SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Difference between Interfaces configured to a VLAN versus VLANs with interfaces added in PORTs tab

    Posted 09-30-2014 09:18

    I'm new to JunOS but a veteran to ScreenOS.

    I'm looking to terminate several ports to a single VLAN -- but when I do this to a new SRX240, the question that comes to mind in the GUI is,

     

    What is the difference between configuring an interface to use a selected VLAN versus including an interface in a VLAN's PORT menu?

    In other words:

     Interfaces -> some FE/GE -> Switching Mode -> add vlan-somename

     

    versus

     

    Switching -> some VLAN -> Ports -> Add desired ports.

    It would seem to me they would accomplish the same thing -- but I'm not sure if they actually are.

     

     -Ben



  • 2.  RE: Difference between Interfaces configured to a VLAN versus VLANs with interfaces added in PORTs tab
    Best Answer

    Posted 09-30-2014 23:25

    Hi Ben,

     

    This comes down to a decision that was made in Junos a long time ago (when the EXs were first released).

     

    Basically there was an argument about whether VLAN membership should be attached to physical ports, the way it was done on the M, T and MX routers at the time, or whether physical ports should be assigned to VLANs, the way other vendors' switches did it at the time.

     

    In the end, both methods were implemented, which is why the GUI and CLI let you do things both ways.

     

    If you go into Switching in the GUI and add a port to the VLAN, your config change will be:

    [edit interfaces]
    +   fe-0/0/5 {
    +       unit 0 {
    +           family ethernet-switching;
    +       }
    +   }
    [edit vlans VID11]
    +   interface {
    +       fe-0/0/5.0;
    +   }

    If you go into the physical port and add the VLAN there, it will be:

    [edit interfaces]
    +   fe-0/0/5 {
    +       unit 0 {
    +           family ethernet-switching {
    +               port-mode access;
    +               vlan {
    +                   members VID11;
    +               }
    +           }
    +       }
    +   }

     My personal preference is assigning VLAN IDs to a physical interface (the second one), as it is a lot easier to see (from the CLI anyway) what is native and what is tagged on a port all in one place.

     

    But in terms of functionality (and your original question), both configuration options achieve the same functionality, even if the CLI they generate may be different.

     

    Hope this helps!
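
An added example, not part of the original answer and not Juniper code: a Python audit helper that merges the two membership styles shown above into one port-to-VLAN view, so ports assigned under `[edit vlans]` are not missed when reviewing segmentation. It assumes `show configuration | display set` text as input; the sample config and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in "display set" form, mixing both styles from the answer.
SAMPLE = """\
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members VID11
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members VID11
set interfaces ge-0/0/8 unit 0 family ethernet-switching
set interfaces ge-0/0/9 unit 0 family ethernet-switching
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set vlans VID11 vlan-id 11
set vlans VID11 interface ge-0/0/8.0
set vlans VID11 interface ge-0/0/9.0
set vlans VID22 vlan-id 22
"""

# Style 2 in the answer: VLAN named under the interface.
IF_STYLE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (\S+)$")
# Style 1 in the answer: interface named under the VLAN.
VLAN_STYLE = re.compile(r"^set vlans (\S+) interface (\S+)$")
# Any switching port, so ports with no VLAN named anywhere are still listed.
SWITCHED = re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching\b")

def vlan_membership(config_text):
    """Return {logical_port: {vlan: {"interface" and/or "vlan"}}} (declaration sites)."""
    ports = defaultdict(lambda: defaultdict(set))
    for line in config_text.splitlines():
        line = line.strip()
        if m := IF_STYLE.match(line):
            ports[f"{m[1]}.{m[2]}"][m[3]].add("interface")
        elif m := VLAN_STYLE.match(line):
            port = m[2] if "." in m[2] else m[2] + ".0"  # assume unit 0 if omitted
            ports[port][m[1]].add("vlan")
        elif m := SWITCHED.match(line):
            _ = ports[f"{m[1]}.{m[2]}"]  # record the port even with no VLAN on this line
    return {p: {v: set(s) for v, s in vl.items()} for p, vl in ports.items()}

def members_of(membership, vlan):
    """All ports in a VLAN, whichever stanza declared them."""
    return sorted(p for p, vlans in membership.items() if vlan in vlans)

def unassigned(membership):
    """Switching ports with no VLAN named in either place."""
    return sorted(p for p, vlans in membership.items() if not vlans)
```
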



  • 3.  RE: Difference between Interfaces configured to a VLAN versus VLANs with interfaces added in PORTs tab

    Posted 10-01-2014 07:18

    I follow -- and can understand why they would do both - but in this version of JunOS (11.4r5.5), I'm not sure I am getting the same behavior.


    In this installation, I initially assigned ge-0/0/4.0 - 7.0 to VLAN.1 and ge-0/0/8.0 - 11.0 to VLAN.2 --- but for troubleshooting, I reassigned ge-0/0/8.0 to 11.0 to VLAN.1 but through the switching menu. The switch group doesn't seem to work that way.

     

    (I'm going to shorthand the interfaces since there's no extra tunnels or tagging or subIF's going on)

     

    In other words, interfaces ge-4 through 7 are individually assigned to VLAN.1 while interfaces ge-8 through 11 are assigned to VLAN.1 through the VLAN ports menu. (as the KB article describes to do)

     

    It SEEMS that ge-4 to 7 act as a bgroup (in old ScreenOS terms) but ge-8 to 11 do not.

    And I agree with you that as I look at this, I like the self documenting of assigning the VLAN in the interface menu... but it's more of a pain in the GUI.

    So that's why I asked.

    I'm going to better test this later today and comment here. 

    Thanks for your help!

      -Ben

    P.S. From a firewall standpoint, I kinda liked how ScreenOS did it where a bgroup was an interface of sorts.
    Ports could be added/subtracted on a whim from the bgroup while VLANs and L3 parms were separate operations.

     

     



  • 4.  RE: Difference between Interfaces configured to a VLAN versus VLANs with interfaces added in PORTs tab

    Posted 10-02-2014 19:29

    Just as a followup....

     

     Things are working normally as expected between both methods of configuration.

     

    Thanks again for the help and elaboration on the features in question.

     

    Cheers,

     

     -Ben