SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  srx multiple vlans on wan interface

    Posted 07-04-2015 13:30

    Hi!

     

    The signal is coming from an ISP fiber modem which carries 3 vlans (internet, iptv, voip).

     

    Was wondering if it's possible to enable (terminate) multiple vlans on the wan interface to remove the ISP modem altogether?

     

    I know the actual vlan IDs and was thinking of something like this:

     

    using flexible-vlan tagging terminate the vlans on physical "wan"-interface

     

    create l3 interface and vlan-interfaces

    add vlan interfaces to different vlan-zones(create NAT rules and policies)

    untag and tag the vlans on "family ethernet-switching" on other "lan"

     

    Is this the correct approach?



  • 2.  RE: srx multiple vlans on wan interface

    Posted 07-06-2015 20:47

    Hello dan_b,

     

    SRX supports flexible vlan tagging on Junos 12.1X46 onwards.

     

    You can run the following config:

     

     

    [edit]
    root# show interfaces ge-0/0/4
    flexible-vlan-tagging;
    native-vlan-id 10;
    unit 10 {
        vlan-id 10;
        family inet {
            address 10.1.1.1/32;
        }
    }
    unit 20 {
        vlan-id 20;
        family inet {
            address 20.1.1.1/32;
        }
    }
    unit 30 {
        vlan-id 30;
        family inet {
            address 30.1.1.1/32;
        }
    }
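
An added example, not part of the thread: the zone, NAT and policy step listed in post 1, applied to the three logical units of the config above, in Junos set format. The zone names `wan-internet`, `wan-iptv` and `wan-voip`, the LAN zone `trust`, and the rule and policy names are assumptions.

```junos
# Constructed example: zone, rule-set and policy names are assumptions.
# One security zone per terminated VLAN, so each service is isolated
# from the others and from the LAN by default.
set security zones security-zone wan-internet interfaces ge-0/0/4.10
set security zones security-zone wan-iptv interfaces ge-0/0/4.20
set security zones security-zone wan-voip interfaces ge-0/0/4.30

# Source NAT only for LAN traffic leaving through the internet VLAN,
# translated to the address of the egress unit.
set security nat source rule-set lan-to-internet from zone trust
set security nat source rule-set lan-to-internet to zone wan-internet
set security nat source rule-set lan-to-internet rule snat-all match source-address 0.0.0.0/0
set security nat source rule-set lan-to-internet rule snat-all then source-nat interface

# The only permitted flow: sessions initiated from the LAN to the internet zone.
set security policies from-zone trust to-zone wan-internet policy allow-out match source-address any
set security policies from-zone trust to-zone wan-internet policy allow-out match destination-address any
set security policies from-zone trust to-zone wan-internet policy allow-out match application any
set security policies from-zone trust to-zone wan-internet policy allow-out then permit
```

No `host-inbound-traffic` is configured on the WAN zones, so the SRX itself accepts no services or protocols on those units. The iptv and voip zones have no policy here, so traffic to or from them stays blocked until explicit policies are written.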
    
    

     

     



  • 3.  RE: srx multiple vlans on wan interface

    Posted 07-08-2015 13:55

    Hi AVD:

     

    I had already tried this and yes, it works, but it assumes routing?

     

    I need a vlan coming from outside to be available on the inside of the firewall.

     

    In other words, if I could use the SRX as a managed switch to bring the vlan further into the network where I could access it on another management switch at other locations.

     

    something like this:

     

    vlan1(internet),vlan2----->ge0.1,ge0.2(untrust1,untrust2 zones)SRX(vlan.11,vlan.22)(trust11,trust22 zones)trunk------>management switch

     

    what is really needed is this: one vlan(internet) to be routed/firewalled and second should just flow through the SRX with no routing/firewalling.

     

    vlan1(internet),vlan2----->SRX(vlan11,vlan2)-------->management switch-----------vlan11 or vlan2

    routing for vlan1<->vlan11

    bridging/transparent for vlan2<->vlan2

     

    so I think the vlan1 is ok, but how to configure bridge/transparent for second vlan?

     

    what would be the best approach here?

     

    thanks in advance!!



  • 4.  RE: srx multiple vlans on wan interface

    Posted 07-08-2015 14:20

    Maybe if you used the flexible vlan tagging and specified unit 20 and 30 as ethernet switching instead of inet?



  • 5.  RE: srx multiple vlans on wan interface

    Posted 07-09-2015 13:09

    Hi guys,

     

    After googling a bit I came across this post on the forums:

    http://forums.juniper.net/t5/SRX-Services-Gateway/Layer-2-and-Layer-3-logical-interfaces-on-same-physical/td-p/245068

     

    I'm having just about the same setup, where I need to access 2 vlans coming to an interface where one should be routed/firewalled and the second just bridged through the SRX without processing.

     

    They make use of flexible-ethernet-services and vlan-tagging, which does not tell me a lot, I'm afraid.

    then they create routing-instance where they bridge the interfaces.

     

    I created my setup here. I can then access the internet (the routed vlan1) from the trust zone, but I cannot access the internet through the bridged vlan (though I get an IP address from DHCP on the other side of the firewall (another SRX)):

     

    when testing vlan20 computer is connected to the fe7

    I've tried to create a zone where I attached ge0.20 and fe7.20 but it didn't help.

    I can ping hosts(and myself) on the same network but cannot access internet through another SRX which delivers dhcp to me.. 😞

     

    here's the code:

    show interfaces ge-0/0/0
    vlan-tagging;
    mtu 1600;
    encapsulation flexible-ethernet-services;
    unit 1 {
        vlan-id 1;
        family inet {
            dhcp;
        }
    }
    unit 20 {
        encapsulation vlan-vpls;
        vlan-id 20;
        family vpls;
    }

     

    show interfaces fe-0/0/7
    flexible-vlan-tagging;
    native-vlan-id 20;
    mtu 1600;
    encapsulation extended-vlan-vpls;
    unit 20 {
        vlan-id 20;
        family vpls;
    }

     

    show routing-instances
    Bridge-vlan20 {
        instance-type vpls;
        vlan-id 20;
        interface ge-0/0/0.20;
        interface fe-0/0/7.20;
        protocols {
            vpls {
                no-tunnel-services;
            }
        }
    }

    no nat/policy/zones exist for vlan20 as all processing should happen on the first SRX

     

     

    Any ideas where to look and what to check?

     

     

    P.S:

    the TS also talks about vlan-ccc encapsulation, which does not tell me much either:

    I ended up using vlan-ccc encapsulation and interface-switch under protocols>connections.

     

    Addition:

    I cannot ping local-network on vlan20 only nic-ip



  • 6.  RE: srx multiple vlans on wan interface
    Best Answer

    Posted 07-13-2015 00:58

    Hi folks.

     

    After using the weekend to troubleshoot this, I really can't get this to work, guys.

     

    I tried different approaches with vlan-CCC as the guy in the post:

    encapsulation and protocols connections interface-switch.

    Re: Layer 2 and Layer 3 logical interfaces on same physical interface
    ‎09-08-2014 11:02 PM
    
    Thanks for these answers.
    
    I ended up using vlan-ccc encapsulation and interface-switch under protocols>connections.
    
    Paolo

     

    I'm afraid I'm not configuring it (vlan-ccc) right, as I cannot configure native-vlan-id or use flexible-ethernet-services and thus get an IP address.

    I've tried with another tagged interface on another switch, but even then cannot get an IP address.

     

    With vpls-encapsulation I get an IP address on the correct vlan but cannot communicate to the outside world, but setting a client on another switch with the same vlan gets me right on the internet 😞

     

     

    please advise