SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Creating a simple trunk interface

    Posted 09-21-2018 00:21

    Hello

    This is my first time trying to create a trunk interface on an SRX router. I did some googling and came up with a config, but I think something is still missing, since I can't ping the interface even from the router itself.

    Config:

    security {
        policies {
            from-zone Vlan_203 to-zone X {
                policy Default {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone X to-zone Vlan_203 {
                policy Default {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Test {
                interfaces {
                    xe-2/2/2.0 {
                        host-inbound-traffic {
                            system-services {
                                any-service;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone Vlan_203 {
                interfaces {
                    vlan.203 {
                        host-inbound-traffic {
                            system-services {
                                any-service;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }

    interfaces {
        xe-2/2/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members Vlan_203;
                    }
                }
            }
        }
        vlan {
            unit 203 {
                family inet {
                    address 192.168.3.1/24;
                }
            }
        }
    }

    vlans {
        Vlan_203 {
            vlan-id 203;
            l3-interface irb.203;
        }
    }

     

    root@SRX> show vlans

    Routing instance        VLAN name             Tag          Interfaces
    default-switch          Vlan_203              203
                                                               xe-2/2/2.0*
    default-switch          default               1


    root@SRX> show interface terse
     vlan 203 is not listed in there


    pinging 192.168.3.1 from router = no route to host


    version: Model: srx5400, Junos: 17.3R2.10



  • 2.  RE: Creating a simple trunk interface

    Posted 09-21-2018 00:46

    Hi,

    You defined the l3-interface as irb.203 in the vlan config but forgot to define the irb interface. Create the irb interface and delete the vlan interface.

    set interfaces irb unit 203 family inet address 192.168.3.1/24
    delete interfaces vlan

     



  • 3.  RE: Creating a simple trunk interface
    Best Answer

    Posted 09-21-2018 00:48

    Your problem is that SRX4100 and higher platforms don't support ethernet-switching.

    You should create a physical interface with vlan-tagged logical interfaces instead and refer to these in your security zones.

    Example with vlan-tagged interface and security zone mapping:

    user@fw> show configuration interfaces ge-0/0/2
    vlan-tagging;
    unit 10 {
        vlan-id 10;
        family inet {
            address 10.0.1.1/30;
        }
    }
    unit 20 {
        vlan-id 20;
        family inet {
            address 10.0.2.1/30;
        }
    }
    
    user@fw> show configuration security zones
    security-zone test1 {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/2.10;
            ge-0/0/2.20;
        }
    }
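
Added example, not part of the thread: the approach from the answer above applied to the interface, VLAN ID and address from the original post, written as configuration-mode `set`/`delete` commands. It assumes the zone name `Vlan_203` is kept so the existing policies still match, and it narrows `host-inbound-traffic` to ping only, which is an assumption made here rather than something either poster configured.

```junos
# Remove the ethernet-switching pieces from the original post
# (unit 0 trunk, the "vlan" L3 interface and the vlans stanza).
delete interfaces xe-2/2/2 unit 0
delete interfaces vlan
delete vlans Vlan_203

# Routed, VLAN-tagged logical unit for VLAN 203 on the physical port.
set interfaces xe-2/2/2 vlan-tagging
set interfaces xe-2/2/2 unit 203 vlan-id 203
set interfaces xe-2/2/2 unit 203 family inet address 192.168.3.1/24

# Re-point the zones at the new logical interface.
delete security zones security-zone Test interfaces xe-2/2/2.0
delete security zones security-zone Vlan_203 interfaces vlan.203

# Assumption: allow only ping to the firewall itself on this interface,
# instead of any-service / protocols all as in the posted configs.
set security zones security-zone Vlan_203 interfaces xe-2/2/2.203 host-inbound-traffic system-services ping

# After "commit check" and "commit", verify from operational mode:
#   show interfaces terse xe-2/2/2
#   ping 192.168.3.1
```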
    
    


  • 4.  RE: Creating a simple trunk interface

    Posted 09-21-2018 02:06

    Thanks for the info, works like a charm and cleaner code also. 🙂

     

    Interesting that I didn't find such an example on Google...