Configuration for Juniper SRX Series

Overview

The Accelerated 6300-CX Cellular Extender provides a reliable, high-speed cellular connection that is compatible with existing wireline infrastructure. While its 4G LTE speeds are capable of operating as a primary WAN uplink, the 6300-CX can also be configured as a backup. This network redundancy solution delivers the ultimate flexibility to minimize expenses when it comes time for upgrading equipment to the latest wireless standards. 

Business continuity depends on the seamless integration of failover-connectivity solutions to prevent service interruptions. Now more than ever, contingency networks play a strategic role in sustaining business operations. Unplanned outages can cost companies significant time and money, frustrating employees and clients alike, which creates a negative perception that is difficult to overcome. 

Cellular data (4G LTE) bypasses wireline Internet service providers (ISPs) to facilitate the best redundancy possible.  Additionally, in some situations it may be a challenge to acquire access to wired circuits or an event may call for temporary online access. For these reasons Juniper and Accelerated Concepts have teamed up to offer comprehensive security and flexibility for small businesses, retail, government, remote sites, and branch offices. 

Combining next-generation firewall functionality with unified threat management (UTM) services, the Juniper SRX Series Services Gateways provides high-performance, cost-effective network security. It optimizes and fortifies networked environments thanks to a robust suite of administrative utilities  ranging from automated configuration to enhanced Web filtering  though this functionality hinges upon an active WAN connection. An SRX Series device paired with an Accelerated 6300-CX Cellular Extender will ensure your enterprise network remains secure and operational should its primary ISP go offline. Running a cellular backup via an Ethernet cable preserves the full security functionality of the SRX Gateway, which isn’t the case for USB-connected Aircards.

For additional information, please refer to Juniper’s SRX Series datasheet and the J-Web User Guide.

Interoperability Matrix

This section covers interoperability information of the hardware tested for this solution. It includes the firmware versions of both devices as well as the date of testing.    

Date JUNOS Release 6300-CX Firmware
05/2017 15.1X49-D5
 17.2.22

Caveats

The delivery of wireless services varies depending on the carrier and may lead to differences in the area of coverage, type of service (3G, 4G, LTE, etc.), availability of bandwidth, and IP address designation (Private or Public) among other factors. The interoperability test designed for this solution guide included LTE service, maximum coverage availability, and a public IP address assigned to each device.  

Using the 6300-CX as a secondary connection assumes that a primary WAN Ethernet cable is plugged into the 0/0 port on the Juniper device. Connect the 6300-CX’s backup Ethernet cable to port 0/2 and proceed to the configuration described herein. (Compatible with all SRX Series Services Gateways.)

Accelerated 6300-CX Cellular Extender Setup

Initial Setup

Affix both antennas to the router and insert an activated SIM card before deploying the device. Be sure to select a location with optimal signal strength. For detailed instruction, refer to the tables that follow. Subsequent sections will outline site selection, powering options, and other device functionality.

Step-by-Step Guidance: Initial Setup
  1. Insert the activated 2FF SIM card provided by your cellular network operator (putting the cut corner in first with metal contacts facing down). The card clicks into place when completely inserted.
  2. Attach the two included antennas; both should be installed for optimal operation. Do this by gripping the metal connector section with your thumb and forefinger, tightening until secure. Do not tighten the antenna by holding any part of the plastic antenna housing.
  3. To determine the optimal location for the 6300-CX, please see the “Site Survey” section.
  4. Refer to the section(s) for Remote or Direct Power Installations when ready to connect the 6300-CX to the permanent power supply unit.
  5. The 6300-CX uses DHCP with IP passthrough by default, which satisfies the setup requirements for most environments. If required, please use Accelerated View™ or the 6300-CX local GUI to configure the 6300-CX for router mode.

Site Survey

If you are unsure of the available cellular signal strength, or are choosing between several locations, please follow the instructions to identify the ideal installation site

Step-by-Step Guidance: Site Survey
  1. After following steps 1 and 2 in the “Initial Setup” section, connect the battery pack to temporarily power the Accelerated 6300-CX. The charge lasts two to four hours – it is not rechargeable and should be properly disposed of after use.
  2. Move the 6300-CX to different locations within your site to determine the best compromise between signal strength and installation constraints. Since cellular signal strength may fluctuate, it is important to wait at each location for 1 minute while observing the signal strength indicator on the front of the device. Minimum cellular signal strength for operation is 2 bars (3+ is preferred).
  3. After determining the optimal location, remove the battery pack and connect the main power supply unit or Ethernet cable connected to the PoE injector (per the power option outlined below).

Remote Power Installation – Powering Option #1

The included Power-over-Ethernet (PoE) injector allows the device to be positioned away from power outlets to simplify its installation needs. The adaptor consolidates the DC power and Ethernet connections so that both can be run to the 6300-CX via a single Ethernet cable. Distances of 300 ft have been tested on CAT6 and 250 ft on CAT5e. Note that cable conditions and the number of splices will impact actual distance.

Step-by-Step Guidance: Remote Power Installation
  1. Plug the 6300-CX’s power supply unit (PSU) into an AC  power outlet.
  2. Connect the end of the PSU into the DC input (4 pin  connector) of the PoE injector.
  3. Insert the male RJ45 connector of the PoE injector  cable into the SRX device.
  4. Connect an Ethernet cable from the RJ45 socket on the  PoE injector cable to the Ethernet port of the 6300-CX. (See diagram.)

Direct Power Installation – Powering Option #2

If you plan to collocate the 6300-CX with the MX device, you can directly power the 6300-CX without the PoE cable.

Step-by-Step Guidance: Direct Power Installation
  1. Use an Ethernet cable to connect the 6300-CX to the  security appliance using port Internet 1 (to use the cellular network as the  primary connection) or port Internet 2 (to configure a failover).
  2. Plug the 6300-CX power supply unit (PSU) into an AC  power outlet.
  3. Connect the PSU into the 4-pin power connector of the  6300-CX. (See diagram.)

Understanding the 6300-CX LEDs

Once power has been established, your device will initialize and attempt to connect to the network. Device initialization may take 30-60 seconds. Indicator lights on the Wireless Strength Indicator show you the cellular network signal strength. The Network Status Light on the front left of the 6300-CX displays connectivity information.

Please visit www.accelerated.com for additional information and troubleshooting tips.

Juniper Configuration with the Accelerated 6300-CX

DHCP Client Configuration

The 6300-CX’s cellular network access must be associated with a specific Ethernet port on the SRX Series security appliance before it can serve as a backup connection. Once assigned to an interface, additional options are available to further define the new DHCP Client’s characteristics (lease time, retransmission intervals, and other supplemental information). Since Juniper SRXs come preconfigured with the first two Ethernet ports assigned to WAN and LAN functionality (in that order), the third port (labeled 0/2) will be the first available interface for assignment in new deployments.

Access the J-Web admin portal at 192.168.1.1

Please refer to the Juniper knowledge article for an in-depth walkthrough of the DHCP Client screen.

Step-by-Step Guidance: DHCP Client Configuration
NOTE:Port0/0 is reserved for the default WAN and 0/1 is predefined as the default LAN, making 0/2 the first available interface for a failover WAN uplink. Be sure to type the full name, ge-0/0/2.0

  1. From the Configure tab of the admin portal, click on the Services menu option, select DHCP, and navigate to the DHCP Client page.
  2. Click the Add button.
  3. Specify which Ethernet Interface (port) will be assigned the cellular WAN connection.
  4. Enter any other relevant information, clicking Ok to create the DHCP client.
  5. Click the Apply button to finalize any changes.

Zones/Screens Settings

SRX Series Services Gateways leverage security zones to streamline the coordination of services and protocols associated with Ethernet traffic. The two default zones, “Internal” and “Internet,” are respectively used to delineate between LAN and WAN connections. Zone “junos-host” provides a dedicated means of managing self-traffic, both host-inbound and host-outbound. (Please refer to the Juniper knowledge article, Understanding Security Policies for Self Traffic, for more information regarding the junos-host zone.

Edit the Internet zone to establish the mechanisms required for WAN failover, allowing the SRX to retain an active Internet connection in light of a service interruption to its primary uplink. After configuring an interface for DHCP Clients, per the guidance on the previous page of this document, it becomes available for selection. Once assigned to the proper zone, the interface can be granted permission to JunOS’ predefined services and protocols.

The SRX device is ready for failover once the new interface has been set to recognize the CX’s cellular connection and it is subsequently assigned to the Internet zone with the required services enabled.

Please refer to the Juniper knowledge article for an in-depth walkthrough of the Zones/Screens menu.

Step-by-Step Guidance: Zones/Screens Settings
  1. From the Configure tab of the admin portal, click on the Security menu option and navigate to Zones/Screens.
  2. Select the Internet zone and click Edit.
  3. The Main tab contains a column of Available interfaces. Use the > arrow to move the cellular interface to the Selected column.
  4. Navigate to the Host Inbound Traffic – Interface tab and select the cellular interface.
  5. Move dhcp and ping from the Available Services column to Selected. Enable other protocols or services as needed.
  6. Click Ok to complete the configuration.
  7. From the horizontal menu bar at the top of the screen, select Commit from the corresponding pull-down to apply any changes.

Interface Monitoring

J-Web provides real-time monitoring of traffic as it flows through SRX Series Services Gateways. After completing the Accelerated 6300-CX configuration to establish backup connectivity, JunOS can confirm that the failover and failback mechanisms are functioning as intended.

To do so, monitor the port on the SRX device that is assigned for backup connectivity. After triggering a failover condition (disabling the primary Internet connection), traffic will switch over to the secondary interface. This activity registers as input and output viewable in the Interface Statistics table.

For an in-depth walkthrough of how to monitor with J-Web, please refer to chapter 4 of this Juniper knowledge article.

Step-by-Step Guidance: Interface Monitoring
  1. Navigate to the Dashboard tab of the J-Web admin portal.
  2. The Overview section contains a diagram of the SRX device, including green lights to indicate active Ethernet interfaces. Right click the desired interface and select Monitor Port.
  3. Refer to the Interface Statistics to confirm connectivity.