
irb interface not working.

  • 1.  irb interface not working.

    Posted 07-14-2014 04:01

    I have been handed a "working" JunOS configuration for an SRX240 where all physical ports are configured as a layer 2 bridge domain EG (I think this is called?):

    unit 0 {
       family bridge {
          interface-mode access;
          vlan-id 192;
       }
    }
    

     

    This configuration then has an irb interface (shown below) so we can talk to the switch, but this doesn't work?

     

    irb {
       unit 0 {
          family inet {
             address 192.168.20.2/24;
          }
       }
    }

     

    If it helps here is the show version output:

    root@B003VIMNS1# show version
    ## Last changed: 2014-06-25 01:27:24 BST
    version 11.4R7.5;
    

     

    I know this is going to be trivial but I just can't see it. I have opened up all security policies so I know these aren't a problem.

     

    Any suggestions?

     

    Cheers, Tom

     



  • 2.  RE: irb interface not working.

     
    Posted 07-14-2014 04:15

    Do you have the bridge domain configured?

     

    Check this link and see if this helps you:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21421

     

     

     




  • 3.  RE: irb interface not working.

    Posted 07-14-2014 04:30

    Hi Parau,

     

    I can confirm that the domain bridge is set, please see below.

     

    bridge-domains {
        Layer2-VLAN192 {
            domain-type bridge;
            vlan-id 192;
            routing-interface irb.0;
        }
    }
    

     



  • 4.  RE: irb interface not working.

    Posted 07-14-2014 04:25

    Hi,

     

    Can you describe exactly how it is not working?

     

    1- If it is down


     a- the irb.0 interface not assigned to vlan 192

     b- no physical interface is up currently

     

     

    2- if it is up

     

    a- the irb.0 not assigned to security zone

    b- no service is enabled on that zone

     

    I suggest attaching the full configuration of the SRX and describing the problem exactly, with some troubleshooting commands if available (like ping, trace, ...)

     



  • 5.  RE: irb interface not working.

    Posted 07-14-2014 05:01

    Running Configuration:

     

    [edit]
    root@B003VIMNS1# show
    ## Last changed: 2014-07-14 20:40:41 BST
    version 11.4R7.5;
    system {
        host-name SRX240;
        time-zone Europe/London;
        root-authentication {
            encrypted-password 
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface irb.0;
                }
                https {
                    system-generated-certificate;
                    interface irb.0;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode trunk;
                    vlan-id-list 192;
                }
            }
        }
        ge-0/0/1 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode trunk;
                    vlan-id-list 192;
                }
            }
        }
        ge-0/0/2 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/3 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/4 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/5 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/6 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/7 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/8 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/9 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/10 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/11 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/12 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/13 {
            gigether-options {
                auto-negotiation;
                source-address-filter {
                    d4:be:d9:14:9a:74;
                }
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/14 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/15 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    address 192.168.20.2/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        application-firewall;
        flow {
            bridge {
                bypass-non-ip-unicast;
                bpdu-vlan-flooding;
            }
        }
        policies {
            from-zone TRUST to-zone TRUST {
                policy TRUST {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            global {
                policy GLOBAL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone TRUST {
                interfaces {
                    ge-0/0/1.0;
                    ge-0/0/2.0;
                    ge-0/0/3.0;
                    ge-0/0/4.0;
                    ge-0/0/5.0;
                    ge-0/0/6.0;
                    ge-0/0/7.0;
                    ge-0/0/8.0;
                    ge-0/0/9.0;
                    ge-0/0/10.0;
                    ge-0/0/11.0;
                    ge-0/0/12.0;
                    ge-0/0/13.0;
                    ge-0/0/14.0;
                    ge-0/0/15.0;
                    ge-0/0/0.0;
                }
            }
        }
    }
    bridge-domains {
        Layer2-VLAN192 {
            domain-type bridge;
            vlan-id 192;
            routing-interface irb.0;
        }
    }
    

     

     

    irb Interface Status:

     

    root@B003VIMNS1> show interfaces irb
    Physical interface: irb, Enabled, Physical link is Up
      Interface index: 129, SNMP ifIndex: 502
      Type: Ethernet, Link-level type: Ethernet, MTU: 1514
      Device flags   : Present Running
      Interface flags: SNMP-Traps
      Link type      : Full-Duplex
      Link flags     : None
      Current address: 08:81:f4:44:56:58, Hardware address: 08:81:f4:44:56:58
      Last flapped   : Never
        Input packets : 0
        Output packets: 0
    
      Logical interface irb.0 (Index 87) (SNMP ifIndex 548)
        Flags: Hardware-Down SNMP-Traps 0x0 Encapsulation: ENET2
        Bandwidth: 1000mbps
        Routing Instance: None Bridging Domain: None
        Input packets : 0
        Output packets: 0
        Security: Zone: Null
        Protocol inet, MTU: 1514
          Flags: Sendbcast-pkt-to-re, Is-Primary
          Addresses, Flags: Dest-route-down Is-Default Is-Preferred Is-Primary
            Destination: 192.168.20/24, Local: 192.168.20.2,
            Broadcast: 192.168.20.255
    

     

    I have a laptop with IP 192.168.20.1/24 on port ge-0/0/1 that is unable to ping the irb interface and vice-versa.



  • 6.  RE: irb interface not working.

    Posted 07-14-2014 05:39

    Hi,

     

    Now it is clear.

     

    1- interface ge-0/0/1 is configured as trunk, if you configure it as access it will work or you can shift your laptop to ge-0/0/2

     

    2- assign interface irb into TRUST zone

     

    # set security zones security-zone TRUST interfaces irb.0 host-inbound-traffic system-services ping

     

    Regards,
    Mohamed Elhariry
    2* JNCIE (SEC # 159, SP # 1059),JNCIP-ENT




  • 7.  RE: irb interface not working.

    Posted 07-14-2014 06:01

    Hi Mohamed,

     

    The interfaces being set to trunk was a good spot! However, assigning the interface to the TRUST zone failed. Please see below.

     

    [edit]
    root@B003VIMNS1# ...bound-traffic system-services ping
    error: interface-unit: 'irb.0': This interface cannot be configured in a zone
    error: statement creation failed: irb.0
    

     

    Cheers,

         Tom



  • 8.  RE: irb interface not working.

    Posted 07-14-2014 06:13

    Yes, you are correct, it can't be assigned to a zone.

     

    Once you connect your laptop to an access port, it should work.

     

    Please add the following command to allow ping to the irb interface:

     

    # set security zones security-zone TRUST host-inbound-traffic system-services ping

     

    Regards,

    Mohamed Elhariry



  • 9.  RE: irb interface not working.

    Posted 07-14-2014 06:40

    Still can't ping from the laptop to the irb or vice versa.

     

    Running configuration is now:

     

    root@B003VIMNS1# show
    ## Last changed: 2014-07-14 22:14:29 BST
    version 11.4R7.5;
    system {
        host-name B003VIMNS1;
        time-zone Europe/London;
        root-authentication {
            encrypted-password 
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface irb.0;
                }
                https {
                    system-generated-certificate;
                    interface irb.0;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/1 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/2 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/3 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/4 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/5 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/6 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/7 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/8 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/9 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/10 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/11 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/12 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/13 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/14 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        ge-0/0/15 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 192;
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    address 192.168.20.2/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        application-firewall;
        flow {
            bridge {
                bypass-non-ip-unicast;
                bpdu-vlan-flooding;
            }
        }
        policies {
            from-zone TRUST to-zone TRUST {
                policy TRUST {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            global {
                policy GLOBAL {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone TRUST {
                host-inbound-traffic {
                    system-services {
                        ping;
                        telnet;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                    ge-0/0/2.0;
                    ge-0/0/3.0;
                    ge-0/0/4.0;
                    ge-0/0/5.0;
                    ge-0/0/6.0;
                    ge-0/0/7.0;
                    ge-0/0/8.0;
                    ge-0/0/9.0;
                    ge-0/0/10.0;
                    ge-0/0/11.0;
                    ge-0/0/12.0;
                    ge-0/0/13.0;
                    ge-0/0/14.0;
                    ge-0/0/15.0;
                    ge-0/0/0.0;
                }
            }
        }
    }
    bridge-domains {
        Layer2-VLAN192 {
            domain-type bridge;
            vlan-id 192;
            routing-interface irb.0;
        }
    }
    

     

    ge-0/0/1 status is:

     

    root@B003VIMNS1> show interfaces ge-0/0/1
    Physical interface: ge-0/0/1, Enabled, Physical link is Up
      Interface index: 135, SNMP ifIndex: 509
      Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
      BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
      Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
      Remote fault: Online
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Link flags     : None
      CoS queues     : 8 supported, 8 maximum usable queues
      Current address: 08:81:f4:44:55:a9, Hardware address: 08:81:f4:44:55:a9
      Last flapped   : 2014-07-14 21:35:05 BST (00:51:42 ago)
      Input rate     : 0 bps (0 pps)
      Output rate    : 0 bps (0 pps)
      Active alarms  : None
      Active defects : None
      Interface transmit statistics: Disabled
    

     

    irb status is:

     

    root@B003VIMNS1> show interfaces irb
    Physical interface: irb, Enabled, Physical link is Up
      Interface index: 129, SNMP ifIndex: 502
      Type: Ethernet, Link-level type: Ethernet, MTU: 1514
      Device flags   : Present Running
      Interface flags: SNMP-Traps
      Link type      : Full-Duplex
      Link flags     : None
      Current address: 08:81:f4:44:56:58, Hardware address: 08:81:f4:44:56:58
      Last flapped   : Never
        Input packets : 0
        Output packets: 0
    
      Logical interface irb.0 (Index 87) (SNMP ifIndex 548)
        Flags: Hardware-Down SNMP-Traps 0x0 Encapsulation: ENET2
        Bandwidth: 1000mbps
        Routing Instance: None Bridging Domain: None
        Input packets : 0
        Output packets: 0
        Security: Zone: Null
        Protocol inet, MTU: 1514
          Flags: Sendbcast-pkt-to-re, Is-Primary
          Addresses, Flags: Dest-route-down Is-Default Is-Preferred Is-Primary
            Destination: 192.168.20/24, Local: 192.168.20.2,
            Broadcast: 192.168.20.255
    

     

     



  • 10.  RE: irb interface not working.

    Posted 07-14-2014 06:51

    It should work as per the KB

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21421

     

    I tried it before and it was working fine. Not sure why it is not working. For SRX --> laptop, it might be the Windows firewall on the laptop preventing ping, but for laptop --> SRX, no idea.

     

     



  • 11.  RE: irb interface not working.

    Posted 07-14-2014 06:58

    Okay, thanks for your help. I will try to load that configuration up and then, if that works, I will rebuild off that.

     

    Cheers, Tom



  • 12.  RE: irb interface not working.
    Best Answer

    Posted 07-14-2014 07:03

    By the way, did you reboot the SRX after converting from layer-3 to layer-2?

     

     



  • 13.  RE: irb interface not working.

    Posted 07-14-2014 08:19

    Loaded the configuration from the provided link http://kb.juniper.net/InfoCenter/index?page=content&id=KB21421.

     

    Then restarted the device, ensuring the CAT was plugged into ge-0/0/7.

     

    Thanks for everyone's help on this one, it's been driving me mad for days!
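
The checks raised across this thread (irb.0 bound to a bridge domain, host on an access rather than a trunk port, ping allowed as host-inbound traffic, and configured versus running state), as an added Python example that is not part of any post. The sample configuration and `show interfaces irb` text are trimmed, constructed inputs modelled on the posts above, and the finding codes are hypothetical names.

```python
import re

# Constructed, trimmed inputs modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """
interfaces {
    ge-0/0/1 {
        unit 0 {
            family bridge {
                interface-mode trunk;
                vlan-id-list 192;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 192;
            }
        }
    }
}
security {
    zones {
        security-zone TRUST {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}
bridge-domains {
    Layer2-VLAN192 {
        vlan-id 192;
        routing-interface irb.0;
    }
}
"""
SAMPLE_SHOW = "Flags: Hardware-Down SNMP-Traps\nRouting Instance: None Bridging Domain: None\n"

def parse_junos(text):
    """Parse curly-brace Junos configuration text into nested dicts."""
    stack = [{}]
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value.strip() or True
    return stack[0]

def audit(config_text, show_irb_text):
    """Return (code, detail) findings for the checks raised in the thread."""
    cfg, findings = parse_junos(config_text), []
    vlan = next((bd.get("vlan-id") for bd in cfg.get("bridge-domains", {}).values()
                 if bd.get("routing-interface") == "irb.0"), None)
    if vlan is None:
        findings.append(("IRB_UNBOUND", "no bridge domain has routing-interface irb.0"))
    access = set()
    for name, body in cfg.get("interfaces", {}).items():
        bridge = body.get("unit 0", {}).get("family bridge", {})
        if bridge.get("interface-mode") == "trunk":
            findings.append(("TRUNK_PORT", name))  # post 6: plug hosts into an access port
        elif bridge.get("interface-mode") == "access" and bridge.get("vlan-id") == vlan:
            access.add(name + ".0")
    for zname, zone in cfg.get("security", {}).get("zones", {}).items():
        services = zone.get("host-inbound-traffic", {}).get("system-services", {})
        if access & set(zone.get("interfaces", {})) and "ping" not in services:
            findings.append(("NO_PING", zname))
    if vlan is not None and re.search(r"Bridging Domain:\s*None", show_irb_text):
        findings.append(("NOT_ACTIVE", "irb.0 configured but unbound"))  # thread: reboot
    return findings
```

A `NOT_ACTIVE` finding matches the state shown in posts 5 and 9, where the bridge domain names irb.0 in the configuration but the interface output still reports `Bridging Domain: None`.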