Routing

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  My route is rejected

    Posted 10-28-2013 11:35

    I am trying to add a new VLAN, "vlan57", to my J2320 router. I believe I completed the configuration, but am unable to ping the virtual interface on the router or get through the router to the connected switch.

     

    J2320 ------- port mode trunk ae0 ------- EX4200 ------- end device

    Vlan57:    192.168.57.1        192.168.57.2        192.168.57.5/24
    Vlan52:    192.168.52.1        192.168.52.3        192.168.52.14/22

     

    When I ping the virtual interface on the router, it returns "Destination net unreachable".

    When I ping the virtual interface on the switch from a different subnet, I get TTL exceeded limit.

    If I ping from a server to the switch on the same subnet, I get ICMP reply messages.

    If I ping from a server to the router I get "Destination net unreachable".

    If I look at the router's ARP table I do not see an entry for my switch 57.2 or my server 57.5

     

    Yes, I realize I am setting up router on a stick when I could just use the EX4200 for routing between VLANs. Stupid, I know, but the so-called senior network guy here is not the brightest. So, good network design aside, I still need to fix the routing issue. I have set up other VLANs on the same router that worked just fine in the past; however, I don't know what is different this time. While troubleshooting this I found that my routing table shows the route is rejected. I then double-checked my security settings, and as far as I can tell those are correct as well. Below are some outputs from my router. I am troubleshooting vlan57, 192.168.57.1/24.

     

    JUNOS Software Release [12.1R2.9]

     

    root@# run show route
    inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    0.0.0.0/0          *[Static/5] 2d 16:12:38
                        > to 192.168.32.1 via ge-0/0/0.0
    192.168.32.0/24    *[Direct/0] 2d 16:12:38
                        > via ge-0/0/0.0
    192.168.32.4/32    *[Local/0] 2d 16:12:41
                          Local via ge-0/0/0.0
    192.168.36.0/24    *[Direct/0] 2d 16:12:31
                        > via ge-1/0/0.0
    192.168.36.1/32    *[Local/0] 2d 16:12:35
                          Local via ge-1/0/0.0
    192.168.40.0/22    *[Direct/0] 2d 16:12:29
                        > via vlan.40
    192.168.40.1/32    *[Local/0] 2d 16:12:49
                          Local via vlan.40
    192.168.44.0/22    *[Direct/0] 2d 16:12:29
                        > via vlan.44
    192.168.44.1/32    *[Local/0] 2d 16:12:49
                          Local via vlan.44
    192.168.52.0/22    *[Direct/0] 2d 16:12:29
                        > via vlan.52
    192.168.52.1/32    *[Local/0] 2d 16:12:49
                          Local via vlan.52
    192.168.56.0/24    *[Direct/0] 2d 16:12:32
                        > via ge-1/0/1.0
    192.168.56.1/32    *[Local/0] 2d 16:12:35
                          Local via ge-1/0/1.0
    192.168.57.1/32    *[Local/0] 2d 16:12:35
                          Reject                                        < I don't know why this route is being rejected?



    root@# run show interfaces vlan terse
    Interface               Admin Link Proto    Local                 Remote
    vlan                    up    up
    vlan.5                  up    down inet     192.168.60.1/24
    vlan.40                 up    up   inet     192.168.40.1/22
    vlan.44                 up    up   inet     192.168.44.1/22
    vlan.52                 up    up   inet     192.168.52.1/22
    vlan.57                 up    up   inet                                   < I don't know why the IP for this isn't showing up?
    vlan.58                 up    down inet

    root@# show interfaces vlan
    ...
    unit 57 {
        family inet {
            address 192.168.57.1/24;

    root@# show vlans
    ...
    vlan57 {
        vlan-id 57;
        l3-interface vlan.57;

    root@# show interfaces ae0
    aggregated-ether-options {
        minimum-links 2;
        link-speed 1g;
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ vlan40 vlan44 vlan52 vlan57 ];
            }
        }
    }

    root@> show security zones
    Security zone: trust
      Send reset for non-SYN session TCP packets: On
      Policy configurable: Yes
      Interfaces bound: 14
      Interfaces:
        ae0.0
        ge-0/0/0.0
        ge-1/0/0.0
        ge-1/0/1.0
        ge-1/0/2.0
        ge-1/0/3.0
        ge-1/0/4.0
        ge-1/0/5.0
        vlan.40
        vlan.44
        vlan.5
        vlan.52
        vlan.57
       
    root@# show security zones security-zone trust
    tcp-rst;
    interfaces {

    ...
    vlan.57 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
                protocols {
                    ospf;
                }
            }
        }

    root@> show security policies
    Default policy: deny-all
    From zone: trust, To zone: trust
      Policy: default-permit, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit
    From zone: trust, To zone: untrust
      Policy: default-permit, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit
    From zone: untrust, To zone: trust
      Policy: default-deny, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: deny

     

    Any ideas?

    Thanks for your help

    Peter

    JNCIA, CCENT



  • 2.  RE: My route is rejected

    Posted 10-28-2013 15:26

    Did you try "commit full"? A quick look doesn't show me anything wrong or missing in the configuration.



  • 3.  RE: My route is rejected

    Posted 10-29-2013 08:25

    Hi Screenie,

     

    Thanks for looking at my problem; however, the commit full did not have any effect.

     

    Peter



  • 4.  RE: My route is rejected

    Posted 10-29-2013 15:30

    Strange, strange, strange.

    If you don't get it fixed before, would you be willing to send me the config (best in private message) so I can load it on an SRX in my lab Friday? I don't have switches at home and not at the office before Friday. It's so basic, it should just work!

     

    PS I also don't have J-series, but I do have a couple of SRX-es. The config should work there.



  • 5.  RE: My route is rejected

    Posted 10-29-2013 15:46
    Is the ae0 interface up?


  • 6.  RE: My route is rejected

    Posted 10-30-2013 06:06

    Hi hidayetkutulmus,

     

    ae0 is up and I have 3 VLANs that are running across that interface.

    root@# run show interfaces terse
    Interface               Admin Link Proto    Local                 Remote

    ge-1/0/6.0              up    up   aenet    --> ae0.0
    ge-1/0/7                up    up
    ge-1/0/7.0              up    up   aenet    --> ae0.0
    ae0                     up    up
    ae0.0                   up    up   eth-switch

     

    Also, yesterday I added ge-0/0/3.0 with an inet address of 192.168.37.1/30. At first I was able to ping this address and it showed correctly in my routing table. I then went to set up the IP on a firewall I was connecting to that port. By the time I did that, I could no longer ping the new 192.168.37.1 address. Also, the route in the table had switched to saying rejected as well.

     

    Thank you

    Peter



  • 7.  RE: My route is rejected
    Best Answer

    Posted 10-30-2013 06:15

    I think I just figured it out. It appears I had an IP conflict on my router. The 192.168.57.1/24 address I was configuring on the VLAN was already configured on an unused physical interface. Once I removed the IP from the physical interface, I can now ping my subinterface. I still can't reach the switch, but that is another issue I will be looking at now that I have this one fixed.

     

    Thank you all for your help.
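
An added example, not part of the original thread: a Python check for the root cause named in the best answer, the same inet address configured on two interfaces of one router. It assumes the configuration has been exported with `show configuration | display set`; the sample input is constructed, and `ge-0/0/9` is a hypothetical stand-in for the unused physical interface, which the thread does not name.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in "display set" form. The vlan.52 and vlan.57 addresses
# come from the thread; ge-0/0/9 is a hypothetical placeholder interface.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.168.32.4/24
set interfaces ge-0/0/9 unit 0 family inet address 192.168.57.1/24
set interfaces vlan unit 52 family inet address 192.168.52.1/22
set interfaces vlan unit 57 family inet address 192.168.57.1/24
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)")


def parse_inet_addresses(config_text):
    """Return [(logical_interface, IPv4Interface), ...] from set-format lines."""
    found = []
    for line in config_text.splitlines():
        m = ADDR_RE.match(line.strip())
        if not m:
            continue
        ifd, unit, addr = m.groups()
        try:
            found.append((f"{ifd}.{unit}", ipaddress.ip_interface(addr)))
        except ValueError:
            continue  # skip malformed addresses instead of aborting the audit
    return found


def find_conflicts(entries):
    """Return (duplicate host addresses, overlapping subnets) across interfaces."""
    by_ip = defaultdict(list)
    for ifl, iface in entries:
        by_ip[iface.ip].append(ifl)
    duplicates = {str(ip): sorted(ifls) for ip, ifls in by_ip.items() if len(ifls) > 1}

    overlaps = []
    for i, (ifl_a, a) in enumerate(entries):
        for ifl_b, b in entries[i + 1:]:
            if ifl_a != ifl_b and a.network.overlaps(b.network):
                overlaps.append((ifl_a, str(a.network), ifl_b, str(b.network)))
    return duplicates, overlaps


if __name__ == "__main__":
    dups, laps = find_conflicts(parse_inet_addresses(SAMPLE_CONFIG))
    for ip, ifls in dups.items():
        print(f"duplicate address {ip} on: {', '.join(ifls)}")
    for ifl_a, net_a, ifl_b, net_b in laps:
        print(f"overlapping subnets: {ifl_a} {net_a} <-> {ifl_b} {net_b}")
```

Running a check like this before committing a new VLAN interface flags the overlap even when the other interface is down or unused.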