Junos OS

last person joined: 4 days ago 

Ask questions and share experiences about Junos OS.

  • 1.  Assign IP to VLAN trunk

    Posted 05-13-2019 11:47

    I have an SRX-240 in my phone closet where I want to dedicate a trunk port to receiving all data/phone traffic remotely cabled suites in the building on one cable with 2 separate tagged VLAN's (from downstream Mikrotik in that suite) on ge0/0/8, then NAT'ing them to ge0/0/0 which is the Internet. I'm trying to get the SRX to set up a gateway for each and a DHCP pool. Here's what I have so far:

    ge-0/0/8 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ data43 phone43 ];
            }
        }
    }

show vlans
data43 {
    vlan-id 431;
}
phone43 {
    vlan-id 432;
}

set system services dhcp pool 192.168.43.0/24 address-range low 192.168.43.100 high 192.168.43.254
set system services dhcp pool 192.168.43.0/24 router 192.168.43.1
set system services dhcp pool 192.168.43.0/24 name-server 1.1.1.1

    I somehow I have to tie that pool and the gateway to traffic received on ge0/0/8 for both subnets/VLAN's, not sure how to do that.

     

    I tried to set up a security zone called data43, but I think I'm missing some steps first?


    #VLANtrunk
    #vlan


  • 2.  RE: Assign IP to VLAN trunk

    Posted 05-13-2019 17:02

    You will need to remove the family ethernet-switching that only allows layer 2 on the interface in favor of vlan-tagging along with family inet

     

    set interface ge-0/0/8 vlan-tagging

    set interface ge-0/0/8 unit 431 vlan-id 431

    set interface ge-0/0/8 unit 431 family inet address x.x.x.x/x

    set interface ge-0/0/8 unit 432 vlan-id 432

    set interface ge-0/0/8 unit 432 family inet address x.x.x.x/x

     

     



  • 3.  RE: Assign IP to VLAN trunk

    Posted 05-14-2019 11:42

    Thanks for that @spuluka 🙂

    Okay, still having trouble getting my policies to commit. Here's what I have so far:

     

    set system services dhcp pool 192.168.43.0/24 address-range low 192.168.43.100 high 192.168.43.254
set system services dhcp pool 192.168.43.0/24 router 192.168.43.1
set system services dhcp pool 192.168.43.0/24 name-server 1.1.1.1

set security zones security-zone data43
[edit security zones]
set security-zone data43 interfaces ge-0/0/8 host-inbound-traffic system-services ping

[edit security policies]
set policies from-zone data43 to-zone Internet policy data43 match source-address any destination-address any application any
set from-zone data43 to-zone Internet policy data43 then permit

[edit security nat source]
set pool src-nat-pooldata43 address 192.168.43.1/32

[edit security nat source]
set rule-set data43 rule data43 match source-address 192.168.43.0/24
set rule-set data43 rule data43 match destination-address 0.0.0.0/0
set rule-set data43 rule data43 then source-nat pool src-nat-pooldata43

    I'm not really sure I need the nat src pool? Also, I don't know if it should be a /32 if I do?

     

    The commit error I'm getting is:

    root@srx240CP# commit check
[edit security zones security-zone data43]
  'interfaces ge-0/0/8.0'
    Interface ge-0/0/8.0 must be configured under interfaces
error: configuration check-out failed

    But I guess that shouldn't be unit 0, so I went back and tried to do:

    [edit security zones]
root@srx240CP# set security-zone data43 interfaces ge-0/0/8 un
                                                                                                           ^
syntax error.

    So it won't let me add unit 431/432 to this security zone? What else am I missing to pass traffic from my VLAN trunk to the Internet on ge0/0/0.0



  • 4.  RE: Assign IP to VLAN trunk
    Best Answer

    Posted 05-14-2019 11:55
    Try below config:
    delete security zones security-zone data43 interfaces ge-0/0/8.0
    set security zones security-zone data43 interfaces ge-0/0/8.431
    set security zones security-zone data43 interfaces ge-0/0/8.432




  • 5.  RE: Assign IP to VLAN trunk

    Posted 05-14-2019 16:21

    Thanks @Nellikka, that worked better than what I was trying 🙂

    Is there anything else I need to make it pass traffic? I'm still trying to configure a downstream Mikrotik to pass tagged traffic, so not sure whether my issue is there, or with this box. I'll might try to find another box that can support a trunk while I'm debugging (unless someone else has a better way to test?)



  • 6.  RE: Assign IP to VLAN trunk

    Posted 05-15-2019 03:48

    I believe it should work if SRX receives tagged packet from downstream device. If not please update us.

     

     



  • 7.  RE: Assign IP to VLAN trunk

    Posted 05-15-2019 10:54

    It worked!

     

    Well, mostly. Apparently my Juniper isn't serving up DHCP requests for 192.168.43.0/24 on vlan-id 431. But if I statically assign 192.168.43.3/24 to my laptop hanging off the Mikrotik port 2 (VLAN 431), I can ping both 192.168.43.1 and the public static configured on ge-0/0/0.0 so yay! Here's what I have for my DHCP config:

    dhcp {
    pool 192.168.43.0/24 {
        address-range low 192.168.43.100 high 192.168.43.254;
        name-server {
            1.1.1.1;
            8.8.8.8;
        }
        router {
            192.168.43.1;
        }
    }

    What should I do to make sure traffic tagged as 431 from ge-0/0/8.431 gets an IP from this pool?

     

    Also, since my traffic won't route to the public static upstream gateway connected to ge-0/0/0.0, this means I have to add something to my routing, What should I add to route that? Here's what I have:

    rule-set data43 {
        from zone data43;
        to zone Internet;
        rule data43 {
            match {
                source-address 192.168.43.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pooldata43;
                    }
                }
            }
        }

    Here's what I have for my src-nat-pooldata43:

    [edit security nat source]
set pool src-nat-pooldata43 address 192.168.43.1/32

    Is that causing me problems?



  • 8.  RE: Assign IP to VLAN trunk

    Posted 05-15-2019 16:53

    Okay, I got it to pass traffic and hand out dhcp leases, here's what I did:

    set security zones security-zone data43 interfaces ge-0/0/8.431 host-inbound-traffic system-services dhcp

    then I got rid of my src-nat pool and assigned it to an interface like:

    rule-set data43 {
    from zone data43;
    to zone Internet;
    rule data43 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    src-nat-pooldata43;
                }
            }
        }
    }
[edit security nat source]
delete rule data43 then source-nat pool
set rule data43 then source-nat interface
show
rule-set data43 {
    from zone data43;
    to zone Internet;
    rule data43 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }

    Thanks all for you help, I'm soooo happy this community is here to help 🙂