SRX

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



Expand all | Collapse all

intervlan routing

  • 1.  intervlan routing

    Posted 08-02-2021 09:06
    Hi,

    My first post, be kind. :-) I'm working on breaking up a single-vlan "trust" network into multiple vlans.  I'm connecting a Ubiquiti unifi switch to my SRX-345 router for testing. The current "trust" network is running on ge-0/0/11, and I'm running tests for the new vlans from an isolated Ubiquiti unifi switch.

    I set up a _single_ trunk port carrying all the vlans from the unifi switch to the SRX.  I'm able to connect to the network (the corresponding SRX virtual gateway, the networks permitted by the security policies, and the wan, from any port (access or trunk) on the unif switch.

    However, when I configure the SRX and unifi switch to carry multiple trunks, each carrying a single vlan, I can only get one of the networks to function (specifically, the guest network loses all connection).

    Here's the SRX setup:

    [edit vlans]
    # show | display set relative 
    set vlan-LAN vlan-id 1
    set vlan-LAN l3-interface irb.160
    set vlan-guest vlan-id 167
    set vlan-guest l3-interface irb.167
    set vlan-kids_ls vlan-id 164
    set vlan-kids_ls l3-interface irb.164
    set vlan-trust vlan-id 168
    set vlan-trust l3-interface irb.168
    
    [edit interfaces]
    # show | display set relative 
    set traceoptions file if1
    set traceoptions flag all
    deactivate traceoptions
    set ge-0/0/0 unit 0 family inet
    set ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set ge-0/0/4 description "Kids Lower School"
    set ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
    set ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-kids_ls
    set ge-0/0/11 unit 0 family ethernet-switching vlan members vlan-trust
    set ge-0/0/13 description "WAN1 Interface"
    set ge-0/0/13 unit 0 family inet address xxx.xxx.xxx.xxx/29
    set irb unit 160 family inet address 192.168.160.1/24
    set irb unit 164 family inet address 192.168.164.1/24
    set irb unit 167 family inet address 192.168.167.1/24
    set irb unit 168 family inet address 192.168.168.1/20
    
    [edit security zones]
    # show | display set relative 
    set security-zone trust host-inbound-traffic system-services all
    set security-zone trust host-inbound-traffic protocols all
    set security-zone trust interfaces irb.168
    set security-zone untrust screen untrust-screen
    set security-zone untrust interfaces ge-0/0/13.0 host-inbound-traffic system-services ping
    set security-zone untrust interfaces ge-0/0/13.0 host-inbound-traffic system-services traceroute
    set security-zone guest host-inbound-traffic system-services all
    set security-zone guest host-inbound-traffic protocols all
    set security-zone guest interfaces irb.167
    set security-zone kids_ls host-inbound-traffic system-services all
    set security-zone kids_ls host-inbound-traffic protocols all
    set security-zone kids_ls interfaces irb.164
    
    [edit security nat source]
    # show | display set relative    
    set rule-set trust-to-untrust from zone guest
    set rule-set trust-to-untrust from zone kids_ls
    set rule-set trust-to-untrust from zone trust
    set rule-set trust-to-untrust to zone untrust
    set rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set rule-set trusted-to-server from zone guest
    set rule-set trusted-to-server from zone kids_ls
    set rule-set trusted-to-server to zone trust
    set rule-set trusted-to-server rule rs1 match source-address 0.0.0.0/0
    set rule-set trusted-to-server rule rs1 then source-nat interface​

    The unifi switchports:

    (UBNT) #show interfaces switchport 0/4
    show interfaces switchport 0/4
    
    Port: 0/4
    VLAN Membership Mode: General
    Access Mode VLAN: 1 (default)
    General Mode PVID: 1 (default)
    General Mode Ingress Filtering: Enabled
    General Mode Acceptable Frame Type: Admit all
    General Mode Dynamically Added VLANs:
    General Mode Untagged VLANs:
    General Mode Tagged VLANs: 164
    General Mode Forbidden VLANs: 1,161,163,165-170
    Trunking Mode Native VLAN: 1 (default)
    Trunking Mode Native VLAN tagging: Disable
    Trunking Mode VLANs Enabled: All
    Protected Port: False
    
    
    (UBNT) #show interfaces switchport 0/5
    show interfaces switchport 0/5
    
    Port: 0/5
    VLAN Membership Mode: General
    Access Mode VLAN: 1 (default)
    General Mode PVID: 1 (default)
    General Mode Ingress Filtering: Enabled
    General Mode Acceptable Frame Type: Admit all
    General Mode Dynamically Added VLANs:
    General Mode Untagged VLANs:
    General Mode Tagged VLANs: 167
    General Mode Forbidden VLANs: 1,161,163-166,168-170
    Trunking Mode Native VLAN: 1 (default)
    Trunking Mode Native VLAN tagging: Disable
    Trunking Mode VLANs Enabled: All
    Protected Port: False
    
    
    (UBNT) #show interfaces switchport 0/6
    show interfaces switchport 0/6
    
    Port: 0/6
    VLAN Membership Mode: General
    Access Mode VLAN: 1 (default)
    General Mode PVID: 164
    General Mode Ingress Filtering: Enabled
    General Mode Acceptable Frame Type: Admit all
    General Mode Dynamically Added VLANs:
    General Mode Untagged VLANs: 164
    General Mode Tagged VLANs:
    General Mode Forbidden VLANs: 1,161,163,165-170
    Trunking Mode Native VLAN: 1 (default)
    Trunking Mode Native VLAN tagging: Disable
    Trunking Mode VLANs Enabled: All
    Protected Port: False
    
    
    (UBNT) #show interfaces switchport 0/7
    show interfaces switchport 0/7
    
    Port: 0/7
    VLAN Membership Mode: General
    Access Mode VLAN: 1 (default)
    General Mode PVID: 167
    General Mode Ingress Filtering: Enabled
    General Mode Acceptable Frame Type: Admit all
    General Mode Dynamically Added VLANs:
    General Mode Untagged VLANs: 167
    General Mode Tagged VLANs:
    General Mode Forbidden VLANs: 1,161,163-166,168-170
    Trunking Mode Native VLAN: 1 (default)
    Trunking Mode Native VLAN tagging: Disable
    Trunking Mode VLANs Enabled: All
    Protected Port: False​

    0/4 is kids_ls trunk
    0/5 is guest trunk
    0/6 is kids_ls access (a laptop)
    0/7 is guest access (another laptop).

    unifi port 0/4 connects to srx port ge-0/0/4
    unifi port 0/5 connects to srx port ge-0/0/7

    So why does the system work perfectly when I configure the two new vlans into a single trunk port, but fails when I attempt to break them into separate trunks?

    Thanks!!!



    ------------------------------
    RICK
    ------------------------------


  • 2.  RE: intervlan routing

    Posted 08-02-2021 13:47
    I'm up and running now, with a single "trunk-all" port between the SRX-345 and the 48-port unifi switch (USW Pro 48). I realize this isn't a Ubiquiti forum, and the problem with the multi-trunk setup may have been with the switch, rather than the router.

    ------------------------------
    RICK BYCHOWSKI
    ------------------------------