SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX 300 - How to disable transparent mode

    Posted 08-07-2016 22:50

    Previously we used SRX100 and SRX110 routers.

    Now we have switched to the SRX300 and there are a lot of problems getting our old configs to run on it.

    It seems to boil down to this new transparent mode.

    The router rejects our NAT and insists on these new IRB interfaces or it won't run. Both times informing us that it's in transparent mode.

    How do we get out of this transparent mode and put the router back to the way the SRX100s used to work?

     

     

    Thanks for reading 🙂



  • 2.  RE: SRX 300 - How to disable transparent mode
    Best Answer

    Posted 08-08-2016 00:10

    Hello,

     

     

    You need to use the command "set protocols l2-learning global-mode switching" and then commit and reboot the SRX 300 once to change it from transparent mode to the way the SRX100 used to work.

    Also, on the new SRX 300 the vlan interface is not there; IRB interfaces are used instead. Hence, if you had any vlan interface on the SRX 100, it will be replaced by an IRB interface on the SRX 300.

    You can use the following online converter tool to convert the old configuration to the new supported configuration.

    https://www.juniper.net/customers/support/configtools/elstranslator/index.jsp

    Or you can refer to the example below for your configuration:

     

    root@SRX320-Pro# show interfaces
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members mgmt;
                }
            }
        }
    }
    irb {
        unit 100 {
            family inet {
                address 10.219.33.8/26;
            }
        }
    }

    root@SRX320-Pro# show vlans
    mgmt {
        vlan-id 100;
        l3-interface irb.100;
    }

     

     

    You can also refer to the thread below, which might answer some of your queries related to this new SRX 300.

    https://forums.juniper.net/t5/SRX-Services-Gateway/SRX300-series-VLAN-interface/m-p/292928

     

    Thanks,
    Pulkit Bhandari
    Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too. 🙂

     

     

     



  • 3.  RE: SRX 300 - How to disable transparent mode

    Posted 08-08-2016 03:50

    Thanks mate, I'll give it a try tomorrow.

     

    I knew there must be a command somewhere but couldn't find it online, I think the SRX300s are very new.

     

    The online converter tool unfortunately gives the config as a list of set commands which then stop working about half way through....

     



  • 4.  RE: SRX 300 - How to disable transparent mode

    Posted 08-08-2016 23:32

    Yes, that solution worked

    set protocols l2-learning global-mode switching

    got the router out of transparent mode 🙂

     

     

    However, now we have another problem. We can't ping the interfaces on the router.

     

    I should be able to make my pc 10.0.0.5, connect it to a data port and ping 10.0.0.245

     

     

     

     

    My config:

     


    ## Last commit: 2016-08-09 00:39:56 GMT+10 by root
    version 15.1X49-D50.3;
    system {
        host-name .......;
        time-zone GMT+10;
        root-authentication {
            encrypted-password "blah blah blah"; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            .....
        }
        syslog {
            ......
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        archival {
            .......
        }
        license {
            autoupdate {
                ......
            }
        }
        ntp {
            server 0.oceania.pool.ntp.org;
        }
    }
    security {
        alg {
            sip disable;
            ike-esp-nat {
                enable;
            }
        }
        flow {
            tcp-mss {
                all-tcp {
                    mss 1400;
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        policies {
            from-zone DataNetwork to-zone VoiceNetwork {
                policy data2voice {
                    description "Allows traffic between Data and Voice zones";
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone VoiceNetwork to-zone DataNetwork {
                policy voice2data {
                    description "Allows traffic between Voice and Data zones";
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone DataNetwork {
                description "Data vlan";
                interfaces {
                    irb.1 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone VoiceNetwork {
                description "Voice vlan";
                interfaces {
                    irb.20 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            description "Data Port";
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members default;
                    }
                }
            }
        }
        ge-0/0/1 {
            description "Voice Port";
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members Voice-VLAN;
                    }
                }
            }
        }
        .....
        .....(more of the same).....
        .....
        irb {
            unit 1 {
                description Data;
                family inet {
                    address 10.0.0.245/24;
                }
            }
            unit 20 {
                description Voice;
                family inet {
                    address 10.2.2.1/24;
                }
            }
        }
        vlan {
            unit 1 {
                description Data;
                family inet {
                    address 10.0.0.245/24;
                }
            }
            unit 20 {
                description Voice;
                family inet {
                    address 10.2.2.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.0.0.254;
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
    }
    vlans {
        Voice-VLAN {
            description "Voice Network";
            vlan-id 20;
            l3-interface irb.20;
        }
        default {
            description "Data Network";
            vlan-id 1;
            l3-interface irb.1;
        }
    }

     



  • 5.  RE: SRX 300 - How to disable transparent mode

    Posted 08-09-2016 00:05

    Hello,

     

     

    It was good to hear that the command helped you to do away with the transparent mode on the SRX 300.

    Regarding your other concern, please delete the vlan interfaces, as you have already configured IRB interfaces, and then check if you are able to get the ping working. You can delete the VLAN interfaces using the command "delete interfaces vlan".

     

    If the ping still does not work please share the output of "show interfaces terse" from the SRX.

     

    Thanks,

    Pulkit Bhandari



  • 6.  RE: SRX 300 - How to disable transparent mode

    Posted 08-10-2016 18:01

    I found that if the vlan-id is configured as 1 it will stop the data vlan from pinging the voice vlan, however the voice vlan can still ping the data vlan.

     

    When I changed the vlan-id to 10, it pinged both ways.

     

    interfaces {
        vlan {
            unit 1 {                     ## make it unit 10 and it works
                description Data;
                family inet {
                    address 10.0.0.245/24;
                }
            }
            unit 20 {
                description Voice;
                family inet {
                    address 10.2.2.1/24;
                }
            }
        }
    }
    vlans {
        Voice-VLAN {
            description "Voice Network";
            vlan-id 20;
            l3-interface irb.20;
        }
        default {
            description "Data Network";
            vlan-id 1;                   ## make it vlan-id 10 and it works
            l3-interface irb.1;
        }
    }

     

     

    Must be a bug in the software ?????



  • 7.  RE: SRX 300 - How to disable transparent mode

    Posted 08-11-2016 03:22

    If you have the energy for it, you should probably report this on an official ticket.  This is a pretty obvious bug that should get entered into the PR database and fixed by development.



  • 8.  RE: SRX 300 - How to disable transparent mode

    Posted 08-16-2016 23:21

    Hello,

     

    This is an already reported issue under PR 1190969. Please refer to the link below.

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1190969

     

    It should be solved in the coming releases for this code train.

     

    Hope this Helps 🙂

     

    Thanks,
    Pulkit Bhandari
    Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too. 🙂
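
A pre-commit check for the three things this thread runs into when an SRX100 configuration is moved to an SRX300: switching mode not set, a legacy "interfaces vlan" stanza left beside irb, and a VLAN using vlan-id 1 (plus an l3-interface that points at an undefined irb unit). This is an added example, not code from any poster or from Juniper; the function names, finding codes and the cut-down sample configuration are constructed for illustration.

```python
import re

def parse_junos(text):
    """Parse curly-brace Junos config text into nested dicts (leaf statements map to None)."""
    text = re.sub(r"##.*", "", text)                # drop ## annotations such as SECRET-DATA
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok not in ("{", "}", ";"):
            words.append(tok)                       # still collecting a statement or stanza name
            continue
        name, words = " ".join(words), []
        if tok == "{":                              # open a stanza under the current one
            stack.append(stack[-1].setdefault(name, {}))
        elif tok == ";":                            # end of a leaf statement
            stack[-1][name] = None
        elif len(stack) > 1:                        # "}" closes a stanza; tolerate a stray one
            stack.pop()
    return stack[0]

def lint_migration(text):
    """Return (code, detail) findings for the migration problems raised in the thread."""
    cfg, findings = parse_junos(text), []
    if "global-mode switching" not in cfg.get("protocols", {}).get("l2-learning", {}):
        findings.append(("not-switching-mode", "protocols l2-learning"))
    ifaces = cfg.get("interfaces", {})
    if "vlan" in ifaces and "irb" in ifaces:        # old stanza left beside its IRB replacement
        findings.append(("legacy-vlan-interface", "interfaces vlan"))
    irb_units = {k.split()[1] for k in ifaces.get("irb", {}) if k.startswith("unit ")}
    for name, body in cfg.get("vlans", {}).items():
        for stmt in body or {}:
            if stmt == "vlan-id 1":                 # behaviour reported above on 15.1X49-D50.3
                findings.append(("vlan-id-1", name))
            m = re.fullmatch(r"l3-interface irb\.(\d+)", stmt)
            if m and m.group(1) not in irb_units:   # VLAN points at an undefined irb unit
                findings.append(("missing-irb-unit", f"{name} -> irb.{m.group(1)}"))
    return findings

# Constructed sample, cut down from the configuration posted in the thread;
# irb unit 20 is left out on purpose to trigger the last check.
SAMPLE = """
interfaces {
    irb  { unit 1 { family inet { address 10.0.0.245/24; } } }
    vlan { unit 1 { family inet { address 10.0.0.245/24; } } }
}
protocols { l2-learning { global-mode switching; } }
vlans { default { vlan-id 1; l3-interface irb.1; }
        Voice-VLAN { vlan-id 20; l3-interface irb.20; } }
"""
```

Calling lint_migration(SAMPLE) returns the legacy-vlan-interface, vlan-id-1 and missing-irb-unit findings; an empty list means none of the thread's problems were detected.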