SRX


SRX340 - Layer 2 and 3

  • 1.  SRX340 - Layer 2 and 3

     
    Posted 10-01-2018 05:33

    Hi,

     

    Here's the set up:

     

    CPE --> NTE (SRX340) --> Downstream ISP - (dot1q tagged) --> Core --> Upstream ISP

     

    Remit:

    VLAN 10 Tagged direct from Core to CPE

    VLAN 99 Tagged - Management to NTE (SRX340)

     

    So, we only have a single interface at the Core and the NTE (SRX340). This means, if we are using the SRX340 at Layer 2 for VLAN 10 but layer 3 for VLAN 99, I need to be able to create a Sub-Interface at Layer 2 and a Sub-Interface at Layer 3.

     

    So, as follows:

    NTE (SRX340):

    Interface ge-0/0/15 unit 10 vlan-id 10

    Interface ge-0/0/15 unit 99 vlan-id 99

    Interface ge-0/0/15 unit 99 family inet address xxx.xxx.xxx.xxx/30

     

    Core to CPE - IP /30 at both ends - so, for VLAN 10 the SRX340 is just acting as a basic layer 2 switch passing the traffic.

     

    Is this even possible please?



  • 2.  RE: SRX340 - Layer 2 and 3

     
    Posted 10-01-2018 07:18

    Okay, so I have some progress, simple really.... for 1 part....

     

    I have created all the interfaces as layer 2.... so

     

    ge-0/0/15.10 - layer 2

    ge-0/0/15.99 - layer 2

    ge-0/0/4.10 layer 2

     

    I have created the layer 2 vlans.

     

    I can now ping from the Core to the CPE at layer 3 across the SRX340.

     

    Now for the management to the device itself....

     

    irb.99 created with the IP address.

    New security zone created (as you cannot have layer 2 and 3 in the same zone).

     

    Still no ping to the SRX from the core...

     

    So, policy of any any any permit from trust to vlan99 zones and also the other way.

     

    Try and commit and I get:


    Cannot have layer 2 and layer 3 together under policies....

     

    Now I am stuck as to how to get the Layer 3 working from the layer 2 interface to the IRB (The IRB is also placed on the interface).

     

    Help please?



  • 3.  RE: SRX340 - Layer 2 and 3

     
    Posted 10-01-2018 07:33

    Hi,

     

    Can you paste or attach your config, so we can see what you have configured on your SRX (interface config / ge-x/x/x / irb.x and VLAN config)? You may also add the security-zone config.

     



  • 4.  RE: SRX340 - Layer 2 and 3

     
    Posted 10-01-2018 08:56

    Interface configuration:

     

    set protocols l2-learning global-mode transparent-bridge

    set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan10

     

    set interfaces ge-0/0/15 flexible-vlan-tagging
    set interfaces ge-0/0/15 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan10
    set interfaces ge-0/0/15 unit 99 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/15 unit 99 family ethernet-switching vlan members vlan99

     

    set vlans vlan10 vlan-id 10
    set vlans vlan99 vlan-id 99
    set vlans vlan99 l3-interface irb.10

    set interfaces irb unit 10 family inet address 10.10.99.2/30

     

    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/4.0
    set security zones security-zone trust interfaces ge-0/0/15.99

     

    set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match application any
    set security policies from-zone trust to-zone trust policy trust-to-trust then permit

     

    If I try and set the IRB interface to the trust zone I get the following error:

    [edit security zones security-zone trust]
    'interfaces irb.10'
    Interface irb is not allowed in mix mode

     

    If I create a new zone and assign irb.10 to it I get (I don't have the config), but something like:

     

    Can't assign policy to Layer 2 and Layer 3 zones

     

    The layer 2 works perfectly from end-to-end .... just stuck on this last point and not sure if it is possible on this device.



  • 5.  RE: SRX340 - Layer 2 and 3

     
    Posted 10-01-2018 09:05

    As an add on.... rather humorous

     

    If I remove Interface ge-0/0/15.99 from trust security zone.... I can ping layer 2 but not layer 3....

    If I place ge-0/0/15.99 into trust security zone layer 2 stops working but layer 3 pings 

     

    How strange

     

    ADD ON: Just realised, so I do not confuse people. When I say I can ping "Layer 2" I don't actually mean at "Layer 2", obviously, I mean from the SRX340 perspective acting at Layer 2 for those end point addresses.  🙂



  • 6.  RE: SRX340 - Layer 2 and 3
    Best Answer

     
    Posted 10-01-2018 12:50

    Try something like this. Changing l2-learning global-mode requires a reboot to take effect.

     

    set protocols l2-learning global-mode switching
    
    set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan10
    
    set interfaces ge-0/0/15 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members [vlan10 vlan99]
    
    
    set vlans vlan10 vlan-id 10
    set vlans vlan99 vlan-id 99
    set vlans vlan99 l3-interface irb.99
    
    set interfaces irb unit 99 family inet address 10.10.99.2/30
    
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces irb.99
     
    
    set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match application any
    set security policies from-zone trust to-zone trust policy trust-to-trust then permit

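The accepted answer fixes two things in the reply-4 config at once: the device is moved from transparent-bridge (mix) mode to switching mode, and the zone ends up holding only the irb unit rather than a mix of ethernet-switching units and an irb. The script below is an added example, not code from the thread or from Juniper: a small lint for Junos `set`-style snippets that flags exactly those conditions (irb in a zone while in transparent-bridge mode, a zone mixing Layer 2 and Layer 3 interfaces, a vlan `l3-interface` that names an undefined irb unit, and a management zone whose `host-inbound-traffic` does not admit ssh). The two sample configs are constructed copies of reply 4 and the accepted answer; the assumed default of `switching` when no `global-mode` statement is present is an assumption of the script.

```python
"""Lint for Junos 'set'-style SRX snippets (added example, not from the thread).

Checks the constraints the replies in this thread run into:
  * in transparent-bridge (mix) mode an irb unit cannot sit in a security zone,
  * a zone must not mix ethernet-switching units with irb units,
  * every vlan l3-interface must name a defined irb unit,
  * the zone holding the management irb must allow ssh (or all) inbound.
"""
from typing import Dict, List, Set, Tuple

# Constructed copy of the reply-4 config (transparent-bridge, L2 units and
# irb.10 in the same zone).
BROKEN_CONFIG = """
set protocols l2-learning global-mode transparent-bridge
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan10
set interfaces ge-0/0/15 flexible-vlan-tagging
set interfaces ge-0/0/15 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan10
set interfaces ge-0/0/15 unit 99 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/15 unit 99 family ethernet-switching vlan members vlan99
set vlans vlan10 vlan-id 10
set vlans vlan99 vlan-id 99
set vlans vlan99 l3-interface irb.10
set interfaces irb unit 10 family inet address 10.10.99.2/30
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/4.0
set security zones security-zone trust interfaces ge-0/0/15.99
set security zones security-zone trust interfaces irb.10
"""

# Constructed copy of the accepted answer (switching mode, only irb.99 in trust).
FIXED_CONFIG = """
set protocols l2-learning global-mode switching
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan10
set interfaces ge-0/0/15 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members [vlan10 vlan99]
set vlans vlan10 vlan-id 10
set vlans vlan99 vlan-id 99
set vlans vlan99 l3-interface irb.99
set interfaces irb unit 99 family inet address 10.10.99.2/30
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces irb.99
"""


def parse(config: str) -> Tuple[str, Set[str], Set[str], Dict[str, str],
                               Dict[str, List[str]], Dict[str, Set[str]]]:
    """Pull out only the statements the checks need."""
    mode = "switching"  # assumed default when no global-mode statement is present
    l2_units: Set[str] = set()           # units with family ethernet-switching
    irb_units: Set[str] = set()          # irb.N units that have a family configured
    vlan_l3: Dict[str, str] = {}         # vlan name -> l3-interface
    zone_ifaces: Dict[str, List[str]] = {}
    zone_services: Dict[str, Set[str]] = {}
    for raw in config.strip().splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "set":
            continue
        if t[1:4] == ["protocols", "l2-learning", "global-mode"] and len(t) > 4:
            mode = t[4]
        elif t[1] == "interfaces" and len(t) > 6 and t[3] == "unit" and t[5] == "family":
            unit = f"{t[2]}.{t[4]}"
            if t[6] == "ethernet-switching":
                l2_units.add(unit)
            elif t[2] == "irb":
                irb_units.add(unit)
        elif t[1] == "vlans" and len(t) > 4 and t[3] == "l3-interface":
            vlan_l3[t[2]] = t[4]
        elif t[1:3] == ["security", "zones"] and len(t) > 6 and t[5] == "interfaces":
            zone_ifaces.setdefault(t[4], []).append(t[6])
        elif (t[1:3] == ["security", "zones"] and len(t) > 7
              and t[5:7] == ["host-inbound-traffic", "system-services"]):
            zone_services.setdefault(t[4], set()).add(t[7])
    return mode, l2_units, irb_units, vlan_l3, zone_ifaces, zone_services


def lint(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the snippet passes."""
    mode, l2_units, irb_units, vlan_l3, zone_ifaces, zone_services = parse(config)
    findings: List[str] = []
    for vlan, l3 in vlan_l3.items():
        if l3 not in irb_units:
            findings.append(f"{vlan}: l3-interface {l3} has no 'set interfaces irb unit' definition")
    for zone, ifaces in zone_ifaces.items():
        has_l2 = any(i in l2_units for i in ifaces)
        irbs = [i for i in ifaces if i.startswith("irb.")]
        if irbs and mode == "transparent-bridge":
            findings.append(f"zone {zone}: irb not allowed in mix mode (global-mode {mode})")
        if has_l2 and irbs:
            findings.append(f"zone {zone}: mixes Layer 2 and Layer 3 interfaces")
        if irbs and not ({"all", "ssh"} & zone_services.get(zone, set())):
            findings.append(f"zone {zone}: host-inbound-traffic does not permit ssh to {irbs[0]}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("reply 4", BROKEN_CONFIG), ("accepted answer", FIXED_CONFIG)):
        print(name, "->", lint(cfg) or "OK")
```

Run as-is it reports two findings against the reply-4 copy (irb in a zone under transparent-bridge, and a zone mixing L2 and L3 units) and none against the accepted answer; the ssh check is what you would extend if, as in the later replies, management reachability rather than the commit itself is the question.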

  • 7.  RE: SRX340 - Layer 2 and 3

     
    Posted 10-02-2018 01:28

    Hi Jonas,

     

    That works perfectly apart from one little issue.....

     

    I have the following configured on the SRX340:

    set system services ssh

     

    But I cannot SSH to the device from the Core even though I can ping the irb address.

     

    Something is missing and I guess it is a link internally between the irb interface and the internal SSH.

     

    Any ideas please?



  • 8.  RE: SRX340 - Layer 2 and 3

     
    Posted 10-02-2018 01:34

    Hi Jonas,

     

    It's okay. It is not the SRX for the SSH access. I can SSH directly from the Core but not from beyond there. So the issue is probably a routing one of some sort somewhere on the internal network for the VPN address range...

     

    I'll sort that out.

     

    Thank you for your help


  • 9.  RE: SRX340 - Layer 2 and 3

     
    Posted 10-02-2018 01:35

    Please provide your full config. My guess is that there is some "legacy" from your testing which results in your missing SSH connectivity.



  • 10.  RE: SRX340 - Layer 2 and 3

     
    Posted 10-02-2018 01:52

    Hi Jonas,

     

    All is good. It's not a legacy thing..... of course, on the SRX there were no static routes, so it would only ever know how to get back to the core.


    I added in a static route on the SRX to the VPN address range and it now works perfectly.

     

    Thanks