Visitor
Posts: 3
Registered: ‎11-26-2014
0 Kudos

vSRX vlan-tagging or irb not working

Hi Guys,

I am configuring an interface with vlan-tagging and traffic is not passing through on vSRX 15.1X49 - D70.3

Please see attachments

Same behavior of IRB interface and ethernet-switching

Any ideas why?

Thanks!

Trusted Contributor
Posts: 120
Registered: ‎03-31-2016
0 Kudos

Re: vSRX vlan-tagging or irb not working

Hi,

Have you tried putting this interface in any zone with host-inbound-traffic accordingly?

Thanks,

Vikas

Visitor
Posts: 3
Registered: ‎11-26-2014
0 Kudos

Re: vSRX vlan-tagging or irb not working

Hi,

Yes, I did. The problem is still there.

It's weird that the same setup works fine on physical SRX but not on vSRX

Has anyone experienced this issue?

Thanks,

Alex.

Distinguished Expert
Posts: 1,760
Registered: ‎06-06-2011
0 Kudos

Re: vSRX vlan-tagging or irb not working


Maybe the feature is not supported in the vSRX?

https://www.juniper.net/documentation/en_US/vsrx15.1x49/topics/concept/security-vsrx-feature-support...

Can you provide a sanitized output of the configuration?

Visitor
Posts: 3
Registered: ‎11-26-2014
0 Kudos

Re: vSRX vlan-tagging or irb not working

Please find below the config...

set version 15.1X49-D80.4
set system host-name test-vSRX
set system services ssh
set system services dhcp-local-server group JDHCP interface irb.88
set security flow traceoptions file nodhcptrace
set security flow traceoptions file size 1m
set security flow traceoptions file files 2
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter outgoing source-prefix 10.3.88.1/24
set security nat source rule-set lan-to-untrust from zone LAN
set security nat source rule-set lan-to-untrust to zone UNTRUST
set security nat source rule-set lan-to-untrust rule source-nat-lan match source-address 10.3.80.0/24
set security nat source rule-set lan-to-untrust rule source-nat-lan then source-nat interface
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 native-vlan-id 89
set interfaces ge-0/0/1 unit 0 vlan-id 89
set interfaces ge-0/0/1 unit 0 family inet address 10.3.89.1/24
set interfaces ge-0/0/1 unit 88 vlan-id 88
set interfaces ge-0/0/1 unit 88 family inet address 10.3.88.1/24
set access address-assignment pool pool-subnet88 family inet network 10.3.88.0/24
set access address-assignment pool pool-subnet88 family inet range range-subnet88 low 10.3.88.50
set access address-assignment pool pool-subnet88 family inet range range-subnet88 high 10.3.88.80
set access address-assignment pool pool-subnet88 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool pool-subnet88 family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool pool-subnet88 family inet dhcp-attributes router 10.3.88.1
set access address-assignment pool pool-subnet88 family inet dhcp-attributes option 3 ip-address 10.3.88.1

 

Thanks!

Recognized Expert
Posts: 172
Registered: ‎01-06-2016
0 Kudos

Re: vSRX vlan-tagging or irb not working

How is the port-group configured on your hypervisor? On VMware you have to define a port-group with vlan-id 4095 to allow tagged traffic. I'm not sure that it supports native-vlan mapping.

Please note that ethernet-switching and IRBs are not supported on vSRX - so using vlan-tagging on ge-0/0/0 or ge-0/0/1 is the right approach.

Example from my test-setup via a vSRX running 15.1x49-d75:

vmware-vsrx.PNG

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)