SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Need help with vlan tagging on physical interface on SRX

    Posted 08-15-2014 02:33

    Hi,

    On the production firewall we need to add a VLAN on a LAN interface, add it to a new security zone and security policy.

    In other words we need to add an extra lab network and tag it to the destination on the existing LAN.

    There are no L3 interfaces configured; the IPs are configured directly on the interface like this:

    set interfaces fe-0/0/6 unit 0 family inet address 10.10.10.1/24

    I've tried to add another L3 interface but cannot seem to get this to work!

    This shouldn't be any problem to achieve, but somehow this is a difficult topic on the SRX.

    I've tried the following:

    set interfaces fe-0/0/6 vlan-tagging
    set interfaces fe-0/0/6 unit 200 vlan-id 200
    set interfaces fe-0/0/6 unit 200 family inet address 10.0.200.1/24

    but when committing it complains about not having a vlan-id on unit 0.

    Adding "set interfaces fe-0/0/6 unit 0 vlan-id 0" breaks the LAN connectivity!!!

    What to do?

    Many thanks in advance,

    regards, DB.



  • 2.  RE: Need help with vlan tagging on physical interface on SRX
    Best Answer

    Posted 08-15-2014 05:38

    If you're running 12.1x44D10 or later you could use flexible-vlan-tagging to achieve this:

    set interfaces fe-0/0/6 flexible-vlan-tagging
    set interfaces fe-0/0/6 native-vlan-id 1
    set interfaces fe-0/0/6 unit 0 vlan-id 1
    set interfaces fe-0/0/6 unit 200 vlan-id 200
    set interfaces fe-0/0/6 unit 200 family inet address 10.0.200.1/24

    See http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-interface-vlan-tagging-configuring.html for the documentation.

    And the following KB article mentions the supported release: http://kb.juniper.net/InfoCenter/index?page=content&id=KB14586



  • 3.  RE: Need help with vlan tagging on physical interface on SRX

    Posted 08-15-2014 05:55

    Hi and thanks,

    Will be back with the results!



  • 4.  RE: Need help with vlan tagging on physical interface on SRX

    Posted 08-15-2014 06:45

    Hi again,

    It worked partially.

    Configured as proposed and yes, LAN connectivity is okay, but we cannot access the internet from the new test-200 zone.

    We can ping the router interface and the switch.

    set interfaces fe-0/0/6 flexible-vlan-tagging
    set interfaces fe-0/0/6 native-vlan-id 1
    set interfaces fe-0/0/6 unit 0 vlan-id 1
    set interfaces fe-0/0/6 unit 0 family inet address 10.10.10.1/24
    set interfaces fe-0/0/6 unit 200 vlan-id 200
    set interfaces fe-0/0/6 unit 200 family inet address 10.0.200.1/24

    set security zones security-zone test-200 host-inbound-traffic system-services all
    set security zones security-zone test-200 host-inbound-traffic protocols all
    set security zones security-zone test-200 interfaces fe-0/0/6.200

    set security policies from-zone test-200 to-zone untrust policy test-200-out match source-address any
    set security policies from-zone test-200 to-zone untrust policy test-200-out match destination-address any
    set security policies from-zone test-200 to-zone untrust policy test-200-out match application any
    set security policies from-zone test-200 to-zone untrust policy test-200-out then permit



  • 5.  RE: Need help with vlan tagging on physical interface on SRX

     
    Posted 08-15-2014 06:49
    Must ask. Did you also create a NAT policy?

    Regards
    Sam


  • 6.  RE: Need help with vlan tagging on physical interface on SRX

    Posted 08-15-2014 07:11

    Hi,

    How could I forget that!

    Did the trick!

    Thanks guys!
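As an added illustration (not configuration posted in this thread), here is the piece Sam's question points at: a source NAT rule-set so hosts on the new VLAN 200 are translated behind the untrust interface, plus a narrower host-inbound-traffic setting for the new zone than the "all" used above. The zone names test-200 and untrust come from the thread; the rule-set and rule names, the use of interface NAT, and the choice of allowing only ping to the firewall itself are assumptions.

```junos
# Constructed example, not from the thread. Assumes zones test-200 and
# untrust exist as configured above and that untrust holds the
# internet-facing interface.

# Source NAT: translate 10.0.200.0/24 to the egress interface address
# when traffic leaves test-200 towards untrust. Without a rule like this
# the security policy permits the session but replies never come back,
# which matches the "can ping the router but no internet" symptom.
set security nat source rule-set lab-to-internet from zone test-200
set security nat source rule-set lab-to-internet to zone untrust
set security nat source rule-set lab-to-internet rule lab-200-snat match source-address 10.0.200.0/24
set security nat source rule-set lab-to-internet rule lab-200-snat match destination-address 0.0.0.0/0
set security nat source rule-set lab-to-internet rule lab-200-snat then source-nat interface

# Least privilege for the new zone: "system-services all" exposes every
# management service on fe-0/0/6.200 to the lab hosts. Replace it with
# only what the lab actually needs to reach on the firewall itself
# (here: ping for troubleshooting; add ssh/dhcp only if required).
delete security zones security-zone test-200 host-inbound-traffic
set security zones security-zone test-200 host-inbound-traffic system-services ping

# Validate before committing, then check that sessions from the lab
# subnet are actually being translated.
commit check
commit comment "add source NAT and tighten host-inbound for test-200"
run show security nat source rule all
run show security flow session source-prefix 10.0.200.0/24
```

In the session output the "Out:" half of a translated flow should show the untrust interface address as source; if it still shows 10.0.200.x, the rule-set's from/to zones do not match the zones the interfaces are actually placed in.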