SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  vlans on SRX

    Posted 02-02-2010 19:22

    I'm in the process of setting up a 2xSRX240 cluster and everything seems to be working fine so far, but I want to confirm the way I've set up the VLAN trunk.

     

    The following configuration seems to work but I don't know if I should change it to look like the config in this post:

    http://forums.juniper.net/t5/SRX-Services-Gateway/enhanced-switching-on-SRX240/m-p/25396#M370

     

     

    interfaces {
        ge-0/0/8 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-5/0/8 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        reth1 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 2;
            }
            unit 2 {
                vlan-id 2;
                family inet {
                    address x.x.x.x/30;
                }
            }
            unit 3 {
                vlan-id 3;
                family inet {
                    address 172.19.1.1/24;
                }
            }
        }
    }

     

     



  • 2.  RE: vlans on SRX

    Posted 02-02-2010 20:11

    Since you have a cluster, the way you have it is fine.  You can also do it the way in the link provided but you can only have 1 port.  A single SRX can do ethernet switching but in a cluster this feature is not available.



  • 3.  RE: vlans on SRX

    Posted 02-02-2010 20:15

    Hi mnarine,

     

    Thanks for the quick reply. So let me get this right:

     

    With the configuration in the link I posted I could connect/use multiple ports for ethernet switching, but only if I'm not using a cluster?

     

    And the current configuration I am using limits me to using a single port (again, because I'm in a cluster I can only use one anyway)?



  • 4.  RE: vlans on SRX
    Best Answer

    Posted 02-02-2010 20:22

    Hi,

     

    Yes, you are correct on both counts.  There is a limitation right now with clustering.  I *think* Juniper will fix this in the future so you can use ethernet switching on the SRX in cluster mode.



  • 5.  RE: vlans on SRX

    Posted 02-02-2010 20:26

    Great, thanks for your time and help!



  • 6.  RE: vlans on SRX

    Posted 05-12-2010 11:05

    Hi,

     

    Good to know about these.

     

    Now I'm planning an SRX-650 cluster and would like to know how to configure, if it's possible, a vlan-tagged reth interface with native-vlan.

    I have the following:

    set interfaces reth3 vlan-tagging
    set interfaces reth3 redundant-ether-options redundancy-group 1
    set interfaces reth3 unit 0 family inet address 192.168.168.100/24
    set interfaces reth3 unit 3 vlan-id 169
    set interfaces reth3 unit 3 family inet address 192.168.169.200/24
    set interfaces reth3 unit 10 vlan-id 170
    set interfaces reth3 unit 10 family inet address 192.168.170.200/24
    set interfaces reth3 unit 15 vlan-id 11
    set interfaces reth3 unit 15 family inet address 192.168.11.200/24

    And I'd like to have a fourth IP on this interface untagged.

     

    Is it possible?

     

    Regards, Balázs



  • 7.  RE: vlans on SRX

    Posted 05-28-2010 02:15

    Hi,

     

    I am in the same situation that you are. I have 2 SRX650 working in an active/passive cluster and 2 subnets going to a loadbalancer. I managed to make this work by tagging the interface with these 2 vlans:

     

    set interfaces reth3 vlan-tagging
    set interfaces reth3 redundant-ether-options redundancy-group 1
    set interfaces reth3 unit 0 vlan-id 31
    set interfaces reth3 unit 0 family inet address 10.15.22.2/24
    set interfaces reth3 unit 1 vlan-id 32
    set interfaces reth3 unit 1 family inet address 10.15.23.2/24

     

    However, for ease of management, I would like to have flexible vlan tagging so that I could have vlan 31 untagged on reth3 and vlan 32 tagged on the same interface.

    Have you managed to do it?

     

    I saw in the documentation that flexible-vlan-tagging enabled this feature; however, this command does not exist for reth interfaces, only for physical interfaces.

    Does anybody know a workaround? Or is it still not possible for now (I am running 10.1R1.8 version - the current latest version)?

     

    Any help would be greatly appreciated.

     

    Lili. 

     



  • 8.  RE: vlans on SRX

    Posted 05-28-2010 03:31

    NO

     

    Finally I used another interface for this.

     

    BB



  • 9.  RE: vlans on SRX

    Posted 05-28-2010 06:44

    No, you didn't succeed, or no, you know for a fact that this is not possible?

     

    Thanks for your help. If anyone can give me some hints on how to proceed, that would be great.

     

    Thanks 

     

    Lili



  • 10.  RE: vlans on SRX

    Posted 12-08-2010 05:59

    I have the exact same problem using 10.2R3.10. There is a general company LAN which is not tagged, and we have recently decided to add "guest" access to the internet without any connectivity to the company LAN. Using the existing Ethernet infrastructure, VLANs are the obvious solution.

     

    While I could send traffic both from the general LAN and the "guest" VLAN to our SRX210 reth with added tags, I would prefer to have tags added only for the "guest" VLAN and simply direct untagged traffic to a "default" logical interface. The annoying thing is that the gig ethernet interfaces used for the reth allow flexible-vlan-tagging, while the reth does not. Even more vexing is that the native-vlan-id option is THERE, can be SET, but fails on commit with an error message that is apparently completely out of place in a reth context where neither of the mentioned options can be enabled.

     

    Unless I'm missing something, there's an option here that has no effect except for breaking your configuration. Shouldn't it be a simple matter of checking for flexible-vlan-tagging support in the child interfaces and then handing the frames off to the child interface's protocol stack for tagging?

     

    It would be nice if support for flexible-vlan-tagging could be added to reth, depending on corresponding support in the redundant children - or the confusing native-vlan-id option with the even more confusing error message removed.



  • 11.  RE: vlans on SRX

    Posted 07-08-2016 16:53

    I was setting up a new SRX340 cluster and just ran into this exact situation. I saw the native-vlan-id setting and thought that was perfect for what I wanted, yet it complained just as described in posts above.  It seems that in the past 5.5 years this issue still hasn't been addressed at all.

     

    For me it's not a huge deal, I can just configure my switch to also tag that particular VLAN specifically on the 2 ports connecting to my SRX units for this reth and move on with life.

     

    I do agree though, the confusing command should be removed if the prerequisite feature isn't supported for reths.
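
The reth limitations reported in this thread can be caught before a commit attempt. The following is an added example, not part of any post and not Juniper tooling: a small lint over `set`-style configuration that flags `native-vlan-id` or `flexible-vlan-tagging` on a reth, and any addressed unit without a `vlan-id` on a reth that has `vlan-tagging`. The function name `lint_reth`, the sample input and the value 168 are assumptions made for illustration; the rules reflect what posters saw on the releases they mention.

```python
import re
from collections import defaultdict

# Constructed sample: the reth3 layout from post 6 plus the native-vlan-id
# attempt described in posts 10 and 11 (the value 168 is made up).
SAMPLE = """\
set interfaces reth3 vlan-tagging
set interfaces reth3 native-vlan-id 168
set interfaces reth3 redundant-ether-options redundancy-group 1
set interfaces reth3 unit 0 family inet address 192.168.168.100/24
set interfaces reth3 unit 3 vlan-id 169
set interfaces reth3 unit 3 family inet address 192.168.169.200/24
"""

SET_RE = re.compile(r"^set interfaces (reth\d+) (.+)$")
UNIT_RE = re.compile(r"^unit (\d+) (.+)$")

def lint_reth(config: str) -> list[str]:
    """Return findings for reth statements this thread reports as unusable."""
    tagged = set()              # reth interfaces that have vlan-tagging set
    units = defaultdict(dict)   # (reth, unit number) -> facts seen for that unit
    findings = []
    for line in config.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue            # not a reth interface statement
        ifname, rest = m.groups()
        if rest == "vlan-tagging":
            tagged.add(ifname)
        elif rest.startswith(("native-vlan-id", "flexible-vlan-tagging")):
            findings.append(f"{ifname}: '{rest.split()[0]}' reported unsupported on reth")
        elif (u := UNIT_RE.match(rest)):
            unit = units[(ifname, int(u.group(1)))]
            if u.group(2).startswith("vlan-id "):
                unit["vlan"] = int(u.group(2).split()[1])
            elif u.group(2).startswith("family "):
                unit["addr"] = True
    # An addressed unit with no vlan-id on a tagged reth is the "untagged
    # logical interface" the posters wanted and could not get.
    for (ifname, num), unit in sorted(units.items()):
        if ifname in tagged and unit.get("addr") and "vlan" not in unit:
            findings.append(f"{ifname}.{num}: untagged unit on a vlan-tagging reth")
    return findings

if __name__ == "__main__":
    for finding in lint_reth(SAMPLE):
        print(finding)
```

A configuration where every unit carries a `vlan-id`, as in post 7 and the switch-side tagging workaround in post 11, produces no findings.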