Sounds like you really don't need mixed mode or any of the layer 2 mode security features. These are used when you need to insert the SRX at layer 2 and not with routing layer 3 between devices. These are generally used to isolate a device within a subnet for higher security.
When you use mixed mode you have zones that are for communication within a layer 2 domain and normal layer 3 zones and you cannot mix them in policy.
Once you move out of mixed mode, you don't need to declare an access port for an untagged interface connected to a vlan. There are two options for the layer 3 interface.
If this is a dedicated layer 3 port for that vlan you just add family inet address and the SRX is now the gateway for the vlan.
If you need multiple untagged ports, the irb interface is created and all the interfaces are bridged with that l3 interface under vlans. Only the irb interface needs to be added to the security zone.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
------------------------------
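The two options from the reply above, written out as set-style Junos configuration. This is an added example, not configuration from Steve Puluka, Gianni Stubbe or Juniper; it reuses the names from the original post (VLAN_MGMT / vlan-id 310, irb.310 with 10.33.6.1/28, ge-0/0/0 as the DHCP-client WAN port, ge-0/0/1 as an access port, pool MGMT, rule-set Local-To-WAN) and assumes the rest: ge-0/0/3 as a second access port, ge-0/0/2 with 10.33.7.0/28 as the dedicated layer 3 port, the trust-to-untrust policy, and the `l2-learning global-mode switching` statement as the way to leave mixed mode on the platform in question.

```junos
## Added example, not from the thread. Assumed: ge-0/0/2, ge-0/0/3, 10.33.7.0/28,
## the security policy and the l2-learning statement below.

## Step 0 (assumed to apply to this platform; check the platform guide, and
## expect a reboot): run the SRX in Ethernet switching mode instead of mixed mode.
set protocols l2-learning global-mode switching

## Option 1: a dedicated layer 3 port. No VLAN, no irb, no access-port
## declaration; the port itself is the gateway for the hosts behind it.
set interfaces ge-0/0/2 unit 0 family inet address 10.33.7.1/28
set security zones security-zone trust interfaces ge-0/0/2.0

## Option 2: several untagged ports in one VLAN, bridged to one irb.
## The physical ports carry only family ethernet-switching ...
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VLAN_MGMT
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members VLAN_MGMT
## ... the VLAN ties them to the routed irb ...
set vlans VLAN_MGMT vlan-id 310
set vlans VLAN_MGMT l3-interface irb.310
set interfaces irb unit 310 family inet address 10.33.6.1/28
## ... and only the irb goes into the security zone, never ge-0/0/1.0 or ge-0/0/3.0.
## Host-inbound services are listed explicitly rather than "all" as in the post,
## so the management VLAN can only reach the services it needs on the SRX.
set security zones security-zone trust interfaces irb.310
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh

## DHCP server bound to the irb, same pool and attributes as in the post.
set system services dhcp-local-server group MGMT interface irb.310
set access address-assignment pool MGMT family inet network 10.33.6.0/28
set access address-assignment pool MGMT family inet range MGMT_RANGE low 10.33.6.2
set access address-assignment pool MGMT family inet range MGMT_RANGE high 10.33.6.14
set access address-assignment pool MGMT family inet dhcp-attributes maximum-lease-time 14400
set access address-assignment pool MGMT family inet dhcp-attributes router 10.33.6.1
set access address-assignment pool MGMT family inet dhcp-attributes name-server 1.1.1.1
set access address-assignment pool MGMT family inet dhcp-attributes name-server 1.0.0.1

## WAN side, interface source NAT and a permit policy. Because trust now holds
## only layer 3 interfaces (irb.310 and ge-0/0/2.0), "from zone trust" is a
## layer 3 zone and the "From zone can not be a L2 zone" error goes away.
set interfaces ge-0/0/0 unit 0 family inet dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security nat source rule-set Local-To-WAN from zone trust
set security nat source rule-set Local-To-WAN to zone untrust
set security nat source rule-set Local-To-WAN rule SNAT-WAN match destination-address 0.0.0.0/0
set security nat source rule-set Local-To-WAN rule SNAT-WAN then source-nat interface
## Assumed policy: the post has none, and without one no trust->untrust session is built.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
```

After `commit`, `show vlans` should list ge-0/0/1.0 and ge-0/0/3.0 under VLAN_MGMT with irb.310 as the layer 3 interface, `show security zones trust` should show only irb.310 and ge-0/0/2.0, and `show dhcp server binding` should show leases handed out on irb.310 once a host on either access port requests one.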
Original Message:
Sent: 05-06-2021 04:20
From: Gianni Stubbe
Subject: Getting started with SRX but having issues with VLAN + NAT + DHCP
Hello,
I'm just getting started with SRX (I have some experience with the EX line) but I have some issues setting up an interface which is set in vlan access mode and having DHCP + natting enabled on that interface. Following is my config:
version 20.4R1-S1.2;
system {
    host-name CM_TEST;
    root-authentication {
        encrypted-password ""; ## SECRET-DATA
    }
    services {
        ssh {
            root-login allow;
            protocol-version v2;
        }
        netconf {
            ssh;
        }
        dhcp-local-server {
            group MGMT {
                interface irb.310;
            }
        }
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    time-zone UTC;
    authentication-order [ radius password ];
    name-server {
        1.1.1.1;
        1.0.0.1;
    }
    radius-server {
        10.10.8.109 secret ""; ## SECRET-DATA
    }
    syslog {
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    ntp {
        server 193.190.147.153;
    }
}
chassis {
    alarm {
        management-ethernet {
            link-down ignore;
        }
    }
}
security {
    nat {
        source {
            rule-set Local-To-WAN {
                from zone trust;
                to zone untrust;
                rule SNAT-WAN {
                    match {
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    https;
                    ping;
                    ssh;
                    ike;
                    traceroute;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.310;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members VLAN_MGMT;
                }
            }
        }
    }
    irb {
        unit 310 {
            family inet {
                address 10.33.6.1/28;
            }
        }
    }
}
access {
    address-assignment {
        pool MGMT {
            family inet {
                network 10.33.6.0/28;
                range MGMT_RANGE {
                    low 10.33.6.2;
                    high 10.33.6.14;
                }
                dhcp-attributes {
                    maximum-lease-time 14400;
                    name-server {
                        1.1.1.1;
                        1.0.0.1;
                    }
                    router {
                        10.33.6.1;
                    }
                }
            }
        }
    }
}
protocols {
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
vlans {
    VLAN_MGMT {
        vlan-id 310;
        l3-interface irb.310;
    }
}
Committing this gives the error:
[edit security zones security-zone trust]
  'interfaces irb.310'
    Interface irb is not allowed in mix mode
error: configuration check-out failed
When changing that interface to ge-0/0/1.0 this works, but I get an issue on the nat config:
[edit security nat source rule-set Local-To-WAN]
  'from'
    From zone can not be a L2 zone.
I would like to use this vlan structure as this allows me to bridge the vlan to another interface as well. While setting the vlan directly on the interface like the following does not allow me to do that right?
ge-0/0/1 {
    vlan-tagging;
    unit 0 {
        vlan-id 310;
        family inet {
            address 10.33.6.1/28;
        }
    }
}
I read this on SRX mixed mode, but I am unsure how I would be able to have one vlan coming out of multiple interfaces with DHCP + NAT support.
------------------------------
Gianni Stubbe
------------------------------