New User
Posts: 1
Registered: ‎01-19-2010
0

SRX210 Can't remove interface from VLAN

Hi

I am setting up an SRX210. This fw is factory configured with a vlan including all interfaces except ge-0/0/0.0.

When I remove one interface from the vlan it gives an OK message but it does not do it; the interface is still there.

I have committed the change.

Any help?

Distinguished Expert
Posts: 414
Registered: ‎06-18-2008
0

Re: SRX210 Can't remove interface from VLAN

It shouldn't be a problem, please paste your config.

Thanks

raheel

New User
Posts: 2
Registered: ‎06-10-2010
0

Re: SRX210 Can't remove interface from VLAN

Hello,

Same problem here...

and if I delete the entire vlan.trust I get an error after Commit

Error(s):

'interfaces vlan.0'

1) Interface vlan.0 must be configured under interfaces

2) Interface <fe-0/0/2.0> vlan member <vlan-trust> undefined

3) configuration check-out failed

Any suggestions?

New User
Posts: 2
Registered: ‎06-10-2010
0

Re: SRX210 Can't remove interface from VLAN

here is the configuration file...

## Last changed: 2010-06-10 23:53:27 EEST
version 10.0R1.8;
system {
    host-name MarkopoulosGroup;
    time-zone Europe/Athens;
    root-authentication {
        encrypted-password "$1$Vlbl8vJ9$k2fvX/UONwot5kWNk1k/n1";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    interface-range interfaces-trust {
        member ge-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        member fe-0/0/7;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

Super Contributor
Posts: 313
Registered: ‎09-30-2009
0

Re: SRX210 Can't remove interface from VLAN

SRX240, JUNOS 10.0R3.10, Standard, 4 May 2010

I'd at least give it a try.

Distinguished Expert
Posts: 2,397
Registered: ‎01-29-2008
0

Re: SRX210 Can't remove interface from VLAN

Sorry - not sure I understand your question. Looking at your config - what is the issue? If you want to remove fe-0/0/7 then you would simply:

edit interfaces interface-range interfaces-trust

delete member fe-0/0/7

Are you saying that does not work? 'Cause it certainly should and does on my 210's and 100's. :)

If you want to clean up and dump the default vlan settings the following four commands will do so:

delete interfaces interface-range interfaces-trust
delete interfaces vlan
delete vlans
delete security zones security-zone trust interfaces vlan.0

This will remove the vlan default settings - it will still leave web management services assigned to vlan.0 so you will also need to edit / change that.

 

 

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

Contributor
Posts: 31
Registered: ‎05-31-2010
0

Re: SRX210 Can't remove interface from VLAN

Hi,

I think you are using J-Web to delete the interface from vlan-trust. First, the interface has to be removed from interfaces-trust, so use "configure > cli tools > point and cli" and delete the interface from interfaces-trust, or alternatively follow the CLI commands provided by Kevin.

Regards,

Vinay.K
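
Added example (not part of any post in this thread, and not Juniper code): a small Python check that flattens a curly-brace config and lists the statements that would still reference vlan.0 or vlan-trust after a set of deletes, which is the situation behind the commit errors quoted above and Kevin's remark about web management. The sample config is a constructed, trimmed copy of the one posted above; the function names and the PARTIAL and FULL_CLEANUP lists are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of the configuration posted in this thread.
SAMPLE = """
system { services { web-management {
    http { interface vlan.0; }
    https { system-generated-certificate; interface vlan.0; }
} } }
interfaces {
    interface-range interfaces-trust {
        member ge-0/0/1;
        member fe-0/0/2;
        unit 0 { family ethernet-switching { vlan { members vlan-trust; } } }
    }
    vlan { unit 0 { family inet { address 192.168.1.1/24; } } }
}
security { zones { security-zone trust { interfaces { vlan.0; } } } }
vlans { vlan-trust { vlan-id 3; l3-interface vlan.0; } }
"""

def statements(text):
    """Flatten a curly-brace Junos config into one full-path string per leaf statement."""
    text = re.sub(r'^\s*#.*$', '', text, flags=re.M)  # drop '## Last changed' style comments
    stack, cur = [], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == '{':        # the words collected so far name a new hierarchy level
            stack.append(' '.join(cur)); cur = []
        elif tok == '}':      # leave the current hierarchy level
            stack.pop(); cur = []
        elif tok == ';':      # end of a leaf statement
            yield ' '.join(stack + cur); cur = []
        else:
            cur.append(tok)

def dangling(text, deleted, names=('vlan.0', 'vlan-trust')):
    """Statements that survive the given deletes but still name a removed object."""
    kept = [s for s in statements(text)
            if not any(s == d or s.startswith(d + ' ') for d in deleted)]
    return [s for s in kept if any(n in s.split() for n in names)]

# Assumption: one partial delete that leaves references behind; the thread does
# not say exactly which statements were deleted before the commit errors appeared.
PARTIAL = ['interfaces vlan', 'vlans vlan-trust']
# The four delete commands from Kevin's post, written as hierarchy paths.
FULL_CLEANUP = ['interfaces interface-range interfaces-trust', 'interfaces vlan',
                'vlans', 'security zones security-zone trust interfaces vlan.0']

if __name__ == '__main__':
    for label, deleted in (('partial', PARTIAL), ('full cleanup', FULL_CLEANUP)):
        print(label)
        for s in dangling(SAMPLE, deleted):
            print('  still references a deleted object:', s)
```

Prefixing a reported path with `delete` gives the matching configuration-mode command, for example `delete system services web-management http interface vlan.0`.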
