SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX - Want to configure L3 dot1q trunk port + access ports into trunked vlans.

    Posted 06-02-2018 01:20

    My current setup has an SRX with a link into an aggregation switch via a single trunk port. I would like to configure and use the other interfaces on the SRX as layer2 access ports that can be in the same vlan(s) as the ones on the trunk.

     
     
    jr1.iwc.ig24# show interfaces 
    ge-0/0/0 {
        vlan-tagging;
        unit 42 {
            vlan-id 42;
            family inet {
                address 192.168.0.1/24;
            }
        }
        unit 191 {
            vlan-id 191;
            family inet {
                address x.y.z.33/28;
            }
        }
        unit 376 {
            encapsulation ppp-over-ether;
            vlan-id 376;
        }
        unit 2000 {
            vlan-id 2000;
            family inet;
        }
    }
     
     
    I've configured fe-0/0/0/6 as what I would think an access port on a specific vlan would look like:
     
     
    fe-0/0/6 {
        description "WIFI WAN - VLAN191";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members dot191;
                }
            }
        }
    }
     
     
    VLANS:
     
    jr1.iwc.ig24# show vlans
    dot191 {
        vlan-id 191;
    }
    dot376 {
        description DSL_TESTING;
        vlan-id 376;
    }
    dot42 {
        vlan-id 42;
    }
    
     
    I've set what I think the correct zones should be:
     
     
    jr1.iwc.ig24# show security zones 
    security-zone LAN_TRUST {
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
                http;
            }
        }
        interfaces {
            ge-0/0/0.42;
        }
    }
    security-zone WAN_UNTRUST {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            pp0.0;
        }                                   
    }
    security-zone WAN_DMZ {
        host-inbound-traffic {
            system-services {
                ping;
                traceroute;
            }
        }
        interfaces {
            ge-0/0/0.191;
            fe-0/0/6.0;
        }
    }
    
     
    Further troubleshooting:
     
    When I configured l3-interface references from vlans, to vlan.X interface, my DSL worked but the vlan.42 & vlan.191 didn't come up.
     
     
    interfaces {
        ge-0/0/0 {
            vlan-tagging;
            unit 42 {
                vlan-id 42;
            }
            unit 191 {
                vlan-id 191;
            }
            unit 376 {
                encapsulation ppp-over-ether;
                vlan-id 376;
            }
        }
        vlan {
            unit 42 {
                family inet {
                    address 192.168.42.33/27;
                }
            }
            unit 191 {
                family inet {
                    address 209.112.191.33/28;
                }
            }
        }
    }
     
    vlans {
        dot191 {
            vlan-id 191;
            l3-interface vlan.191;
        }
        dot376 {
            description DSL_TESTING;
            vlan-id 376;
        }
        dot42 {
            vlan-id 42;
            l3-interface vlan.42;
        }
    }
     
     
     
    # show interface terse | match vlan
     
    vlan.42                 up    down inet     192.168.0.1/24
    vlan.191                up    down inet     x.y.z.33/28
     
    Everything works well as long as it's plugged into an aggregation switch, but I would like to also utilize the ports on the SRX.
    In short "How can I get ge-0/0/0.191 & fe-0/0/6.0 into the same broadcast domain?"
    Thanks.
     
    -Sean


  • 2.  RE: SRX - Want to configure L3 dot1q trunk port + access ports into trunked vlans.
    Best Answer

    Posted 06-02-2018 06:17

    Generally, for vlan.x interfaces to come up, a physical interface in the same vlan needs to be up as well.

    In your config, assign the physical interfaces to the vlan, or use the member function on the sub interface instead of manually assigning the vlan-id.

     



  • 3.  RE: SRX - Want to configure L3 dot1q trunk port + access ports into trunked vlans.

    Posted 06-02-2018 17:39

    Thanks, that worked. I had to move my underlying pppoe to an actual interface vs. a logical interface, but in the end it worked.

     

    -Sean
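
The arrangement described in the replies above, written out as an added example (not configuration posted by either participant). It assumes the legacy, non-ELS branch SRX switching syntax used in the thread; the trunk description is constructed, and the PPPoE interface the poster moved to is not shown because the thread does not name it.

```junos
# Added illustration: ge-0/0/0 becomes a switching trunk instead of a
# vlan-tagging port with routed units, so vlan.42 and vlan.191 have a
# physical member in their VLAN and can come up.
interfaces {
    ge-0/0/0 {
        description "Trunk to aggregation switch";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ dot42 dot191 ];
                }
            }
        }
    }
    fe-0/0/6 {
        description "WIFI WAN - VLAN191";
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members dot191;
                }
            }
        }
    }
    vlan {
        unit 42 { family inet { address 192.168.0.1/24; } }
        unit 191 { family inet { address x.y.z.33/28; } }
    }
}
vlans {
    dot42 { vlan-id 42; l3-interface vlan.42; }
    dot191 { vlan-id 191; l3-interface vlan.191; }
}
# Zones bind to the routed vlan.X interfaces, replacing ge-0/0/0.42 and
# ge-0/0/0.191, which no longer exist. host-inbound-traffic stanzas are
# omitted here and stay as in the original post.
security {
    zones {
        security-zone LAN_TRUST { interfaces { vlan.42; } }
        security-zone WAN_DMZ { interfaces { vlan.191; } }
    }
}
```

Traffic between fe-0/0/6 and the trunk inside VLAN 191 is bridged at layer 2 and does not pass through security policy; policy applies only to traffic routed through vlan.191 into another zone.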