SRX Getting Started - Configure Ethernet ports for switching

Knowledge Base ID: KB16667
Last Updated: 30 May 2014
Version: 8.0

Summary:

This article provides examples of how to configure Ethernet ports for switching and information about how to verify and troubleshoot your configuration.

For other topics, go to the SRX Getting Started main page.

Problem or Goal:

Configure Ethernet ports for switching

Solution:

Overview

The SRX Series products provide a comprehensive suite of Ethernet switching functionality. Ethernet switching features eliminate the need for Layer 2 switches in small branch offices and act as an aggregate switch in medium-sized branch offices.

J Series routers include Ethernet switching features, integrated routing and bridging, and support for several Layer 2 protocols. These features are also present in branch SRX Series Services Gateways (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550 and SRX650). Switching is not available (and not needed) on the high-end SRX devices.  Switching is performed in the hardware, which allows full throughput without consuming CPU performance.

Important Note: Use of Ethernet Switching in chassis clusters requires the following Junos OS versions:
    SRX240 & SRX650 (Junos 11.1 or later)
    SRX210, SRX220 (Junos 11.2 or later)
    SRX550 (Junos 12.1 or later)
    SRX100 and SRX110 devices do not support ethernet-switching in clusters.  

   
For a configuration example in chassis clusters, refer to KB21422 - How to configure Ethernet Switching in Chassis Cluster mode.

For a list of devices and ports that support switching features, refer to KB15455 - Which ports on J-Series and SRX-Branch support Layer2 switching.


CLI Configuration

Two examples are provided. In the first example, the default Ethernet switch configuration is explained.  In the second example, two interfaces are assigned to a new, different VLAN.

Example 1 -- Default Ethernet switch configuration

The following procedure shows the default configuration for Ethernet switching on the interfaces of an SRX210 device. The factory default configuration includes a predefined VLAN named vlan-trust and a VLAN interface named vlan.0, which is assigned the IP address 192.168.1.1/24 and serves as the Layer 3 interface. The VLAN interface is assigned to the trust security zone, which allows all services and protocols.

  1. An internal VLAN (vlan-trust) is defined to allow switching between several interfaces:
    user@host# set vlans vlan-trust vlan-id 3

  2. Assign a VLAN interface as the Layer 3 interface to the predefined vlan-trust VLAN:
    user@host# set vlans vlan-trust l3-interface vlan.0

  3. Configure a VLAN interface with an IP address for the VLAN. For branch deployments, the IP address is typically the gateway address. This Layer 3 interface has an IP address that is reachable from all hosts on its VLAN.
    user@host# set interfaces vlan unit 0 family inet address 192.168.1.1/24

  4. Assign all physical interfaces except ge-0/0/0 to an interface range with the name interfaces-trust:
    user@host# set interfaces interface-range interfaces-trust member ge-0/0/1
    user@host# set interfaces interface-range interfaces-trust member fe-0/0/2
    user@host# set interfaces interface-range interfaces-trust member fe-0/0/3
    user@host# set interfaces interface-range interfaces-trust member fe-0/0/4
    user@host# set interfaces interface-range interfaces-trust member fe-0/0/5
    user@host# set interfaces interface-range interfaces-trust member fe-0/0/6
    user@host# set interfaces interface-range interfaces-trust member fe-0/0/7

  5. Assign the interface range to the VLAN vlan-trust:
    user@host# set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust

  6. Assign the VLAN interface to a security zone, and specify allowed host-inbound services and protocols. (It is a firewall, so the interface is mapped to zone trust where all services are enabled.)
    user@host# set security zones security-zone trust interfaces vlan.0
    user@host# set security zones security-zone trust host-inbound-traffic system-services all
    user@host# set security zones security-zone trust host-inbound-traffic protocols all
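
Example 1 ends by allowing all host-inbound system services and protocols at the zone level, which applies to every interface placed in zone trust. The following Python audit is an added example, not Juniper's code: it reads `display set` lines and reports which zone interfaces end up with `all`. The sample lines are constructed from this page (ssh is assumed for the <service> placeholder used in Example 2), and the code assumes interface-level host-inbound-traffic statements take precedence over zone-level ones of the same type.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from a device): `display set` lines from
# Example 1 plus the vlan.100 statement of Example 2 with ssh as <service>.
SAMPLE = """\
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces vlan.100 host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
"""

LINE_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifname>\S+))?"
    r"(?: host-inbound-traffic (?P<kind>system-services|protocols) (?P<value>\S+))?$"
)

def audit_host_inbound(config_text):
    """Map each zone interface to its effective host-inbound settings."""
    zone_level = defaultdict(lambda: defaultdict(set))  # zone -> kind -> values
    if_level = defaultdict(lambda: defaultdict(set))    # (zone, if) -> kind -> values
    members = []                                        # (zone, if) in config order
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        zone, ifname, kind, value = m.group("zone", "ifname", "kind", "value")
        if ifname:
            if (zone, ifname) not in members:
                members.append((zone, ifname))
            if kind:
                if_level[(zone, ifname)][kind].add(value)
        elif kind:
            zone_level[zone][kind].add(value)
    report = {}
    for zone, ifname in members:
        effective = {}
        for kind in ("system-services", "protocols"):
            # Assumption: an interface-level statement overrides the zone-level
            # one of the same kind; otherwise the zone-level value is inherited.
            effective[kind] = if_level[(zone, ifname)].get(kind) or zone_level[zone].get(kind, set())
        open_kinds = sorted(k for k, v in effective.items() if "all" in v)
        report[ifname] = {"zone": zone, **effective, "allows_all": open_kinds}
    return report

if __name__ == "__main__":
    for ifname, info in audit_host_inbound(SAMPLE).items():
        print(ifname, info["zone"], "allows all:", info["allows_all"] or "nothing")
```

On the sample, vlan.100 is still reported for `protocols all` even though its system services are limited to ssh, because the protocols statement was set only at the zone level.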

Example 2 -- Configure two interfaces into a separate VLAN

The following procedure shows an example of configuring the fe-0/0/2 and fe-0/0/3 interfaces as Ethernet switch ports in a separate VLAN (vlan100). It is important to note that interfaces have to be removed from interface ranges before they can be added to other VLANs for switching (steps 1 and 2 below).

  1. Before you can add an interface to switching, you probably have to remove existing assignments. Run the following command to see how it is configured:
    user@host# run show configuration | match <interface> | display set

  2. If the interface is a member of an interface range that is in use, you need to remove it from that range:
    user@host# delete interfaces interface-range <interface-range-name> member <interface>

    If there is an IP address assigned to the interface, you have to remove it:
    user@host# delete interfaces <interface> unit 0 family inet

  3. Specify a new VLAN, which will be used for switching, in this case VLAN 100:
    user@host# set vlans vlan-100 vlan-id 100

  4. Assign this VLAN interface as your Layer 3 interface on this VLAN:
    user@host# set vlans vlan-100 l3-interface vlan.100

  5. Configure a VLAN interface with an IP address for this VLAN. (It must be on a different L3 subnet than the other VLANs.)
    user@host# set interfaces vlan unit 100 family inet address 192.168.10.1/24

  6. Assign the fe-0/0/2 and fe-0/0/3 physical interfaces to an interface range with the name interfaces-vlan100:
    user@host# set interfaces interface-range interfaces-vlan100 member fe-0/0/2
    user@host# set interfaces interface-range interfaces-vlan100 member fe-0/0/3

  7. Assign the interface range to the desired VLAN. (The default for new switching interfaces is port mode = access (untagged).)
    user@host# set interfaces interface-range interfaces-vlan100 unit 0 family ethernet-switching vlan members vlan-100

  8. It is a firewall, so the VLAN interface must also be in a zone:
    user@host# set security zones security-zone trust interfaces vlan.100

  9. Allow services on the VLAN interface if desired:
    user@host# set security zones security-zone trust interfaces vlan.100 host-inbound-traffic system-services <service>
    user@host# set security zones security-zone trust host-inbound-traffic protocols <protocol>
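
Steps 1 and 2 of Example 2 can be checked mechanically before a port is moved. This added Python example (not from the original article) scans `display set` output for an exact interface name and returns the step 2 delete commands that apply; the sample configuration is constructed and the function name is hypothetical.

```python
import re

# Constructed sample of `show configuration | display set` output, based on
# the factory-default layout in Example 1 (not captured from a real device).
SAMPLE = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.10/24
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 192.168.1.1/24
"""

def cleanup_commands(config_text, interface):
    """Return the step 2 delete commands needed before `interface` can be
    placed in a new interface range (hypothetical helper, added example)."""
    name = re.escape(interface)
    # Anchored patterns: unlike a plain `| match`, fe-0/0/2 does not also hit fe-0/0/20.
    range_re = re.compile(rf"^set interfaces interface-range (\S+) member {name}$")
    # `(?: |$)` keeps `family inet6` from being mistaken for `family inet`.
    inet_re = re.compile(rf"^set interfaces {name} unit (\d+) family inet(?: |$)")
    commands = []
    for line in config_text.splitlines():
        line = line.strip()
        m = range_re.match(line)
        if m:
            cmd = f"delete interfaces interface-range {m.group(1)} member {interface}"
        else:
            m = inet_re.match(line)
            if not m:
                continue
            cmd = f"delete interfaces {interface} unit {m.group(1)} family inet"
        if cmd not in commands:  # several address lines map to one delete
            commands.append(cmd)
    return commands

if __name__ == "__main__":
    for port in ("fe-0/0/2", "ge-0/0/0", "fe-0/0/7"):
        print(port, cleanup_commands(SAMPLE, port))
```

An empty result means the port has no range membership or Layer 3 address in the supplied configuration, so the procedure can continue at step 3.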


Application Note

Refer to the application note TN191 - J Series and Branch SRX Series Ethernet Switching Configuration Guide for an overview of the Junos OS Layer 2 features for J Series and branch SRX Series Services gateways.


Technical Documentation

Ethernet Interfaces Feature Guide for Security Devices


Verification & Troubleshooting    

The following commands are helpful for verifying and troubleshooting Ethernet switching and VLANs:

user@host> show ethernet-switching mac-learning-log
Technical documentation reference: show ethernet-switching mac-learning-log

user@host> show ethernet-switching table
Technical documentation reference: show ethernet-switching table

user@host> show vlans
user@host> show vlans <vlan> extensive

user@host> show ethernet-switching table interface <interface>

user@host> monitor interface <vlan interface>


Purpose:
Implementation

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.