SRX

I am a novice on the juniper firewall (SRX 240h). I have a working production juniper running 10 Vlans, I would like to add a few more Vlans. I have a couple of questions I hope someone can help me with, concerning the interfaces. How many sub-interfaces can you have? Is there a limit?

Here is a sampling of our interfaces with the Vlans:

set vlans Pod-1 vlan-id 100
set vlans Pod-1 interface ge-0/0/1.0
set vlans Pod-1 l3-interface vlan.100
set vlans Pod-2 vlan-id 200
set vlans Pod-2 interface ge-0/0/2.0
set vlans Pod-2 l3-interface vlan.200
set vlans Pod-3 vlan-id 300
set vlans Pod-3 interface ge-0/0/3.0
set vlans Pod-3 l3-interface vlan.300
set vlans Pod-4 vlan-id 400
set vlans Pod-4 interface ge-0/0/4.0
set vlans Pod-4 l3-interface vlan.400
set vlans Servers vlan-id 600
set vlans Servers interface ge-0/0/6.0
set vlans Servers l3-interface vlan.600
set vlans WAP vlan-id 500
set vlans WAP interface ge-0/0/5.0
set vlans WAP l3-interface vlan.500

If I were to add another Vlan could this work? 

• set vlans VehicleCompliance vlan-id 210
  set vlans VehicleCompliance interface ge-0/0/2.1
  set vlans VehicleCompliance l3-interface vlan.210
  set vlans DeckNew vlan-id 220
  set vlans DeckNew interface ge-0/0/2.2
  set vlans DeckNew l3-interface vlan.220

Or should the interface stay at ge-0/0/2.0?

Hi tbuilt62,

Your configuration is almost correct, except from what you've shared it seems you are using the interfaces ( ge-0/0/1-6 ) as access ports and not trunks ?  Can you provide us with the output of the following command :

#show interfaces | display set

You  would have to use some of the other free ports for your new vlans instead of the already used ports (  or use one port as a trunk connected to another switch, for example ( I use ports ge-0/0/7 & ge-0/0/8 😞

set vlans VehicleCompliance vlan-id 210

set vlans VehicleCompliance interface ge-0/0/7.0
set vlans VehicleCompliance l3-interface vlan.210

set vlans DeckNew vlan-id 220
set vlans DeckNew interface ge-0/0/8.0
set vlans DeckNew l3-interface vlan.220

You'll also have to add the two new ports to  a security zone and configure the vlan L3 interfaces ( vlan.220, vlan.210 ) etc ........

The show command didnt work gives me a syntex error, instead of set I used xml. Here is the output I was able to get, I have attached the file. If you need a different output just let me know.

Attachment(s)

Output 2016-01-11.txt   142 KB 1 version

Hi tbuilt62,

You have to run the command in configuration mode, the same mode from which you provided the original vlan configuration. That is why I put a '#' at the beginning of the command I gave you to indicate it as the cursor will be a hash in configuration mode as opposed to a > in operation mode. To enter configuration mode type :

configure  ( at the > )

then execute the command I shared :

show interfaces | display set

Sorry about that, like I said I am a novice with the SRX. I have attached the output for the command you asked for.

Attachment(s)

Show Interfaces.txt   6 KB 1 version

Hi tbuilt62,

Not a problem ! It seems you are using the port I proposed you use and the only free ports are ports 14 and 15, this will be your new configuration :

set vlans VehicleCompliance vlan-id 210

set vlans VehicleCompliance interface ge-0/0/14.0
set vlans VehicleCompliance l3-interface vlan.210

set vlans DeckNew vlan-id 220
set vlans DeckNew interface ge-0/0/15.0
set vlans DeckNew l3-interface vlan.220

You will also have to configure the two ports as access ports :

set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members VehicleCompliance

set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members DeckNew

You will also have to assign them to appropriate security zones and create security policies and configure an IP on the VLAN interfaces vlan.210 and vlan.220 .

That will only take care of two new vlans, can those ports have sub-interfaces? I would like to create 11 more vlans.

Dear tbuilt62,

Yes you can configure any port as a trunk and configure multiple vlans on the trunk (  with subinterfaces ) . From the configuration snippet you shared you already have a trunk configured on your SRX ( port 13 ) so you can add the new vlans to that trunk; but you will also have to add them to the switch trunk port connected to the SRX. 

Sorry for all the questions. If I use the trunk port 13 and add subinterfaces, will I configure the interfaces like this?

ge-0/0/13.1

ge-0/0/13.2

ge-0/0/13.3

Dear tbuilt62,

No juniper is different from Cisco. The interfaces you quoted are physical interfaces, the vlan subinterfaces are vlan.0, vlan.1, vlan.2 etc. We usually number the subinterface with the same number as the VLAN ID for clarity. The way VLANs are configured in Juniper is different. We configure a vlan :

set vlans test vlan-id 200

Create a layer 3 interface subinterface ( VLAN interface ) if we need one :

set interfaces vlan.200 family inet address x.y.z.w/a

Assign the VLAN interface to the vlan :

set vlans test l3-interface vlan.200

Then add the vlan to a trunk port ( in your case ) note only the last line with vlan members test is new :

set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members OpenStack1
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members OpenStack0
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members test

Or if we wanted to add a physical port to the vlan as an access port, you do it this way ( port 14 😞

set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members test

Dear tbuilt62,

If you are from a Cisco background this Juniper book will be good for you :

http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/junos-for-ios-engineers/

If you don't have a Juniper account you can find it online on Scribd. Also don't forget to mark my comment as a solution if it answered your query ( beside my profile picture on the left of a comment ).

Thanks for the materials, you have been most helpful.

You're Welcome !

Thank you for your time on this. I have made the changes you suggested can you look it over, let me know if this will work as you suggested?

Attachment(s)

NewJuniperVlans.txt   12 KB 1 version

HI tbuilt62,

Looks good except for one tiny piece. Execute the following commands to delete this :

delete vlans VehicleCompliance interface ge-0/0/13
delete vlans DeckNew interface ge-0/0/13

You only need to add an interface in the fashion you did if ge-0/0/13 was to be used as an access interface not a trunk interface.