SRX


Ethernet-switch removal on SRX300

  • 1.  Ethernet-switch removal on SRX300

     
    Posted 07-20-2018 09:15

    I am having a problem trying to remove a single port on an SRX300 from the default "ethernet-switching" mode.

     

    Is this possible or is it a global configuration that cannot be changed per single interface?

     

    Basically, we have an end CPE device that cannot be placed into a VLAN. 

     

    From the Core I can create a VLAN to an ethernet-switched port on the SRX300 and can connect to it. No problem. But the other side we have a CPE that cannot be assigned a VLAN so therefore the port it connects to needs to have an IP address assigned directly to unit 0 on the interface.

     

    I am not sure if this is possible?

     



  • 2.  RE: Ethernet-switch removal on SRX300
    Best Answer

     
    Posted 07-21-2018 07:22

    I am not sure I follow you but it looks like you want to have both layer 3 and layer 2 interfaces on the same SRX and that is supported.  In fact that is the default branch configuration where ge-0/0/0 is a layer 3 dhcp client interface and the remaining interfaces are joined into a layer 2 bridge with a virtual layer 3 interface for the internal network.

     

    I assume you are having conflicts maybe removing an existing interface from the layer 2 domain so that it can be configured with family inet and the ip address you want untagged facing the cpe?

     

    Generally you want to remove the desired interface from the assigned vlan, either on the interface or under the vlans hierarchy.  Then configure the desired ip address under family inet for the same.

     

    What commit check error are you getting?

    What is the interfaces and vlans configuration on the SRX?

     



  • 3.  RE: Ethernet-switch removal on SRX300

     
    Posted 07-23-2018 01:01

    Hi Spuluka,

     

    Thanks for that. As usual with me, impatience 🙂

     

    The interfaces are set to family ethernet-switching.... just remove that and it drops it out of the layer 2 bridge....

     

    Thanks

     

     



  • 4.  RE: Ethernet-switch removal on SRX300

     
    Posted 07-23-2018 05:50

    Hi Spuluka / everyone,

     

    Here is the issue I now have:

     

    This is all on the same physical SRX300:

     

    CPE 192.168.20.2/30 --> SRX300-ge-0/0/4.0 - 192.168.20.1/30 --> SRX300 irb.10 - 10.10.10.1/30 --> Core 10.10.10.2/30

     

    So, here is what can be achieved successfully:

     

    ping from SRX300, source ge-0/0/4, to Internet 8.8.8.8 - Successful

    ping from CPE to 8.8.8.8 - unsuccessful

    ping from SRX300, source irb.10 to CPE - unsuccessful

    ping from srx300 direct to CPE - successful

     

    Given that I can ping the internet from source port on the same network as the CPE but cannot ping the internet from the CPE, maybe the following is happening (but I am asking to confirm):

     

    Interface irb.10 is a VLAN, albeit with an interface address. So, as the packets are being tagged on their way out, I'm going to say a layer 2 VLAN (I have proved the tagging with a monitor traffic interface command).

     

    As I cannot ping the internet from the CPE I am wondering if the following occurs:

     

    I ping from the actual SRX, with a source of ge-0/0/4, to 8.8.8.8 and it works. From the CPE connected to this port it does not work (but I can ping the ge-0/0/4 interface). This leads me to believe (maybe) that when I ping directly from the SRX the system already knows that the packet needs to be tagged and so therefore will send it across the VLAN. When a packet from the CPE enters the ge-0/0/4 interface, it is at Layer 3 and therefore the packet will not get tagged with any VLAN information. Has anyone seen this before and if so, how did they get around it?

     

     



  • 5.  RE: Ethernet-switch removal on SRX300

     
    Posted 07-24-2018 02:53

    The other major difference is that a ping from a connected device like the CPE is transit traffic subject to SRX security policy, while a ping from the SRX is self traffic that is permitted by default.

     

    When running the CPE ping look for sessions on the SRX to confirm the traffic is permitted and what policy is applied.

    show security flow session source-prefix 192.168.20.2

    If there are no sessions then you need to modify or create policy to allow the traffic based on the zones assigned to the ingress and egress zones.
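The check described in this reply, as an added example (not part of the thread and not a Juniper tool): a small parser for the text output of `show security flow session source-prefix ...` that separates the two failure modes the reply distinguishes. The sample output below is constructed in the shape of that command's output (Session ID / Policy name / In / Out lines) and is not captured from the poster's device; the addresses and policy names are taken from the thread's topology and the names `parse_sessions` and `diagnose` are this example's own.

```python
"""Classify SRX flow-session output for one source address.

Added example. SAMPLE_OUTPUT is constructed to mirror the layout of
`show security flow session` text output; it is not real device output.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: CPE 192.168.20.2 pinging 8.8.8.8 (no reply seen) and
# the core 10.10.10.2 (reply seen). Both are permitted by policy.
SAMPLE_OUTPUT = """\
Session ID: 4102, Policy name: trust-to-trust/4, Timeout: 2, Valid
  In: 192.168.20.2/9 --> 8.8.8.8/9;icmp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/9 --> 192.168.20.2/9;icmp, Conn Tag: 0x0, If: irb.10, Pkts: 0, Bytes: 0,
Session ID: 4103, Policy name: trust-to-trust/4, Timeout: 2, Valid
  In: 192.168.20.2/10 --> 10.10.10.2/10;icmp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 1, Bytes: 84,
  Out: 10.10.10.2/10 --> 192.168.20.2/10;icmp, Conn Tag: 0x0, If: irb.10, Pkts: 1, Bytes: 84,
Total sessions: 2
"""

# Constructed sample for the "policy blocks it" case: nothing was created.
EMPTY_OUTPUT = "Total sessions: 0\n"

HEADER_RE = re.compile(
    r"Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)")
FLOW_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[^/\s]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[^/\s]+)/(?P<dport>\d+);(?P<proto>\w+),.*?"
    r"If: (?P<ifname>[^,]+),.*?Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)")


@dataclass
class Wing:
    src: str
    dst: str
    proto: str
    ifname: str
    pkts: int


@dataclass
class Session:
    sid: int
    policy: str                     # policy name without the trailing /index
    wings: dict = field(default_factory=dict)   # "In" / "Out" -> Wing


def parse_sessions(text):
    """Parse the session header and its In/Out wings into Session objects."""
    sessions, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            current = Session(int(m["sid"]), m["policy"].split("/")[0])
            sessions.append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            current.wings[m["dir"]] = Wing(
                m["src"], m["dst"], m["proto"], m["ifname"].strip(), int(m["pkts"]))
    return sessions


def policies_used(text, source_ip):
    """Which policies matched sessions from source_ip, and how many times."""
    counts = {}
    for s in parse_sessions(text):
        wing = s.wings.get("In")
        if wing and wing.src == source_ip:
            counts[s.policy] = counts.get(s.policy, 0) + 1
    return counts


def diagnose(text, source_ip):
    """Separate 'policy dropped it' from 'permitted but no reply came back'.

    no-session        -> no session was created: look at zones and policy.
    permitted-no-reply-> a session exists (policy permitted the packet) but the
                         Out wing never carried a packet: a forwarding/return-path
                         problem beyond the policy (routing, ARP, VLAN mismatch).
    ok                -> sessions exist and replies were seen.
    """
    mine = [s for s in parse_sessions(text)
            if s.wings.get("In") and s.wings["In"].src == source_ip]
    if not mine:
        return "no-session"
    stalled = [s for s in mine if s.wings.get("Out") and s.wings["Out"].pkts == 0]
    if stalled:
        return "permitted-no-reply"
    return "ok"


if __name__ == "__main__":
    print(diagnose(SAMPLE_OUTPUT, "192.168.20.2"), policies_used(SAMPLE_OUTPUT, "192.168.20.2"))
    print(diagnose(EMPTY_OUTPUT, "192.168.20.2"))
```

A single ICMP session with Out Pkts 0 can simply be young (the default ICMP timeout is short); the "permitted-no-reply" verdict is meaningful when it holds across repeated pings, which is exactly the pattern the thread later attributes to the VLAN mismatch rather than to policy.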

     



  • 6.  RE: Ethernet-switch removal on SRX300

     
    Posted 07-24-2018 04:40

    Hi Spuluka,

     

    Thank you for the response.

     

    So, interestingly, it is a VLAN issue that is the problem.

     

    At a guess, I would say that because the CPE facing interface and the Core facing Interface are both bridged, they will be operating at layer 2. 

    So, if I am using 2 x /30 subnets, I have to, effectively, create 2 x VLANs that have to be tagged differently (unless I don't have to - I can give that a try). That means that when the traffic enters the CPE facing Interface it will be on VLAN 12 and the tag will not be stripped. The header tag will then look for a VLAN 12 exit interface, which won't exist as the Core facing interface is on VLAN 10.

     

    I have proved this theory by creating 1 x /29 and assigning irb.10 as the gateway for both the core and the CPE. This gives us full internet connectivity.

     

    That is no good though.

     

    So, how can I make this work where the CPE does not require a VLAN configuration on it? This appears to be a default for most ISPs that they supply a CPE with NO vlan tagging requirement.

     

    How can I make it work where the Core facing Interface is going to be tagged but the CPE is not going to be?

     

    Thanks



  • 7.  RE: Ethernet-switch removal on SRX300

     
    Posted 07-24-2018 06:23

    Hi Spuluka,

     

    here is a copy of the config if you need it.... but I cannot get this to work.....

     

    Thanks..

     

    set system host-name ethernet-test
    set system root-authentication encrypted-password "$5$3SfqX8ZZ$qi1coBu3jSktSTWHorvwGvwzv/gNFtjXoib6WZmv2GB"
    set system name-server 8.8.8.8
    set system name-server 8.8.4.4
    set system login user Clive uid 2000
    set system login user Clive class super-user
    set system login user Clive authentication encrypted-password "$5$ICpDO7X.$yOrUExnumS2CeBJP7Uz9d4N4hVvhdf1JjvwHOXFO8G2"
    set system login user Stephen uid 2001
    set system login user Stephen class super-user
    set system login user Stephen authentication encrypted-password "$5$rFxT8ZOy$9xFHE6siGuhlrlVSpfASjpiEVdrppAxE5BOj7u6po63"
    set system services ssh root-login deny
    set system services ssh no-tcp-forwarding
    set system services ssh connection-limit 3
    set system services netconf ssh
    set system services dhcp-local-server group jdhcp-group interface irb.0
    set system services web-management https system-generated-certificate
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any notice
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system phone-home server https://redirect.juniper.net
    set system phone-home rfc-compliant
    set security log mode stream
    set security log report
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match application any
    set security policies from-zone trust to-zone trust policy trust-to-trust then permit
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces irb.0
    set security zones security-zone trust interfaces irb.10
    set security zones security-zone trust interfaces ge-0/0/4.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services tftp
    set interfaces ge-0/0/0 unit 0 family inet
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/2 unit 0 family inet
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/4 unit 0 family inet address 192.80.23.17/30
    set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members v10
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members management
    set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/7 unit 0 family inet
    set interfaces irb unit 0 family inet
    set interfaces irb unit 10 family inet address 192.80.23.22/30
    set interfaces irb unit 100 family inet
    set interfaces irb unit 999
    set routing-options static route 192.80.23.21/32 next-hop 192.80.23.22
    set routing-options static route 0.0.0.0/0 next-hop 195.80.23.21
    set routing-options static route 192.80.23.18/32 next-hop 192.80.23.17
    set protocols l2-learning global-mode switching
    set protocols rstp interface all
    set vlans customer vlan-id 100
    set vlans customer l3-interface irb.100
    set vlans management vlan-id 999
    set vlans management l3-interface irb.999
    set vlans v10 vlan-id 10
    set vlans v10 l3-interface irb.10
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface irb.0



  • 8.  RE: Ethernet-switch removal on SRX300

     
    Posted 07-24-2018 07:51

    Hi Spuluka,

     

    Apologies, when I say I could not get the above configuration to work, I meant I could, but ONLY if I configure the CPE with a VLAN-ID and this cannot be allowed.... (most ISPs only supply the address with the CPE with no VLAN configuration requirements)

     

    Thanks



  • 9.  RE: Ethernet-switch removal on SRX300

     
    Posted 07-25-2018 06:22

    Hi, For some strange reason, and without changing any config, I have got this working.

     

     



  • 10.  RE: Ethernet-switch removal on SRX300

     
    Posted 07-26-2018 02:53

    Looking over the config I don't see why you have vlan customer setup as there are no physical interfaces assigned to this layer 2 vlan.

     

    Since it looks like your customer connection is only the layer 3 interface you don't need any layer two configuration for that.
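The three config problems raised across the thread (reply 2: an interface must leave the vlan before it carries family inet; reply 5: a layer 3 interface must sit in a security zone for policy to permit its traffic; reply 10: a vlan with an l3-interface but no member ports is dead configuration) can all be caught by reading the `set` output before commit. The audit below is an added example, not part of the thread and not a Juniper tool. SAMPLE_CONFIG is a constructed subset modelled on the posted configuration, with ge-0/0/4 deliberately left in the "before" state of the original question; the function names and the finding texts are this example's own.

```python
"""Static audit of Junos `display set` output for three SRX layer 2/3 mistakes.

Added example. SAMPLE_CONFIG is constructed (modelled on the thread's config),
not copied from a device.
"""
from collections import defaultdict

SAMPLE_CONFIG = """\
set security zones security-zone trust interfaces irb.0
set security zones security-zone trust interfaces irb.10
set security zones security-zone trust interfaces ge-0/0/4.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family inet address 192.168.20.1/30
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members v10
set interfaces irb unit 0 family inet address 192.168.1.1/24
set interfaces irb unit 10 family inet address 10.10.10.1/30
set interfaces irb unit 100 family inet
set vlans customer vlan-id 100
set vlans customer l3-interface irb.100
set vlans v10 vlan-id 10
set vlans v10 l3-interface irb.10
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
"""

# The same config with the three problems resolved, built from SAMPLE_CONFIG.
FIXED_CONFIG = "\n".join(
    line for line in SAMPLE_CONFIG.splitlines()
    if "ge-0/0/4 unit 0 family ethernet-switching" not in line
    and not line.startswith("set vlans customer")
) + "\nset security zones security-zone trust interfaces irb.100\n"


def parse_set_config(text):
    """Turn `set ...` lines into the lookups the checks need."""
    families = defaultdict(set)      # "ge-0/0/4.0" -> {"inet", "ethernet-switching"}
    vlan_members = defaultdict(set)  # "vlan-trust" -> {"ge-0/0/1.0", ...}
    zone_of = {}                     # "irb.10" -> "trust"
    vlans = {}                       # "v10" -> {"vlan-id": "10", "l3-interface": "irb.10"}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] != "set":
            continue
        if t[1] == "interfaces" and len(t) >= 7 and t[3] == "unit" and t[5] == "family":
            ifl = f"{t[2]}.{t[4]}"
            families[ifl].add(t[6])
            if "members" in t:
                vlan_members[t[t.index("members") + 1]].add(ifl)
        elif t[1:3] == ["security", "zones"] and "interfaces" in t:
            zone_of[t[t.index("interfaces") + 1]] = t[4]
        elif t[1] == "vlans" and len(t) >= 5:
            vlans.setdefault(t[2], {})[t[3]] = t[4]
    return families, vlan_members, zone_of, vlans


def audit(text):
    """Return human-readable findings, in deterministic order."""
    families, vlan_members, zone_of, vlans = parse_set_config(text)
    findings = []
    for ifl, fams in sorted(families.items()):
        if {"inet", "ethernet-switching"} <= fams:
            findings.append(f"{ifl}: family inet and family ethernet-switching on the same "
                            "unit; delete the ethernet-switching family and vlan membership "
                            "before adding the address")
        if "inet" in fams and ifl not in zone_of:
            findings.append(f"{ifl}: layer 3 interface is not in any security zone, so "
                            "policy cannot permit transit traffic through it")
    for name in sorted(vlans):
        if not vlan_members.get(name):
            findings.append(f"vlan {name}: no interface is a member of this vlan; the "
                            "l3-interface alone does not make it reachable")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("-", f)
    print("fixed config findings:", audit(FIXED_CONFIG))
```

The membership check counts trunk members as well as access members, which is why `v10` (carried on the ge-0/0/5 trunk) is not flagged while `customer` is; on the thread's posted config the same check would single out `customer`, as reply 10 does by inspection.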