r/Juniper • 4 yr. ago
packetheavy
SRX VLAN Configuration
I’m currently working with an SRX340 to implement PoC configuration prior to moving to SRX380s.
I want to implement vlans in a way that will allow for the most flexible use of the ports on the device, because
of this I don't think that I can bind vlans as units of a single interface. My goal is to have several vlans
defined and have them trunked on some ports and access mode on some other ports.
Based on my current research, I think I configure the vlans as units of the irb interface but I’m lost as to how
to set the physical ports to trunk or access mode to utilize the defined vlans.
Any help is appreciated.
Thanks
techworkreddit3 • 4y ago
You need to create the irb interfaces and then associate them with the appropriate vlans. Once you
have your vlan tied to the irb interface you have to assign them to the appropriate ports.
To create the vlans and irb interfaces appropriately:
set interfaces irb unit 0 family inet address [Link]/24
set vlans vlan-test l3-interface irb.0
set vlans vlan-test vlan-id 10
To assign the vlan to an interface as trunked:
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-test
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-other
To assign the vlan to an interface tagged:
set interfaces ge-0/0/1 unit 0 family ethernet-switching native-vlan-id 10
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-other
To assign the vlan to an interface untagged:
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-test
3 Reply
JuniperMS • 4y ago
Cannot forget set protocols l2-learning global-mode switching. A reboot is required.
3 Reply
techworkreddit3 • 4y ago
You're completely right. I forgot that's not set by default. That should be the first thing you do
so you can reboot and then work on the vlan configs
2 Reply
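Putting the two replies above together (the VLAN/irb/port commands and the switching-mode prerequisite), here is a complete configuration in Junos hierarchical form. This is an added example, not config posted in the thread. It assumes two VLANs, corp (id 10) and inside (id 11), ge-0/0/1 as the trunk to a downstream switch, ge-0/0/2 and ge-0/0/3 as access ports, and the documentation prefixes 192.0.2.0/24 and 198.51.100.0/24 as placeholder gateway addresses.

```junos
/* Added example, not taken from the thread. Assumed names: vlan-corp (10), vlan-inside (11),
   ge-0/0/1 trunk, ge-0/0/2 and ge-0/0/3 access ports, placeholder documentation prefixes. */
protocols {
    l2-learning {
        /* Switching mode must be enabled, and the SRX rebooted, before the
           ethernet-switching family on the ge- ports will commit and pass traffic. */
        global-mode switching;
    }
    rstp {
        /* Spanning tree on all switched ports so a mis-cabled access port cannot form a loop. */
        interface all;
    }
}
vlans {
    /* One VLAN per bridge domain, each bound to its own irb unit: one irb unit per VLAN. */
    vlan-corp {
        vlan-id 10;
        l3-interface irb.10;
    }
    vlan-inside {
        vlan-id 11;
        l3-interface irb.11;
    }
}
interfaces {
    irb {
        /* The irb units carry the Layer 3 gateway address for each VLAN. */
        unit 10 {
            family inet {
                address 192.0.2.1/24;
            }
        }
        unit 11 {
            family inet {
                address 198.51.100.1/24;
            }
        }
    }
    ge-0/0/1 {
        /* Trunk port: the physical port stays on unit 0; VLAN membership is expressed
           through family ethernet-switching, not through a logical unit per VLAN. */
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ vlan-corp vlan-inside ];
                }
            }
        }
    }
    ge-0/0/2 {
        /* Access port: a single VLAN, frames leave untagged. */
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan-corp;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan-inside;
                }
            }
        }
    }
}
```

After the commit and the reboot that switching mode requires, `show vlans`, `show interfaces irb.10 terse` and `show ethernet-switching table` confirm that the VLANs exist, the irb units are up, and MAC addresses are being learned on the expected ports. Because this is an SRX, the irb units forward nothing (and will not even answer ping) until they are placed in security zones with matching policies.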
packetheavy OP • 4y ago
This is awesome help, thank you.
Do I put everything in unit 0 or create a unit per vlan?
The question applies to both the irb and the ge interface config.
Thanks
1 Reply
packetheavy OP • 4y ago
This is what I set so far, it doesn't appear to be working:
interfaces {
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ vlan-corp vlan-inside ];
                }
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address [Link]/24;
            }
        }
    }
    irb {
        unit 10 {
            family inet {
                address [Link]/24;
            }
        }
        unit 11 {
            family inet {
                address [Link]/24;
            }
        }
    }
}
vlans {
    vlan-corp {
        vlan-id 10;
        l3-interface irb.10;
    }
    vlan-inside {
        vlan-id 11;
        l3-interface irb.11;
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}
1 Reply
techworkreddit3 • 4y ago
Can you show the results of the operational commands
root@srx> show interfaces irb.10
root@srx> show interfaces irb.11
1 Reply
techworkreddit3 • 4y ago
It's also worth noting that you need to update the security policies and security zones for this,
because it is a firewall you need to allow communication between the respective interfaces.
set security zones security-zone civilcorp interfaces irb.10
set security zones security-zone civilcorp interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone inside interfaces irb.11
set security zones security-zone inside interfaces irb.11 host-inbound-traffic system-services ping
set security policies from-zone civilcorp to-zone inside policy allow_all match source-address any
set security policies from-zone civilcorp to-zone inside policy allow_all match destination-address any
set security policies from-zone civilcorp to-zone inside policy allow_all match application any
set security policies from-zone civilcorp to-zone inside policy allow_all then permit
set security policies from-zone inside to-zone civilcorp policy allow_all match source-address any
set security policies from-zone inside to-zone civilcorp policy allow_all match destination-address any
set security policies from-zone inside to-zone civilcorp policy allow_all match application any
set security policies from-zone inside to-zone civilcorp policy allow_all then permit
This defines the security zones and then allows ping between the two zones. It also creates a
default policy to allow all traffic between the two zones, which is very far from best
practice but lets you get connectivity up. You have to define traffic from both directions.
1 Reply
packetheavy OP • 4y ago
Okay, so apparently I missed the part where I needed to write security context to make a
ping work from the unit itself, I have this resolved, thank you so much for the assist.
1 Reply
techworkreddit3 • 4y ago
No problem! Just as a note. You can set global policies to establish a baseline rule for
all security zones. A good use of this would be to deny all traffic, that way only the
traffic you specifically allow will be transiting the device.
1 Reply
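The zone and policy reply above gets connectivity up with allow_all; the follow-up suggests a global deny as the baseline. As an added example (not config from the thread), here is the same two-zone layout with the allow_all policies replaced by explicit rules plus a logged default-deny global policy. It assumes the zone names civilcorp (irb.10) and inside (irb.11) used in the replies, and that inside hosts only need web and DNS into civilcorp; the application names are Junos built-in definitions.

```junos
/* Added example, not the thread's own config. Assumes zones civilcorp (irb.10) and
   inside (irb.11); the permitted applications are an assumption for illustration. */
security {
    zones {
        security-zone civilcorp {
            host-inbound-traffic {
                /* Only what the gateway itself must answer on this zone: ping, for troubleshooting. */
                system-services {
                    ping;
                }
            }
            interfaces {
                irb.10;
            }
        }
        security-zone inside {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                irb.11;
            }
        }
    }
    policies {
        /* Hosts in inside may reach web and DNS in civilcorp; nothing else. */
        from-zone inside to-zone civilcorp {
            policy inside-to-corp-web {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https junos-dns-udp ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        /* The civilcorp side only gets ICMP echo toward inside, for reachability checks. */
        from-zone civilcorp to-zone inside {
            policy corp-to-inside-ping {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ping;
                }
                then {
                    permit;
                }
            }
        }
        /* Global policy: evaluated after the zone-pair policies, so any session not
           matched above is dropped and the attempt is logged at session setup. */
        global {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

The order matters: zone-pair policies are checked first, then the global policy, so the explicit permits win and everything else lands on default-deny. `show security policies` lists the resulting order, and `show security flow session` shows which policy each live session matched, which is the quickest way to find out why a ping or a web request is being dropped after tightening from allow_all.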
studiox_swe • 4y ago
Are you saying you want several VLANs as LAYER2 or LAYER3?
I would strongly discourage the usage of a firewall as a switch, it's a router. So you should have l3
interfaces. It's fine to have multiple L3 interfaces on a single physical interface with its own VLAN of
course.
-3 Reply
fb35523 • 4y ago
On the SRX380, you could just hook up two 10 G ports as a LAG to the switches and have all VLANs
going through there. If you're deploying a cluster, you should consider the various possibilities like
where to run the LAGs and how to distribute them, all depending on what the rest of your network
looks like.
1 Reply
pjacksone • 4y ago
I need to try this out. I am completely new to Juniper gear. Got the network pack from Juniper and most
and am trying to set up the network in my house. Been quite confusing
1 Reply