Visitor
Posts: 4
Registered: ‎07-13-2017
0 Kudos
Accepted Solution

SRX 320 // No internet access from the trunk port // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

Hello,

I need your help, please.

I have configured one port as trunk and the other ports in access mode. From the trunk port I can only reach the internet from the VLANs that I have configured on the access-mode ports (100, 190, 150); from the other VLANs (155, 160, 165, 170, 175, 180, 185, 200) there is no internet access from the trunk port.

Thanks and regards

JUNOS Software Release [15.1X49-D100.6]

set system services ssh
set system services telnet
set system services xnm-clear-text
set system services dhcp-local-server group Pool_Publico interface irb.200
set system services dhcp-local-server group Pool_Produccion interface irb.150
set system services dhcp-local-server group Pool_Accesos interface irb.155
set system services dhcp-local-server group Pool_Artistas interface irb.160
set system services dhcp-local-server group Pool_Vip interface irb.165
set system services dhcp-local-server group Pool_Backstages interface irb.170
set system services dhcp-local-server group Pool_Patrosinadores interface irb.175
set system services dhcp-local-server group Pool_Streaming interface irb.185
set system services dhcp-local-server group Pool_Camaras interface irb.190
set system services dhcp-local-server group Pool_WT interface irb.100
set system services web-management http interface irb.100
set system services web-management https system-generated-certificate
set system services web-management https interface irb.100
set system services web-management session idle-timeout 60
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server us.ntp.pool.org
set security log mode stream
set security log report
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set Internet from zone TRUST
set security nat source rule-set Internet to zone untrust
set security nat source rule-set Internet rule Interface-Nat match source-address 0.0.0.0/0
set security nat source rule-set Internet rule Interface-Nat then source-nat interface
set security policies from-zone TRUST to-zone untrust policy Internet match source-address any
set security policies from-zone TRUST to-zone untrust policy Internet match destination-address any
set security policies from-zone TRUST to-zone untrust policy Internet match application any
set security policies from-zone TRUST to-zone untrust policy Internet then permit
set security zones security-zone TRUST host-inbound-traffic system-services ping
set security zones security-zone TRUST host-inbound-traffic system-services ssh
set security zones security-zone TRUST host-inbound-traffic system-services http
set security zones security-zone TRUST host-inbound-traffic system-services https
set security zones security-zone TRUST interfaces irb.150 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.150 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces irb.155 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.155 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces irb.160 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.160 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces irb.165 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.165 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces irb.170 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.170 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces irb.175 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.175 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces irb.180 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.180 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces irb.185 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.185 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces irb.190 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.190 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces irb.200 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.200 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces irb.100 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.100 host-inbound-traffic protocols all
set security zones security-zone Internet
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 description *****WAN*****
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.12/24
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.135/24
set interfaces ge-0/0/1 unit 0 description *****TRUNK*****
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Accesos
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Artistas
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Backstages
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Camaras
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members MNGMT
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members PUBLICO
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Patros
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Prensa
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Produccion
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Streaming
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VIP
set interfaces ge-0/0/2 unit 0 description *****PRODUCCION*****
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members Produccion
set interfaces ge-0/0/3 unit 0 description *****CAMARAS*****
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members Camaras
set interfaces ge-0/0/4 gigether-options auto-negotiation
set interfaces ge-0/0/4 unit 0 description *****WATAMBI*****
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members MNGMT
set interfaces ge-0/0/5 unit 0 description *****WATAMBI*****
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members MNGMT
set interfaces irb unit 100 family inet address 192.168.100.1/24
set interfaces irb unit 150 family inet address 192.168.150.1/24
set interfaces irb unit 155 family inet address 192.168.155.1/24
set interfaces irb unit 160 family inet address 192.168.160.1/24
set interfaces irb unit 165 family inet address 192.168.165.1/24
set interfaces irb unit 170 family inet address 192.168.170.1/24
set interfaces irb unit 175 family inet address 192.168.175.1/24
set interfaces irb unit 180 family inet address 192.168.180.1/24
set interfaces irb unit 185 family inet address 192.168.185.1/24
set interfaces irb unit 190 family inet address 192.168.190.1/24
set interfaces irb unit 200 family inet address 172.16.0.1/16
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set protocols l2-learning global-mode switching
set protocols rstp interface all
set access address-assignment pool Pool_WT family inet network 192.168.100.0/24
set access address-assignment pool Pool_WT family inet range Pool_WT low 192.168.100.101
set access address-assignment pool Pool_WT family inet range Pool_WT high 192.168.100.140
set access address-assignment pool Pool_WT family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool Pool_WT family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool Pool_WT family inet dhcp-attributes router 192.168.100.1
set access address-assignment pool Pool_Publico family inet network 172.16.0.0/16
set access address-assignment pool Pool_Publico family inet range Pool_Publico low 172.16.0.30
set access address-assignment pool Pool_Publico family inet range Pool_Publico high 172.16.255.254
set access address-assignment pool Pool_Publico family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool Pool_Publico family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool Pool_Publico family inet dhcp-attributes router 176.16.0.1
set access address-assignment pool Pool_Produccion family inet network 192.168.150.0/24
set access address-assignment pool Pool_Produccion family inet range Pool_Produccion low 192.168.150.30
set access address-assignment pool Pool_Produccion family inet range Pool_Produccion high 192.168.150.254
set access address-assignment pool Pool_Produccion family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool Pool_Produccion family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool Pool_Produccion family inet dhcp-attributes router 192.168.150.1
set access address-assignment pool Pool_Accesos family inet network 192.168.155.0/24
set access address-assignment pool Pool_Accesos family inet range Pool_Accesos low 192.168.155.30
set access address-assignment pool Pool_Accesos family inet range Pool_Accesos high 192.168.155.254
set access address-assignment pool Pool_Accesos family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool Pool_Accesos family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool Pool_Accesos family inet dhcp-attributes router 192.168.155.1
set access address-assignment pool Pool_Artistas family inet network 192.168.160.0/24
set access address-assignment pool Pool_Artistas family inet range Pool_Artistas low 192.168.160.30
set access address-assignment pool Pool_Artistas family inet range Pool_Artistas high 192.168.160.254
set access address-assignment pool Pool_Artistas family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool Pool_Artistas family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool Pool_Artistas family inet dhcp-attributes router 192.168.160.1
set access address-assignment pool Pool_Vip family inet network 192.168.165.0/24
set access address-assignment pool Pool_Vip family inet range Pool_Vip low 192.168.165.30
set access address-assignment pool Pool_Vip family inet range Pool_Vip high 192.168.165.254
set access address-assignment pool Pool_Vip family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool Pool_Vip family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool Pool_Vip family inet dhcp-attributes router 192.168.165.1
set access address-assignment pool Pool_Backstages family inet network 192.168.170.0/24
set access address-assignment pool Pool_Backstages family inet range Pool_Backstages low 192.168.170.30
set access address-assignment pool Pool_Backstages family inet range Pool_Backstages high 192.168.170.254
set access address-assignment pool Pool_Backstages family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool Pool_Backstages family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool Pool_Backstages family inet dhcp-attributes router 192.168.170.1
set access address-assignment pool Pool_Patrocinadores family inet network 192.168.175.0/24
set access address-assignment pool Pool_Patrocinadores family inet range Pool_Patrosinadores low 192.168.175.30
set access address-assignment pool Pool_Patrocinadores family inet range Pool_Patrosinadores high 192.168.175.254
set access address-assignment pool Pool_Patrocinadores family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool Pool_Patrocinadores family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool Pool_Patrocinadores family inet dhcp-attributes router 192.168.175.1
set access address-assignment pool Pool_Prensa family inet network 192.168.180.0/24
set access address-assignment pool Pool_Prensa family inet range Pool_Prensa low 192.168.180.30
set access address-assignment pool Pool_Prensa family inet range Pool_Prensa high 192.168.180.254
set access address-assignment pool Pool_Prensa family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool Pool_Prensa family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool Pool_Prensa family inet dhcp-attributes router 192.168.180.1
set access address-assignment pool Pool_Streaming family inet network 192.168.185.0/24
set access address-assignment pool Pool_Streaming family inet range Pool_Streaming low 192.168.185.30
set access address-assignment pool Pool_Streaming family inet range Pool_Streaming high 192.168.185.254
set access address-assignment pool Pool_Streaming family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool Pool_Streaming family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool Pool_Streaming family inet dhcp-attributes router 192.168.185.1
set access address-assignment pool Pool_Camaras family inet network 192.168.190.0/24
set access address-assignment pool Pool_Camaras family inet range Pool_Camaras low 192.168.190.30
set access address-assignment pool Pool_Camaras family inet range Pool_Camaras high 192.168.190.254
set access address-assignment pool Pool_Camaras family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool Pool_Camaras family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool Pool_Camaras family inet dhcp-attributes router 192.168.190.1
set vlans Accesos vlan-id 155
set vlans Accesos l3-interface irb.155
set vlans Artistas vlan-id 160
set vlans Artistas l3-interface irb.160
set vlans Backstages vlan-id 170
set vlans Backstages l3-interface irb.170
set vlans Camaras vlan-id 190
set vlans Camaras l3-interface irb.190
set vlans MNGMT vlan-id 100
set vlans MNGMT l3-interface irb.100
set vlans PUBLICO vlan-id 200
set vlans PUBLICO l3-interface irb.200
set vlans Patros description PATROCINADORES
set vlans Patros vlan-id 175
set vlans Patros l3-interface irb.175
set vlans Prensa vlan-id 180
set vlans Prensa l3-interface irb.180
set vlans Produccion vlan-id 150
set vlans Produccion l3-interface irb.150
set vlans Streaming vlan-id 185
set vlans Streaming l3-interface irb.185
set vlans VIP vlan-id 165
set vlans VIP l3-interface irb.165
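
The configuration above ties each VLAN to an irb unit, a security zone, a DHCP group and an address pool, so a single mismatched reference is easy to miss among this many statements. The following is an added example, not part of the original post: a Python check that cross-references those statements, run on lines copied from the configuration above (the function name `audit` and the wording of its findings are this example's own).

```python
import ipaddress
import re

# Lines copied from the configuration posted above (a subset, to keep this short).
SAMPLE = """\
set system services dhcp-local-server group Pool_Publico interface irb.200
set system services dhcp-local-server group Pool_WT interface irb.100
set security zones security-zone TRUST interfaces irb.100 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces irb.180 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces irb.200 host-inbound-traffic protocols all
set interfaces irb unit 100 family inet address 192.168.100.1/24
set interfaces irb unit 180 family inet address 192.168.180.1/24
set interfaces irb unit 200 family inet address 172.16.0.1/16
set access address-assignment pool Pool_WT family inet network 192.168.100.0/24
set access address-assignment pool Pool_WT family inet dhcp-attributes router 192.168.100.1
set access address-assignment pool Pool_Publico family inet network 172.16.0.0/16
set access address-assignment pool Pool_Publico family inet dhcp-attributes router 176.16.0.1
set access address-assignment pool Pool_Prensa family inet network 192.168.180.0/24
set access address-assignment pool Pool_Prensa family inet dhcp-attributes router 192.168.180.1
set vlans MNGMT l3-interface irb.100
set vlans Prensa l3-interface irb.180
set vlans PUBLICO l3-interface irb.200
"""

def audit(config):
    """Cross-check irb units, zones, DHCP groups and pools; return findings."""
    grab = lambda pattern: re.findall(pattern, config, re.M)
    irb = {f"irb.{u}": ipaddress.ip_interface(a)
           for u, a in grab(r"^set interfaces irb unit (\d+) family inet address (\S+)")}
    zoned = set(grab(r"^set security zones security-zone \S+ interfaces (irb\.\d+)"))
    dhcp = set(grab(r"^set system services dhcp-local-server group \S+ interface (irb\.\d+)"))
    nets = {p: ipaddress.ip_network(n)
            for p, n in grab(r"^set access address-assignment pool (\S+) family inet network (\S+)")}
    routers = dict(grab(r"^set access address-assignment pool (\S+) family inet dhcp-attributes router (\S+)"))
    findings = []
    for vlan, ifl in grab(r"^set vlans (\S+) l3-interface (irb\.\d+)"):
        if ifl not in irb:
            findings.append(f"{vlan}: {ifl} has no inet address")
        if ifl not in zoned:
            findings.append(f"{vlan}: {ifl} is not bound to a security zone")
    for pool, net in nets.items():
        gw = next((i for i, a in irb.items() if a.network == net), None)
        if gw is None:
            findings.append(f"{pool}: no irb unit is addressed in {net}")
            continue
        if gw not in dhcp:
            findings.append(f"{pool}: {gw} has no dhcp-local-server group")
        router = routers.get(pool)
        if router != str(irb[gw].ip):
            findings.append(f"{pool}: router {router} is not the {gw} address {irb[gw].ip}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On these lines the check reports that Pool_Publico hands out router 176.16.0.1 while irb.200 is addressed 172.16.0.1, and that irb.180 is not listed under any dhcp-local-server group.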

Distinguished Expert
Posts: 2,249
Registered: ‎08-21-2009
0 Kudos

Re: SRX 320 // No internet access from the trunk port // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

Hello there,

atrix wrote:

set protocols rstp interface all

Check if Your ge-0/0/1 is blocked by RSTP.

HTH

Thx
Alex

Distinguished Expert
Posts: 1,937
Registered: ‎06-06-2011
0 Kudos

Re: SRX 320 // No internet access from the trunk port // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

You only have interfaces in those three vlans.

You may also need another security policy to permit traffic from zone trust to-zone trust.
Visitor
Posts: 4
Registered: ‎07-13-2017
0 Kudos

Re: SRX 320 // No internet access from the trunk port // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

Hello, thanks for answering.

I have not seen any block by RSTP. I have removed RSTP, but the problem continues.

delete protocols rstp interface all

regards

Visitor
Posts: 4
Registered: ‎07-13-2017
0 Kudos

Re: SRX 320 // No internet access from the trunk port // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

Hello, thanks for answering.

I have created another security policy to allow traffic from zone trust to-zone trust; the problem is not solved.


set security policies from-zone TRUST to-zone TRUST policy vlans_to_inet match source-address any
set security policies from-zone TRUST to-zone TRUST policy vlans_to_inet match destination-address any
set security policies from-zone TRUST to-zone TRUST policy vlans_to_inet match application any
set security policies from-zone TRUST to-zone TRUST policy vlans_to_inet then permit

regards

Visitor
Posts: 4
Registered: ‎07-13-2017
0 Kudos

Re: SRX 320 // No internet access from the trunk port // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

The problem has been fixed with this:

set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic protocols all