SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Is it possible to put two vlans or interfaces on the same port?

    Posted 10-14-2019 14:08

    Hello!!

    I want to measure several ports and vlans on a bridge but at the same time have virtual routers on the same port, is that possible?
    I've been trying for several days and looking for information on "bridge domains", I need to have 2 vlans in one port and another vlan in another but it gives me this error:

     

    root@srx# commit check
    [edit bridge-domains bd1]
    'vlan-id-list'
    domain-type can not be specified under vlan-id-list
    error: configuration check-out failed: (statements constraint check failed)

    [edit]
    root@srx#

     

    How can I put 2 vlans or interfaces on the same bridge? It tells me that with vlan-list it is not possible, thanks for your help.

    P.S.: If you need any information do not hesitate to ask me, thank you

     

     

     

     



  • 2.  RE: Is it possible to put two vlans or interfaces on the same port?
    Best Answer

    Posted 10-14-2019 14:22

    Hi c0d3

     

    Are you configuring the SRX in transparent mode, or do you just want to have vlans on the SRX and make sure those vlans can route traffic to other vlans/subnets?

     

    If you are looking for the second scenario then you can follow the configuration shown on this post:

     

    https://forums.juniper.net/t5/SRX-Services-Gateway/Multiple-VLAN-gateways-on-physical-interface/m-p/469268#M55396

     

    Basically it shows:

     

    1. Vlans creation and association with their L3 interface
    2. L3 Interfaces creation and association with a security-zone
    3. Trunk port configuration facing a switch
    4. Policies for permitting traffic between vlans

     



  • 3.  RE: Is it possible to put two vlans or interfaces on the same port?

    Posted 10-14-2019 14:37

    It would be more like the second scenario, I have seen the link before and it has clarified a lot, but it gives me trouble with the irb interface and transparent mode would not help me since I want to create about 20 virtual routers, can it be with bridge? thanks

     

    Error IRB:

    root@srx# ...ly inet address 10.207.62.2/24 web-authentication http

    [edit]
    root@GoodJuniper# commit check
    [edit interfaces irb unit 1500 family]
    'inet'
    Web-authentication address 10.207.62.2/24 is not within the subnet of any address on this interface
    error: configuration check-out failed

     

    Thanks men, I accept your solution.



  • 4.  RE: Is it possible to put two vlans or interfaces on the same port?

    Posted 10-14-2019 15:19

    Can you provide more details about why you are configuring "web-authentication http" on interface irb.1500?

     

    Also share the following command's outputs:

     

        # show interfaces irb

        > show ethernet-switching global-information

     



  • 5.  RE: Is it possible to put two vlans or interfaces on the same port?

    Posted 10-15-2019 04:09
    Look what I really want to do is connect a service router, (MikroTik), to Juniper's ge-0/0/3 port, but on the same port I want to have several virtual routers and several VLANs, but it tells me that I can't use "ethernet-switching" or vlan-list, how could I ask to see it? Thank you


  • 6.  RE: Is it possible to put two vlans or interfaces on the same port?

    Posted 10-15-2019 18:20

    Cod3

     

    In order to confirm what the problem is, I will need to see the configuration you currently have on ge-0/0/3, because maybe the existing configuration is preventing you from configuring that port as "ethernet-switching".

    Also it is important to confirm the L2 mode your SRX is configured for, and this is why I requested the commands in my previous post. Those outputs will help me guide you on how to properly configure your SRX so that it can process different vlans on ge-0/0/3 and have multiple routers (irb interfaces) linked to that ge-0/0/3 interface as well.

     

     



  • 7.  RE: Is it possible to put two vlans or interfaces on the same port?

    Posted 10-17-2019 02:51

    I tried to follow the configuration but I don't know if it will be for the version of the software that I have of the SRX550 but it doesn't let me, I get this error:

     

    root# ...B interfaces irb.2500 host-inbound-traffic system-services ping
    error: interface-unit: 'irb.2500': This interface cannot be configured in a zone
    error: statement creation failed: irb.2500

    I have been asked to put in a port a bridge, where we host all virtual routers, I put the configuration that I have right now, but I think I will delete it and start from 0 because I have things that are not yet clear to me, I could put in bridge-domain several virtual-routers? Thank you

     

    My conf:

    root# show
    ## Last changed: 2019-10-17 11:43:29 UTC
    version 12.3X48-D85.1;
    system {
        root-authentication {
            encrypted-password "$1$lF6LWOE6$AhiW/stsYxHoqWoeqGYNU0"; ## SECRET-DATA
        }
        services {
            ssh;
            web-management {
                https {
                    port 443;
                    system-generated-certificate;
                    interface ge-0/0/0.0;
                }
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
    }
    security {
        policies;
        zones {
            security-zone untrust {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                https;
                                ssh;
                            }
                        }
                    }
                }
            }
            security-zone RepartoZone {
                description "Zona del router de reparto.";
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/3.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.3.1/24;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family inet {
                    address 192.168.20.10/24;
                }
            }
        }
        ge-0/0/4 {
            vlan-tagging;
            unit 0 {
                family bridge {
                    interface-mode trunk;
                    vlan-id-list [ 2500 3500 ];
                }
            }
        }
        irb {
            unit 2500 {
                family inet {
                    address 192.168.7.254/24;
                }
            }
            unit 3500 {
                family inet {
                    address 172.22.1.254/24;
                }
            }
        }
    }
    routing-instances {
        VRPRUEBA {
            description "Este router es de prueba para conectar entre ellos mismos";
            instance-type virtual-router;
            interface irb.2500;
        }
    }

     

     

    Thanks!

     

     

     



  • 8.  RE: Is it possible to put two vlans or interfaces on the same port?

    Posted 10-26-2019 10:49

    Yes, the srx550 uses the old style vlan interfaces instead of irb interfaces.

    vlan.2500 in place of irb.2500

     



  • 9.  RE: Is it possible to put two vlans or interfaces on the same port?

    Posted 10-28-2019 06:16

    Thank you spuluka!



  • 10.  RE: Is it possible to put two vlans or interfaces on the same port?

    Posted 10-16-2019 03:04
    Look what I really want to do is connect a service router, (MikroTik), to Juniper's ge-0/0/3 port, but on the same port I want to have several virtual routers and several VLANs, but it tells me that I can't use "ethernet-switching" or vlan-list, how could I ask to see it? Thank you

    Since you are connecting two routers I assume you are creating point to point links for the VR on the Juniper to the MikroTik routerboard.  I have done a similar setup using the routerboard.

     

    The simplest solution is to use family inet with multiple units on the Junos side.

    interfaces {
        ge-0/0/0 {
            unit 1 {
                family inet {
                    address 172.20.77.1/30;
                }
            }
            unit 2 {
                family inet {
                    address 172.20.78.1/30;
                }
            }
            unit 3 {
                family inet {
                    address 172.20.79.1/30;
                }
            }
        }
    }
    

    Add each specific unit to your VR

    routing-instances {
        vr1 {
            instance-type virtual-router;
            interface ge-0/0/0.1;
        }
        vr2 {
            instance-type virtual-router;
            interface ge-0/0/0.2;
        }
        vr3 {
            instance-type virtual-router;
            interface ge-0/0/0.3;
        }
    }

    Add these to the appropriate zone and create policy if you are running as a firewall.  If this is a router in packet mode just add the routing protocol needed and you are done.
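
Added example, not part of the original post or Juniper's own material: the sub-interface approach from the reply above written out as Junos set commands, with each unit tagged, placed in its own virtual router and bound to its own security zone. The interface, unit numbers and addresses are the ones in the post; the VLAN IDs, the zone names and the choice to allow only ping as host-inbound traffic are assumptions made for illustration.

```junos
# Constructed example. VLAN IDs 101-103 and the zone names are assumptions.
# An Ethernet port needs vlan-tagging before it accepts units other than 0,
# and the router on the other end of the link must tag the same VLAN IDs.
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 1 vlan-id 101
set interfaces ge-0/0/0 unit 1 family inet address 172.20.77.1/30
set interfaces ge-0/0/0 unit 2 vlan-id 102
set interfaces ge-0/0/0 unit 2 family inet address 172.20.78.1/30
set interfaces ge-0/0/0 unit 3 vlan-id 103
set interfaces ge-0/0/0 unit 3 family inet address 172.20.79.1/30

# One virtual router per unit, so each point-to-point link has its own
# routing table (vr1.inet.0, vr2.inet.0, vr3.inet.0).
set routing-instances vr1 instance-type virtual-router
set routing-instances vr1 interface ge-0/0/0.1
set routing-instances vr2 instance-type virtual-router
set routing-instances vr2 interface ge-0/0/0.2
set routing-instances vr3 instance-type virtual-router
set routing-instances vr3 interface ge-0/0/0.3

# One zone per virtual router: all interfaces in a zone must belong to the
# same routing instance. Host-inbound traffic is limited to ping here; add
# a routing protocol under "protocols" only on the links that run one.
set security zones security-zone vr1-zone interfaces ge-0/0/0.1 host-inbound-traffic system-services ping
set security zones security-zone vr2-zone interfaces ge-0/0/0.2 host-inbound-traffic system-services ping
set security zones security-zone vr3-zone interfaces ge-0/0/0.3 host-inbound-traffic system-services ping

# Anything not matched by an explicit policy between zones is dropped.
set security policies default-policy deny-all

# Checks after commit (operational mode):
#   show interfaces terse ge-0/0/0
#   show route table vr1.inet.0
#   show security zones
```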

     

     



  • 11.  RE: Is it possible to put two vlans or interfaces on the same port?

    Posted 10-16-2019 13:52

    I appreciate all your collaboration but I have barely had time due to work, tomorrow morning I put all the information that I have been asked for, although the configuration of irb 1500 I deleted it to prove what they have advised me, thanks epaniagua and spuluka