On the SRX Branch Series, each interface can be configured as either layer 2 or layer 3. The available modes are:
- Routed Ports – Layer 3 (inet)
- Bridge – Layer 2 (only used for transparent mode)
- Ethernet-switching – Layer 2 (switchport)
Within this article we will look at how to configure a trunk and access port as switchports (aka ethernet-switching).
Trunk
In this example we configure fe-0/0/0 as a trunk and allow only VLANs 100, 110 and 120 across it. A layer 3 interface is then assigned to each of these VLANs.
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-100 vlan-110 vlan-120 ];
                    }
                }
            }
        }
        vlan {
            unit 100 {
                family inet {
                    address 10.1.100.1/24;
                }
            }
            unit 110 {
                family inet {
                    address 10.1.110.1/24;
                }
            }
            unit 120 {
                family inet {
                    address 10.1.120.1/24;
                }
            }
        }
    }
Next, each VLAN is created and assigned an ID and the previously created layer 3 interface.
    vlans {
        vlan-120 {
            vlan-id 120;
            l3-interface vlan.120;
        }
        vlan-110 {
            vlan-id 110;
            l3-interface vlan.110;
        }
        vlan-100 {
            vlan-id 100;
            l3-interface vlan.100;
        }
    }
Note: SRX clustering does not support ethernet-switching. Because of this, if a layer 3 based trunk is needed, the following configuration can be used instead: http://forums.juniper.net/t5/SRX-Services-Gateway/Inter-Vlan-routing-SRX-240/
Access Port
In this example we configure fe-0/0/1 through fe-0/0/7 as access ports. Each port is assigned to vlan-trust, and a layer 3 interface is then assigned to that VLAN.
    interfaces {
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 10.1.1.100/24;
                }
            }
        }
    }
Next, the VLAN is created and assigned an ID and the previously created layer 3 interface.
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }
Show Commands
Two commands that are useful when configuring or troubleshooting ethernet switching on a Juniper SRX are:
show ethernet-switching interfaces
    [email protected]> show ethernet-switching interfaces
    Interface    State  VLAN members  Tag  Tagging   Blocking
    fe-0/0/0.0   up     vlan-120      120  tagged    unblocked
                        vlan-110      110  tagged    unblocked
                        vlan-100      100  tagged    unblocked
    fe-0/0/1.0   up     vlan-trust    3    untagged  unblocked
    fe-0/0/2.0   up     vlan-trust    3    untagged  unblocked
    fe-0/0/3.0   down   vlan-trust    3    untagged  unblocked
    fe-0/0/4.0   down   vlan-trust    3    untagged  unblocked
    fe-0/0/5.0   down   vlan-trust    3    untagged  unblocked
    fe-0/0/6.0   down   vlan-trust    3    untagged  unblocked
    fe-0/0/7.0   down   vlan-trust    3    untagged  unblocked
show interfaces vlan terse
    [email protected]> show interfaces vlan terse
    Interface   Admin  Link  Proto  Local            Remote
    vlan        up     up
    vlan.0      up     up    inet   10.1.1.100/24
    vlan.100    up     up    inet   10.1.100.1/24
    vlan.110    up     up    inet   10.1.110.1/24
    vlan.120    up     up    inet   10.1.120.1/24
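As an added example (not from the original article or from Juniper), the Python script below parses `show ethernet-switching interfaces` output, including the continuation rows a trunk produces, and compares it with the port layout this article configures. The function names, the `DRIFT` sample, VLAN 999 and port ge-0/0/8.0 are constructed for illustration, and only physical-port style names such as fe-0/0/0.0 are recognised.

```python
import re

IFACE = re.compile(r"^[a-z]+-\d+/\d+/\d+\.\d+$")  # logical port name, e.g. fe-0/0/0.0
# Intended state from this article: one trunk, seven access ports in vlan-trust (id 3).
TRUNKS = {"fe-0/0/0.0": {100, 110, 120}}
ACCESS = {f"fe-0/0/{n}.0": 3 for n in range(1, 8)}

# Constructed output showing drift; VLAN 999, ge-0/0/8.0 and the changed rows are made up.
DRIFT = """\
Interface    State  VLAN members  Tag  Tagging   Blocking
fe-0/0/0.0   up     vlan-120      120  tagged    unblocked
                    vlan-999      999  tagged    unblocked
fe-0/0/2.0   up     vlan-100      100  untagged  unblocked
                    vlan-110      110  tagged    unblocked
ge-0/0/8.0   up     vlan-trust    3    untagged  unblocked
"""

def parse(output):
    """Return {port: {"state": str, "vlans": {tag: "tagged" | "untagged"}}}."""
    ports, current = {}, None
    for line in output.splitlines():
        tok = line.split()
        if len(tok) >= 2 and IFACE.match(tok[0]):  # first row of a port: name, state
            current = ports.setdefault(tok[0], {"state": tok[1], "vlans": {}})
            tok = tok[2:]
        # What remains is "name tag tagging blocking"; header, prompt and blank rows fail this.
        if current is not None and len(tok) >= 3 and tok[1].isdigit():
            current["vlans"][int(tok[1])] = tok[2]
    return ports

def audit(ports, trunks=TRUNKS, access=ACCESS):
    """Compare parsed ports with the intended layout and return a list of findings."""
    findings = []
    for name, port in sorted(ports.items()):
        tagged = sorted(t for t, m in port["vlans"].items() if m == "tagged")
        untagged = sorted(t for t, m in port["vlans"].items() if m == "untagged")
        if name in trunks:
            findings += [f"{name}: trunk carries unapproved VLAN {t}"
                         for t in tagged if t not in trunks[name]]
        elif name in access:
            if tagged:
                findings.append(f"{name}: access port is tagging VLANs {tagged}")
            if untagged != [access[name]]:
                findings.append(f"{name}: expected untagged VLAN {access[name]}, found {untagged}")
        else:
            findings.append(f"{name}: switchport missing from intended layout")
    return findings
```

Calling `audit(parse(DRIFT))` returns four findings, while the listing shown in this article produces none.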