Juniper SRX300 Layer 2 Issues

I am going to make this as short as possible. I purchased an SRX300 to replace my SRX100 firewall. The one I noticed right out of the box was each interface was in routed interface. Unlike the older branch models (SRX1xy, SRX2xy, etc) the ports were in switching mode.

Also, the JunOS version is at 15.1X49-D45 In my case, I need these ports to do switching and not routing. Therefore, I went ahead and modified my SRX100 config to match the new SRX300. When I commit, the box barked at me stating something along this lines.

from-zone (trust) and to-zone (untrust) must be both L2 or L3 zones.
error: configuration check-out failed

I had no idea what it meant, so I removed my security policies and tried to commit again then I got this. It makes sense because the newer boxes uses irb interfaces now instead of vlan.

error: l3-interface: 'vlan.11': Only IRB interface is supported, e.g. irb.10

I replaced all vlan interfaces with irb interfaces then commit check then I got this.

error: interface-unit: 'irb.11': This interface cannot be configured in a zone
error: statement creation failed: irb.11

At this point, I have no idea what was happening. The box is not letting me to commit. Therefore, I fired up Chrome and went to Juniper release notes page for the 15.1X49-D45 that I currently have. I scrolled down to page 10, the layer 2 features, and found this paragraphs.

Support forenhancedLayer2transparentbridgemodeandswitchingmode—Starting with Junos OS Release 15.1X49-D40, the enhanced Layer 2 transparent bridge mode and switching mode features are supported on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.

Use the set protocols l2-learning global-mode (transparent-bridge | switching) command to switch between the Layer 2 transparent bridge mode and switching mode. After switching the mode, you must reboot the device for the configuration to take effect. The layer 2 protocols supported in switching mode is Link Aggregation Control Protocol (LACP).

• LACP is not supported on SRX300 and SRX320 devices.
• LACP is not supported in transparent bridge mode.

The command set protocols l2-learning global-mode switching is the answer to my problems. However, it does not support LACP. I checked the newer versions’ release notes, and found the newer JunOS version support LACP. I upgraded the SRX300 and used the mentioned command. Everything works.

Oh! Before I forget, the set protocols l2-learning global-mode  will require for you to reboot the SRX.



About networkshinobi

My name is Karlo, I work as a Network Engineer. A little about myself. I started as a PC gamer back when I was in high school. PC gaming became my addiction and pushed me to learn more about computers. Slowly got my some certifications and landed an IT Tier 1 Helpdesk job. This job opened the door for me to work to push further on my certifications and going deeper into the IT world. My goal was to get my Cisco CCIE Routing and Switching, but my journey for CCIE has changed due to I always ended up working on non-Cisco network appliances. Therefore, I have to pivot and decided to jump to the dark side and go with Juniper. Hopefully, I would get my JNCIE in the near future. All the entries/post I made are based on my views, opinion and for educational purposes only. If you see some mistakes, feel free to drop some comments. I would appreciate all the helpful comments. Thanks
This entry was posted in Misc.. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s