Hello,
I'm new to VLANs on JUNOS, and I'm trying to create VLANs on the SRX220 with a trunk to a Cisco Catalyst 3550-12T.
This is my current setup:
SRX220 port 8 (ge-0/0/7 in the config below; port-mode trunk, members all) <-> 3550 Gi0/1 (switchport mode trunk, encapsulation dot1q)
SRX220 has the IP of 10.0.0.1/24. Cisco 3550's management interface is 10.0.0.2/24.
I can ping the SRX220 from the 3550, and pinging 8.8.8.8 from the Catalyst also works. I have also set up port 7 on the SRX220 (ge-0/0/6) as an access port for VLAN 5 (whose routed interface on the SRX is vlan.6), and from there I can ping the Catalyst's IP on that VLAN.
There are a few problems, some of which may be off topic:
- If I connect my laptop to an access port on the Catalyst (Gi0/10, VLAN 5) and give it a static address in that VLAN's subnet, say 10.100.5.20/24 with gateway 10.100.5.1, I can't ping the laptop from the SRX220 itself.
- The Catalyst 3550 itself can ping both the SRX220 and 8.8.8.8; however, devices connected to an access port on the Catalyst can't ping 8.8.8.8, the SRX220, or any other site on the Internet.
I'm not sure if this problem comes from the SRX side, or the catalyst side, or both...
Some additional questions I'd like to ask:
- How do you configure multi-DHCP for multiple VLANs on the SRX?
- How do you configure inter-VLAN firewall policies and routing on the SRX?
Issuing the "show route" command on the SRX showed this info (shortened version from the full list):
10.100.5.0/24 *[Direct/0] 03:49:11
> via vlan.6
10.100.5.1/32 *[Local/0] 03:49:26
Local via vlan.6
This is my configuration for the SRX220:
interfaces {
/* ge-0/0/0 only carries the PPPoE session; the Internet-facing L3 interface is pp0.0 below. */
ge-0/0/0 {
unit 0 {
encapsulation ppp-over-ether;
}
}
/* ge-0/0/1 .. ge-0/0/5: no port-mode given, so these are access ports (the Junos default) in vlan1,
   which is 802.1Q VLAN 3 / 10.0.0.0/24 -- the same VLAN the Catalyst uses for management. */
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan1;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan1;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan1;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan1;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan1;
}
}
}
}
/* ge-0/0/6 ("port 7" in the question): access port in Office-VLAN (vlan-id 5, routed interface vlan.6). */
ge-0/0/6 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members Office-VLAN;
}
}
}
}
/* ge-0/0/7 ("port 8" in the question): the 802.1Q trunk to the Catalyst Gi0/1.
   "members all" carries every VLAN defined under [vlans], including the Server (DMZ) VLAN;
   least privilege is to list only the VLANs the switch actually needs.
   No native-vlan-id is set, so untagged frames from the Catalyst's native VLAN (1 by default on
   Gi0/1) are not mapped to any VLAN here -- fine as long as every VLAN in use is tagged on both ends. */
ge-0/0/7 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
/* pp0.0: ISP PPPoE session. Both CHAP and PAP are offered (passive); if the ISP selects PAP the
   password crosses the access line in cleartext -- an ISP-side choice, not something fixable here. */
pp0 {
unit 0 {
apply-macro internet-fttx;
ppp-options {
chap {
default-chap-secret [secret-data]
local-name "internet-username@fttxservice";
no-rfc2486;
passive;
}
pap {
local-name "internet-username@fttxservice";
no-rfc2486;
local-password [secret-data]
passive;
}
}
pppoe-options {
underlying-interface ge-0/0/0.0;
}
family inet {
negotiate-address;
}
}
}
/* Routed VLAN interfaces. Unit numbers do not follow vlan-ids (vlan.6 = VLAN 5, vlan.5 = VLAN 6,
   vlan.1 = VLAN 3; see [vlans]), which makes zone/policy mistakes easy. Note that only vlan.1 is
   placed in a security zone further down; vlan.2 .. vlan.6 are in no zone at all. */
vlan {
unit 1 {
family inet {
address 10.0.0.1/24;
}
}
unit 2 {
family inet {
address 10.100.9.1/24;
}
}
unit 3 {
family inet {
address 10.100.8.1/24;
}
}
unit 4 {
family inet {
address 10.100.7.1/24;
}
}
unit 5 {
family inet {
address 10.100.6.1/24;
}
}
unit 6 {
family inet {
address 10.100.5.1/24;
}
}
}
}
routing-options {
/* Default route via the PPPoE session. The qualified-next-hop names the same interface as the
   plain next-hop, so it appears to add nothing here (it only matters with a second next-hop). */
static {
route 0.0.0.0/0 {
next-hop pp0.0;
qualified-next-hop pp0.0 {
metric 1;
}
}
}
}
protocols {
/* Single-instance STP on the SRX while the Catalyst runs PVST; presumably they only interoperate
   through the untagged (native-VLAN) BPDUs on the trunk -- confirm with "show spanning-tree" on both ends. */
stp;
}
security {
/* Edge screen applied to the Internet zone below; sensible baseline, nothing to change. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
/* Interface-based source NAT, but only for zone Internal -> Internet. Interfaces that are not in
   zone Internal (today vlan.2 .. vlan.6) can never match this rule set. */
nat {
source {
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
/* Only Internal -> Internet is permitted. The SRX default policy is deny-all and, by default, that
   also applies to intra-zone traffic, so VLANs placed together in zone Internal still need a
   from-zone Internal to-zone Internal policy to talk to each other. For real inter-VLAN
   firewalling (the DMZ VLAN in particular) give each VLAN its own zone and write explicit
   inter-zone policies instead of one flat Internal zone. */
policies {
from-zone Internal to-zone Internet {
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
/* LIKELY ROOT CAUSE of the symptoms: only vlan.1 (VLAN 3, 10.0.0.0/24) is in a zone. vlan.2 .. vlan.6
   belong to no security zone, and the SRX drops all transit and host traffic on an interface that is
   in no zone. That matches what is reported: the Catalyst's management SVI on VLAN 3 reaches the SRX
   and the Internet, while a host on VLAN 5 (vlan.6) reaches neither. Every vlan.N that should pass
   traffic must be listed under some zone. */
security-zone Internal {
interfaces {
/* "system-services all" already includes http, https and ssh, so the three explicit entries are
   redundant -- and "all" opens every management service the box has enabled to this zone.
   Least privilege: list only what is needed (ssh, ping, and dhcp if the SRX will serve DHCP on
   this VLAN) and drop plaintext http. */
vlan.1 {
host-inbound-traffic {
system-services {
all;
http;
https;
ssh;
}
protocols {
all;
}
}
}
}
}
security-zone Internet {
screen untrust-screen;
interfaces {
pp0.0;
}
}
}
}
vlans {
/* vlan-id and routed-interface unit numbers are not aligned (VLAN 6 -> vlan.5, VLAN 5 -> vlan.6,
   VLAN 3 -> vlan.1). It works, but renumbering so that vlan.N is VLAN N removes a standing source of
   zone/policy mix-ups. */
Automation-VLAN {
description "Automation Devices VLAN";
vlan-id 6;
l3-interface vlan.5;
}
Office-VLAN {
description "Office Network VLAN";
vlan-id 5;
l3-interface vlan.6;
}
/* Described as a DMZ, yet vlan.2 is in no security zone and the trunk carries this VLAN to the
   switch. A DMZ should be its own zone with explicit policies to and from it. */
Server-VLAN {
description "Server (DMZ) VLAN";
vlan-id 9;
l3-interface vlan.2;
}
Wifi-Client-VLAN {
description "Wireless Network Client VLAN";
vlan-id 8;
l3-interface vlan.3;
}
Wifi-Devices-VLAN {
description "Wireless Network Devices/APs VLAN";
vlan-id 7;
l3-interface vlan.4;
}
/* Named "vlan1" but is 802.1Q VLAN 3 (the Catalyst's management VLAN, 10.0.0.0/24). */
vlan1 {
vlan-id 3;
l3-interface vlan.1;
}
}
And this is my configuration for the Catalyst 3550
(I've not configured any other port other than GigabitEthernet0/1, the trunk port, and GigabitEthernet0/10, the access port. Others are left at their default value.)
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
! Gi0/1: the dot1q trunk to SRX220 ge-0/0/7. No "switchport trunk allowed vlan" and no
! "switchport nonegotiate", so every VLAN (including DMZ VLAN 9) is carried and DTP frames are
! still sent on the uplink. Native VLAN is the default (1) and untagged; the SRX trunk sets no
! native-vlan-id, so keep every VLAN in use tagged (3/5/6/7/8/9 are).
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
! Gi0/2-Gi0/9, Gi0/11, Gi0/12 are "dynamic desirable": DTP will form a trunk with any attached
! device that asks for one, handing it every VLAN (classic VLAN hopping), with management VLAN 3
! as that trunk's native VLAN. Harden each edge port with
!   switchport mode access
!   switchport nonegotiate
! and shut ports that are not in use.
interface GigabitEthernet0/2
switchport access vlan 3
switchport trunk native vlan 3
switchport mode dynamic desirable
!
interface GigabitEthernet0/3
switchport access vlan 3
switchport trunk native vlan 3
switchport mode dynamic desirable
!
interface GigabitEthernet0/4
switchport access vlan 3
switchport trunk native vlan 3
switchport mode dynamic desirable
!
interface GigabitEthernet0/5
switchport access vlan 3
switchport trunk native vlan 3
switchport mode dynamic desirable
!
interface GigabitEthernet0/6
switchport access vlan 3
switchport trunk native vlan 3
switchport mode dynamic desirable
!
interface GigabitEthernet0/7
switchport access vlan 3
switchport trunk native vlan 3
switchport mode dynamic desirable
!
interface GigabitEthernet0/8
switchport access vlan 3
switchport trunk native vlan 3
switchport mode dynamic desirable
!
interface GigabitEthernet0/9
switchport access vlan 3
switchport trunk native vlan 3
switchport mode dynamic desirable
!
! Gi0/10: the laptop's port, access VLAN 5 (SRX vlan.6). Correct as an access port; add
! "switchport nonegotiate" here too.
interface GigabitEthernet0/10
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 3
switchport trunk native vlan 3
switchport mode dynamic desirable
!
interface GigabitEthernet0/12
switchport access vlan 3
switchport trunk native vlan 3
switchport mode dynamic desirable
!
interface Vlan1
no ip address
!
! Management SVI on VLAN 3; the SRX is 10.0.0.1 on the same VLAN (vlan.1).
interface Vlan3
ip address 10.0.0.2 255.255.255.0
!
! DEFECT: 10.100.5.1/24 is also the SRX220's address on this VLAN (vlan.6). Two devices configured
! with the gateway address on one broadcast domain will likely produce exactly the reported
! behaviour -- the laptop's "gateway" may be the switch rather than the SRX, and the SRX cannot
! reliably reach 10.100.5.20 either. Unless the 3550 is meant to route for this VLAN, use
! "no ip address" here and let the SRX be the only 10.100.5.1.
interface Vlan5
ip address 10.100.5.1 255.255.255.0
!
interface Vlan6
no ip address
!
! DEFECT: same address conflict -- 10.100.9.1/24 is the SRX's vlan.2 address on VLAN 9.
interface Vlan9
ip address 10.100.9.1 255.255.255.0
!
! Both "ip default-gateway" (used when ip routing is off) and a static default (used when it is
! on) point at the SRX. "ip routing" is not shown, so it is unclear whether this switch routes
! between its SVIs at all -- check "show ip route".
ip default-gateway 10.0.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
! Plaintext HTTP management is enabled; "no ip http server", and keep HTTPS only if it is used.
ip http server
ip http secure-server
!
!
!
control-plane
!
!
! Console never times out (0 0): acceptable on a lab box, not in production.
line con 0
exec-timeout 0 0
! Shared-password login with no "transport input ssh", so telnet is accepted. Prefer
! "transport input ssh" with "login local" and a user account (needs an RSA key and a crypto
! image -- verify this 3550's IOS supports SSH).
line vty 0 4
password [secret-data]
login
line vty 5 15
password [secret-data]
login
!
end
Thank you!
Namo.