I figured it out after checking /var/log/messages and seeing this:

rpd[1712]: WARNING: Ethernet-switching interface fe-0/0/0.0 detected in the routing instance 'priv-blah' configuration. This configuration will cause traffic to be dropped

I forgot this would happen and set up a new security zone called l2-priv-blah and allowed full communication between it and trust-priv-blah in the security policies, then removed fe-0/0/0 from the trust-priv-blah security zone and the priv-blah routing instance. Worked great.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.it.mtu.edu/

On Tue, Dec 20, 2016 at 1:43 PM, Matt Freitag <mlfre...@mtu.edu> wrote:

> All, I have an SRX100B on Junos 12.1X46-D40.2. It's configured as a remote
> end of a site-to-site VPN. The site-to-site VPN works fine as verified by
> show security ike security-associations.
>
> I'm having trouble with a layer 3 VLAN interface in a separate routing
> instance from the normal one. The interface is named vlan.224.
>
> "show vlans" shows no physical interfaces in VLAN 224 even though
> fe-0/0/0.0 is a configured member of the VLAN.
>
> The layer 3 interface won't advertise its presence to the rest of the
> network through OSPF because the logical interface is down because there
> aren't any interfaces assigned to the VLAN.
>
> Even though there are interfaces assigned to the VLAN, why does it think
> there are no interfaces assigned to the VLAN?
>
> I already have a ticket with TAC and reached out to my SE but wondered if
> the community has any insights or suggestions. I have a hunch that this is
> happening because the sort of thing I'm trying is not allowed.
>
> Thank you for your time.
>
> Here is a brief config snippet illustrating how interfaces and VLANs
> should be set up and the output of "show interfaces vlan terse" and "show
> vlans":
>
> interfaces {
>     fe-0/0/0 {
>         unit 0 {
>             family ethernet-switching {
>                 port-mode access;
>                 vlan {
>                     members vlan0224;
>                 }
>             }
>         }
>     }
>     vlan {
>         unit 224 {
>             family inet {
>                 address priv-network/22;
>             }
>         }
>     }
> }
> vlans {
>     vlan0224 {
>         vlan-id 224;
>         interface {
>             fe-0/0/0.0;
>         }
>         l3-interface vlan.224;
>     }
> }
>
> mlfreita@srx> show interfaces vlan terse
> Interface               Admin Link Proto    Local                 Remote
> vlan                    up    up
> vlan.224                up    down inet     priv-network/22
>
> mlfreita@srx> show vlans
> Name           Tag     Interfaces
> default        1
>                        None
> vlan0224       224
>                        None

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
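
Added example, not part of the thread or of any Juniper tooling: a small Python audit that flags the condition named in the rpd warning above (a unit with family ethernet-switching listed under a routing instance) before commit, and pulls the same pair out of syslog text. It assumes the configuration is supplied in "display set" form; the sample config, the 10.224.0.1/22 address and all function names are constructed for illustration, and interface ranges or configuration groups are not expanded.

```python
import re

# Constructed "display set" style input using the thread's names; the address is a placeholder.
BEFORE = """\
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members vlan0224
set interfaces vlan unit 224 family inet address 10.224.0.1/22
set vlans vlan0224 vlan-id 224
set vlans vlan0224 l3-interface vlan.224
set routing-instances priv-blah interface fe-0/0/0.0
set routing-instances priv-blah interface vlan.224
"""
# Same config after the fix described in the reply: fe-0/0/0.0 leaves the instance.
AFTER = BEFORE.replace("set routing-instances priv-blah interface fe-0/0/0.0\n", "")
# Log line as quoted in the reply.
LOG = ("rpd[1712]: WARNING: Ethernet-switching interface fe-0/0/0.0 detected in the "
       "routing instance 'priv-blah' configuration. This configuration will cause "
       "traffic to be dropped")

SWITCHED = re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching\b")
RI_MEMBER = re.compile(r"^set routing-instances (\S+) interface (\S+)")
RPD_WARNING = re.compile(r"WARNING: Ethernet-switching interface (\S+) detected in "
                         r"the routing instance '([^']+)' configuration")

def switched_units(config):
    """Logical interfaces (name.unit) that carry family ethernet-switching."""
    hits = (SWITCHED.match(line.strip()) for line in config.splitlines())
    return {f"{m.group(1)}.{m.group(2)}" for m in hits if m}

def audit(config):
    """(instance, interface) pairs where a switched unit is listed in a routing instance."""
    layer2 = switched_units(config)
    members = (RI_MEMBER.match(line.strip()) for line in config.splitlines())
    return sorted({(m.group(1), m.group(2)) for m in members if m and m.group(2) in layer2})

def warnings_in_log(text):
    """(instance, interface) pairs reported by the rpd warning in syslog text."""
    return sorted({(m.group(2), m.group(1)) for m in RPD_WARNING.finditer(text)})

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
    print("log:   ", warnings_in_log(LOG))
```

The layer 3 interface vlan.224 stays in the routing instance in both cases; only the switched unit is flagged.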