
I've got a Juniper SRX210 only using 2 ports

Model: srx210he-poe

JUNOS Software Release [11.4R2.14]

WAN

ge-0/0/0                up    up  
ge-0/0/0.0              up    up   inet     192.168.10.4/24

LAN

ge-0/0/1                up    up  
ge-0/0/1.0              up    up   eth-switch

vlan                    up    up  
vlan.0                  up    up   inet     192.168.1.1/24 

I would like to add internal routable ip space on 3 VLANs

VLAN 101 - 192.168.70.1/24
VLAN 102 - 10.10.0.1/24
VLAN 103 - 10.10.10.1/24

My desktop is on 192.168.1.22. I would like to be able to reach these three VLANs from my desktop, as I have servers and storage deployed in the above-mentioned IP space. I've read a variety of docs on virtual routers and creating routable subnets, but none seem to cut it for this configuration, or I'm simply not getting it. I also don't want to use the other 6 interfaces, as they are only 10/100.

It's for an OpenStack lab deployment in a branch office, which requires tagged VLANs. The problem arises because this particular device only has 2 GigE ports: one is the gateway WAN, the other is the port connected to the Extreme Summit 400-48T. So I really only have 1 usable port to trunk to the Summit, and I need 3 tagged VLANs (101, 102, 103); however, I can't seem to accommodate it. From everything I've read and tried on virtual routers, trunk ports and VLANs, nothing seems to accomplish what I'm doing, and OpenStack needs the tagged VLANs to work. The environment is simple, I would think.

Hoping to achieve

ge-0/0/1                up    up  
ge-0/0/1.0              up    up   eth-switch

vlan                    up    up  
vlan.0                  up    up   inet     192.168.1.1/24
vlan.101 - 192.168.0.1/24
vlan.102 - 10.10.0.1/24
vlan.103 - 172.16.10.1/24
Scott

1 Answer


I'm not going to give the exact commands here, just the principles on what you need to accomplish, and things you need to understand.

  • Are you REALLY using VLANs? How? On a switch? Multiple IPs on a single interface on your desktop?

  • This is a firewall; unless you've downgraded to JunOS 9.x, you may need to make firewall policy adjustments and NAT adjustments.

  • You can give vlan.0 multiple IP addresses; if this is what you're doing elsewhere, yeah, that'll work.

  • It would probably be best to create more VLANs and turn your port into a trunk; the device connected to the other end would have to accommodate VLAN tags, though.

Describe your setup more clearly, and I will give you a more specific answer.

Now the edits:

Step 1: Define the VLANs (Layer 2 Configuration)

set vlans vlan101 vlan-id 101 description mytexthere
set vlans vlan102 vlan-id 102 description mytexthere
set vlans vlan103 vlan-id 103 description mytexthere

Step 2: Define the L3 interfaces for said vlans

set interfaces vlan unit 101 family inet address 192.168.70.1/24
set interfaces vlan unit 102 family inet address 10.10.0.1/24
set interfaces vlan unit 103 family inet address 172.16.10.1/24

Bind each routed VLAN interface (RVI) to its Layer 2 VLAN; without this the vlan.10x units have no VLAN to sit on (the same way the default config binds vlan.0 with l3-interface):

set vlans vlan101 l3-interface vlan.101
set vlans vlan102 l3-interface vlan.102
set vlans vlan103 l3-interface vlan.103

Step 3: Assign the L3 interfaces to a security zone

set security zones security-zone trust interfaces vlan.101
set security zones security-zone trust interfaces vlan.102
set security zones security-zone trust interfaces vlan.103

Step 4: Make sure that there is a policy that permits intra-zone traffic

set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit

Step 5: Configure the port trunk, and tag the other VLANs to it

The LAN port in the question is ge-0/0/1 (ge-0/0/0 is the WAN interface and runs family inet, not ethernet-switching). The port must be put into trunk mode for the tags to be sent; keep its existing membership in the default VLAN so vlan.0 (192.168.1.1) still works:

set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan101
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan102
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan103
SpacemanSpiff
  • If you need these three VLANs to be separated from each other, then you would place them into separate security zones. You may also have to adjust outbound NAT; not sure how the default config works anymore. – SpacemanSpiff May 13 '15 at 20:57
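The five steps above, plus the per-VLAN-zone layout suggested in the comment, as an added example that is not code from the question or the answer. It generates the Junos set commands from a VLAN table and refuses to emit anything if a VLAN id is invalid or a subnet overlaps another VLAN, vlan.0 or the WAN address (the question's two address lists disagree, which is exactly the kind of slip this catches). The VLAN ids, the first list's addresses, the LAN port ge-0/0/1 and the zone name `trust` come from the thread; the zone names `os-mgmt`/`os-data`/`os-storage`, the policy names and the `ping` host-inbound service are assumptions made for illustration.

```python
"""Generate and sanity-check Junos (SRX branch, 11.x syntax) set commands
for routed VLANs carried on a single trunk port.

Added example, not from the question or answer author. Zone names, policy
names and the 'ping' host-inbound service are assumptions for illustration.
"""
import ipaddress

# Constructed VLAN table: (vlan-id, gateway address, security zone).
# Addresses are those in the question's first list.
VLANS = [
    (101, "192.168.70.1/24", "os-mgmt"),
    (102, "10.10.0.1/24", "os-data"),
    (103, "10.10.10.1/24", "os-storage"),
]
TRUNK_PORT = "ge-0/0/1"                            # the LAN GigE port
EXISTING = ["192.168.1.1/24", "192.168.10.4/24"]   # vlan.0 and the WAN address


def check_vlans(vlans, existing=EXISTING):
    """Return a list of problems; an empty list means the table is usable."""
    problems = []
    seen = set()
    nets = [ipaddress.ip_interface(a).network for a in existing]
    for vid, addr, _zone in vlans:
        if not 1 <= vid <= 4094:
            problems.append(f"vlan {vid}: id out of 802.1Q range")
        if vid in seen:
            problems.append(f"vlan {vid}: duplicate id")
        seen.add(vid)
        net = ipaddress.ip_interface(addr).network
        for other in nets:
            if net.overlaps(other):
                problems.append(f"vlan {vid}: {net} overlaps {other}")
        nets.append(net)
    return problems


def junos_set_commands(vlans, trunk_port=TRUNK_PORT, separate_zones=True):
    """Build the set commands for the VLAN table.

    separate_zones=True puts each VLAN in its own zone with an explicit
    trust->zone permit, so VLANs cannot talk to each other unless a policy
    allows it.  separate_zones=False reproduces the answer's flat layout:
    everything in 'trust' with one intra-zone permit.
    """
    problems = check_vlans(vlans)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [f"set interfaces {trunk_port} unit 0 family ethernet-switching port-mode trunk"]
    for vid, addr, zone in vlans:
        name, rvi = f"vlan{vid}", f"vlan.{vid}"
        zone = zone if separate_zones else "trust"
        cmds += [
            f"set vlans {name} vlan-id {vid}",
            f"set vlans {name} l3-interface {rvi}",   # bind L2 VLAN to its RVI
            f"set interfaces vlan unit {vid} family inet address {addr}",
            f"set interfaces {trunk_port} unit 0 family ethernet-switching vlan members {name}",
            f"set security zones security-zone {zone} interfaces {rvi}",
            f"set security zones security-zone {zone} host-inbound-traffic system-services ping",
        ]
        if separate_zones:
            pol = f"set security policies from-zone trust to-zone {zone} policy desktop-to-{name}"
            cmds += [f"{pol} match source-address any",
                     f"{pol} match destination-address any",
                     f"{pol} match application any",
                     f"{pol} then permit"]
    if not separate_zones:
        pol = "set security policies from-zone trust to-zone trust policy default-permit"
        cmds += [f"{pol} match source-address any",
                 f"{pol} match destination-address any",
                 f"{pol} match application any",
                 f"{pol} then permit"]
    return list(dict.fromkeys(cmds))   # drop repeats, keep order


if __name__ == "__main__":
    for line in junos_set_commands(VLANS):
        print(line)
```

Paste the output into `configure` mode and `commit check` before `commit`; the generator deliberately emits no NAT or from-zone rules toward the Internet, so outbound NAT for the new subnets still has to be reviewed as the comment notes.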