Hi,
My first post, be kind. :-) I'm working on breaking up a single-VLAN "trust" network into multiple VLANs. I'm connecting a Ubiquiti UniFi switch to my SRX-345 router for testing. The current "trust" network is running on ge-0/0/11, and I'm running tests for the new VLANs from an isolated Ubiquiti UniFi switch.
I set up a _single_ trunk port carrying all the VLANs from the UniFi switch to the SRX. I'm able to connect to the network (the corresponding SRX virtual gateway, the networks permitted by the security policies, and the WAN) from any port (access or trunk) on the UniFi switch.
However, when I configure the SRX and UniFi switch to carry multiple trunks, each carrying a single VLAN, I can only get one of the networks to function (specifically, the guest network loses all connection).
Here's the SRX setup:
[edit vlans]
# show | display set relative
set vlan-LAN vlan-id 1
set vlan-LAN l3-interface irb.160
set vlan-guest vlan-id 167
set vlan-guest l3-interface irb.167
set vlan-kids_ls vlan-id 164
set vlan-kids_ls l3-interface irb.164
set vlan-trust vlan-id 168
set vlan-trust l3-interface irb.168
[edit interfaces]
# show | display set relative
set traceoptions file if1
set traceoptions flag all
deactivate traceoptions
set ge-0/0/0 unit 0 family inet
set ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set ge-0/0/4 description "Kids Lower School"
set ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-kids_ls
set ge-0/0/11 unit 0 family ethernet-switching vlan members vlan-trust
set ge-0/0/13 description "WAN1 Interface"
set ge-0/0/13 unit 0 family inet address xxx.xxx.xxx.xxx/29
set irb unit 160 family inet address 192.168.160.1/24
set irb unit 164 family inet address 192.168.164.1/24
set irb unit 167 family inet address 192.168.167.1/24
set irb unit 168 family inet address 192.168.168.1/20
[edit security zones]
# show | display set relative
set security-zone trust host-inbound-traffic system-services all
set security-zone trust host-inbound-traffic protocols all
set security-zone trust interfaces irb.168
set security-zone untrust screen untrust-screen
set security-zone untrust interfaces ge-0/0/13.0 host-inbound-traffic system-services ping
set security-zone untrust interfaces ge-0/0/13.0 host-inbound-traffic system-services traceroute
set security-zone guest host-inbound-traffic system-services all
set security-zone guest host-inbound-traffic protocols all
set security-zone guest interfaces irb.167
set security-zone kids_ls host-inbound-traffic system-services all
set security-zone kids_ls host-inbound-traffic protocols all
set security-zone kids_ls interfaces irb.164
[edit security nat source]
# show | display set relative
set rule-set trust-to-untrust from zone guest
set rule-set trust-to-untrust from zone kids_ls
set rule-set trust-to-untrust from zone trust
set rule-set trust-to-untrust to zone untrust
set rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set rule-set trusted-to-server from zone guest
set rule-set trusted-to-server from zone kids_ls
set rule-set trusted-to-server to zone trust
set rule-set trusted-to-server rule rs1 match source-address 0.0.0.0/0
set rule-set trusted-to-server rule rs1 then source-nat interface
The UniFi switch ports:
(UBNT) #show interfaces switchport 0/4
show interfaces switchport 0/4
Port: 0/4
VLAN Membership Mode: General
Access Mode VLAN: 1 (default)
General Mode PVID: 1 (default)
General Mode Ingress Filtering: Enabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs:
General Mode Tagged VLANs: 164
General Mode Forbidden VLANs: 1,161,163,165-170
Trunking Mode Native VLAN: 1 (default)
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: All
Protected Port: False
(UBNT) #show interfaces switchport 0/5
show interfaces switchport 0/5
Port: 0/5
VLAN Membership Mode: General
Access Mode VLAN: 1 (default)
General Mode PVID: 1 (default)
General Mode Ingress Filtering: Enabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs:
General Mode Tagged VLANs: 167
General Mode Forbidden VLANs: 1,161,163-166,168-170
Trunking Mode Native VLAN: 1 (default)
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: All
Protected Port: False
(UBNT) #show interfaces switchport 0/6
show interfaces switchport 0/6
Port: 0/6
VLAN Membership Mode: General
Access Mode VLAN: 1 (default)
General Mode PVID: 164
General Mode Ingress Filtering: Enabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs: 164
General Mode Tagged VLANs:
General Mode Forbidden VLANs: 1,161,163,165-170
Trunking Mode Native VLAN: 1 (default)
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: All
Protected Port: False
(UBNT) #show interfaces switchport 0/7
show interfaces switchport 0/7
Port: 0/7
VLAN Membership Mode: General
Access Mode VLAN: 1 (default)
General Mode PVID: 167
General Mode Ingress Filtering: Enabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs: 167
General Mode Tagged VLANs:
General Mode Forbidden VLANs: 1,161,163-166,168-170
Trunking Mode Native VLAN: 1 (default)
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: All
Protected Port: False
0/4 is the kids_ls trunk.
0/5 is the guest trunk.
0/6 is kids_ls access (a laptop).
0/7 is guest access (another laptop).
UniFi port 0/4 connects to SRX port ge-0/0/4.
UniFi port 0/5 connects to SRX port ge-0/0/7.
So why does the system work perfectly when I configure the two new VLANs into a single trunk port, but fail when I attempt to break them into separate trunks?
Thanks!!!
------------------------------
RICK
------------------------------
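As an added example (not the poster's code, and not a Juniper or Ubiquiti tool), here is a small Python checker that parses the `show | display set relative` stanzas quoted in the post against the cabling map the poster describes. For each switch-trunk-to-SRX link it reports whether the SRX port has an `ethernet-switching` unit in trunk mode that carries the VLAN the switch tags on that link, and whether that VLAN's `irb` sits in a security zone. The sample configuration lines are copied from the post; the `LINKS` table is constructed from the poster's sentences about which UniFi port plugs into which SRX port. Run against the quoted config, it flags that ge-0/0/7 has no `ethernet-switching` unit at all, which is the first thing to verify on the SRX side.

```python
import re

# Constructed sample: set-format lines copied from the post's
# [edit vlans], [edit interfaces] and [edit security zones] stanzas.
SRX_VLANS = """\
set vlan-LAN vlan-id 1
set vlan-LAN l3-interface irb.160
set vlan-guest vlan-id 167
set vlan-guest l3-interface irb.167
set vlan-kids_ls vlan-id 164
set vlan-kids_ls l3-interface irb.164
set vlan-trust vlan-id 168
set vlan-trust l3-interface irb.168
"""

SRX_INTERFACES = """\
set ge-0/0/0 unit 0 family inet
set ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set ge-0/0/4 description "Kids Lower School"
set ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-kids_ls
set ge-0/0/11 unit 0 family ethernet-switching vlan members vlan-trust
set ge-0/0/13 description "WAN1 Interface"
"""

SRX_ZONES = """\
set security-zone trust interfaces irb.168
set security-zone untrust interfaces ge-0/0/13.0 host-inbound-traffic system-services ping
set security-zone guest interfaces irb.167
set security-zone kids_ls interfaces irb.164
"""

# Cabling map built from the post: (switch port, VLAN tagged on it, SRX port).
LINKS = [("0/4", 164, "ge-0/0/4"), ("0/5", 167, "ge-0/0/7")]


def parse_vlans(text):
    """Return {vlan-name: {"id": int | None, "irb": str | None}}."""
    vlans = {}
    for line in text.splitlines():
        m = re.match(r"set (\S+) vlan-id (\d+)$", line)
        if m:
            vlans.setdefault(m.group(1), {"id": None, "irb": None})["id"] = int(m.group(2))
            continue
        m = re.match(r"set (\S+) l3-interface (\S+)$", line)
        if m:
            vlans.setdefault(m.group(1), {"id": None, "irb": None})["irb"] = m.group(2)
    return vlans


def parse_interfaces(text):
    """Return {port: {"mode": "access" | "trunk", "vlans": set()}} for every
    physical port that has an ethernet-switching family; other lines are ignored."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"set (\S+) unit \d+ family ethernet-switching(.*)$", line)
        if not m:
            continue
        cfg = ports.setdefault(m.group(1), {"mode": "access", "vlans": set()})
        rest = m.group(2)
        if "interface-mode trunk" in rest:
            cfg["mode"] = "trunk"
        v = re.search(r"vlan members (\S+)", rest)
        if v:
            cfg["vlans"].add(v.group(1))
    return ports


def parse_zones(text):
    """Return {logical-interface: zone-name} from 'security-zone X interfaces Y' lines."""
    zones = {}
    for line in text.splitlines():
        m = re.match(r"set security-zone (\S+) interfaces (\S+)", line)
        if m:
            zones[m.group(2)] = m.group(1)
    return zones


def audit(vlans, ports, zones, links):
    """Return {srx_port: finding}; the finding is 'ok' when the SRX side of a
    link has a trunk unit carrying the VLAN and the VLAN's irb is zoned."""
    by_id = {v["id"]: name for name, v in vlans.items()}
    findings = {}
    for sw_port, vid, srx_port in links:
        name = by_id.get(vid)
        cfg = ports.get(srx_port)
        if name is None:
            findings[srx_port] = f"no SRX vlan with vlan-id {vid}"
        elif cfg is None:
            findings[srx_port] = "no ethernet-switching unit configured"
        elif cfg["mode"] != "trunk":
            findings[srx_port] = f"access mode, but switch port {sw_port} tags vlan {vid}"
        elif name not in cfg["vlans"]:
            findings[srx_port] = f"trunk does not include {name}"
        elif vlans[name]["irb"] not in zones:
            findings[srx_port] = f"{vlans[name]['irb']} is not in any security zone"
        else:
            findings[srx_port] = "ok"
    return findings


if __name__ == "__main__":
    result = audit(parse_vlans(SRX_VLANS), parse_interfaces(SRX_INTERFACES),
                   parse_zones(SRX_ZONES), LINKS)
    for port, finding in result.items():
        print(f"{port}: {finding}")
```

The check only covers the SRX side of each link; the UniFi side (the trunk port's tagged VLAN must not also appear in its Forbidden list, and the access port's PVID must match) is what the quoted `show interfaces switchport` output already lets you eyeball.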