SRX Services Gateway
New User
emaneiro
Posts: 1
Registered: ‎01-19-2010
0

SRX210 Can't remove interface from VLAN

Hi

I am setting up an SRX210. This fw is factory configured with a vlan including all interfaces except ge-0/0/0.0.

When I remove one interface from the vlan it gives an OK message but it does not do it; the interface is still there.

I have committed the change.

Any help?

Distinguished Expert
Raheel
Posts: 414
Registered: ‎06-18-2008
0

Re: SRX210 Can't remove interface from VLAN

it shouldn't be a problem, please paste your config.

 

thanks

raheel

New User
secnet
Posts: 2
Registered: ‎06-10-2010
0

Re: SRX210 Can't remove interface from VLAN

Hello,

Same problem here...

and if I delete the entire vlan.trust I get error after Commit

Error(s):

'interfaces vlan.0'

1) Interface vlan.0 must be configured under interfaces

2) Interface <fe-0/0/2.0> vlan member <vlan-trust> undefined

3) configuration check-out failed

any suggestions?

New User
secnet
Posts: 2
Registered: ‎06-10-2010
0

Re: SRX210 Can't remove interface from VLAN

here is the configuration file...

 

## Last changed: 2010-06-10 23:53:27 EEST
version 10.0R1.8;
system {
    host-name MarkopoulosGroup;
    time-zone Europe/Athens;
    root-authentication {
        encrypted-password "$1$Vlbl8vJ9$k2fvX/UONwot5kWNk1k/n1";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    interface-range interfaces-trust {
        member ge-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        member fe-0/0/7;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

Super Contributor
colemtb
Posts: 313
Registered: ‎09-30-2009
0

Re: SRX210 Can't remove interface from VLAN

SRX240 | JUNOS 10.0R3.10 | Standard | 4 May 2010

 

I'd at least give it a try.

Distinguished Expert
muttbarker
Posts: 2,377
Registered: ‎01-29-2008
0

Re: SRX210 Can't remove interface from VLAN

Sorry - not sure I understand your question. Looking at your config - what is the issue? If you want to remove fe-0/0/7 then you would simply:

 

edit interfaces interface-range interfaces-trust

delete member fe-0/0/7

Are you saying that does not work? Cause it certainly should and does on my 210's and 100's.

 

If you want to clean up and dump the default vlan settings the following four commands will do so:

 

delete interfaces interface-range interfaces-trust
delete interfaces vlan
delete vlans
delete security zones security-zone trust interfaces vlan.0

 

This will remove the vlan default settings - it will still leave web management services assigned to vlan.0 so you will also need to edit / change that.

 

 

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

Contributor
vinayk
Posts: 31
Registered: ‎05-31-2010
0

Re: SRX210 Can't remove interface from VLAN

Hi,

 

I think you are using J-web to delete interface from vlan-trust. First, interface has to be removed from interface-trust so use "configure > cli tools > point and cli" and delete the interface from interface-trust or alternatively follow cli commands provided by Kevin.

 

Regards,

Vinay.K
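
The commit errors quoted earlier in the thread and the leftover web-management assignment Kevin mentions have the same cause: statements that still name vlan.0 or vlan-trust after the delete. The Python sketch below is an added example, not code from any poster or from Juniper; it lists those surviving references for a planned set of deletes. The config excerpt is trimmed from the one posted above, and the function names and the PARTIAL delete set are assumptions.

```python
import re

# Constructed excerpt: trimmed from the configuration posted in this thread.
CONFIG = """
system { services { web-management {
    http { interface vlan.0; }
    https { system-generated-certificate; interface vlan.0; }
} } }
interfaces {
    interface-range interfaces-trust {
        member fe-0/0/2;
        unit 0 { family ethernet-switching { vlan { members vlan-trust; } } }
    }
    vlan { unit 0 { family inet { address 192.168.1.1/24; } } }
}
security { zones { security-zone trust { interfaces { vlan.0; } } } }
vlans { vlan-trust { vlan-id 3; l3-interface vlan.0; } }
"""
NAMES = ("vlan.0", "vlan-trust")
# Assumed reading of the failed attempt: only the vlan objects were deleted.
PARTIAL = ["interfaces vlan", "vlans vlan-trust"]
# The four delete commands given in the thread, as hierarchy paths.
FULL = ["interfaces interface-range interfaces-trust", "interfaces vlan",
        "vlans", "security zones security-zone trust interfaces vlan.0"]

def leaves(text):
    """Return (hierarchy path, statement) for each ';'-terminated statement.
    Handles plain brace syntax only (no comments or quoted braces)."""
    stack, out = [], []
    for m in re.finditer(r"([^{};]+)([{;])|(\})", text):
        if m.group(3):
            stack.pop()                       # closing brace: leave the level
        elif m.group(2) == "{":
            stack.append(m.group(1).strip())  # opening brace: enter a level
        else:
            out.append((" ".join(stack), m.group(1).strip()))
    return out

def dangling(text, deleted, names=NAMES):
    """Statements that survive the deletes but still mention a removed name."""
    found = []
    for path, stmt in leaves(text):
        full = f"{path} {stmt}".strip()
        if any(full == d or full.startswith(d + " ") for d in deleted):
            continue
        if any(n in stmt.split() for n in names):
            found.append(full)
    return found

if __name__ == "__main__":
    for label, plan in (("partial", PARTIAL), ("full", FULL)):
        print(label, *dangling(CONFIG, plan), sep="\n  ")
```

With the four-command plan, the only statements left are the http and https `interface vlan.0` lines under `system services web-management`, which is the remaining edit Kevin's post points out.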

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.