SRX

Hi Guys,

I am from cisco world and i am little bit confused about router on stick and switch trunk on juniper.

 

I have one switch EX3200 Series for local VLAN and router SRX220  as router on stick to connect to WAN.

I have 2 vlans configured on  EX3200 Series and link between on EX3200 to SRX220 is trunk and all vlan are permitted. the link on SRX220 to EX3200 is configured as vlan tag and each vlan l3 ip add

I conf vlan on   EX3200 with their vlan id and l3 ip @.

My probleme is , cant ping any ip on router and even ip in the same vlan, however ping between vlan on switch ok.

I read some infornations about that but nothing is clear.

 

Link between  EX3200  and  SRX220 on switch EX3200  is trunk or not if it's how to configure it?

 

enclosed with the config 

 

Thanks for help, and quick action very appreciate.

 

Hi

You'll need to configure the ge-0/0/0.10 & ge-0/0/0.90 in security zones and configure security policies between the zones to allow the traffic. Note that even if they are in the same zone, you'll still need to configure a security policy i.e. from-zone trust to-zone trust.

Hope this helps.

thank you your answer

Do have any idee how to do that because when even i tried to config

 

edit interfaces ge-0/0/0 unit 0 family inet

set add ip @

 

commit check i have that message : HA Management cannot be configured

 

it's possible to disable the firewall completely ?

 

Thank you

        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;

configure the ge-0/0/0.10 & ge-0/0/0.90 on Router on stick or my switch ??

i don't have these interfaces  neither on EX3200 nor SRX220.

Please

Thank you

Is this a standalone SRX or a chassis cluster?  If this is supposed to be a standalone device, check if it is configured as part of a cluster by running the show chassis cluster status command and if it is, run the set chassis cluster cluster-id 0 node 0 reboot command to disbale the cluster and reboot the device.  Once this is done you should not see this error.

 

To configure the interface as part of  security zone, you'll need to do this under the edit security zones hierarchy i.e. set security zones security-zone trust interface ge-0/0/0.10.

 

If you require no security functionality whatsoever for this particular area of your network, you would be better off investing in a branch level router rather than an SRX device.

Hi

thank for your help. i can now conf interface inet and add vlan inter to trust but ping was still timeout.

Finaly i did :

 

delete security

set security forwarding-options family mpls mode packet-based

 

(from some comment SRX220 is by default a firewall - meaning "flow-based forwarding)

 

Now i can ping all

Thank

---

delete security

set security forwarding-options family mpls mode packet-based

---

I just wan't to give a huge thank you for this. I've be working with Cisco devices for a while, and I figured I would pick up some Juniper and HPE units to try out some inter-brand configurations. I bought an HP A-MSR20-12-T and had a router-on-a-stick config with one of my cisco switches up in about 15 minutes, with never having used an HP router before. Now the JSRX-210H I've been trying to do the same thing for about a week unitl I came across this thread. Thank you thank you and thank you again. I don't understand why something so simple was such a pain to figure out.