Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Assign IP to VLAN trunk

    Posted 05-13-2019 11:47

    I have an SRX-240 in my phone closet where I want to dedicate a trunk port to receiving all data/phone traffic from remotely cabled suites in the building on one cable with 2 separate tagged VLANs (from a downstream Mikrotik in that suite) on ge0/0/8, then NAT them to ge0/0/0, which is the Internet. I'm trying to get the SRX to set up a gateway for each and a DHCP pool. Here's what I have so far:

    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ data43 phone43 ];
                }
            }
        }
    }
    
    show vlans
    data43 {
        vlan-id 431;
    }
    phone43 {
        vlan-id 432;
    }
    
    set system services dhcp pool 192.168.43.0/24 address-range low 192.168.43.100 high 192.168.43.254
    set system services dhcp pool 192.168.43.0/24 router 192.168.43.1
    set system services dhcp pool 192.168.43.0/24 name-server 1.1.1.1

    Somehow I have to tie that pool and the gateway to traffic received on ge0/0/8 for both subnets/VLANs; not sure how to do that.

     

    I tried to set up a security zone called data43, but I think I'm missing some steps first?


    #VLANtrunk
    #vlan


  • 2.  RE: Assign IP to VLAN trunk

    Posted 05-13-2019 17:02

    You will need to remove the family ethernet-switching, which only allows layer 2 on the interface, in favor of vlan-tagging along with family inet:

     

    set interfaces ge-0/0/8 vlan-tagging
    set interfaces ge-0/0/8 unit 431 vlan-id 431
    set interfaces ge-0/0/8 unit 431 family inet address x.x.x.x/x
    set interfaces ge-0/0/8 unit 432 vlan-id 432
    set interfaces ge-0/0/8 unit 432 family inet address x.x.x.x/x

     

     



  • 3.  RE: Assign IP to VLAN trunk

    Posted 05-14-2019 11:42

    Thanks for that @spuluka 🙂

    Okay, still having trouble getting my policies to commit. Here's what I have so far:

     

    set system services dhcp pool 192.168.43.0/24 address-range low 192.168.43.100 high 192.168.43.254
    set system services dhcp pool 192.168.43.0/24 router 192.168.43.1
    set system services dhcp pool 192.168.43.0/24 name-server 1.1.1.1
    
    set security zones security-zone data43
    [edit security zones]
    set security-zone data43 interfaces ge-0/0/8 host-inbound-traffic system-services ping
    
    [edit security policies]
    set policies from-zone data43 to-zone Internet policy data43 match source-address any destination-address any application any
    set from-zone data43 to-zone Internet policy data43 then permit
    
    [edit security nat source]
    set pool src-nat-pooldata43 address 192.168.43.1/32
    
    [edit security nat source]
    set rule-set data43 rule data43 match source-address 192.168.43.0/24
    set rule-set data43 rule data43 match destination-address 0.0.0.0/0
    set rule-set data43 rule data43 then source-nat pool src-nat-pooldata43

    I'm not really sure I need the nat src pool? Also, I don't know if it should be a /32 if I do?

     

    The commit error I'm getting is:

    root@srx240CP# commit check
    [edit security zones security-zone data43]
      'interfaces ge-0/0/8.0'
        Interface ge-0/0/8.0 must be configured under interfaces
    error: configuration check-out failed

    But I guess that shouldn't be unit 0, so I went back and tried to do:

    [edit security zones]
    root@srx240CP# set security-zone data43 interfaces ge-0/0/8 un
                                                                                                               ^
    syntax error.

    So it won't let me add unit 431/432 to this security zone? What else am I missing to pass traffic from my VLAN trunk to the Internet on ge0/0/0.0?



  • 4.  RE: Assign IP to VLAN trunk
    Best Answer

    Posted 05-14-2019 11:55
    Try below config:
    delete security zones security-zone data43 interfaces ge-0/0/8.0
    set security zones security-zone data43 interfaces ge-0/0/8.431
    set security zones security-zone data43 interfaces ge-0/0/8.432




  • 5.  RE: Assign IP to VLAN trunk

    Posted 05-14-2019 16:21

    Thanks @Nellikka, that worked better than what I was trying 🙂

    Is there anything else I need to make it pass traffic? I'm still trying to configure a downstream Mikrotik to pass tagged traffic, so not sure whether my issue is there or with this box. I might try to find another box that can support a trunk while I'm debugging (unless someone else has a better way to test?).



  • 6.  RE: Assign IP to VLAN trunk

    Posted 05-15-2019 03:48

    I believe it should work if the SRX receives tagged packets from the downstream device. If not, please update us.

     

     



  • 7.  RE: Assign IP to VLAN trunk

    Posted 05-15-2019 10:54

    It worked!

     

    Well, mostly. Apparently my Juniper isn't serving up DHCP requests for 192.168.43.0/24 on vlan-id 431. But if I statically assign 192.168.43.3/24 to my laptop hanging off the Mikrotik port 2 (VLAN 431), I can ping both 192.168.43.1 and the public static configured on ge-0/0/0.0 so yay! Here's what I have for my DHCP config:

    dhcp {
        pool 192.168.43.0/24 {
            address-range low 192.168.43.100 high 192.168.43.254;
            name-server {
                1.1.1.1;
                8.8.8.8;
            }
            router {
                192.168.43.1;
            }
        }
    }

    What should I do to make sure traffic tagged as 431 from ge-0/0/8.431 gets an IP from this pool?

     

    Also, since my traffic won't route to the public static upstream gateway connected to ge-0/0/0.0, this means I have to add something to my routing. What should I add to route that? Here's what I have:

    rule-set data43 {
        from zone data43;
        to zone Internet;
        rule data43 {
            match {
                source-address 192.168.43.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pooldata43;
                    }
                }
            }
        }
    }

    Here's what I have for my src-nat-pooldata43:

    [edit security nat source]
    set pool src-nat-pooldata43 address 192.168.43.1/32

    Is that causing me problems?



  • 8.  RE: Assign IP to VLAN trunk

    Posted 05-15-2019 16:53

    Okay, I got it to pass traffic and hand out DHCP leases. Here's what I did:

    set security zones security-zone data43 interfaces ge-0/0/8.431 host-inbound-traffic system-services dhcp

    Then I got rid of my src-nat pool and assigned it to an interface, like so:

    rule-set data43 {
        from zone data43;
        to zone Internet;
        rule data43 {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pooldata43;
                    }
                }
            }
        }
    }
    [edit security nat source]
    delete rule data43 then source-nat pool
    set rule data43 then source-nat interface
    show
    rule-set data43 {
        from zone data43;
        to zone Internet;
        rule data43 {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }

    Thanks all for your help, I'm soooo happy this community is here to help 🙂
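The pieces that ended up working across this thread (routed sub-interfaces instead of family ethernet-switching, zones bound to the .431/.432 units, dhcp admitted as host-inbound traffic, interface source NAT instead of a private /32 pool), pulled together as one added example; this is not any poster's configuration. It assumes a security zone named Internet already holds ge-0/0/0.0 with its public address, uses a constructed 192.168.44.0/24 subnet for the phone VLAN (the thread never gives one), and leaves the upstream gateway as a placeholder; the `#` lines are reader comments, not config.

```junos
# Added example, not from the thread. Assumptions: zone Internet holds ge-0/0/0.0;
# 192.168.44.0/24 for VLAN 432 is constructed; <UPSTREAM-GW> is a placeholder.

# Routed sub-interfaces replace the layer-2 trunk unit on ge-0/0/8
delete interfaces ge-0/0/8 unit 0
set interfaces ge-0/0/8 vlan-tagging
set interfaces ge-0/0/8 unit 431 vlan-id 431
set interfaces ge-0/0/8 unit 431 family inet address 192.168.43.1/24
set interfaces ge-0/0/8 unit 432 vlan-id 432
set interfaces ge-0/0/8 unit 432 family inet address 192.168.44.1/24

# One DHCP pool per tenant subnet; "router" is the SRX sub-interface address
set system services dhcp pool 192.168.43.0/24 address-range low 192.168.43.100 high 192.168.43.254
set system services dhcp pool 192.168.43.0/24 router 192.168.43.1
set system services dhcp pool 192.168.43.0/24 name-server 1.1.1.1
set system services dhcp pool 192.168.44.0/24 address-range low 192.168.44.100 high 192.168.44.254
set system services dhcp pool 192.168.44.0/24 router 192.168.44.1
set system services dhcp pool 192.168.44.0/24 name-server 1.1.1.1

# Zones bind the logical units, not the physical port. Only dhcp and ping are
# admitted to the SRX itself from the suite VLANs; no ssh/http management there.
set security zones security-zone data43 interfaces ge-0/0/8.431 host-inbound-traffic system-services dhcp
set security zones security-zone data43 interfaces ge-0/0/8.431 host-inbound-traffic system-services ping
set security zones security-zone phone43 interfaces ge-0/0/8.432 host-inbound-traffic system-services dhcp
set security zones security-zone phone43 interfaces ge-0/0/8.432 host-inbound-traffic system-services ping

# Outbound policies only; Internet -> suite stays at the implicit default deny
set security policies from-zone data43 to-zone Internet policy data43 match source-address any destination-address any application any
set security policies from-zone data43 to-zone Internet policy data43 then permit
set security policies from-zone phone43 to-zone Internet policy phone43 match source-address any destination-address any application any
set security policies from-zone phone43 to-zone Internet policy phone43 then permit

# Interface source NAT: egress uses the ge-0/0/0.0 public address, so no pool
# holding a private /32 is needed; the match is narrowed to each tenant subnet
set security nat source rule-set data43 from zone data43
set security nat source rule-set data43 to zone Internet
set security nat source rule-set data43 rule data43 match source-address 192.168.43.0/24
set security nat source rule-set data43 rule data43 then source-nat interface
set security nat source rule-set phone43 from zone phone43
set security nat source rule-set phone43 to zone Internet
set security nat source rule-set phone43 rule phone43 match source-address 192.168.44.0/24
set security nat source rule-set phone43 rule phone43 then source-nat interface

# Default route toward the ISP gateway reachable on ge-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop <UPSTREAM-GW>
```

Run `commit check` before `commit`; the "must be configured under interfaces" error from earlier in the thread is exactly what the zone-to-unit binding above avoids.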