SRX


SRX345 switch L2 to L3 commit issues

  • 1.  SRX345 switch L2 to L3 commit issues

    Posted 07-21-2017 10:20

    I tried to switch L2 to L3 and reboot like:

    set protocols l2-learning global-mode switching

    then tried a commit check and found:

    [edit security zones security-zone BT interfaces]
      'ge-0/0/0.0'
        Referenced interface must not be ethernet-switching interface of switching mode
    [edit security zones security-zone PA interfaces]
      'ge-0/0/1.0'
        Referenced interface must not be ethernet-switching interface of switching mode
    [edit interfaces ge-0/0/0 unit 0 family]
      'ethernet-switching'
        In switching mode, ethernet-switching interface must not be in security zone.
    [edit interfaces ge-0/0/1 unit 0 family]
      'ethernet-switching'
        In switching mode, ethernet-switching interface must not be in security zone.
    error: configuration check-out failed: (statements constraint check failed)

    So I thought I need to assign an IP to ge-0/0/0.0 like:

    set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24

    and I tried to switch:

    set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access

    and put it in a security zone like:

    set security zones security-zone untrust
    set security zones security-zone untrust interfaces ge-0/0/0

    But then I get the same error about not being in a security zone and also ethernet-switching:

    [edit security zones security-zone untrust interfaces]
      'ge-0/0/0.0'
        Referenced interface must not be ethernet-switching interface of switching mode
    [edit interfaces ge-0/0/0 unit 0 family]
      'ethernet-switching'
        In switching mode, ethernet-switching interface must not be in security zone.

    What am I doing wrong? I'm new to JunOS, I'm used to the old SSG boxes, so trying to learn. I've read a bunch of docs and can't get it. I want to put ge-0/0/0 in untrust public static 1.2.3.4/24 and ge-0/0/1 in trust1 5.6.7.8/24 and CGNAT between the two zones.



  • 2.  RE: SRX345 switch L2 to L3 commit issues

    Posted 07-22-2017 04:14

    I don't have an SRX300 series handy to test and the documentation is ambiguous.  But I think you don't want this command in at all.

    You seem to want a full layer 3 deploy.  This command seems to set the SRX into either full transparent mode or layer 2 mode.



  • 3.  RE: SRX345 switch L2 to L3 commit issues

    Posted 07-23-2017 03:57

    If you are in ethernet-switching mode, then you put irb interfaces into security-zones rather than physical interfaces.  If you are in transparent-mode, you can put physical interfaces into zones, but you would configure them with family bridge rather than with family ethernet-switching.

    -Ron



  • 4.  RE: SRX345 switch L2 to L3 commit issues

    Posted 07-23-2017 04:00

    Also, I would suggest making sure you are at 15.1X49D75 or higher.  There were significant issues with switching code in early releases for the SRX300.



  • 5.  RE: SRX345 switch L2 to L3 commit issues

    Posted 07-24-2017 14:14

    It turns out I didn't have to do:

    set protocols l2-learning global-mode switching

    at all. I just went in and deleted the interface and deleted it from the BT security-zone like:

    delete interface ge-0/0/0
    delete security zones security-zone BT interfaces ge-0/0/0
    commit

    then re-create the interface like:

    set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24
    set security zones security-zone untrust interfaces ge-0/0/0
    commit

    Now I'll see if it will persist across a reboot. Thanks for the help 🙂
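Added example, not from the thread or from Juniper: a small Python linter that models the one commit constraint the error messages above describe (a security zone may not reference an interface that carries family ethernet-switching while the box is in switching mode) and runs it over constructed copies of the three configurations discussed: the original post's L2 config, the second attempt that added an inet address on top of ethernet-switching, and the final working config. The assumptions are that the rule is only applied when global-mode switching is set (as the wording "in switching mode" implies) and that a zone member given without a unit means unit 0, which matches how Junos printed ge-0/0/0.0 in the errors.

```python
"""Toy model of the Junos commit constraint hit in the thread above.

Constructed example: this is not Junos code. It models only the rule the
error messages describe, namely that a zone may not reference an
ethernet-switching interface while the box is in switching mode.
"""
from collections import defaultdict

# Constructed copies of the configurations discussed in the thread.
OP_CONFIG = """
set protocols l2-learning global-mode switching
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set security zones security-zone BT interfaces ge-0/0/0
set security zones security-zone PA interfaces ge-0/0/1
"""

# Second attempt: an inet address was added, but ethernet-switching stayed on the unit.
MIXED_CONFIG = """
set protocols l2-learning global-mode switching
set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set security zones security-zone untrust interfaces ge-0/0/0
"""

# What the original poster ended up with: plain L3 units, no switching mode.
FIXED_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24
set interfaces ge-0/0/1 unit 0 family inet address 5.6.7.8/24
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone trust1 interfaces ge-0/0/1
"""


def parse_set_config(text):
    """Reduce 'set ...' lines to the three facts the rule needs."""
    model = {
        "switching_mode": False,
        "families": defaultdict(set),   # logical interface -> {families}
        "zones": defaultdict(set),      # zone name -> {logical interfaces}
    }
    for raw in text.strip().splitlines():
        words = raw.split()
        if len(words) < 2 or words[0] != "set":
            continue
        w = words[1:]
        if w[:4] == ["protocols", "l2-learning", "global-mode", "switching"]:
            model["switching_mode"] = True
        elif w[0] == "interfaces" and len(w) >= 6 and w[2] == "unit" and w[4] == "family":
            model["families"][f"{w[1]}.{w[3]}"].add(w[5])
        elif w[:3] == ["security", "zones", "security-zone"] and len(w) >= 6 and w[4] == "interfaces":
            # Assumption: a zone member given without a unit means unit 0 (ge-0/0/0 -> ge-0/0/0.0).
            iface = w[5] if "." in w[5] else w[5] + ".0"
            model["zones"][w[3]].add(iface)
    return model


def commit_check(model):
    """Return constraint errors in the thread's wording; an empty list means the check passes."""
    errors = []
    if not model["switching_mode"]:
        # Assumption: the messages say 'in switching mode', so the rule only applies then.
        return errors
    for zone, members in sorted(model["zones"].items()):
        for iface in sorted(members):
            if "ethernet-switching" not in model["families"].get(iface, set()):
                continue
            phys, unit = iface.split(".", 1)
            errors.append(
                f"[edit security zones security-zone {zone} interfaces] '{iface}': "
                "Referenced interface must not be ethernet-switching interface of switching mode"
            )
            errors.append(
                f"[edit interfaces {phys} unit {unit} family] 'ethernet-switching': "
                "In switching mode, ethernet-switching interface must not be in security zone."
            )
    return errors


def check(text):
    """Parse a block of set commands and run the constraint over it."""
    return commit_check(parse_set_config(text))


if __name__ == "__main__":
    for name, cfg in (("original", OP_CONFIG), ("mixed", MIXED_CONFIG), ("fixed", FIXED_CONFIG)):
        errs = check(cfg)
        print(f"{name}: {'commit check passes' if not errs else f'{len(errs)} error(s)'}")
        for e in errs:
            print("  " + e)
```

The point the mixed case makes is the one the thread circles around: adding family inet does not remove the conflict, because the unit still carries family ethernet-switching and is still a zone member. Only deleting the ethernet-switching family (or, as Ron notes, putting an irb rather than the physical interface into the zone) clears it.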