Trunk between EX and SRX, native VLAN incompatibility?

‎01-11-2020 06:04 AM

I'm trying to set up a trunk between an SRX and an EX with the SRX acting as a sort of "router on a stick" (i.e. both subinterfaces on the trunk are configured for family inet and are routed ports). Here is the SRX side config:

vlan-tagging;
unit 0 {
    vlan-id 12;
    family inet {
        address 192.168.195.21/30;
    }
}
unit 1 {
    vlan-id 13;
    family inet {
        address 192.168.195.25/29;
    }
}

And here is the EX side config (ge-0/0/15):

native-vlan-id 12;
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members all;
        }
    }
}

vlans {
    TEST1 {
        vlan-id 12;
        l3-interface irb.0;
    }
    TEST2 {
        vlan-id 13;
    }
}

Notice the native-vlan-id is set, because I also have this:

dot1x {
    authenticator {
        authentication-profile-name WIRED_AUTH;
        interface {
            ge-0/0/15.0 {
                disable;
            }
            all {
                supplicant multiple;
                retries 3;
                transmit-period 10;
                reauthentication 7200;
                server-timeout 10;
                maximum-requests 3;
            }
        }
    }
}

Dot1x is configured, but it's explicitly disabled for port ge-0/0/15 (the trunk port back to the SRX). But, apparently I need to set the native-VLAN, because I get this message if I don't:

[edit interfaces ge-0/0/15 unit 0 family ethernet-switching interface-mode]
  'interface-mode trunk'
    Must configure native-vlan-id but no flexible-vlan-tagging for dot1x enabled port
error: commit failed: (statements constraint check failed)

Now, it seems like the logical thing to do would be just set up a native VLAN on the SRX, but it appears that I can't do that with a routed-port on the SRX:

[edit interfaces ge-0/0/1 native-vlan-id]
  'native-vlan-id 12'
    native-vlan-id can be specified with flexible-vlan-tagging mode or with interface-mode trunk

So, what's the right way to do this? I'd rather not set up the SRX port for ethernet-switching and need to configure IRB ports if I can avoid it, but I'm not sure how to get around this.

6 REPLIES
Solution
Accepted by topic author ian.barrere@datavail.com
‎01-13-2020 02:18 PM

Re: Trunk between EX and SRX, native VLAN incompatibility?

[ Edited ]
‎01-11-2020 07:09 AM

Hello Ian,

When you configure "flexible-vlan-tagging" together with "native-vlan-id" instead of "vlan-tagging" on your SRX ge-0/0/1, would this solve your issue?

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution".
If you think that my answer was helpful, please spend some Kudos.
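
The change suggested in the reply above, written out for the SRX side (an added example, not taken from the original posts): `vlan-tagging` on ge-0/0/1 is replaced by `flexible-vlan-tagging` plus `native-vlan-id 12`, with the units and addresses copied unchanged from the question. It assumes the EX trunk keeps `native-vlan-id 12`, so the native VLAN is the same on both ends of the link.

```junos
interfaces {
    ge-0/0/1 {
        /* Replaces "vlan-tagging"; per the commit error quoted in the
           question, native-vlan-id is only accepted together with
           flexible-vlan-tagging (or interface-mode trunk). */
        flexible-vlan-tagging;
        /* Must match native-vlan-id 12 on the EX trunk port ge-0/0/15. */
        native-vlan-id 12;
        unit 0 {
            /* Same VLAN as the native VLAN: this routed unit is the one
               paired with the untagged traffic on the link. */
            vlan-id 12;
            family inet {
                address 192.168.195.21/30;
            }
        }
        unit 1 {
            /* VLAN 13 stays tagged on the trunk. */
            vlan-id 13;
            family inet {
                address 192.168.195.25/29;
            }
        }
    }
}
```
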

Re: Trunk between EX and SRX, native VLAN incompatibility?

‎01-13-2020 08:17 AM

I didn't try it, but I read a handful of things telling one not to enable flexible VLAN tagging as the implementation is buggy and unstable. I can give it a shot, but I'm just wondering if there is a standard way of doing this. I guess more importantly, I'm wondering why the native VLAN is required on the EX port even though the EX port is explicitly disabled from dot1x (in addition to dot1x being configured for all other ports).


Re: Trunk between EX and SRX, native VLAN incompatibility?

‎01-13-2020 09:42 AM

https://kb.juniper.net/InfoCenter/index?page=content&id=KB11234&actp=METADATA

That's the KB article specifically for this 🙂

KR

Adam

~~~~~~~~~~~~~~~~~~~~~~~
- Please Kudos if you found my response helpful
- Please accept my response as a 'Accepted Solution' if it solved your query

Re: Trunk between EX and SRX, native VLAN incompatibility?

‎01-13-2020 09:53 AM

We are using flexible-vlan-tagging on our QFX and ACX devices, and it works like a charm. I don't see any reason not to use it. I can just suggest that you try it out to see if it works for you.

Re: Trunk between EX and SRX, native VLAN incompatibility?

‎01-13-2020 11:59 AM

Thanks for the feedback. I did configure flexible VLAN tagging and it seems to work just fine, so I guess I'll stick with that approach.

I still don't know why dot1x settings are enforcing rules on this interface even though it's explicitly disabled. I don't think that should be the case, but it appears it is, so this is getting into more of a feature request territory.

Re: Trunk between EX and SRX, native VLAN incompatibility?

‎01-13-2020 12:07 PM

I'm glad that it works now (even though the dot1x question is still not answered). Please mark the solution as "Accepted Solution" so that others can find the right answer quickly and easily.