Junos OS

  • 1.  Assign IP to VLAN trunk

    Posted 05-13-2019 11:47

    I have an SRX-240 in my phone closet where I want to dedicate a trunk port to receiving all data/phone traffic from remotely cabled suites in the building on one cable with 2 separate tagged VLANs (from a downstream Mikrotik in that suite) on ge0/0/8, then NAT'ing them to ge0/0/0, which is the Internet. I'm trying to get the SRX to set up a gateway for each and a DHCP pool. Here's what I have so far:

    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ data43 phone43 ];
                }
            }
        }
    }
    show vlans
    data43 {
        vlan-id 431;
    }
    phone43 {
        vlan-id 432;
    }
    set system services dhcp pool address-range low high
    set system services dhcp pool router
    set system services dhcp pool name-server

    Somehow I have to tie that pool and the gateway to traffic received on ge0/0/8 for both subnets/VLANs; not sure how to do that.


    I tried to set up a security zone called data43, but I think I'm missing some steps first?


  • 2.  RE: Assign IP to VLAN trunk

    Posted 05-13-2019 17:02

    You will need to remove the family ethernet-switching, which only allows layer 2 on the interface, in favor of vlan-tagging along with family inet.


    set interfaces ge-0/0/8 vlan-tagging
    set interfaces ge-0/0/8 unit 431 vlan-id 431
    set interfaces ge-0/0/8 unit 431 family inet address x.x.x.x/x
    set interfaces ge-0/0/8 unit 432 vlan-id 432
    set interfaces ge-0/0/8 unit 432 family inet address x.x.x.x/x



  • 3.  RE: Assign IP to VLAN trunk

    Posted 05-14-2019 11:42

    Thanks for that @spuluka 🙂

    Okay, still having trouble getting my policies to commit. Here's what I have so far:


    set system services dhcp pool address-range low high
    set system services dhcp pool router
    set system services dhcp pool name-server
    set security zones security-zone data43
    [edit security zones]
    set security-zone data43 interfaces ge-0/0/8 host-inbound-traffic system-services ping
    [edit security policies]
    set policies from-zone data43 to-zone Internet policy data43 match source-address any destination-address any application any
    set from-zone data43 to-zone Internet policy data43 then permit
    [edit security nat source]
    set pool src-nat-pooldata43 address
    [edit security nat source]
    set rule-set data43 rule data43 match source-address
    set rule-set data43 rule data43 match destination-address
    set rule-set data43 rule data43 then source-nat pool src-nat-pooldata43

    I'm not really sure I need the nat src pool? Also, I don't know if it should be a /32 if I do?


    The commit error I'm getting is:

    root@srx240CP# commit check
    [edit security zones security-zone data43]
      'interfaces ge-0/0/8.0'
        Interface ge-0/0/8.0 must be configured under interfaces
    error: configuration check-out failed

    But I guess that shouldn't be unit 0, so I went back and tried to do:

    [edit security zones]
    root@srx240CP# set security-zone data43 interfaces ge-0/0/8 un
    syntax error.

    So it won't let me add unit 431/432 to this security zone? What else am I missing to pass traffic from my VLAN trunk to the Internet on ge0/0/0.0?

  • 4.  RE: Assign IP to VLAN trunk
    Best Answer

    Posted 05-14-2019 11:55
    Try the config below:
    delete security zones security-zone data43 interfaces ge-0/0/8.0
    set security zones security-zone data43 interfaces ge-0/0/8.431
    set security zones security-zone data43 interfaces ge-0/0/8.432

  • 5.  RE: Assign IP to VLAN trunk

    Posted 05-14-2019 16:21

    Thanks @Nellikka, that worked better than what I was trying 🙂

    Is there anything else I need to make it pass traffic? I'm still trying to configure a downstream Mikrotik to pass tagged traffic, so not sure whether my issue is there or with this box. I might try to find another box that can support a trunk while I'm debugging (unless someone else has a better way to test?).

  • 6.  RE: Assign IP to VLAN trunk

    Posted 05-15-2019 03:48

    I believe it should work if the SRX receives tagged packets from the downstream device. If not, please update us.



  • 7.  RE: Assign IP to VLAN trunk

    Posted 05-15-2019 10:54

    It worked!


    Well, mostly. Apparently my Juniper isn't serving DHCP requests on vlan-id 431. But if I statically assign an address to my laptop hanging off Mikrotik port 2 (VLAN 431), I can ping both that and the public static configured on ge-0/0/0.0, so yay! Here's what I have for my DHCP config:

    dhcp {
        pool {
            address-range low high;
            name-server {
            }
            router {
            }
        }
    }

    What should I do to make sure traffic tagged as 431 from ge-0/0/8.431 gets an IP from this pool?


    Also, since my traffic won't route to the public static upstream gateway connected to ge-0/0/0.0, this means I have to add something to my routing. What should I add to route that? Here's what I have:

    rule-set data43 {
        from zone data43;
        to zone Internet;
        rule data43 {
            match {
            }
            then {
                source-nat {
                    pool {
                    }
                }
            }
        }
    }

    Here's what I have for my src-nat-pooldata43:

    [edit security nat source]
    set pool src-nat-pooldata43 address

    Is that causing me problems?

  • 8.  RE: Assign IP to VLAN trunk

    Posted 05-15-2019 16:53

    Okay, I got it to pass traffic and hand out DHCP leases; here's what I did:

    set security zones security-zone data43 interfaces ge-0/0/8.431 host-inbound-traffic system-services dhcp

    then I got rid of my src-nat pool and assigned it to an interface like:

    rule-set data43 {
        from zone data43;
        to zone Internet;
        rule data43 {
            match {
            }
            then {
                source-nat {
                    pool {
                    }
                }
            }
        }
    }
    [edit security nat source]
    delete rule data43 then source-nat pool
    set rule data43 then source-nat interface
    rule-set data43 {
        from zone data43;
        to zone Internet;
        rule data43 {
            match {
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }

    Thanks all for your help, I'm soooo happy this community is here to help 🙂
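Pulling the fixes from replies 2, 4 and 8 together into one commit-ready configuration, as an added example (not the poster's or any answerer's config): it assumes an Internet zone that already contains ge-0/0/0.0 and a default route toward the upstream gateway, and every address in it (10.43.x.x, 192.0.2.53) is a constructed placeholder.

```junos
## Constructed example: replaces the L2 switching config on ge-0/0/8 with a
## routed trunk. 10.43.x.x and 192.0.2.53 are placeholders, not the poster's values.
delete interfaces ge-0/0/8 unit 0
set interfaces ge-0/0/8 vlan-tagging
set interfaces ge-0/0/8 unit 431 description data43
set interfaces ge-0/0/8 unit 431 vlan-id 431
set interfaces ge-0/0/8 unit 431 family inet address 10.43.1.1/24
set interfaces ge-0/0/8 unit 432 description phone43
set interfaces ge-0/0/8 unit 432 vlan-id 432
set interfaces ge-0/0/8 unit 432 family inet address 10.43.2.1/24
##
## Zone membership is per logical unit (ge-0/0/8.431, never ge-0/0/8.0);
## dhcp must be allowed inbound or clients on the trunk never get a lease.
set security zones security-zone data43 interfaces ge-0/0/8.431 host-inbound-traffic system-services dhcp
set security zones security-zone data43 interfaces ge-0/0/8.431 host-inbound-traffic system-services ping
set security zones security-zone data43 interfaces ge-0/0/8.432 host-inbound-traffic system-services dhcp
set security zones security-zone data43 interfaces ge-0/0/8.432 host-inbound-traffic system-services ping
##
## Legacy DHCP server: each pool is named by the subnet of the unit it serves,
## so the pool for VLAN 431 must match the address configured on ge-0/0/8.431.
set system services dhcp pool 10.43.1.0/24 address-range low 10.43.1.100 high 10.43.1.200
set system services dhcp pool 10.43.1.0/24 router 10.43.1.1
set system services dhcp pool 10.43.1.0/24 name-server 192.0.2.53
set system services dhcp pool 10.43.2.0/24 address-range low 10.43.2.100 high 10.43.2.200
set system services dhcp pool 10.43.2.0/24 router 10.43.2.1
set system services dhcp pool 10.43.2.0/24 name-server 192.0.2.53
##
## Outbound policy limited to the two local subnets instead of source-address any.
set security address-book global address net-data43 10.43.1.0/24
set security address-book global address net-phone43 10.43.2.0/24
set security policies from-zone data43 to-zone Internet policy data43-out match source-address [ net-data43 net-phone43 ]
set security policies from-zone data43 to-zone Internet policy data43-out match destination-address any
set security policies from-zone data43 to-zone Internet policy data43-out match application any
set security policies from-zone data43 to-zone Internet policy data43-out then permit
##
## Source NAT to the egress interface address; no separate NAT pool is needed.
set security nat source rule-set data43 from zone data43
set security nat source rule-set data43 to zone Internet
set security nat source rule-set data43 rule data43 match source-address 10.43.1.0/24
set security nat source rule-set data43 rule data43 match source-address 10.43.2.0/24
set security nat source rule-set data43 rule data43 match destination-address 0.0.0.0/0
set security nat source rule-set data43 rule data43 then source-nat interface
```

The `##` lines are explanatory only; drop them before pasting the set commands into `load set terminal`, then run `commit check` before `commit`.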