SRX

I am having a problem trying to remove a single port on an SRX300 from the default "ethernet-switching" mode.

Is this possible or is it a global configuration that cannot be changed per single interface?

Basically, we have an end CPE device that cannot be placed into a VLAN. 

From the Core I can create a VLAN to an ethernet-switched port on the SRX300 and can connect to it. No problem. But the other side we have a CPE that cannot be assigned a VLAN so therefore the port it connects to needs to have an IP address assigned directly to unit 0 on the interface.

I am not sure if this is possible?

I am not sure I follow you but it looks like you want to have both layer 3 and layer 2 interfaces on the same SRX and that is supported.  In fact that is the default branch configuration where ge-0/0/0 is a layer 3 dhcp client interface and the remaining interfaces are joined into a layer 2 bridge with a virtual layer 3 interface for the internal network.

I assume you are having conflicts maybe removing an existing interface from the layer 2 domain so that it can be configured with family inet and the ip address you want untagged facing the cpe?

Generally you want to remove the desired interface form the assiged vlan either on the interface or under the vlans hierarchy.  then configure the desired ip address under family inet for the same.

What commit check error are you getting?

what is the interfaces and vlans configuration on the SRX?

Hi Spuluka,

Thanks for that. As usual with me, impatience 🙂

The interfaces are set to family ethernet-switching.... just remove that and it drops it out of the layer 2 bridge....

Thanks

Hi Spuluka / everyone,

Here is the issue I now have:

This is all on the same physical SRX300:

CPE 192.168.20.2/30 --> SRX300-ge-0/0/4.0 - 192.168.20.1/30 --> SRX300 irb.10 - 10.10.10.1/30 --> Core 10.10.10.2/30

So, here is what can be achieved successfully:

ping from SRX300, source ge-0/0/4, to Internet 8.8.8.8 - Successful

ping from CPE to 8.8.8.8 - unsuccessful

ping from SRX300, source irb.10 to CPE - unsuccessful

ping from srx300 direct to CPE - successful

Given that I can ping the internet from source port on the same network as the CPE but cannot ping the internet from the CPE, maybe the following is happening (but I am asking to confirm):

Interface irb.10 is a VLAN, albeit with an interface address. So, as the packets are being tagged on their way out, I'm going to say a layer 2 VLAN (I have proved the tagging with a monito traffic interface, command).

As I cannot ping the internet from the CPE I am wondering if the following occurs:

I ping from the actual SRX, with a source of ge-0/0/4, to 8.8.8.8 and it works. From the CPE connected to this port it does not work (but I can ping the ge-0/0/4 interface). This leads me to believe (maybe) that when I ping directly from the SRX the system already knows that the packet needs to be tagged and so therefore will send it across the VLAN. When a packet from the CPE enters the ge-0/0/4 interface, it is at Layer 3 and therefore the packet will not get tagged with any VLAN information. Has anyone seen this before and if so, how did they get around it?

The other major difference is that a ping from a connected device like the CPE is transit traffic subject to SRX security policy while a ping from the SRX is self traffic that is permited by default.

When running the CPE ping look for sessions on the SRX to confirm the traffic is permitted and what policy is applied.

show security flow session source-prefix 192.168.20.2

If there are no sessions then you need to modify or create policy to allow the traffic based on the zones assigned to the ingress and egress zones.

Hi Spuluka,

Thank you for the response.

So, interestingly, it is a VLAN issue that is the problem.

At a guess, I would say because the CPE facing interface and the Core facing Interface are both bridged then they will be operating at layer 2. 

So, if I am using 2 x /30 subnets, I have to, effectively, create 2 x VLANs that have to be tagged differently (unless I don't have to - I can give that a try). That means that when the traffic enters the CPE facing Interface it will be on VLAN 12 and the tag will not be stripped. The header tag will then look for a VLAN 12 exit interface, which won't exist as the Core facing interface is on VLAN 10.

I have proved this theory by creating 1 x /29 and assigning irb.10 as the gateway for both the core and the CPE. This gives us full internet connectivity.

That is no good though.

So, how can I make this work where the CPE does not require a VLAN configuration on it? This appears to be adefault for most ISPs that they supply a CPE with NO vlan tagging requirement.

How can I make it work where the Core facing Interface is going to be tagged but the CPE is not going to be?

Thanks

Hi Spuluka,

here is a copy of the config if you need it.... but I cannot get this to work.....

Thanks..

set system host-name ethernet-test
set system root-authentication encrypted-password "$5$3SfqX8ZZ$qi1coBu3jSktSTWHorvwGvwzv/gNFtjXoib6WZmv2GB"
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system login user Clive uid 2000
set system login user Clive class super-user
set system login user Clive authentication encrypted-password "$5$ICpDO7X.$yOrUExnumS2CeBJP7Uz9d4N4hVvhdf1JjvwHOXFO8G2"
set system login user Stephen uid 2001
set system login user Stephen class super-user
set system login user Stephen authentication encrypted-password "$5$rFxT8ZOy$9xFHE6siGuhlrlVSpfASjpiEVdrppAxE5BOj7u6po63"
set system services ssh root-login deny
set system services ssh no-tcp-forwarding
set system services ssh connection-limit 3
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface irb.0
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-complaint
set security log mode stream
set security log report
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone trust interfaces irb.10
set security zones security-zone trust interfaces ge-0/0/4.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services tftp
set interfaces ge-0/0/0 unit 0 family inet
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family inet
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family inet address 192.80.23.17/30
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members v10
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members management
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family inet
set interfaces irb unit 0 family inet
set interfaces irb unit 10 family inet address 192.80.23.22/30
set interfaces irb unit 100 family inet
set interfaces irb unit 999
set routing-options static route 192.80.23.21/32 next-hop 192.80.23.22
set routing-options static route 0.0.0.0/0 next-hop 195.80.23.21
set routing-options static route 192.80.23.18/32 next-hop 192.80.23.17
set protocols l2-learning global-mode switching
set protocols rstp interface all
set vlans customer vlan-id 100
set vlans customer l3-interface irb.100
set vlans management vlan-id 999
set vlans management l3-interface irb.999
set vlans v10 vlan-id 10
set vlans v10 l3-interface irb.10
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0

Hi Spuluka,

Apologies, When I say I could not get the above configuration to work, I meant I could, but ONLY if I configure the CPE with a VLAN-ID and this cannot be allowed.... (most ISPs only supply the address with the CPE with no VLAN configuration requirements)

Thanks

Hi, For some strange reason, and without changing any config, I have got this working.

Looking over the config I don't see why you have vlan customer setup as there are no physical interfaces assigned to this layer 2 vlan.

Since it looks like your customer connection is only the layer 3 interface you don't need any layer two configuraiton for that.