SRX Services Gateway
Visitor
Posts: 4
Registered: ‎05-04-2016
0 Kudos
Accepted Solution

SRX240 Need Help with vlan Routing

I am new to the SRX and I am having problems routing between VLANs, and I hope someone can help.

This is a picture of my configuration:

[image: firewall test setup drawing.jpg]

I am trying to route traffic between vlan.10 and vlan.800 (between zones trust and untrust).

From 192.168.100.2 I cannot ping any address on the 10.1.8.0 network, and from 10.1.8.71 I cannot ping any address on the 192.168.100.0 network. From the SRX240 I can ping everything.

Here is the configuration that I am using:

root@dpr-fw> show configuration 
## Last commit: 2017-01-14 00:05:23 UTC by root
version 12.3X48-D35.7;
system {
    host-name dpr-fw;
    root-authentication {
        encrypted-password "."; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.300;
            }
            https {
                system-generated-certificate;
                interface vlan.300;
            }
        }
    }                                   
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    screen {                            
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {   
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust { 
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;                
                }
            }
            interfaces {
                vlan.800 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            inactive: screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;                
                }
            }
            interfaces {
                vlan.10 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone fw-manage {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }                       
            }
            interfaces {
                vlan.300;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members utility;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-untrust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-untrust;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }                               
    }
    vlan {
        unit 10 {
            family inet {
                address 192.168.100.88/24;
            }
        }
        unit 300 {
            family inet {
                address 10.1.3.88/24;
            }
        }
        unit 800 {
            family inet {
                address 10.1.8.88/24;
            }
        }
    }
}
protocols {
    igmp {
        interface all;
    }                                   
    stp;
    igmp-snooping {
        vlan all;
    }
}
vlans {
    utility {
        vlan-id 300;
        l3-interface vlan.300;
    }
    vlan-trust {
        vlan-id 800;
        l3-interface vlan.800;
    }
    vlan-untrust {
        vlan-id 10;
        l3-interface vlan.10;
    }
}

 

If anybody can help me figure out what is wrong I would appreciate it.
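Editor's note on the configuration above (an added example, not the poster's config or a reply from the thread): once the routing problem is solved, this policy set is effectively an open router. `default-policy permit-all`, any/any/any permits in both directions between trust and untrust, `host-inbound-traffic system-services all` on the untrust zone (so the 192.168.100.0/24 VLAN can reach every management service on the SRX), the `untrust-screen` profile left `inactive:`, and `xnm-clear-text` (unencrypted XML-RPC management) enabled are all settings you would not want on a gateway that fronts a VLAN you have named "untrust". The set/delete commands below tighten those settings while keeping the inter-VLAN reachability the poster wanted. The policy names, the choice to allow only ping from untrust into trust, and the commit comment are assumptions; lines beginning with `#` are commentary for the reader, not CLI input.

```junos
# Editor's added example, not the poster's configuration.
# Policy names (untrust-ping, untrust-deny) are assumptions.

# 1. Fail closed: any traffic not matched by an explicit policy is dropped.
set security policies default-policy deny-all

# 2. Replace the any/any/any permit from untrust into trust. Return traffic for
#    sessions opened from trust is handled by the stateful flow table, so an
#    untrust->trust permit is only needed for services untrust hosts must reach.
#    Here that is ICMP ping only, logged; everything else is denied and logged.
delete security policies from-zone untrust to-zone trust policy untrust-to-trust
set security policies from-zone untrust to-zone trust policy untrust-ping match source-address any
set security policies from-zone untrust to-zone trust policy untrust-ping match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-ping match application junos-ping
set security policies from-zone untrust to-zone trust policy untrust-ping then permit
set security policies from-zone untrust to-zone trust policy untrust-ping then log session-close
set security policies from-zone untrust to-zone trust policy untrust-deny match source-address any
set security policies from-zone untrust to-zone trust policy untrust-deny match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-deny match application any
set security policies from-zone untrust to-zone trust policy untrust-deny then deny
set security policies from-zone untrust to-zone trust policy untrust-deny then log session-init

# 3. Stop exposing every SRX management service to the untrust VLAN. Keep ping
#    for troubleshooting; management already lives on vlan.300 in zone fw-manage.
delete security zones security-zone untrust host-inbound-traffic
delete security zones security-zone untrust interfaces vlan.10 host-inbound-traffic
set security zones security-zone untrust host-inbound-traffic system-services ping

# 4. The screen profile is configured but marked inactive; switch it on.
activate security zones security-zone untrust screen

# 5. Drop clear-text XML-RPC management; ssh and https stay enabled.
delete system services xnm-clear-text

commit check
commit comment "tighten untrust policies and host-inbound services"
```

The trust-to-trust policy is left in place so intrazone traffic keeps working once the default policy is deny-all. If untrust hosts need more than ping into trust, add a policy per service above `untrust-deny` rather than widening `untrust-ping`.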
Distinguished Expert
Posts: 649
Registered: ‎06-22-2011
0 Kudos

Re: SRX240 Need Help with vlan Routing

Run a flow traceoptions capture to see how the traffic is being handled.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110
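As an added example (editor's addition, not part of the reply or of KB16110's own text): a flow traceoptions configuration scoped with packet filters to the two hosts named in the original post, so the trace shows per packet how the SRX handles the flow (ingress interface and zone, route lookup, policy lookup, and the reason for a drop) without flooding the log. The log file name and the two filter names are assumptions; lines beginning with `#` are commentary, not CLI input.

```junos
# Editor's added example for the 192.168.100.2 <-> 10.1.8.71 path.
# File name (flow-trace) and filter names (pf-fwd, pf-rev) are assumptions.
set security flow traceoptions file flow-trace
set security flow traceoptions file size 1m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath

# One filter per direction. A packet-filter matches only what it lists, so
# without the reverse filter you would see only half of the exchange.
set security flow traceoptions packet-filter pf-fwd source-prefix 192.168.100.2/32
set security flow traceoptions packet-filter pf-fwd destination-prefix 10.1.8.71/32
set security flow traceoptions packet-filter pf-rev source-prefix 10.1.8.71/32
set security flow traceoptions packet-filter pf-rev destination-prefix 192.168.100.2/32
commit

# Reproduce the failing ping from 192.168.100.2, then read the trace:
run show log flow-trace

# Remove the trace when finished; basic-datapath tracing is expensive on a busy box.
deactivate security flow traceoptions
commit
```

One reading of the result is worth spelling out: if the log stays empty while the ping is running, the packets never reached the SRX's flow module at all, which points at the hosts (default gateway, ARP) or the switch path rather than at zones or policies. A wrong default gateway on the host, which is what this thread turned out to be, produces exactly that empty trace.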

Super Contributor
Posts: 202
Registered: ‎07-18-2012
0 Kudos

Re: SRX240 Need Help with vlan Routing

Hi Folks,

This example shows how to set up a new zone and add three application servers to that zone. Then you provide communication between a host (PC) in the trust zone to the servers in the newly created zone and also facilitate communication between two servers within the zone.

 

To meet this requirement, you need an interzone security policy to allow traffic between two zones and an intrazone policy to allow traffic between servers within a zone.

 

http://www.juniper.net/documentation/en_US/junos15.1x49/topics/example/security-srx-device-zone-and-...

-Python
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Recognized Expert
Posts: 336
Registered: ‎01-18-2010
0 Kudos

Re: SRX240 Need Help with vlan Routing

Are all of your hosts using x.x.x.88 as their gateways?

Visitor
Posts: 4
Registered: ‎05-04-2016
0 Kudos

Re: SRX240 Need Help with vlan Routing

That was the problem. I had the gateway on each box pointed to the interface as the next-hop.  Once I changed the routing table to point the next-hop to the routable vlan interface on the SRX I could ping in both directions.  That was a stupid mistake!  Thanks so much for the help!

Recognized Expert
Posts: 336
Registered: ‎01-18-2010
0 Kudos

Re: SRX240 Need Help with vlan Routing

👍

New User
Posts: 1
Registered: ‎06-26-2017
0 Kudos

Re: SRX240 Need Help with vlan Routing

Hi Folks,

 

I'm fairly new to Juniper devices and I'm having an issue with inter-VLAN routing on an SRX650 cluster.

I've already read a few topics regarding routing issues on SRX devices, but it seems not to be working as expected.

I'm almost sure there is a silly mistake in my configuration.

 

Background:

We have a cluster of SRX650s connected with two uplinks back to a Cisco CAT3850.
JUNOS Software Release [12.1X44-D35.5]

 

The following interfaces are merged into the redundant interface reth2:

 

set interfaces ge-2/0/2 gigether-options redundant-parent reth2
set interfaces ge-2/0/6 gigether-options redundant-parent reth2
set interfaces ge-11/0/2 gigether-options redundant-parent reth2
set interfaces ge-11/0/6 gigether-options redundant-parent reth2

 

On the interface reth2 we have the following configuration:

 

set interfaces reth2 vlan-tagging
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 3 vlan-id 3
set interfaces reth2 unit 3 family inet address 10.32.1.254/24
set interfaces reth2 unit 43 vlan-id 43
set interfaces reth2 unit 43 family inet address 10.32.43.254/24

...
set interfaces reth2 unit 222 vlan-id 222
set interfaces reth2 unit 222 family inet address 10.32.222.254/24

 

Problem description

e.g. from PC A (VLAN 43: 10.32.43.123) I can't ping PC B (VLAN 222: 10.32.222.35).

FYI, I can ping both devices within their subnets, so there is no issue with ICMP.

 

pzatorski@srx> ping 10.32.43.123 source 10.32.222.254
PING 10.32.43.123 (10.32.43.123): 56 data bytes
^C
--- 10.32.43.123 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss

 

The gateways are pingable:

pzatorski@srx> ping 10.32.43.254 source 10.32.222.254
PING 10.32.43.254 (10.32.43.254): 56 data bytes
64 bytes from 10.32.43.254: icmp_seq=0 ttl=64 time=0.972 ms

 

pzatorski@srx> show route | match 10.32.222.
10.32.222.0/24     *[Direct/0] 1d 10:36:33
10.32.222.254/32   *[Local/0] 1d 10:36:33

{primary:node0}
pzatorski@srx> show route | match 10.32.43.
10.32.43.0/24      *[Direct/0] 1d 10:36:36
10.32.43.254/32    *[Local/0] 1d 10:36:36

 

pzatorski@srx> show arp | match 10.32.43.123
00:50:56:82:59:e4 10.32.43.123    02v00114 veeam reth2.43            none

{primary:node0}
pzatorski@srx> show arp | match 10.32.222.35
00:50:56:88:00:1c 10.32.222.35    02v00107 reth2.222           none

 

reth2.43                up    up   inet     10.32.43.254/24

reth2.222                up    up   inet     10.32.222.254/24

 

From the security side I've attached zones to both interfaces (reth2.43 and reth2.222):

set security zones security-zone management-v43 interfaces reth2.43 host-inbound-traffic system-services all
set security zones security-zone management-v43 interfaces reth2.43 host-inbound-traffic protocols all

set security zones security-zone admin-v222 interfaces reth2.222 host-inbound-traffic system-services all
set security zones security-zone admin-v222 interfaces reth2.222 host-inbound-traffic protocols all

 

I've configured bi-directional policies as well:

set security policies from-zone management-v43 to-zone admin-v222 policy 4 match source-address any
set security policies from-zone management-v43 to-zone admin-v222 policy 4 match destination-address any
set security policies from-zone management-v43 to-zone admin-v222 policy 4 match application any
set security policies from-zone management-v43 to-zone admin-v222 policy 4 then permit
set security policies from-zone admin-v222 to-zone management-v43 policy 5 match source-address any
set security policies from-zone admin-v222 to-zone management-v43 policy 5 match destination-address any
set security policies from-zone admin-v222 to-zone management-v43 policy 5 match application any
set security policies from-zone admin-v222 to-zone management-v43 policy 5 then permit

 

On the switch side the uplink interfaces are set to mode trunk.

Your help is greatly appreciated!

Many thanks!

Patryk

Trusted Contributor
Posts: 54
Registered: ‎03-11-2011
0 Kudos

Re: SRX240 Need Help with vlan Routing

Hi Patryk,

Are the uplinks on the C3850 configured as EtherChannels?
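The question above points at a real requirement, shown here as an editor's added example (not part of the reply, and not a confirmed diagnosis of Patryk's cluster). reth2 has two member ports on each node (ge-2/0/2 and ge-2/0/6 on node0, ge-11/0/2 and ge-11/0/6 on node1). When a reth has more than one child link per node, the switch ports facing each node must be bundled into one port-channel (one for node0's pair, another for node1's), and running LACP on the reth lets the bundle state be negotiated rather than assumed. Otherwise the switch learns the reth MAC on two unbundled ports and return traffic can land on a link the SRX is not forwarding on. Two further points a practitioner would check: pinging 10.32.43.254 from source 10.32.222.254 never leaves the SRX, since both addresses are its own, so it proves nothing about the switch path; and the ping from 10.32.222.254 to a host only succeeds if that host routes 10.32.222.0/24 back via 10.32.43.254 and does not firewall off-subnet ICMP. The `periodic fast` and `minimum-links` values are assumptions; lines beginning with `#` are commentary, not CLI input.

```junos
# Editor's added example, not from the thread. Values are assumptions.
# SRX side: negotiate the two child links per node as one LACP bundle.
set interfaces reth2 redundant-ether-options lacp active
set interfaces reth2 redundant-ether-options lacp periodic fast
set interfaces reth2 redundant-ether-options minimum-links 1
commit

# Verification (run from configuration mode, or drop the "run" prefix in
# operational mode):
run show chassis cluster interfaces      # reth2 children and their status per node
run show lacp interfaces reth2           # each node's two children should be collecting/distributing
run show interfaces reth2 terse          # reth2.43 and reth2.222 must be up/up

# Differential test for the host path. The first ping stays inside VLAN 43,
# so it exercises ARP and the bundle but not inter-VLAN routing; the second
# is the one that failed in the post and additionally needs the host's
# return route and host firewall to allow it. Same-subnet OK plus
# cross-subnet failing points at the host, not at the SRX.
run ping 10.32.43.123 source 10.32.43.254 count 3
run ping 10.32.43.123 source 10.32.222.254 count 3
```

On the Catalyst side, the two ports facing node0 go into one port-channel with `channel-group <n> mode active` and node1's two ports into a separate port-channel, both trunking the VLANs carried on reth2; the port-channel numbers are whatever the switch administrator assigns.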