
vSRX vlan-tagging or irb not working

Hi Guys,

I am configuring an interface with vlan-tagging and traffic is not passing through on vSRX 15.1X49 - D70.3

Please see attachments

Same behavior with IRB interface and ethernet-switching

Any ideas why?

Thanks !


Re: vSRX vlan-tagging or irb not working

Hi,

Have you tried putting this interface in any zone with host-inbound-traffic accordingly?

Thanks,

Vikas


Re: vSRX vlan-tagging or irb not working

Hi,

Yes, I did. The problem is still there.

It's weird that the same setup works fine on physical SRX but not on vSRX.

Has anyone experienced this issue?

Thanks,

Alex.


Re: vSRX vlan-tagging or irb not working

Maybe the feature is not supported in the vSRX?

https://www.juniper.net/documentation/en_US/vsrx15.1x49/topics/concept/security-vsrx-feature-support...

Can you provide a sanitized output of the configuration?

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

Re: vSRX vlan-tagging or irb not working

Please find below the config...

set version 15.1X49-D80.4
set system host-name test-vSRX
set system services ssh
set system services dhcp-local-server group JDHCP interface irb.88
set security flow traceoptions file nodhcptrace
set security flow traceoptions file size 1m
set security flow traceoptions file files 2
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter outgoing source-prefix 10.3.88.1/24
set security nat source rule-set lan-to-untrust from zone LAN
set security nat source rule-set lan-to-untrust to zone UNTRUST
set security nat source rule-set lan-to-untrust rule source-nat-lan match source-address 10.3.80.0/24
set security nat source rule-set lan-to-untrust rule source-nat-lan then source-nat interface
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 native-vlan-id 89
set interfaces ge-0/0/1 unit 0 vlan-id 89
set interfaces ge-0/0/1 unit 0 family inet address 10.3.89.1/24
set interfaces ge-0/0/1 unit 88 vlan-id 88
set interfaces ge-0/0/1 unit 88 family inet address 10.3.88.1/24
set access address-assignment pool pool-subnet88 family inet network 10.3.88.0/24
set access address-assignment pool pool-subnet88 family inet range range-subnet88 low 10.3.88.50
set access address-assignment pool pool-subnet88 family inet range range-subnet88 high 10.3.88.80
set access address-assignment pool pool-subnet88 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool pool-subnet88 family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool pool-subnet88 family inet dhcp-attributes router 10.3.88.1
set access address-assignment pool pool-subnet88 family inet dhcp-attributes option 3 ip-address 10.3.88.1

Thanks !
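
As an added example (not written by any poster in this thread), the Python sketch below cross-checks a Junos set-format configuration like the one posted above. It reports logical units bound to no security zone, zones with no interfaces, and DHCP server references to interfaces that are not defined; the function name audit and the finding labels are hypothetical, and CONFIG is an excerpt of the posted configuration.

```python
import re

# Excerpt of the configuration posted above (same statements, trimmed).
CONFIG = """\
set system services dhcp-local-server group JDHCP interface irb.88
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 unit 0 vlan-id 89
set interfaces ge-0/0/1 unit 0 family inet address 10.3.89.1/24
set interfaces ge-0/0/1 unit 88 vlan-id 88
set interfaces ge-0/0/1 unit 88 family inet address 10.3.88.1/24
"""

def audit(config):
    """Return (finding, name) tuples for cross-reference gaps in a set-format config."""
    units = set()        # logical interfaces that are defined, e.g. ge-0/0/1.88
    zones = set()        # every security zone that is mentioned
    zoned = {}           # logical interface -> zone it is bound to
    referenced = set()   # interfaces named by the DHCP local server
    for line in config.splitlines():
        m = re.match(r"set interfaces (\S+) unit (\d+)\b", line)
        if m:
            units.add(f"{m[1]}.{m[2]}")
        m = re.match(r"set security zones security-zone (\S+)(?: interfaces (\S+))?", line)
        if m:
            zones.add(m[1])
            if m[2]:
                zoned[m[2]] = m[1]
        m = re.match(r"set system services dhcp-local-server group \S+ interface (\S+)", line)
        if m:
            referenced.add(m[1])
    findings = []
    # A logical unit outside every security zone is not evaluated by zone policy.
    findings += [("no-zone", ifl) for ifl in sorted(units - zoned.keys())]
    # A zone with host-inbound-traffic settings but no member interface has no effect.
    findings += [("empty-zone", z) for z in sorted(zones - set(zoned.values()))]
    # A service bound to an interface that is never defined cannot answer on it.
    findings += [("undefined-interface", i) for i in sorted(referenced - units)]
    return findings

if __name__ == "__main__":
    for kind, name in audit(CONFIG):
        print(f"{kind}: {name}")
```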


Re: vSRX vlan-tagging or irb not working

How is the port-group configured on your hypervisor? On VMware you have to define a port-group with vlan-id 4095 to allow tagged traffic. I'm not sure that it supports native-vlan mapping.

Please note that ethernet-switching and IRBs are not supported on vSRX - so using vlan-tagging on ge-0/0/0 or ge-0/0/1 is the right approach.

Example from my test-setup via a vSRX running 15.1x49-d75:

vmware-vsrx.PNG

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)

Re: vSRX vlan-tagging or irb not working

Hello,

Can you share the topology? I want to see how you are connecting your vSRX ge-0/0/1.88 interface to adjacent vswitch or external switch.

Is vSwitch or Distributed switch connected to vSRX enabled for Virtual Guest tagging (where vSRX i.e. VM and external switch or other VM understand vlan tagging and the vSwitch/dvswitch just passes them)?

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=10038...

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=10042...

Regards,

Rushi