Switching

Hello 

Wondering if anyone can tell me if I'm totally wrong in what I've tried to setup.

I have setup two EX4200 in a virtual chassis. I have one SRX100 facing the internet.

Since the SRX100 only has 100Mbit interfaces I thought, lets aggregate 6 of them into a 600mbit link.

So I took fe-0/0/2 to fe-0/0/7 on the SRX100 and made an aggregated link, I then connected 3 interfaces to the first EX4200 and the next three to the second EX4200. I then created an aggregated link on the EX4200 chassis, with 3 interface from node0 and three from node1.

The ae0 comes correctly up with 600mbit.

As I have three different sones on the SRX100 I've made three different VLAN's and trunked them onto the aggregated link.

There is one cable from one of the EX4200 attached to another Cisco switch with alot of servers on it.

Now for the problem/question:

If I sit on the firewall and try to ping a few adresses assigned to machines connected to the Cisco switch, some of these work, others don't.

If I connect to a machine attached directly to the Cisco switch, all machines will answer pings.

Also, if I'm sitting on the EX4200 pinging, all machines on the Cisco switchs pings.

If I ping from the SRX100 some machines on the Cisco switch does not answer.

I find this abit odd, and I hope someone understood what I tried to outline here, and hopefully have and idea on what I might have done wrong.

Regards
TommyE

Could you share your configuration?

Hello 

Thanks for the quick answer.

I will paste the config later, when I get access to the units 🙂

Regards

Tommy

I think you'll need to create separate AE to connect to SRX Node0 and Node1. You can read the following.

http://forums.juniper.net/t5/SRX-Services-Gateway/AE-interface-as-members-of-RETH-SRX240-cluster/td-p/102352

Did you set the link speed on the lag members to 100mb on the switches? Is the lag a trunk port or just layer 3? If trunk is carrying all the vlans on the CISCO switches? When you say the pings do not work, what do you mean? Do you get an error or just it does sit and fail? If you do >show route to teh destination address you are trying to ping, do you have a route? You really should post the configs and tell us what troubleshooting steps you have taken so far so we do not waste time going over the ones you have tried already? What kind of security polices are on the SRX, do they account for traffic to all the machines on the CISCO?

Hello 

Thanks for the answers.

I will get the config as soon as I can access the units.

To clearify abit around the network.

The Cisco switch that is connected to one of the ports on the fist EX4200 is not on a trunk, it is connected to a port in portmode. This is to get more ports on the LAN

The EX4200 Chassis is there to break the different sones on the firewall into different ports. there is only a Trunk, with the vlan members, between the SRX100 and EX4200. The zones i break out are two dmz's, and LAN. They all goes to each block of physical ports on the EX4200. The SRX100 does the firewalling and routing.

There are a few secuity policies on the SRX100, and at first I thought I had them wrong, but I'm 99.9% sure that is not there, because I can get traficc thru the policies to other hosts, there is some "fishy" things going on here.

When I say ping doesn't work, I mean: from the SRX100, if I ping one of the hosts that does not work,it will not find the host at all. If I do a "show arp", not arp entries for that particular host shows up.

The strange thing for me, is that if I ping the same host from the EX4200 chassis it answers.

Regards

Tommy

on the SRX100 one of the hosts that does not work

>show route to the destination address you are trying to ping, do you have a route?

Can the host ping the SRX

From the SRX ping the host and specify the surce as the trunk interface that connects to the switch.

If it fails from the interface, then check the gateway of the host itself. From the switch ping the gateway on the SRX with the source as the interface that connects to the CISCO

Hello

Here are the config files.

Ip's have been changed to protect the inocent. The interface parts are the ones posted.

Removed all FW stuff, as I'm quite certain the problem is not there.

Regards

TommyE

Attachment(s)

srx100f.txt   6 KB 1 version

ex4200f.txt   11 KB 1 version

I am thinking that you can reach machines in vlan trust but not vlan-DMZ and MobileDMZ? is that correct? I do not see any layer 3 interface associated with those vlans.

    }
}
vlans {
    vlan-DMZ {
        vlan-id 10;
    }
    vlan-MobileDMZ {
        vlan-id 100;
    }
    vlan-Untrust {
        vlan-id 33;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

Hello 

I finally got the chance to look into this problem again.

I could not really understand that there should be any problem with the config I had.

I then put the latest recommended software on both the SRX100 and the EX4200.

This meant downgrading the EX4200 and upgrading one revision on the SRX100.

After I did this, the problem went away, and everything works 100%

Thank for your help.

Regards

Tommy