Trunk between EX and SRX, native VLAN incompatibility?

  • 1.  Trunk between EX and SRX, native VLAN incompatibility?

    Posted 01-11-2020 06:04

    I'm trying to set up a trunk between an SRX and an EX with the SRX acting as a sort of "router on a stick" (i.e. both subinterfaces on the trunk are configured for family inet and are routed ports). Here is the SRX side config:

     

    vlan-tagging;
    unit 0 {
        vlan-id 12;
        family inet {
            address 192.168.195.21/30;
        }
    }
    unit 1 {
        vlan-id 13;
        family inet {
            address 192.168.195.25/29;
        }
    }

    And here is the EX side config (ge-0/0/15):

     

    native-vlan-id 12;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members all;
            }
        }
    }
    
    vlans {
        TEST1 {
            vlan-id 12;
            l3-interface irb.0;
        }
        TEST2 {
            vlan-id 13;
        }
    }

    Notice the native-vlan-id is set, because I also have this:

     

    dot1x {
        authenticator {
            authentication-profile-name WIRED_AUTH;
            interface {
                ge-0/0/15.0 {
                    disable;
                }
                all {
                    supplicant multiple;
                    retries 3;
                    transmit-period 10;
                    reauthentication 7200;
                    server-timeout 10;
                    maximum-requests 3;
                }
            }
        }
    }

    Dot1x is configured, but it's explicitly disabled for port ge-0/0/15 (the trunk port back to the SRX). But, apparently I need to set the native-VLAN, because I get this message if I don't:

     

    [edit interfaces ge-0/0/15 unit 0 family ethernet-switching interface-mode]
      'interface-mode trunk'
        Must configure native-vlan-id but no flexible-vlan-tagging for dot1x enabled port
    error: commit failed: (statements constraint check failed)

    Now, it seems like the logical thing to do would be just set up a native VLAN on the SRX, but it appears that I can't do that with a routed-port on the SRX:

     

    [edit interfaces ge-0/0/1 native-vlan-id]
      'native-vlan-id 12'
        native-vlan-id can be specified with flexible-vlan-tagging mode or with interface-mode trunk

    So, what's the right way to do this? I'd rather not set up the SRX port for ethernet-switching and need to configure IRB ports if I can avoid it, but I'm not sure how to get around this.



  • 2.  RE: Trunk between EX and SRX, native VLAN incompatibility?
    Best Answer

     
    Posted 01-11-2020 07:10

    Hello Ian,

     

    If you configure "flexible-vlan-tagging" together with "native-vlan-id" instead of "vlan-tagging" on your SRX ge-0/0/1, would this solve your issue?
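
The SRX stanza from the first post with the change suggested in this answer applied, as an added example that is not part of the thread. The interface name ge-0/0/1 comes from the commit error quoted in the first post; that untagged frames are handled by the unit whose vlan-id equals native-vlan-id is an assumption about Junos behaviour, not something the thread states.

```junos
/* [edit interfaces] on the SRX; added example, not a config posted in the thread */
ge-0/0/1 {
    /* replaces "vlan-tagging;", under which the commit rejected native-vlan-id */
    flexible-vlan-tagging;
    /* must match "native-vlan-id 12" on the EX trunk port ge-0/0/15 */
    native-vlan-id 12;
    unit 0 {
        /* assumption: untagged frames on the trunk are handled by this unit */
        vlan-id 12;
        family inet {
            address 192.168.195.21/30;
        }
    }
    unit 1 {
        /* VLAN 13 stays tagged in both directions */
        vlan-id 13;
        family inet {
            address 192.168.195.25/29;
        }
    }
}
```

Running `commit check` on both devices exercises the same constraint checks that produced the errors quoted in the first post, without activating the change.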



  • 3.  RE: Trunk between EX and SRX, native VLAN incompatibility?

    Posted 01-13-2020 08:17

    I didn't try it, but I read a handful of things telling one not to enable flexible VLAN tagging as the implementation is buggy and unstable. I can give it a shot, but I'm just wondering if there is a standard way of doing this. I guess more importantly, I'm wondering why the native VLAN is required on the EX port even though the EX port is explicitly disabled from dot1x (in addition to dot1x being configured for all other ports).



  • 4.  RE: Trunk between EX and SRX, native VLAN incompatibility?

    Posted 01-13-2020 09:42

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB11234&actp=METADATA

    That's the KB article specifically for this 🙂

    KR

    Adam



  • 5.  RE: Trunk between EX and SRX, native VLAN incompatibility?

     
    Posted 01-13-2020 09:53

    We are using flexible-vlan-tagging on our QFX and ACX devices, and it works like a charm. I don't see any reason not to use it. I can only suggest that you try it out to see if it works for you.



  • 6.  RE: Trunk between EX and SRX, native VLAN incompatibility?

    Posted 01-13-2020 11:59

    Thanks for the feedback. I did configure flexible VLAN tagging and it seems to work just fine, so I guess I'll stick with that approach.

     

    I still don't know why dot1x settings are enforcing rules on this interface even though it's explicitly disabled. I don't think that should be the case, but it appears it is, so this is getting into more of a feature request territory. 



  • 7.  RE: Trunk between EX and SRX, native VLAN incompatibility?

     
    Posted 01-13-2020 12:08

    I'm glad that it works now (even though the dot1x question is still not answered). Please mark the solution as "Accepted Solution" so that others can find the right answer quickly and easily.