SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  native-vlan-id statement ignored

    Posted 22 days ago

    Hi,

    I'm migrating from an SRX240 running 12.3 to an SRX1500 and am having an issue where my trunk definition is no longer valid.

    The current definition is

    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-Management vlan-User vlan-School vlan-Guest ];
                }
                native-vlan-id vlan-trust;
            }
        }
    }

    When I entered the configuration into the new device it said 

    unit 0 {
        family ethernet-switching {
            vlan {
                members [ vlan-Management vlan-User vlan-School vlan-Guest ];
            }
            ##
            ## Warning: statement ignored: unsupported platform (srx1500)
            ##
            native-vlan-id vlan-trust;
        }
    }

    There was another thread here that mentioned an example from https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/topic-map/layer-2-interfaces.html and when I tried it I got the following warnings:

    vlan-tagging;
    ##
    ## Warning: native-vlan-id can be specified with flexible-vlan-tagging mode or with interface-mode trunk
    ## Warning: native-vlan-id can be specified with flexible-vlan-tagging mode or with interface-mode trunk
    ## Warning: native-vlan-id can be specified with flexible-vlan-tagging mode or with interface-mode trunk
    ##
    native-vlan-id 3;
    unit 0 {
        ##
        ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
        ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
        ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
        ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
        ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
        ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
        ##
        family ethernet-switching {
            vlan {
                members [ vlan-Management vlan-User vlan-School vlan-Guest vlan-trust ];
            }
        }
    }

    I then added interface-mode trunk but I still get the ethernet-switching and vlan-tagging conflict.

    vlan-tagging;
    native-vlan-id 3;
    unit 0 {
        ##
        ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
        ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
        ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
        ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
        ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
        ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
        ##
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ vlan-Management vlan-User vlan-School vlan-Guest vlan-trust ];
            }
        }
    }
    
    

    If I remove vlan-tagging things are fine.

    This happens on 18.4 and 23.4. I want vlan-Management, vlan-User, vlan-School, and vlan-Guest to be tagged and vlan-trust (vlan 3) to be untagged.

    What would be the proper way to define a trunk with untagged vlan-trust (3)?

    I also don't like the fact that I need to reference native-vlan-id as a number instead of a symbolic VLAN definition. Is there any way to do that?



  • 2.  RE: native-vlan-id statement ignored

    Posted 21 days ago

    As far as I know, if the L3 vlan specified by the machine's standard setup (vlan id 3) is trunked anywhere, it is untagged unless you tell it that it's untagged elsewhere.

    You would specify native vlan at the interface level. Not at the logical level.

    ge-0/0/1

    Not ge-0/0/1.0

    You can now use flexible.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 3.  RE: native-vlan-id statement ignored

    Posted 20 days ago

    I came up with this. I haven't tried to see if flexible works, again. It had issues before. I assume we are getting it done with this.

    srx300

        ge-0/0/3 {
            promiscuous-mode;
            native-vlan-id 1;
            speed 1g;
            mtu xxxx;
            link-mode full-duplex;
            mac xx:xx:xx:xx:xx:xx;
            gratuitous-arp-reply;
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                radio-router {
                    bandwidth 20;
                    resource 100;
                    latency 80;
                    quality 93;
                    data-rate 45;
                    threshold 40;
                }
                arp-resp;
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ default vlan0 ];
                    }
                    policer {
                        input MyToken-Bucket;
                        output MyToken-Bucket;
                    }
                }
            }
        }



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 4.  RE: native-vlan-id statement ignored

    Posted 20 days ago

    Thanks to all who replied.

    I have been able to verify removing vlan-tagging and following the changes per @Nikolay Semov's link makes everything work like the old way. One just has to include the native VLAN in members.
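
Added example, not part of the original thread: a small Python lint for the ELS trunk rules the thread converged on (interface-mode instead of port-mode, native-vlan-id on the physical interface, no vlan-tagging alongside family ethernet-switching, native VLAN listed in members). The function names, the `ge-0/0/15` wrapper around the sample stanza and the name-to-ID map are assumptions; only vlan-trust = 3 comes from the thread.

```python
def statements(config):
    """Flatten a curly-brace Junos stanza into (block path, statement) pairs."""
    path, out = [], []
    for line in map(str.strip, config.splitlines()):
        if line.startswith("#"):            # '## Warning' annotations from the CLI
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif line.endswith(";"):
            out.append((tuple(path), line[:-1].strip()))
    return out

def lint_els_trunk(config, vlan_ids):
    """Findings for one 'ge-x/y/z { ... }' stanza; vlan_ids maps VLAN name -> ID."""
    stmts = statements(config)
    top = [s for p, s in stmts if len(p) == 1]        # physical-interface level
    sw = [(p, s) for p, s in stmts if "family ethernet-switching" in p]
    found = []
    if any(s.startswith("port-mode") for _, s in sw):
        found.append("port-mode: ELS uses interface-mode")
    if any(s.startswith("native-vlan-id") for _, s in sw):
        found.append("native-vlan-id: set it on the physical interface, not under unit")
    if sw and "vlan-tagging" in top:
        found.append("vlan-tagging: cannot be combined with family ethernet-switching")
    native = [s.split()[1] for s in top if s.startswith("native-vlan-id ")]
    members = [m for p, s in sw if p[-1] == "vlan" and s.startswith("members")
               for m in s.replace("[", " ").replace("]", " ").split()[1:]]
    if native and native[0] not in {str(vlan_ids.get(m, m)) for m in members}:
        found.append(f"native VLAN {native[0]} is missing from vlan members")
    return found

# Constructed sample: the poster's third attempt, wrapped in an assumed ge-0/0/15 stanza.
ATTEMPT = """ge-0/0/15 {
    vlan-tagging;
    native-vlan-id 3;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ vlan-Management vlan-User vlan-School vlan-Guest vlan-trust ];
            }
        }
    }
}"""
if __name__ == "__main__":
    for name, cfg in (("attempt", ATTEMPT), ("fixed", ATTEMPT.replace("    vlan-tagging;\n", ""))):
        print(name, lint_els_trunk(cfg, {"vlan-trust": 3}))
```

Members that have no entry in the map are compared by name, so a numeric member such as `3` also satisfies the native-VLAN check.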




  • 5.  RE: native-vlan-id statement ignored

    Posted 19 days ago

    The best answer to why native-vlan-id I could come up with is this.

    1. The vlan-rewrite statement can force extended support, i.e. vlans of 1024 and higher. If this mechanism isn't operating properly you need to get it extended. This has to do with, IN MY OPINION, NA (non temporary addressing). Other industry gateways do not always have this ability.
    2. This is in an area where traffic is high and the big guys get this done. Segmentation. Take Facebook, for example.

        interface-mode trunk;
        vlan {
            members [ default vlan0 ];
        }
        vlan-rewrite {
            translate X 1;
        }
        policer {
            input MyToken-Bucket;
            output MyToken-Bucket;
        }

    Where X is your vlan conversion ID. 



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 6.  RE: native-vlan-id statement ignored
    Best Answer

    Posted 21 days ago

    SRX1500 uses ELS (Enhanced Layer 2 Software) so configuration commands have been moved around a bit. In your case, the most important ones are:

    • port-mode is now interface-mode
    • native-vlan-id is not specified outside of unit 0
    • and if you want Layer 3 for the VLAN, you use "irb" interface instead of "vlan" interface

    Other than that, things should work more or less the same as before.

    Here's a more comprehensive list of changes: https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/topic-map/layer-2-understanding.html#d183e409



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 7.  RE: native-vlan-id statement ignored

    Posted 21 days ago

    Thanks for the link. I do see the changes for port-mode > interface-mode in Changes to the Interfaces Hierarchy.

    Could you provide insight why https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/topic-map/layer-2-interfaces.html#d220e43__d36322e119 advises to use vlan-tagging? If I go to the vlan-tagging documentation at https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/vlan-tagging-edit-interfaces.html even though there is a section specifically for SRX, it appears this keyword is for L3 interfaces on the subinterface level per its related documentation section.




  • 8.  RE: native-vlan-id statement ignored

    Posted 21 days ago

    Honestly, I don't know. I've only ever used (flexible-)vlan-tagging statement to define L3 subinterfaces, but never for an L2 interface with an ethernet-switching logical interface.



    ------------------------------
    Nikolay Semov
    ------------------------------