world no problems via vlan.2. However, the only issue I'm encountering is when trying to communicate to the CX111 via vlan.3900 from vlan.1. I have set up the CX111 as 192.168.0.1 (with the following command set services wireless-wan adapter CX111 ip-address 192.168.0.1) and my vlan 3900 has 192.168.0.2.
    When I try and run a show wireless-wan adapter CX111 I get an error "adapter no reachable/SNMP request timed out". When I run that same command while monitoring the traffic, I get an error reserve lookup for 192.168.0.1 failed.

    The issue is I can't check and/or configure the CX111 from the CX111.

    Any help would be greatly appreciated.

    Cheers, Jason
