How to create layer 2 trunk port and access vlans on a Juniper SRX

Introduction

Creating vlans on a Juniper SRX is not as straightforward as you might expect if you’re used to Cisco gear, for example. In this article I hope to explain how to:

      • Configure one port as a trunk port
      • Configure the other ports as access ports
      • Add a mgmt L3 interface

Creating the trunk port

Let’s first create the trunk port. The interface fe-0/0/0 is used as an uplink port to another switch, and this port carries multiple tagged vlans. It carries only tagged vlans: no untagged vlan is allowed on this port.

To configure the port as a trunk port, the port-mode has to be set to “trunk” and the allowed vlans need to be configured. In this case the tagged vlan IDs are 100 and 102:

set interfaces fe-0/0/0 description UPLINK-BB-SLV-LAN-P1.0.12
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members vlan-100

Note that the vlan names are used here, and at this point the vlans still need to be created. It’s also possible to specify the vlan ID instead:

set interfaces fe-0/0/0 description UPLINK-BB-SLV-LAN-P1.0.12
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members 102
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members 100

Create the vlans

Creating the vlans is straightforward:

set vlans vlan-100 vlan-id 100
set vlans vlan-102 vlan-id 102

Create the access ports

Creating the access ports is just like creating a trunk port, except the port-mode is set to .. yes you guessed it.. ‘access’. So let’s assume we want to set the ports fe-0/0/1 through fe-0/0/7 as access ports with vlan 102.

set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-102

However, this is a lot of typing. With Junos it’s possible to use an interface range configuration. This is somewhat different from Cisco’s IOS or IOS-XE.

To use an interface range, first create an interface range name, for example ‘access-ports’. Members can then be added to the range ‘access-ports’. Next, the properties of the interfaces can be assigned to the range.

This might sound complex, but it’s quite simple and easy to use (and powerful):

set interfaces interface-range access-ports member "fe-0/0/[1-7]"
set interfaces interface-range access-ports unit 0 family ethernet-switching port-mode access
set interfaces interface-range access-ports unit 0 family ethernet-switching vlan members vlan-102

Assign the interfaces to the vlans

In the last step, the interfaces need to be assigned to the vlans. To assign the trunk port and the access ports to vlan 102 we need to do the following:

set vlans vlan-102 interface fe-0/0/0.0
set vlans vlan-102 interface fe-0/0/1.0
set vlans vlan-102 interface fe-0/0/2.0
set vlans vlan-102 interface fe-0/0/3.0
set vlans vlan-102 interface fe-0/0/4.0
set vlans vlan-102 interface fe-0/0/5.0
set vlans vlan-102 interface fe-0/0/6.0
set vlans vlan-102 interface fe-0/0/7.0

Note: the interfaces are added using their unit number, which is 0 here.

The above could be done in one command, simply by using the previously defined interface range ‘access-ports’:

set vlans vlan-102 interface access-ports

When an interface range is used, the trunk port needs to be added as well:

set vlans vlan-102 interface fe-0/0/0.0

At this point the configuration can be committed:

commit

At this point, the layer 2 configuration is complete. The easiest way to check that everything works is to look at the MAC table. The command to do this is:

show ethernet-switching mac-learning-log

If all is well, it shows the learned MAC addresses.
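
An offline check of the layer 2 commands above, as an added example that is not part of the original article: it expands the ‘access-ports’ interface range, resolves each port’s mode and vlan membership, and reports vlan members that have no ‘set vlans’ definition as well as access ports placed in more than one vlan. The helper names expand and audit are hypothetical, the two rules checked are assumptions about what you want to catch before a commit, and the sample configuration is constructed from the commands in this article.

```python
import re
from collections import defaultdict

# Constructed sample: the article's layer 2 commands, interface-range variant.
CONFIG = """\
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members vlan-100
set vlans vlan-100 vlan-id 100
set vlans vlan-102 vlan-id 102
set interfaces interface-range access-ports member "fe-0/0/[1-7]"
set interfaces interface-range access-ports unit 0 family ethernet-switching port-mode access
set interfaces interface-range access-ports unit 0 family ethernet-switching vlan members vlan-102
"""

def expand(member):
    """Expand a range member such as fe-0/0/[1-7] into interface names."""
    m = re.fullmatch(r"(.*)\[(\d+)-(\d+)\]", member)
    if not m:
        return [member]
    return [f"{m.group(1)}{n}" for n in range(int(m.group(2)), int(m.group(3)) + 1)]

def audit(config):
    """Return (ports, findings): resolved per-port settings and problems found."""
    vlans, ranges, pending = {}, defaultdict(list), []
    for line in config.splitlines():
        t = line.replace('"', "").split()
        if t[:2] == ["set", "vlans"] and len(t) == 5 and t[3] == "vlan-id":
            vlans[t[2]] = int(t[4])
        elif t[:3] == ["set", "interfaces", "interface-range"] and t[4] == "member":
            ranges[t[3]] += expand(t[5])
        elif t[:2] == ["set", "interfaces"] and "ethernet-switching" in t:
            is_range = t[2] == "interface-range"
            pending.append((t[3] if is_range else t[2], is_range, t[-2], t[-1]))
    # Apply properties after all range members are known (order-independent).
    ports = defaultdict(lambda: {"mode": None, "vlans": set()})
    for name, is_range, key, value in pending:
        for port in (ranges[name] if is_range else [name]):
            if key == "port-mode":
                ports[port]["mode"] = value
            elif key == "members":
                ports[port]["vlans"].add(value)
    findings, ids = [], set(vlans.values())
    for port, p in sorted(ports.items()):
        for v in sorted(p["vlans"]):
            if v not in vlans and not (v.isdigit() and int(v) in ids):
                findings.append(f"{port}: vlan {v} has no 'set vlans' definition")
        if p["mode"] == "access" and len(p["vlans"]) != 1:
            findings.append(f"{port}: access port must be in exactly one vlan")
    return dict(ports), findings
```

Calling audit(CONFIG) returns the resolved ports and an empty findings list for the configuration in this article; vlan members given by numeric ID are accepted when a vlan with that ID is defined.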

Create a Layer 3 management interface

To manage the SRX, it might be handy to have a management vlan. In this case vlan ID 100 is used.

To add a layer 3 vlan interface, the following configuration is needed:

First create the vlan interface:

set interfaces vlan unit 100 family inet address 10.90.0.14/24

Next the interface can be added to the vlan 100:

set vlans vlan-100 l3-interface vlan.100

To activate the configuration, don’t forget to do a commit:

commit