Junos OS


Assign IP to VLAN trunk

  • 1.  Assign IP to VLAN trunk

    Posted 05-13-2019 11:47

    I have an SRX-240 in my phone closet where I want to dedicate a trunk port to receiving all data/phone traffic from remotely cabled suites in the building on one cable with 2 separate tagged VLANs (from a downstream Mikrotik in that suite) on ge-0/0/8, then NAT'ing them to ge-0/0/0, which is the Internet. I'm trying to get the SRX to set up a gateway for each and a DHCP pool. Here's what I have so far:

    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ data43 phone43 ];
                }
            }
        }
    }
    
    show vlans
    data43 {
        vlan-id 431;
    }
    phone43 {
        vlan-id 432;
    }
    
    set system services dhcp pool 192.168.43.0/24 address-range low 192.168.43.100 high 192.168.43.254
    set system services dhcp pool 192.168.43.0/24 router 192.168.43.1
    set system services dhcp pool 192.168.43.0/24 name-server 1.1.1.1

    Somehow I have to tie that pool and the gateway to traffic received on ge-0/0/8 for both subnets/VLANs, not sure how to do that.

     

    I tried to set up a security zone called data43, but I think I'm missing some steps first?


    #VLANtrunk
    #vlan


  • 2.  RE: Assign IP to VLAN trunk

     
    Posted 05-13-2019 17:02

    You will need to remove the family ethernet-switching, which only allows layer 2 on the interface, in favor of vlan-tagging along with family inet:

    set interfaces ge-0/0/8 vlan-tagging
    set interfaces ge-0/0/8 unit 431 vlan-id 431
    set interfaces ge-0/0/8 unit 431 family inet address x.x.x.x/x
    set interfaces ge-0/0/8 unit 432 vlan-id 432
    set interfaces ge-0/0/8 unit 432 family inet address x.x.x.x/x

     

     



  • 3.  RE: Assign IP to VLAN trunk

    Posted 05-14-2019 11:42

    Thanks for that @spuluka 🙂

    Okay, still having trouble getting my policies to commit. Here's what I have so far:

     

    set system services dhcp pool 192.168.43.0/24 address-range low 192.168.43.100 high 192.168.43.254
    set system services dhcp pool 192.168.43.0/24 router 192.168.43.1
    set system services dhcp pool 192.168.43.0/24 name-server 1.1.1.1
    
    set security zones security-zone data43
    [edit security zones]
    set security-zone data43 interfaces ge-0/0/8 host-inbound-traffic system-services ping
    
    [edit security policies]
    set policies from-zone data43 to-zone Internet policy data43 match source-address any destination-address any application any
    set from-zone data43 to-zone Internet policy data43 then permit
    
    [edit security nat source]
    set pool src-nat-pooldata43 address 192.168.43.1/32
    
    [edit security nat source]
    set rule-set data43 rule data43 match source-address 192.168.43.0/24
    set rule-set data43 rule data43 match destination-address 0.0.0.0/0
    set rule-set data43 rule data43 then source-nat pool src-nat-pooldata43

    I'm not really sure I need the nat src pool? Also, I don't know if it should be a /32 if I do?

     

    The commit error I'm getting is:

    root@srx240CP# commit check
    [edit security zones security-zone data43]
      'interfaces ge-0/0/8.0'
        Interface ge-0/0/8.0 must be configured under interfaces
    error: configuration check-out failed

    But I guess that shouldn't be unit 0, so I went back and tried to do:

    [edit security zones]
    root@srx240CP# set security-zone data43 interfaces ge-0/0/8 un
                                                                ^
    syntax error.

    So it won't let me add unit 431/432 to this security zone? What else am I missing to pass traffic from my VLAN trunk to the Internet on ge-0/0/0.0?



  • 4.  RE: Assign IP to VLAN trunk

    Posted 05-15-2019 03:48

    I believe it should work if the SRX receives tagged packets from the downstream device. If not, please update us.

     

     



  • 5.  RE: Assign IP to VLAN trunk

    Posted 05-15-2019 16:53

    Okay, I got it to pass traffic and hand out dhcp leases, here's what I did:

    set security zones security-zone data43 interfaces ge-0/0/8.431 host-inbound-traffic system-services dhcp

    then I got rid of my src-nat pool and assigned it to an interface like:

    rule-set data43 {
        from zone data43;
        to zone Internet;
        rule data43 {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pooldata43;
                    }
                }
            }
        }
    }
    [edit security nat source]
    delete rule-set data43 rule data43 then source-nat pool
    set rule-set data43 rule data43 then source-nat interface
    show
    rule-set data43 {
        from zone data43;
        to zone Internet;
        rule data43 {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }

    Thanks all for your help, I'm soooo happy this community is here to help 🙂



  • 6.  RE: Assign IP to VLAN trunk
    Best Answer

    Posted 05-14-2019 11:55
    Try the config below:
    delete security zones security-zone data43 interfaces ge-0/0/8.0
    set security zones security-zone data43 interfaces ge-0/0/8.431
    set security zones security-zone data43 interfaces ge-0/0/8.432




  • 7.  RE: Assign IP to VLAN trunk

    Posted 05-14-2019 16:21

    Thanks @Nellikka, that worked better than what I was trying 🙂

    Is there anything else I need to make it pass traffic? I'm still trying to configure a downstream Mikrotik to pass tagged traffic, so not sure whether my issue is there, or with this box. I might try to find another box that can support a trunk while I'm debugging (unless someone else has a better way to test?)



  • 8.  RE: Assign IP to VLAN trunk

    Posted 05-15-2019 10:54

    It worked!

     

    Well, mostly. Apparently my Juniper isn't serving up DHCP requests for 192.168.43.0/24 on vlan-id 431. But if I statically assign 192.168.43.3/24 to my laptop hanging off the Mikrotik port 2 (VLAN 431), I can ping both 192.168.43.1 and the public static configured on ge-0/0/0.0 so yay! Here's what I have for my DHCP config:

    dhcp {
        pool 192.168.43.0/24 {
            address-range low 192.168.43.100 high 192.168.43.254;
            name-server {
                1.1.1.1;
                8.8.8.8;
            }
            router {
                192.168.43.1;
            }
        }
    }

    What should I do to make sure traffic tagged as 431 from ge-0/0/8.431 gets an IP from this pool?

     

    Also, since my traffic won't route to the public static upstream gateway connected to ge-0/0/0.0, this means I have to add something to my routing. What should I add to route that? Here's what I have:

    rule-set data43 {
        from zone data43;
        to zone Internet;
        rule data43 {
            match {
                source-address 192.168.43.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pooldata43;
                    }
                }
            }
        }
    }

    Here's what I have for my src-nat-pooldata43:

    [edit security nat source]
    set pool src-nat-pooldata43 address 192.168.43.1/32

    Is that causing me problems?
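
The pieces that ended up working in this thread, gathered into one set-format configuration as an added example (not posted by any participant). It assumes the zone Internet already exists and contains ge-0/0/0.0, and that 192.168.43.1/24 is the gateway on unit 431; the unit 432 address is a placeholder because the thread never gives one.

```junos
# Trunk port as routed sub-interfaces: the layer 2 unit 0 is removed
# and each tagged VLAN gets its own logical unit with family inet.
delete interfaces ge-0/0/8 unit 0
set interfaces ge-0/0/8 vlan-tagging
set interfaces ge-0/0/8 unit 431 vlan-id 431
set interfaces ge-0/0/8 unit 431 family inet address 192.168.43.1/24
set interfaces ge-0/0/8 unit 432 vlan-id 432
# Placeholder: substitute the gateway address for the phone VLAN.
set interfaces ge-0/0/8 unit 432 family inet address <PHONE43_GATEWAY>/<PREFIX_LEN>

# Zones bind logical units (ge-0/0/8.431), not the physical port.
# Referencing ge-0/0/8 alone resolves to ge-0/0/8.0 and fails commit check.
delete security zones security-zone data43 interfaces ge-0/0/8.0
# Host-inbound traffic is limited to what the SRX itself must answer:
# DHCP requests from clients and ping for testing the gateway.
set security zones security-zone data43 interfaces ge-0/0/8.431 host-inbound-traffic system-services dhcp
set security zones security-zone data43 interfaces ge-0/0/8.431 host-inbound-traffic system-services ping
set security zones security-zone data43 interfaces ge-0/0/8.432

# Transit policy from the VLAN zone to the Internet zone.
set security policies from-zone data43 to-zone Internet policy data43 match source-address any
set security policies from-zone data43 to-zone Internet policy data43 match destination-address any
set security policies from-zone data43 to-zone Internet policy data43 match application any
set security policies from-zone data43 to-zone Internet policy data43 then permit

# Source NAT to the egress interface address; no source pool is defined.
set security nat source rule-set data43 from zone data43
set security nat source rule-set data43 to zone Internet
set security nat source rule-set data43 rule data43 match source-address 192.168.43.0/24
set security nat source rule-set data43 rule data43 match destination-address 0.0.0.0/0
set security nat source rule-set data43 rule data43 then source-nat interface

# DHCP pool for the data VLAN, as posted in the thread.
set system services dhcp pool 192.168.43.0/24 address-range low 192.168.43.100 high 192.168.43.254
set system services dhcp pool 192.168.43.0/24 router 192.168.43.1
set system services dhcp pool 192.168.43.0/24 name-server 1.1.1.1
```

Run `commit check` before `commit`; the zone statements only pass once the matching units exist under interfaces.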