SRX Services Gateway

SRX 100 Vlan configuration

02-19-2014 04:53 PM

I am new to Juniper products and to this forum, so if I posted in the wrong place I am sorry; also, if I ask dumb questions it is because I am learning Juniper. I have been a Cisco tech for the most part.

 

We just got a new SRX 100 for a remote office. Before I send it to the remote office I am trying to get as much of the configuration done at the office as I can.

I am setting the SRX up in a test environment to start with, but it basically mirrors the network of the remote office. It is on different subnets but the setup will be close to the same.

My question/problem is VLAN configuration.

All equipment is Cisco. The remote office right now has a point-to-point T1 set up, with a router on both ends that passes VLAN traffic across as it should.

 

The remote office router has 3 VLANs set up as follows:

vlan 211 10.1.21.254/24 for data traffic
vlan 212 10.2.21.254/24 for voice traffic (VoIP)
vlan 213 10.3.21.254/24 for public wireless access

 

The switch has ports configured as follows:

interface FastEthernet0/1
 switchport access vlan 211
 switchport trunk native vlan 211
 switchport mode trunk
 switchport voice vlan 212
 spanning-tree portfast

 

I do not have the SRX config; I cannot access it from home, and the commands I have used do not seem to work. I can post a config of the SRX first thing in the morning if it will help.

15 REPLIES
Re: SRX 100 Vlan configuration

02-19-2014 09:48 PM

Dear

Could you please post a diagram of your desired topology? Where do you want to put your SRX? I assume the router will still be there for T1 link modulation, so the SRX will be between your router and switch.

 

Are you planning to move the VLAN interfaces to the SRX (routed mode), or do you want to keep them on the router (in this case you need to put the SRX in transparent mode, Layer 2)?

 

Regards

Red1

If this worked for you, kindly help other visitors/members of our community by tagging this post as "Accepted Solution".
Kudos are a good way of appreciation.
-------------
Red1
JNCIE-SEC #158, JNCIP-SP, JNCIS-(FWV, SA, AC)

Re: SRX 100 Vlan configuration

02-19-2014 09:56 PM

The link below will help you with the routed-mode config:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16667

 

If you need to run the SRX in transparent mode, please notify me and I will help you.

 

Regards

Red1

Re: SRX 100 Vlan configuration

02-20-2014 05:54 AM

Red1, I have attached an example of what the network will look like.

 

Sorry I did not put that in my first post.

 

Basically the point-to-point T1s are going away and we are installing Internet at the location; they will have a VPN tunnel back to the corporate office for all domain and shared-document traffic.

In my example the router goes away and the firewall steps in. The firewall will host all VPN tunnels and I would like it to have all the VLAN information. DHCP is handled from the corporate office (I am working on that part and think I have an idea of how it works).

It is a simple drawing, you can laugh at it. lol

Re: SRX 100 Vlan configuration

02-20-2014 10:24 AM

OK, after doing some digging on Google I have corrected some of the problem.

 

Configuration on the Juniper SRX:

   set vlans vlan-211 vlan-id 211 (Do for all VLAN IDs)
   set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-211
   set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode trunk
   set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members all
   set interfaces fe-0/0/2 unit 0 family ethernet-switching native-vlan-id 211
   set interfaces vlan unit 211 family inet address 10.1.41.254/24 (Do for all VLAN IDs)
   set vlans vlan-211 l3-interface vlan.211 (Do for all VLAN IDs)
   set security zones security-zone Internal interfaces vlan.211 host-inbound-traffic system-services all (Do for all VLAN IDs)
   set security zones security-zone Internal interfaces vlan.211 host-inbound-traffic protocols all (Do for all VLAN IDs)

 

From my Cisco switch I am able to ping 10.1.41.254 (SRX 100 vlan 211) and ping through to the Internet. I am not able to ping any of the other VLAN interfaces.

Re: SRX 100 Vlan configuration

02-20-2014 11:10 AM

Hi,

I prefer to use the below to add the VLAN members of the interface:

 set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members [ vlan-211 vlan-xxx vlan-yyy ]

 

 

Could you please remove the below:

set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members all

Why are you using a native VLAN?

set interfaces fe-0/0/2 unit 0 family ethernet-switching native-vlan-id vlan-211

Use the below command to show the MAC table:

show ethernet-switching table

 

 

Regards

Red1

Re: SRX 100 Vlan configuration

02-20-2014 11:49 AM

The setup information that I used was pieced together from a Google search and from a support call in to Juniper.

 

I have changed to your preferred setup to show all the VLANs (vlan-211 vlan-212 vlan-213).

 

After working with Support yesterday and their failed attempt to set up the VLAN traffic, I was thinking that maybe the SRX needed to know what the default VLAN traffic was. I removed it and am still able to ping vlan-211; still no traffic to vlan-212 or 213.

And the command you posted I cannot get to work from [edit].

Shane

Re: SRX 100 Vlan configuration

02-20-2014 11:58 AM

OK, I got the command working; it has to run from ">" not "#".

I have attached the output.

Re: SRX 100 Vlan configuration

02-20-2014 12:13 PM

Just a question: did you add the L3 interfaces vlan.x to security zone(s)? If so, is ping allowed under host-inbound-traffic system-services in the security-zone config?

If you are in config mode and you want to run an operational command, add "run" at the beginning of your operational command, for example: run show ethernet-switching table

 

You need to check the MAC table on the L2 switch as well.

 

 

 

 

Your interface config should resemble the below:

interfaces {
    ge-*/*/* {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ <vlan name or id> <vlan name or id> ... ];
                }
            }
        }
    }
    vlan {
        unit <unit number> {
            family inet {
                address <ip address>/<netmask>;
            }
        }
    }
}

vlans {
    <vlan name> {
        vlan-id <vlan id>;
        l3-interface vlan.<unit of newly created vlan ifl>;
    }
}

 

 

Please read the first pages of the document linked below; it explains your setup:

http://www.juniper.net/us/en/local/pdf/app-notes/3500196-en.pdf

 

 

If you are able to ping the VLAN L3 interface IPs, the next step is to define security policies.

Regards

Red1

Re: SRX 100 Vlan configuration

02-20-2014 12:29 PM

Looking at your sample config below, I assume you did a "show interfaces"; my interface and vlan (without the s) looks like yours. I had to do "show vlans" to see the vlans part of the config you posted. Is that correct?

Re: SRX 100 Vlan configuration

02-20-2014 12:33 PM

Yes, "show vlans" in config mode.

Regards

Red1

Re: SRX 100 Vlan configuration

02-20-2014 12:39 PM

OK, I do have a question about your config compared to mine.

 

Your vlans:

vlans {
    <vlan name> {
        l3-interface vlan.<unit of newly created vlan ifl>;
    }
}

My vlans:

vlan-211 {
    vlan-id 211;
    l3-interface vlan.211;
}

All three of my VLANs look this way; they are not nested under vlans.

 

Yes, I do think that the security zones are where I am losing traffic.

I may have looked at that incorrectly, sorry if I did, and I really appreciate the help.

Shane

Re: SRX 100 Vlan configuration

02-20-2014 01:27 PM

I have attached a running copy of my config.

 

When I try to put in a policy for vlan-211 to vlan-212 it tells me they are already in a policy. It looks to me like they are in Internal.

The commands I am trying to run are as follows:

set security zones security-zone vlan-211 interfaces vlan.211   (this would be done for each VLAN)
set security policies from-zone vlan-211 to-zone vlan-212 policy vlan_traffic match source-address any
set security policies from-zone vlan-211 to-zone vlan-212 policy vlan_traffic match destination-address any
set security policies from-zone vlan-211 to-zone vlan-212 policy vlan_traffic match application any
set security policies from-zone vlan-211 to-zone vlan-212 policy vlan_traffic then permit

Re: SRX 100 Vlan configuration

02-20-2014 01:51 PM

Your interfaces are already part of the Internal zone; you just need to allow intrazone traffic by adding a security policy from-zone Internal to-zone Internal. Before that, are you able to ping the L3 VLAN interface IPs from machines in the relevant VLAN? For vlan.212 you shouldn't be able to ping the interface IP, as the system-services section is not defined for this interface (see below):

vlan.212 {
    host-inbound-traffic {
        protocols {
            all;
        }
    }
}

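As an added example (not part of the original thread and not taken from any Juniper document), here is the complete configuration the thread converges on, written in the curly-brace format Red1's template uses so it can be pasted with "load merge terminal". It uses the thread's VLAN IDs, trunk port fe-0/0/2, the 10.x.41.254/24 lab addresses and the Internal zone name, and the legacy (non-ELS) branch-SRX syntax the thread shows. Two points go beyond what was posted and are assumptions: the public-wireless VLAN 213 is placed in its own Guest zone rather than in Internal, so the Internal-to-Internal policy does not also let guest wireless reach the data and voice VLANs, and host-inbound-traffic is narrowed to ping instead of "system-services all" plus "protocols all". The native-vlan-id value is the numeric VLAN ID, matching the "switchport trunk native vlan 211" on the Cisco side.

```junos
/* Added example, not the OP's running config.  Assumes the legacy
   (non-ELS) branch-SRX syntax used in the thread, trunk port fe-0/0/2,
   the OP's lab addresses 10.x.41.254/24, the zone name "Internal" from
   the thread, and a separate "Guest" zone for the public-wireless VLAN
   (that split is an assumption, not something the thread shows). */
vlans {
    vlan-211 { vlan-id 211; l3-interface vlan.211; }   /* data */
    vlan-212 { vlan-id 212; l3-interface vlan.212; }   /* voice (VoIP) */
    vlan-213 { vlan-id 213; l3-interface vlan.213; }   /* public wireless */
}
interfaces {
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-211 vlan-212 vlan-213 ];
                }
                /* Only needed if the Cisco side sends VLAN 211 untagged;
                   the ID must match "switchport trunk native vlan 211". */
                native-vlan-id 211;
            }
        }
    }
    /* One routed VLAN interface (SVI) per VLAN. */
    vlan {
        unit 211 { family inet { address 10.1.41.254/24; } }
        unit 212 { family inet { address 10.2.41.254/24; } }
        unit 213 { family inet { address 10.3.41.254/24; } }
    }
}
security {
    zones {
        /* Allow only ping to the SVIs, not "system-services all" plus
           "protocols all"; add dhcp, ssh, etc. per interface only where
           the SRX itself really must accept them. */
        security-zone Internal {
            interfaces {
                vlan.211 { host-inbound-traffic { system-services { ping; } } }
                vlan.212 { host-inbound-traffic { system-services { ping; } } }
            }
        }
        security-zone Guest {
            interfaces {
                vlan.213 { host-inbound-traffic { system-services { ping; } } }
            }
        }
    }
    policies {
        /* The SRX drops traffic between two interfaces of the same zone
           until a from-zone X to-zone X policy permits it.  There is
           deliberately no Guest-to-Internal policy, so the public
           wireless VLAN cannot reach data or voice. */
        from-zone Internal to-zone Internal {
            policy data-voice {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After "load merge terminal" and "commit check", verify with "run show vlans", "run show ethernet-switching table" (the Cisco-side MAC addresses should appear under the right VLAN), "run show security zones" and "run show security policies". If a host in VLAN 212 can reach 10.1.41.254 but not 10.2.41.254, check that vlan.212 has host-inbound-traffic system-services ping in its zone before looking at the switch's trunk allowed-VLAN list. Internet access for either zone still needs its own from-zone Internal (or Guest) to-zone untrust policy, which the thread has not reached yet.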

Re: SRX 100 Vlan configuration

02-20-2014 02:10 PM

I saw the problem with vlan.212 about the time I posted the config; I did correct it.

And thank you for your help.

Re: SRX 100 Vlan configuration

02-20-2014 06:18 PM

Is your issue resolved now?

Regards

Red1