SRX Services Gateway

l3 vlans for trunks and access ports

‎05-31-2012 04:28 AM

Hello everyone.

OK, it's quite simple to configure a trunk between an SRX cluster and some L2 device using 'router on a stick' technology.

We need to configure the interfaces and assign them to a reth group, then create L3 VLAN sub-interfaces on the rethX interface.

 

interfaces {
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-9/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    reth1 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 2 {
            vlan-id 2;
            family inet {
                address 2.2.2.2/24;
            }
        }
        unit 3 {
            vlan-id 3;
            family inet {
                address 3.3.3.3/24;
            }
        }
    }
}

 

Here we have L3 interfaces reth1.2 and reth1.3 

 

But how do I configure the SRX if I want to assign the VLANs (that are on the trunk and configured as above) to access ports? I need to connect common workstations to access ports in these VLANs.

 

For example, on a Cat6500 it's very simple to create L3 VLANs and then make some trunks and/or access ports with assigned VLANs in any combination. I need to know whether this is possible on the SRX.

 

Much help will be appreciated, thanks in advance!

 

10 REPLIES

Re: l3 vlans for trunks and access ports

‎05-31-2012 06:26 AM
You have configured the RETH interface as a layer-3 interface. If you want it to be a layer-2 interface, then you would configure family ethernet-switching on the physical (or reth) interface instead of family inet, and set the port up as either an access or trunk port, then add the appropriate VLAN(s).

If you need a layer-3 interface, you set up the VLAN, add an IP address to a vlan.x interface, then set that as the l3-interface for the VLAN.

interfaces {
    ge-4/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-5/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members SERVERS;
                }
            }
        }
    }
    vlan {
        unit 100 {
            family inet {
                address 10.1.1.1/24;
            }
        }
        unit 200 {
            family inet {
                address 10.2.1.1/24;
            }
        }
    }
}
vlans {
    CLIENTS {
        vlan-id 200;
        l3-interface vlan.200;
    }
    SERVERS {
        vlan-id 100;
        l3-interface vlan.100;
    }
}

JNCIE-SEC #127
JNCIE-ENT #489

Re: l3 vlans for trunks and access ports

‎05-31-2012 08:52 AM

Hmmm.  I might have to lab this one.

 

Do you have workstations connected to a switch, or are they connected to the SRX650?

 

Ron's explanation is like that of a Cisco that you mention, just create vlan interfaces.  If you have a switch, you can use your configuration and don't need access ports on the SRX650, i.e. it's a router on a stick, not a router in a switch.


Re: l3 vlans for trunks and access ports

‎05-31-2012 09:48 PM

It is only a plan to implement the needed scheme in a customer network. For now I don't have any SRX hardware or anything else.

 

Can anyone test this configuration or confirm whether it will work or not? I wrote it in Notepad 🙂

I created L3 VLAN interfaces, plus L2 trunk and L2 access ports to carry these VLANs to another switch and to users.

 

 

interfaces {
    ge-0/0/2 {
        description "access port for workstation in vlan 2";
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 2;
                }
            }
        }
    }
    ge-0/0/3 {
        description "access port for workstation in vlan 3";
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 3;
                }
            }
        }
    }
    ge-0/0/4 {
        description "access port for workstation in vlan 4";
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 4;
                }
            }
        }
    }
    xe-1/0/0 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    xe-9/0/0 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    reth1 {
        description "trunk interface";
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    vlan {
        unit 4 {
            family inet {
                address 4.4.4.4/24;
            }
        }
        unit 3 {
            family inet {
                address 3.3.3.3/24;
            }
        }
        unit 2 {
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
}

vlans {
    vlan_mgmt {
        vlan-id 4;
        l3-interface vlan.4;
    }
    vlan_vm_servers {
        vlan-id 3;
        l3-interface vlan.3;
    }
    vlan_inet {
        vlan-id 2;
        l3-interface vlan.2;
    }
}

 


Re: l3 vlans for trunks and access ports

‎06-01-2012 08:25 AM

Looks good to me from a basic config.  There are other things to consider like your security zones, policies, etc but should work.

 

Still not sure why you don't just put the workstations on a switch and not connect them to the SRX.....
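
The zone and policy considerations mentioned in the reply above, as an added example that is not part of the original thread: it binds the vlan.2, vlan.3 and vlan.4 interfaces from the posted configuration to security zones and permits a single flow between two of them. The zone names (MGMT, SERVERS, INET), the policy name and the permitted service are assumptions chosen for illustration.

```junos
# Constructed example: zone names, policy name and permitted service are assumptions.
security {
    zones {
        security-zone MGMT {
            interfaces {
                vlan.4 {
                    # Only SSH and ping to the SRX itself are accepted here.
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone SERVERS {
            interfaces {
                vlan.3;
            }
        }
        security-zone INET {
            interfaces {
                vlan.2;
            }
        }
    }
    policies {
        # Traffic between zones is dropped unless a policy permits it.
        from-zone MGMT to-zone SERVERS {
            policy mgmt-to-servers-ssh {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
}
```

An L3 interface that belongs to no security zone does not pass traffic, so each vlan.N unit needs a zone before workstations on the access ports can reach anything beyond their own VLAN.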


Re: l3 vlans for trunks and access ports

‎06-03-2012 09:30 PM

There is a small problem - the switch is only 10G, or there is no switch, but a chassis blade server with 10G. That's why I need to connect end users or management links from servers to the SRX.


Re: l3 vlans for trunks and access ports

‎06-06-2012 01:20 AM

And there's some trouble with the SRX-GP-2XE-SFPP-TX module on my SRX650: this module does not support family ethernet-switching on its 10G ports? Is there any solution to fix this?

Or any documentation about it?

 

root@SRX650-node0# set interfaces xe-2/0/0 unit 0 family ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> bridge               Layer-2 bridging parameters
> ccc                  Circuit cross-connect parameters
> inet                 IPv4 parameters
> inet6                IPv6 protocol parameters
> iso                  OSI ISO protocol parameters
> mlfr-end-to-end      Multilink Frame Relay end-to-end protocol parameters
> mlfr-uni-nni         Multilink Frame Relay UNI NNI protocol parameters
> mlppp                Multilink PPP protocol parameters
> mpls                 MPLS protocol parameters
> tcc                  Translational cross-connect parameters
> vpls                 Virtual private LAN service parameters

 


Re: l3 vlans for trunks and access ports

‎06-06-2012 05:39 AM

If it is just an active-standby configuration, I would put those two interfaces into a reth group, then configure the reth interface with vlan-tagging and however many sub-interfaces as you need, each with its own respective VLAN tag.  You should only use family ethernet-switching if you need to have two or more (active) physical interfaces in the same broadcast domain at the same time.

 

Ron

JNCIE-SEC #127
JNCIE-ENT #489

Re: l3 vlans for trunks and access ports

‎06-06-2012 05:52 AM

Hi Ron!

If I put two xe (10G) interfaces under a rethX interface, there is no "family ethernet-switching" under rethX either.

When I use rethX with vlan-tagging and create many sub-interfaces (rethX.vlan_id), I can't use this VLAN on other ports.

 

"family ethernet-switching" is available on the 4 built-in GE interfaces and on the SRX-GP-24GE module on my SRX650.


Re: l3 vlans for trunks and access ports

‎06-06-2012 08:38 AM

You are correct, you could not use those same VLANs for other ports on the box.  I assumed you were using those VLANs just for the servers.  If they need to be in the same broadcast domain as your 1-gig ports, they would need to have family ethernet-switching, which they do not support.

 

Ron

JNCIE-SEC #127
JNCIE-ENT #489

Re: l3 vlans for trunks and access ports

‎10-24-2014 06:05 AM

So if I do this type of config:

 

set interfaces ge-2/0/0 gigether-options redundant-parent reth1
set interfaces ge-2/0/1 gigether-options redundant-parent reth1
set interfaces ge-11/0/0 gigether-options redundant-parent reth1
set interfaces ge-11/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow

 

plus this command :

#set interfaces reth0 unit 0 family ethernet-switching port-mode trunk vlan members all

 

and add some vlan in the end .... :

 

set vlans x vlan-id 2
set vlans y vlan-id 3

 

give them a L3 :

 

set interfaces vlan unit 2 family inet address x.x.x.x/x

set vlans x l3-interface vlan.2

set interfaces vlan unit 3 family inet address x.x.x.x/x

set vlans y l3-interface vlan.3

 

 

will it work ?

 

 
