SRX

Hello,

You should combine 2 VLANs under same unit 0:

[edit interfaces fe-0/0/2]
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members [ vlan-trust backbone ];
        }
    }
}

 HTH

Thanks

Alex

Indeed,

what you're probably looking for is "the other way" to do vlan tagging;

set interfaces fe-0/0/2 vlan-tagging

set interfaces fe-0/0/2.10 vlan-id 10

set interfaces fe-0/0/2.11 vlan-id 11

...

Catch: if memory serves well, you _need_ to have a vlan ID and you can't create an untagged unit. The other end should be able to provide you workarounds (i.e., tag the untagged unit to the native vlan).

The other option, if you're looking for routing, is indeed the solution aarseniev provided you with, then you can create a vlan.X interface and point the l3-interface under [edit vlans] to it.

Good luck

Thanks Alex and Frederik!

I added both the vlans to unit 0.

All I'm trying to do is connect the SRX210 to an L2/L3 switch and communicate on a vlan that is tagged 70. I'm now able to ping the SRX210

SRX210----------------------vlan-70-------------------------L2/L3 switch

172.28.0.9/22                                                            172.28.0.1/22

Here's the relevant configuration:

fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-trust backbone ]

unit 70 {
            family inet {
                address 172.28.0.9/22;

}

routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.28.0.1;
    }

zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }

          }
            interfaces {
                vlan.0;
                vlan.70;
                fe-0/0/2.0;
            }
        }

vlans {
    backbone {
        vlan-id 70;
        interface {
            fe-0/0/2.0;
        }
        l3-interface vlan.70;
    }

I can see that the arp table has been populated as well.

root# run show arp
MAC Address       Address         Name                      Interface           Flags
00:04:96:1d:70:f0 172.28.0.1      172.28.0.1                vlan.70             none

All this is good, but I'm not satisfied with having to use unit 0 under fe0/0/2. It would in my opinion be cleaner to create a unit 70 for vlan-id 70, unit 100 for vlan-id 100, etc. Or am I just getting confused with concepts from other vendors?

Thanks!

Hello there,

Glad to be of help.

I don't know which vendors You have in mind, but "1 unit = 1 vlan-id" concept is also used on Juniper SRX (and EX, and M/T series etc) when plain L3 routed subinterfaces are required. If You don't need L2 switching for Your "vlan-trust" VLAN then You can use both unit 0 and unit 70 on fe-0/0/2, by assigning IP addresses directly under "fe-0/0/2 unit <> family inet", and not on RVI.

HTH

Thanks

Alex

Thanks for clearing that up, helps a lot.

Appreciate it!!