SRX Services Gateway
Visitor
dfairchild
Posts: 3
Registered: ‎01-07-2010

EX4200 VC and SRX650 in HA Cluster VLANs do not work.

Hello smart people,

 

First of all, this is a new install; I updated everything to 10.4.r1 per Juniper's suggestion.

 

 

I followed the Juniper articles to set this up.

I have the ex4200 in a virtual chassis.

I have the srx650 in an HA cluster.

 

 

Here are the configs.

 

EX4200 configs

version 10.4R1.9;
system {
    host-name MDC-DMZ-SW1;
    root-authentication {
        encrypted-password bJwKXaK.O48rs; ## SECRET-DATA
    }
    services {
        ssh {
            protocol-version v2;
        }
        netconf {
            ssh;
        }
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 8;
        }
    }
}
interfaces {
    interface-range Switchports {
        member-range ge-4/0/0 to ge-4/0/47;
    }
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-1/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-1/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-1/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members LTM;
                }
            }
        }
    }
    ge-1/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-1/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ 1000 1001 ];
                }
            }
        }
    }
    ge-1/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-1/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-1/0/24 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ LTM LTM-PCI ];
                }
                native-vlan-id 502;
            }
        }
    }
    ge-1/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-1/0/45 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-1/0/46 {
        ether-options {
            802.3ad ae1;
        }
    }
    ge-1/0/47 {
        ether-options {
            802.3ad ae1;
        }
    }
    ge-3/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-3/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-3/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members LTM;
                }
            }
        }
    }
    ge-3/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-3/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ 1000 1001 ];
                }
            }
        }
    }
    ge-3/0/24 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ LTM LTM-PCI ];
                }
                native-vlan-id 502;
            }
        }
    }
    ge-3/0/45 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-3/0/46 {
        ether-options {
            802.3ad ae1;
        }
    }
    ge-3/0/47 {
        ether-options {
            802.3ad ae1;
        }
    }
    ae0 {
        aggregated-ether-options {
            link-speed 1g;
        }
        unit 0 {
            family ethernet-switching;
        }
    }
    ae1 {
        aggregated-ether-options {
            minimum-links 2;
            link-speed 1g;
        }
        unit 0 {
            family ethernet-switching;
        }
    }
    ae2 {
        aggregated-ether-options {
            link-speed 1g;
        }
        unit 0 {
            family ethernet-switching;
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.251.2.112/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.251.2.254;
    }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    stp {
        bridge-priority 24k;
    }
    rstp {
        disable;
    }
    mstp {
        disable;
        bridge-priority 24k;
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    storm-control {
        interface all;
    }
}
vlans {
    DMZ {
        vlan-id 1000;
        interface {
            ge-1/0/25.0;
            ge-3/0/4.0;
        }
    }
    LTM {
        vlan-id 502;
        interface {
            ge-1/0/2.0;
            ge-1/0/24.0;
            ge-3/0/24.0;
            ge-3/0/2.0;
            ge-1/0/0.0;
            ge-1/0/1.0;
            ge-1/0/3.0;
            ge-1/0/4.0;
            ge-1/0/5.0;
            ge-1/0/6.0;
            ge-3/0/3.0;
            ge-3/0/1.0;
            ge-3/0/0.0;
        }
    }
    LTM-PCI {
        vlan-id 503;
    }
    Server {
        vlan-id 1001;
        interface {
            ge-1/0/4.0;
            ge-3/0/4.0;
        }
    }
    core {
        vlan-id 4;
        interface {
            ae1.0;
        }
    }
    untrust {
        vlan-id 500;
        interface {
            ae0.0;
        }
    }
}
poe {
    interface all;
}
virtual-chassis {
    member 1 {
        mastership-priority 255;
    }
    member 3 {
        mastership-priority 200;
    }
}

SRX650 configs

 

version 10.4R1.9;
groups {
    node0 {
        system {
            host-name MDC-DMZ-FW1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.251.2.102/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name MDC-DMZ-FW2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.251.2.102/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "$1$m6mZ/jPj$qAaxd2A2ZvVOvmuJd8W3X0"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    cluster {
        reth-count 10;
        node 0; ## Warning: 'node' is deprecated
        node 1; ## Warning: 'node' is deprecated
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            interface-monitor {
                ge-2/0/0 weight 255;
                ge-11/0/0 weight 255;
                ge-2/0/1 weight 255;
                ge-11/0/1 weight 255;
                ge-2/0/2 weight 255;
                ge-11/0/2 weight 255;
                ge-2/0/3 weight 255;
                ge-11/0/3 weight 255;
                ge-2/0/4 weight 255;
                ge-11/0/4 weight 255;
                ge-2/0/5 weight 255;
                ge-11/0/5 weight 255;
                ge-2/0/6 weight 255;
                ge-11/0/6 weight 255;
            }
        }
    }
}
interfaces {
    ge-2/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-2/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-2/0/2 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-2/0/3 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-2/0/4 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    ge-2/0/5 {
        gigether-options {
            redundant-parent reth5;
        }
    }
    ge-2/0/6 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    ge-11/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-11/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-11/0/2 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-11/0/3 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-11/0/4 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    ge-11/0/5 {
        gigether-options {
            redundant-parent reth5;
        }
    }
    ge-11/0/6 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-9/0/2;
            }
        }
    }
    reth0 {
        description "Firewall DMZ to Internet Connection";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            vlan-id 500;
            family inet {
                address 192.168.67.6/29;
            }
        }
    }
    reth1 {
        description "Firewall DMZ to Core connection";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            vlan-id 4;
            family inet {
                address 10.251.4.1/24;
            }
        }
    }
    reth2 {
        description "LTM connection to firewall";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            vlan-id 502;
            family inet {
                address 192.168.67.17/29;
            }
        }
    }
    reth3 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            vlan-id 503;
            family inet {
                address 192.168.67.30/29;
            }
        }
    }
    reth4 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            vlan-id 504;
            family inet {
                address 10.0.0.1/29;
            }
        }
    }
    reth5 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            vlan-id 505;
            family inet {
                address 10.0.0.9/29;
            }
        }
    }
    reth6 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            vlan-id 506;
            family inet {
                address 10.0.0.17/29;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.251.2.254;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                reth0.0;
            }
        }
        security-zone core {
            interfaces {
                reth1.0;
            }
        }
        security-zone ltm {
            interfaces {
                reth2.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone ltm-pci {
            interfaces {
                reth3.0;
            }
        }
        security-zone trust {
            interfaces {
                reth4.0;
                reth5.0;
                reth6.0;
            }
        }
    }
    policies {
        from-zone ltm to-zone ltm {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
routing-instances {
    BDN-vFW {
        description "Bulk Data Network virtual firewall, BDN";
    }
    EXT-vFW {
        description "External Virtual Firewall, LTM, LTM PCI, Untrust, DMZ";
        instance-type virtual-router;
        interface reth2.0;
    }
    INT-vFW {
        description "Internal Virtual Firewall, Core";
    }
    PCI-DMZ-vFW {
        description "DMZ PCI Virtual firewall, LTM-PCI";
    }
    PCI-vFW {
        description "PCI Virtual firewall, PCI";
    }
    VEND-vFW {
        description "Vendor Virtual firewall, Vendor";
    }
}

 

 

The problem is this: the firewall cannot reach any of the devices on VLAN 502. The devices on the VLAN can see and ping each other, so it seems the problem is with ports ge-1/0/2 and ge-3/0/2 on the EX4200 or with the SRX650 config; I'm not sure which.

 

Any help or guidance is appreciated. I have opened a ticket with Juniper, but so far nothing has come of it. We even hired a consultant to do all this for us; he seems really knowledgeable and is baffled by why this is not working.

 

Thanks!!

 

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: EX4200 VC and SRX650 in HA Cluster VLANs do not work.

You have the ports set to access mode (untagged) on your EX4200, and tagged on the SRX reth2 interface.

 

Also, you seem to be double-defining VLAN membership on your EX4200.  I recommend choosing one method or the other -- define VLAN membership under the VLAN stanza of the config (the way I usually do it), or define VLAN membership at the interface level.  Doing it in both places can get real confusing real fast.

 

But, I think the problem you're having is because you have untagged ports on your EX going to tagged ports on your SRX.  Change one side or the other.

 

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
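As an added illustration of the two points in this reply (example code written for this page, not Juniper's tooling and not from any poster): a small Python script that parses brace-style Junos configuration text like the excerpts posted above and flags, first, every EX port that sends a VLAN untagged while an SRX reth unit with vlan-tagging expects that VLAN tagged, and second, every port whose VLAN membership is declared both under the vlans stanza and at the interface. It assumes the layout seen in the thread's configs (port-mode, vlan members and native-vlan-id under family ethernet-switching on the EX; vlan-tagging plus a per-unit vlan-id on the SRX reth interfaces); the two embedded configs are constructed, abridged excerpts of the thread's.

```python
# Added example for this thread (not Juniper's code, not the posters' own): a parser for the
# Junos brace-style config text posted above, plus two checks drawn from keithr's reply.
import re

def parse_junos(text):
    """Nested dicts: 'a b {' opens a child keyed 'a b'; 'a b;' is a leaf keyed 'a b' (value None)."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"##[^\n]*", "", text)):  # drop ## comments
        if tok == "{":
            stack[-1][" ".join(words)] = node = {}
            stack.append(node)
        elif tok == ";":
            stack[-1][" ".join(words)] = None
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
            continue
        words = []
    return stack[0]

def _value(node, prefix):
    """Remainder of the first leaf key starting with prefix ('vlan-id 502' -> '502'), else None."""
    return next((k[len(prefix):] for k in node if k.startswith(prefix)), None)

def ex_ports(cfg):
    """EX interface -> (port-mode, VLANs named at the interface, native-vlan-id or None)."""
    out = {}
    for ifname, body in cfg.get("interfaces", {}).items():
        unit = body.get("unit 0") or {}
        if "family ethernet-switching" not in unit:
            continue
        eth = unit["family ethernet-switching"] or {}   # bare leaf = default access port, no VLANs named
        members = (_value(eth.get("vlan") or {}, "members ") or "").strip("[] ").split()
        native = _value(eth, "native-vlan-id ")
        out[ifname] = (_value(eth, "port-mode ") or "access", set(members), native and int(native))
    return out

def ex_vlan_carriers(cfg):
    """vlan-id -> {port: 'tagged' | 'untagged'}, merging the 'vlans' stanza with per-interface
    members. Access ports and a trunk's native VLAN send untagged; other trunk members 802.1Q-tag."""
    ports, by_name, pairs = ex_ports(cfg), {}, []
    for name, body in cfg.get("vlans", {}).items():
        vid = _value(body, "vlan-id ")
        if vid is None:                                  # a VLAN with no id carries nothing
            continue
        by_name[name] = vid = int(vid)
        pairs += [(vid, k.split(".")[0]) for k in (body.get("interface") or {})]
    for port, (_mode, members, _native) in ports.items():
        pairs += [(by_name.get(m, int(m) if m.isdigit() else None), port) for m in members]
    carriers = {}
    for vid, port in pairs:
        mode, _members, native = ports.get(port, ("access", set(), None))
        if vid is not None:
            carriers.setdefault(vid, {})[port] = "untagged" if mode == "access" or native == vid else "tagged"
    return carriers

def srx_tagged_units(cfg):
    """'rethN.U' -> VLAN id the unit expects 802.1Q-tagged; units without vlan-tagging are skipped."""
    return {f"{ifname}.{key[5:]}": int(_value(unit, "vlan-id "))
            for ifname, body in cfg.get("interfaces", {}).items() if "vlan-tagging" in body
            for key, unit in body.items() if key.startswith("unit ") and _value(unit, "vlan-id ")}

def check_tagging(ex_cfg, srx_cfg):
    """keithr's main point: an SRX unit expects a VLAN tagged while EX ports send it untagged
    (every such port is listed; the operator knows which one actually faces the SRX)."""
    carriers = ex_vlan_carriers(parse_junos(ex_cfg))
    return [f"{unit} expects VLAN {vid} tagged; EX port {port} sends it untagged"
            for unit, vid in sorted(srx_tagged_units(parse_junos(srx_cfg)).items())
            for port, how in sorted(carriers.get(vid, {}).items()) if how == "untagged"]

def check_double_membership(ex_cfg):
    """keithr's second point: ports whose membership is set both under 'vlans' and at the interface."""
    cfg = parse_junos(ex_cfg)
    ports = ex_ports(cfg)
    return sorted((k.split(".")[0], name) for name, body in cfg.get("vlans", {}).items()
                  for k in body.get("interface") or {}
                  if {name, _value(body, "vlan-id ")} & ports.get(k.split(".")[0], ("", set(), None))[1])

# Constructed, abridged excerpts of the thread's EX4200 and SRX650 configs (same layout, fewer ports).
EX_CONFIG = """
interfaces {
    ge-1/0/0 { unit 0 { family ethernet-switching; } }
    ge-1/0/2 { unit 0 { family ethernet-switching { port-mode access; vlan { members LTM; } } } }
    ge-1/0/4 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [ 1000 1001 ]; } } } }
    ge-1/0/24 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [ LTM LTM-PCI ]; } native-vlan-id 502; } } }
    ge-3/0/2 { unit 0 { family ethernet-switching { port-mode access; vlan { members LTM; } } } }
}
vlans {
    LTM { vlan-id 502; interface { ge-1/0/0.0; ge-1/0/2.0; ge-1/0/24.0; ge-3/0/2.0; } }
    LTM-PCI { vlan-id 503; }
    Server { vlan-id 1001; interface { ge-1/0/4.0; } }
}
"""
SRX_CONFIG = """
interfaces {
    reth2 { description "LTM connection to firewall"; vlan-tagging; unit 0 { vlan-id 502; family inet { address 192.168.67.17/29; } } }
}
"""
```

Run `check_tagging(EX_CONFIG, SRX_CONFIG)` and `check_double_membership(EX_CONFIG)` on the full configs from the thread (pasted in place of the excerpts) and both of keithr's findings fall out: reth2.0 wants VLAN 502 tagged, but every EX port carrying 502 is either an access port or a trunk whose native VLAN is 502, so nothing arrives tagged; and several ports are members of LTM both in the vlans stanza and via `members` at the interface. The trunk-with-native-VLAN case is the one worth remembering: ge-1/0/24 is a trunk, yet it still sends 502 untagged.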
Visitor
hexidecimal
Posts: 1
Registered: ‎02-17-2011

Re: EX4200 VC and SRX650 in HA Cluster VLANs do not work.


Did you ever resolve this issue? Since you have so many access ports assigned to VLAN 502, I can only assume that you plan on putting more than 6 hosts on that subnet. Looking at the configuration on the SRX, it looks like you gave that subnet a /29. Was that intentional?
