I am having a problem trying to remove a single port on an SRX300 from the default "ethernet-switching" mode.
Is this possible or is it a global configuration that cannot be changed per single interface?
Basically, we have an end CPE device that cannot be placed into a VLAN.
From the Core I can create a VLAN to an ethernet-switched port on the SRX300 and can connect to it. No problem. But the other side we have a CPE that cannot be assigned a VLAN so therefore the port it connects to needs to have an IP address assigned directly to unit 0 on the interface.
I am not sure if this is possible?
I am not sure I follow you but it looks like you want to have both layer 3 and layer 2 interfaces on the same SRX and that is supported. In fact that is the default branch configuration where ge-0/0/0 is a layer 3 dhcp client interface and the remaining interfaces are joined into a layer 2 bridge with a virtual layer 3 interface for the internal network.
I assume you are having conflicts maybe removing an existing interface from the layer 2 domain so that it can be configured with family inet and the ip address you want untagged facing the cpe?
Generally you want to remove the desired interface from the assigned vlan either on the interface or under the vlans hierarchy. Then configure the desired ip address under family inet for the same.
What commit check error are you getting?
What is the interfaces and vlans configuration on the SRX?
Thanks for that. As usual with me, impatience 🙂
The interfaces are set to family ethernet-switching.... just remove that and it drops it out of the layer 2 bridge....
Hi Spuluka / everyone,
Here is the issue I now have:
This is all on the same physical SRX300:
CPE 192.168.20.2/30 --> SRX300-ge-0/0/4.0 - 192.168.20.1/30 --> SRX300 irb.10 - 10.10.10.1/30 --> Core 10.10.10.2/30
So, here is what can be achieved successfully:
ping from SRX300, source ge-0/0/4, to Internet 22.214.171.124 - Successful
ping from CPE to 126.96.36.199 - unsuccessful
ping from SRX300, source irb.10 to CPE - unsuccessful
ping from srx300 direct to CPE - successful
Given that I can ping the internet from source port on the same network as the CPE but cannot ping the internet from the CPE, maybe the following is happening (but I am asking to confirm):
Interface irb.10 is a VLAN, albeit with an interface address. So, as the packets are being tagged on their way out, I'm going to say a layer 2 VLAN (I have proved the tagging with a monitor traffic interface command).
As I cannot ping the internet from the CPE I am wondering if the following occurs:
I ping from the actual SRX, with a source of ge-0/0/4, to 188.8.131.52 and it works. From the CPE connected to this port it does not work (but I can ping the ge-0/0/4 interface). This leads me to believe (maybe) that when I ping directly from the SRX the system already knows that the packet needs to be tagged and so therefore will send it across the VLAN. When a packet from the CPE enters the ge-0/0/4 interface, it is at Layer 3 and therefore the packet will not get tagged with any VLAN information. Has anyone seen this before and if so, how did they get around it?
The other major difference is that a ping from a connected device like the CPE is transit traffic subject to SRX security policy while a ping from the SRX is self traffic that is permitted by default.
When running the CPE ping look for sessions on the SRX to confirm the traffic is permitted and what policy is applied.
show security flow session source-prefix 192.168.20.2
If there are no sessions then you need to modify or create policy to allow the traffic based on the zones assigned to the ingress and egress zones.
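The zone and policy lookup described in the reply above, as an added example that is not part of the original thread: it maps the ingress and egress logical interfaces to their security zones and reports whether a permit policy exists for that zone pair. The sample `set` lines are constructed, modelled on the configuration posted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: zone and policy statements in Junos "set" format,
# modelled on the configuration posted in this thread.
SAMPLE_CONFIG = """\
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust interfaces irb.10
set security zones security-zone trust interfaces ge-0/0/4.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) "
    r"policy (\S+) then (permit|deny|reject)")


def parse(config):
    """Return (interface -> zone, (from_zone, to_zone) -> [(policy, action)])."""
    zones, policies = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = ZONE_RE.match(line)
        if m:
            zones[m.group(2)] = m.group(1)
            continue
        m = POLICY_RE.match(line)
        if m:
            key = (m.group(1), m.group(2))
            policies.setdefault(key, []).append((m.group(3), m.group(4)))
    return zones, policies


def transit_verdict(config, ingress, egress):
    """Describe how transit traffic between two logical interfaces is treated.

    Only the existence of a permit policy for the zone pair is checked;
    match conditions (addresses, applications) are not evaluated.
    """
    zones, policies = parse(config)
    src, dst = zones.get(ingress), zones.get(egress)
    if src is None or dst is None:
        missing = ingress if src is None else egress
        return f"{missing} is not bound to a security zone"
    permits = [n for n, action in policies.get((src, dst), []) if action == "permit"]
    if permits:
        return f"{src}->{dst}: candidate permit policy {permits[0]}"
    return f"{src}->{dst}: no permit policy, default policy applies"
```

A "candidate permit policy" result still needs confirming on the device with the `show security flow session` command given above, since the script does not evaluate the policy's match terms.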
Thank you for the response.
So, interestingly, it is a VLAN issue that is the problem.
At a guess, I would say because the CPE facing interface and the Core facing Interface are both bridged then they will be operating at layer 2.
So, if I am using 2 x /30 subnets, I have to, effectively, create 2 x VLANs that have to be tagged differently (unless I don't have to - I can give that a try). That means that when the traffic enters the CPE facing Interface it will be on VLAN 12 and the tag will not be stripped. The header tag will then look for a VLAN 12 exit interface, which won't exist as the Core facing interface is on VLAN 10.
I have proved this theory by creating 1 x /29 and assigning irb.10 as the gateway for both the core and the CPE. This gives us full internet connectivity.
That is no good though.
So, how can I make this work where the CPE does not require a VLAN configuration on it? This appears to be a default for most ISPs that they supply a CPE with NO vlan tagging requirement.
How can I make it work where the Core facing Interface is going to be tagged but the CPE is not going to be?
here is a copy of the config if you need it.... but I cannot get this to work.....
set system host-name ethernet-test
set system root-authentication encrypted-password "$5$3SfqX8ZZ$qi1coBu3jSktSTWHorvwGvwzv/gNFtjXoib6WZmv2GB"
set system name-server 184.108.40.206
set system name-server 220.127.116.11
set system login user Clive uid 2000
set system login user Clive class super-user
set system login user Clive authentication encrypted-password "$5$ICpDO7X.$yOrUExnumS2CeBJP7Uz9d4N4hVvhdf1JjvwHOXFO8G2"
set system login user Stephen uid 2001
set system login user Stephen class super-user
set system login user Stephen authentication encrypted-password "$5$rFxT8ZOy$9xFHE6siGuhlrlVSpfASjpiEVdrppAxE5BOj7u6po63"
set system services ssh root-login deny
set system services ssh no-tcp-forwarding
set system services ssh connection-limit 3
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface irb.0
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-complaint
set security log mode stream
set security log report
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone trust interfaces irb.10
set security zones security-zone trust interfaces ge-0/0/4.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services tftp
set interfaces ge-0/0/0 unit 0 family inet
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family inet
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family inet address 18.104.22.168/30
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members v10
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members management
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family inet
set interfaces irb unit 0 family inet
set interfaces irb unit 10 family inet address 22.214.171.124/30
set interfaces irb unit 100 family inet
set interfaces irb unit 999
set routing-options static route 126.96.36.199/32 next-hop 188.8.131.52
set routing-options static route 0.0.0.0/0 next-hop 184.108.40.206
set routing-options static route 220.127.116.11/32 next-hop 18.104.22.168
set protocols l2-learning global-mode switching
set protocols rstp interface all
set vlans customer vlan-id 100
set vlans customer l3-interface irb.100
set vlans management vlan-id 999
set vlans management l3-interface irb.999
set vlans v10 vlan-id 10
set vlans v10 l3-interface irb.10
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
Apologies, when I say I could not get the above configuration to work, I meant I could, but ONLY if I configure the CPE with a VLAN-ID and this cannot be allowed.... (most ISPs only supply the address with the CPE with no VLAN configuration requirements)
Hi, For some strange reason, and without changing any config, I have got this working.
Looking over the config I don't see why you have vlan customer setup as there are no physical interfaces assigned to this layer 2 vlan.
Since it looks like your customer connection is only the layer 3 interface you don't need any layer two configuration for that.