EX2200 Vlans

  • 1.  EX2200 Vlans

    Posted 06-02-2020 12:06

    Please excuse the silliness of my questions, but I would like to understand this a bit better.
    I just got myself an EX2200-C switch (Junos 12.3R6.6) to try out some test scenarios. I never worked with EX before.
    On SRX220 I have two VLANs with assigned ports per each VLAN and network

    VLAN A with network A.A.A.A/24
    VLAN B with network B.B.B.B/24

     

    I have access to Internet from all the devices connected on those ports on SRX for both VLANs.

    For my next test scenario I would like to assign different ports on EX with its own VLANs (two of them).
    Some ports will be assigned to the first VLAN and others to the second one.
    My goal here is to connect EX to SRX so devices connected on EX have access to Internet and obtain IPs from SRX's VLANs.

    For my first test I assigned vlan.0 address C.C.C.C/24 (on EX) for a completely different network, connected one of the two uplink ports on EX into one of SRX's ports for VLAN A and my laptop connected on EX side reached Internet and pulled its private IP from VLAN A: A.A.A.A/24 on SRX.

    First, I do not understand why I was able to reach Internet from EX since I'm on a completely different network C.C.C.C/24 on EX?
    Second, is it possible to assign other ports on EX to be under different VLANs and connect those ports to ports on SRX for both VLAN A: A.A.A.A/24 and VLAN B: B.B.B.B/24 and get Internet connectivity for the devices connected on EX's side under two different VLANs? So far I had no luck when it comes to more than one VLAN.
    Do the VLANs on EX have to be on the same network as my VLANs on SRX?
    On EX I can apply routing-options static route 0.0.0.0/0 next-hop for one VLAN on SRX, but what about the second one?

    Is there a way to accomplish this at all or do I need to setup a trunk on SRX and connect it to EX?
    Can someone please point me into the right direction?

    Part of my config:

    set interfaces ge-0/0/0 unit 0 family ethernet-switching
    set interfaces ge-0/0/1 unit 0 family ethernet-switching
    set interfaces ge-0/0/2 unit 0 family ethernet-switching
    set interfaces ge-0/0/3 unit 0 family ethernet-switching
    set interfaces ge-0/0/4 unit 0 family ethernet-switching
    set interfaces ge-0/0/5 unit 0 family ethernet-switching
    set interfaces ge-0/0/6 unit 0 family ethernet-switching
    set interfaces ge-0/0/7 unit 0 family ethernet-switching
    set interfaces ge-0/0/8 unit 0 family ethernet-switching
    set interfaces ge-0/0/9 unit 0 family ethernet-switching
    set interfaces ge-0/0/10 unit 0 family ethernet-switching
    set interfaces ge-0/0/11 unit 0 family ethernet-switching
    set interfaces ge-0/1/0 unit 0 family ethernet-switching
    set interfaces ge-0/1/1 unit 0 family ethernet-switching
    set interfaces me0 unit 0 family inet address Y.Y.Y.Y/24 
    set interfaces vlan unit 0 family inet address C.C.C.C/24
    set vlans default l3-interface vlan.0

    Thank you.



  • 2.  RE: EX2200 Vlans

    Posted 06-02-2020 19:30

    Hello IsabellaFletcher,

     

    Hope you are doing great!

     

    So, if I understand, you want to create two new vlans in the EX2200, and then connect it to the SRX to access the internet, right?

     

    So, you configured vlan/network C.C.C.C in the EX, but the laptop got an ip from subnet A.A.A.A, right? My guess is that vlan A and vlan C are using the same vlan-id/tag, so the DHCP packets were able to reach the DHCP server. I see from the configuration you provided that you are using the default vlan.

     

    For the second part, I'm a bit confused. 

     

    Q/ is it possible to assign other ports on EX to be under different VLANs and connect those ports to ports on SRX for both VLAN A: A.A.A.A/24 and VLAN B: B.B.B.B/24

     

    A/ Yes, you can assign ports to different vlans, for example:

    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members v10
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v20
    # if you want to do a trunk port for all vlans (or specific ones)
    set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk vlan members all

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB11013&actp=METADATA

     

    If you are planning to get access to the internet through vlans A and B, I think it is not necessary to configure different vlans/subnets in the EX; you can simply use the same vlans that are present in the SRX and configure a trunk port for both vlans.

     

    Something like this 

     

    PC -----vlan A ge-0/0/0 EX2200 ge-0/0/1 ----trunk vlan all-----SRX

    PC -----vlan B ge-0/0/0 EX2200 ge-0/0/1 ----trunk vlan all-----SRX

     

    If you want the switch to be the gateway for two new vlans, you will need to add some routing protocols and configure DHCP relay depending on where the DHCP server is.

     

    PC ---- vlan C ge-0/0/0 EX2200 ge-0/0/1 x.x.x.1 ------- x.x.x.2SRX

     

    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-C
    # SRX side of the link uses .2
    set interfaces ge-0/0/1 unit 0 family inet address x.x.x.1/30
    set interfaces vlan unit 0 family inet address C.C.C.C/24
    set vlans vlan-C l3-interface vlan.0
    set vlans vlan-C vlan-id 10
    # this will work for all the vlans you configure in the EX
    set routing-options static route 0.0.0.0/0 next-hop x.x.x.2

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/dhcp-relay-agent-security-devices.html#id-example-minimum-dhcp-relay-agent-configuration

     

    Q/ On EX I can apply routing-options static route 0.0.0.0/0 next-hop for one VLAN on SRX, but what about the second one?

     

    A/ what ip are you using as a next-hop?

     

    If you have in the EX, for example, vlan.0 C.C.C.C/vlan.1 D.D.D.D, and in the SRX vlan A/vlan B, doing a static route won't help unless the vlans are in the same subnet; otherwise, the switch won't be able to resolve the next-hop.

     

    Hope this helps!

     

    If this solves your problem, please mark this post as "Accepted Solution".



  • 3.  RE: EX2200 Vlans

    Posted 06-03-2020 08:32

    Thank you very much for your reply, gguadamuz! I was hoping things would start making sense to me, but obviously I'm still missing something.
    To answer your previous question, IP that was used as a next-hop on EX in my previous tests = GW for VLAN A on SRX

    I really liked your idea of having trunk configured on EX and using the same vlans that I already have on SRX, so I tried the below
    and left 

    vlans default l3-interface vlan.0

    in my config and unplugged EX uplink ports from SRX

    I'm trying to accomplish this:

     

    PC1 -----> v10 ----- EX2200 ge-0/0/0 trunk <----- SRX with assigned port A for VLAN A with network A.A.A.A/24
    PC2 -----> v20 ----- EX2200 ge-0/0/3 trunk <----- SRX with assigned port B for VLAN B with network B.B.B.B/24

     

    On EX setup two trunks ge-0/0/0 and ge-0/0/3 and connect them to SRX
    Connect PC1 to port ge-0/0/1 on EX for v10 and obtain IP from VLAN A with network A.A.A.A/24 on SRX
    Connect PC2 to port ge-0/0/2 on EX for v20 and obtain IP from VLAN B with network B.B.B.B/24 on SRX

    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v10
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members v20
    set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk vlan members v10
    set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk vlan members v20

     

    error: Trunk/Tagged-access interface ge-0/0/0.0 should not have a vlan v10 with tag value 0
    error: configuration check-out failed

    I think it has something to do with that vlans default... isn't this the one used for untagged frames and these do not go over the trunk interface?
    If I setup trunk port for all vlans on EX

    set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk vlan members all
    set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk vlan members all

    No errors, but no Internet access and my laptop connected on EX side on ge-0/0/1 (v10) fails to obtain private IP from SRX for VLAN A with network A.A.A.A/24

     

    What went wrong?
    Thank you again!

     



  • 4.  RE: EX2200 Vlans

    Posted 06-03-2020 14:29

    Hello IsabellaFletcher,

     

    I think the problem is that you didn't configure the vlans. You referenced v10 and v20, but they are not configured.

     

    Could you try this? The vlan ID must match with the ones configured in the SRX.

     

    set vlans v10 vlan-id # 

    set vlans v20 vlan-id #

     

    -Regards

     



  • 5.  RE: EX2200 Vlans

    Posted 06-04-2020 07:15

    Hello gguadamuz,

    Thank you for your suggestion!

    I added it into my configuration to match vlan IDs on EX with SRX...unfortunately my result is still the same with
    no Internet access and my laptop connected on EX - ge-0/0/1 (v10) still fails to obtain private IP from SRX for vlan A with network A.A.A.A/24
    The only way it "works" is if I go back to this:

    set interfaces ge-0/0/0 unit 0 family ethernet-switching
    set interfaces ge-0/0/1 unit 0 family ethernet-switching
    set interfaces ge-0/0/2 unit 0 family ethernet-switching
    ...
    set interfaces ge-0/1/0 unit 0 family ethernet-switching
    set interfaces ge-0/1/1 unit 0 family ethernet-switching
    set interfaces vlan unit 0 family inet address C.C.C.C/24
    set vlans default l3-interface vlan.0

    my original config

    I have to manually plug cables from EX into SRX per each desired vlan and I can only use one vlan at the time. My laptop obtains its private IP without any issues from SRX side depending on which vlan I'm using at the time, but it does not provide me with the desired two trunks on EX as I originally wanted.

    Thank you!



  • 6.  RE: EX2200 Vlans
    Best Answer

    Posted 06-04-2020 12:53
    Hi Isabella


    In the scenario with the trunks you can test adding vlan default as the native vlan; that way the trunks should carry the untagged traffic, as explained here:
    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/native-vlan-id-edit-interfaces-qfx-series.html


  • 7.  RE: EX2200 Vlans

    Posted 06-04-2020 14:22

    Hello, carloscalvo, that worked!
    And thank you, gguadamuz for all your help!!
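
The two trunk problems worked through in this thread (a trunk member VLAN with no vlan-id, and a trunk with no native VLAN for untagged frames) can be checked offline before a commit. The script below is an added example, not code from any poster or from Juniper; the function name `audit_trunks` and the issue labels are hypothetical, and it assumes `native-vlan-id` is set under `family ethernet-switching` on this switch.

```python
import re
from collections import defaultdict

# Constructed from the set commands quoted in the thread (post 3, before commit failed).
SAMPLE = """\
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v10
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members v20
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk vlan members v10
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk vlan members v20
set vlans default l3-interface vlan.0
"""

IF_RE = re.compile(r"^set interfaces (\S+) unit 0 family ethernet-switching\b(.*)$")
VLAN_ID_RE = re.compile(r"^set vlans (\S+) vlan-id (\d+)\s*$")

def audit_trunks(config):
    """Return (port, issue, vlan) tuples for trunk ports in a set-style config."""
    ports = defaultdict(lambda: {"mode": "access", "members": set(), "native": None})
    tagged = {}  # VLAN name -> 802.1Q tag, only for VLANs that have a vlan-id
    for line in map(str.strip, config.splitlines()):
        if m := VLAN_ID_RE.match(line):
            tagged[m.group(1)] = int(m.group(2))
        elif m := IF_RE.match(line):
            port, rest = ports[m.group(1)], m.group(2)
            if mode := re.search(r"\bport-mode (\S+)", rest):
                port["mode"] = mode.group(1)
            if native := re.search(r"\bnative-vlan-id (\S+)", rest):
                port["native"] = native.group(1)
            port["members"].update(re.findall(r"\bvlan members (\S+)", rest))
    findings = []
    for name in sorted(ports):
        port = ports[name]
        if port["mode"] != "trunk":
            continue
        # A trunk member without a vlan-id has tag 0: the commit error in post 3.
        for vlan in sorted(port["members"] - {"all"}):
            if vlan not in tagged:
                findings.append((name, "member-has-no-vlan-id", vlan))
        # Without a native VLAN the trunk does not carry untagged frames (post 6).
        if port["native"] is None:
            findings.append((name, "no-native-vlan", None))
    return findings

if __name__ == "__main__":
    for finding in audit_trunks(SAMPLE):
        print(finding)
```

The check only covers that the named VLANs have tags; the vlan-id values themselves still have to match the ones on the SRX, as post 4 says.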