Let's try again. This is a new config, similar to what I need, but with fewer VLANs on the EX.
Corporate <--> SRX-fe-0/0/0 <--> SRX-fe-0/0/1 or fe-0/0/3 <--> EX ge-0/0/0 or ge-0/0/2
The VPN is over st0.0 to corporate.
The trunk link (fe-0/0/3 to ge-0/0/2) does not pass traffic.
The access port passes traffic between the SRX and the EX.
I am unable to ping VLAN 9 (NETWORK-9).
I will include the whole config of both the SRX and the EX, plus some traceroutes and pings.
THIS IS THE SRX
admin@test> show configuration |display set |no-more
set version 10.4R10.8
set system host-name test
set system time-zone EST
set system root-authentication encrypted-password "SECRET"
set system name-server 10.10.10.10
set system name-server 10.20.10.10
set system name-resolution no-resolve-on-input
set system login user admin full-name Administrator
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password "SECRET"
set system services ssh
set system services telnet
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.1
set system services web-management https interface fe-0/0/0.0
set system services web-management session idle-timeout 60
set system services dhcp pool 192.168.201.0/24 address-range low 192.168.201.50
set system services dhcp pool 192.168.201.0/24 address-range high 192.168.201.249
set system services dhcp pool 192.168.201.0/24 router 192.168.201.1
set system services dhcp propagate-settings fe-0/0/0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server us.ntp.pool.org
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan1
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan1
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan1
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan1
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan1
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan1
set interfaces st0 unit 0 family inet address 192.168.200.201/24
set interfaces vlan unit 1 family inet address 192.168.201.1/24
set snmp description test
set snmp community Public authorization read-only
set routing-options static route 192.168.200.0/24 next-hop st0.0
set routing-options static route 10.0.0.0/8 next-hop st0.0
set routing-options static route 10.12.0.0/16 next-hop 192.168.201.10
set protocols stp
set security ike policy ike_pol_vpnloaner01 mode aggressive
set security ike policy ike_pol_vpnloaner01 proposal-set standard
set security ike policy ike_pol_vpnloaner01 pre-shared-key ascii-text "SECRET"
set security ike gateway gw_vpnloaner01 ike-policy ike_pol_vpnloaner01
set security ike gateway gw_vpnloaner01 address 75.112.77.34
set security ike gateway gw_vpnloaner01 local-identity hostname vpnloaner01
set security ike gateway gw_vpnloaner01 external-interface fe-0/0/0.0
set security ipsec policy ipsec_pol_vpnloaner01 perfect-forward-secrecy keys group1
set security ipsec policy ipsec_pol_vpnloaner01 proposal-set standard
set security ipsec vpn vpnloaner01 bind-interface st0.0
set security ipsec vpn vpnloaner01 ike gateway gw_vpnloaner01
set security ipsec vpn vpnloaner01 ike ipsec-policy ipsec_pol_vpnloaner01
set security ipsec vpn vpnloaner01 establish-tunnels immediately
set security nat source rule-set nsw_srcnat from zone Internal
set security nat source rule-set nsw_srcnat to zone Internet
set security nat source rule-set nsw_srcnat rule nsw-src-interface match source-address 0.0.0.0/0
set security nat source rule-set nsw_srcnat rule nsw-src-interface match destination-address 0.0.0.0/0
set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone Internal address-book address addr_192_168_201_0_24 192.168.201.0/24
set security zones security-zone Internal host-inbound-traffic system-services all
set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services ping
set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services dhcp
set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services http
set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services https
set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services ssh
set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services telnet
set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services snmp
set security zones security-zone Internet address-book address addr_192_168_0_0_16 192.168.0.0/16
set security zones security-zone Internet address-book address addr_10_0_0_0_8 10.0.0.0/8
set security zones security-zone Internet address-book address addr_192_168_200_0_24 192.168.200.0/24
set security zones security-zone Internet host-inbound-traffic system-services ike
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services snmp
set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services https
set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services ping
set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services ike
set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services ssh
set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services snmp
set security policies from-zone Internal to-zone Internet policy All_Internal_Internet match source-address any
set security policies from-zone Internal to-zone Internet policy All_Internal_Internet match destination-address any
set security policies from-zone Internal to-zone Internet policy All_Internal_Internet match application any
set security policies from-zone Internal to-zone Internet policy All_Internal_Internet then permit
set security policies from-zone Internal to-zone Internet policy policy_out_vpnloaner01 match source-address addr_192_168_201_0_24
set security policies from-zone Internal to-zone Internet policy policy_out_vpnloaner01 match destination-address addr_192_168_200_0_24
set security policies from-zone Internal to-zone Internet policy policy_out_vpnloaner01 match application any
set security policies from-zone Internal to-zone Internet policy policy_out_vpnloaner01 then permit
set security policies from-zone Internet to-zone Internal policy policy_in_vpnloaner01 match source-address addr_10_0_0_0_8
set security policies from-zone Internet to-zone Internal policy policy_in_vpnloaner01 match source-address addr_192_168_0_0_16
set security policies from-zone Internet to-zone Internal policy policy_in_vpnloaner01 match destination-address addr_192_168_201_0_24
set security policies from-zone Internet to-zone Internal policy policy_in_vpnloaner01 match application any
set security policies from-zone Internet to-zone Internal policy policy_in_vpnloaner01 then permit
set vlans NETWORK-9 description NETWORK-9
set vlans NETWORK-9 vlan-id 9
set vlans vlan1 vlan-id 3
set vlans vlan1 l3-interface vlan.1
admin@test>
THIS IS THE EX
{master:0}
root@EX-test> show configuration |display set |no-more
set version 12.3R6.6
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier import default
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-voice-fc loss-priority low code-points 101110
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-control-fc loss-priority low code-points 110000
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-control-fc loss-priority low code-points 011000
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-control-fc loss-priority low code-points 011010
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-control-fc loss-priority low code-points 111000
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-video-fc loss-priority low code-points 100010
set groups ezqos-voip class-of-service forwarding-classes class ezqos-best-effort queue-num 0
set groups ezqos-voip class-of-service forwarding-classes class ezqos-video-fc queue-num 4
set groups ezqos-voip class-of-service forwarding-classes class ezqos-voice-fc queue-num 5
set groups ezqos-voip class-of-service forwarding-classes class ezqos-control-fc queue-num 7
set groups ezqos-voip class-of-service scheduler-maps ezqos-voip-sched-maps forwarding-class ezqos-voice-fc scheduler ezqos-voice-scheduler
set groups ezqos-voip class-of-service scheduler-maps ezqos-voip-sched-maps forwarding-class ezqos-control-fc scheduler ezqos-control-scheduler
set groups ezqos-voip class-of-service scheduler-maps ezqos-voip-sched-maps forwarding-class ezqos-video-fc scheduler ezqos-video-scheduler
set groups ezqos-voip class-of-service scheduler-maps ezqos-voip-sched-maps forwarding-class ezqos-best-effort scheduler ezqos-data-scheduler
set groups ezqos-voip class-of-service schedulers ezqos-voice-scheduler buffer-size percent 20
set groups ezqos-voip class-of-service schedulers ezqos-voice-scheduler priority strict-high
set groups ezqos-voip class-of-service schedulers ezqos-control-scheduler buffer-size percent 10
set groups ezqos-voip class-of-service schedulers ezqos-control-scheduler priority strict-high
set groups ezqos-voip class-of-service schedulers ezqos-video-scheduler transmit-rate percent 70
set groups ezqos-voip class-of-service schedulers ezqos-video-scheduler buffer-size percent 20
set groups ezqos-voip class-of-service schedulers ezqos-video-scheduler priority low
set groups ezqos-voip class-of-service schedulers ezqos-data-scheduler transmit-rate percent 30
set groups ezqos-voip class-of-service schedulers ezqos-data-scheduler buffer-size percent 50
set groups ezqos-voip class-of-service schedulers ezqos-data-scheduler priority low
set apply-groups ezqos-voip
set system host-name EX-test
set system root-authentication encrypted-password "SECRET"
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password "SECRET"
set system services ssh protocol-version v2
set system services ssh max-sessions-per-connection 32
set system services telnet
set system services netconf ssh
set system services web-management http
set system services dhcp traceoptions file dhcp_logfile
set system services dhcp traceoptions level all
set system services dhcp traceoptions flag all
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file default-log-messages any any
set system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|cm_device|(Master Unchanged, Members Changed)|(Master Changed, Members Changed)|(Master Detected, Members Changed)|(vc add)|(vc delete)|(Master detected)|(Master changed)|(Backup detected)|(Backup changed)|(interface vcp-)|(AIS_DATA_AVAILABLE)"
set system syslog file default-log-messages structured-data
set chassis alarm management-ethernet link-down ignore
set chassis auto-image-upgrade
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching native-vlan-id default
set interfaces ge-0/0/3 unit 0 family ethernet-switching
set interfaces ge-0/0/4 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching
set interfaces ge-0/0/7 unit 0 family ethernet-switching
set interfaces ge-0/0/8 unit 0 family ethernet-switching
set interfaces ge-0/0/9 unit 0 family ethernet-switching
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set interfaces ge-0/0/11 unit 0 family ethernet-switching
set interfaces ge-0/1/0 unit 0 family ethernet-switching
set interfaces ge-0/1/1 unit 0 family ethernet-switching
set interfaces vlan unit 0 family inet address 192.168.201.10/24
set interfaces vlan unit 1 family inet address 10.12.9.254/24
set interfaces vlan unit 2 family inet address 10.12.21.254/24
set snmp community Public authorization read-only
set snmp trap-group space targets 10.11.9.6
set routing-options static route 0.0.0.0/0 next-hop 192.168.201.1
set routing-options static route 10.10.0.0/16 next-hop 192.168.201.1
set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set class-of-service interfaces ge-* scheduler-map ezqos-voip-sched-maps
set class-of-service interfaces ge-* unit * classifiers dscp ezqos-dscp-classifier
set class-of-service interfaces ge-* unit * rewrite-rules dscp default
set ethernet-switching-options voip
set ethernet-switching-options storm-control interface all
set vlans NETWORK-9 description NETWORK-9
set vlans NETWORK-9 vlan-id 9
set vlans NETWORK-9 l3-interface vlan.1
set vlans UC-QUADS description "UC-QUADS Voice Traffic"
set vlans UC-QUADS vlan-id 21
set vlans UC-QUADS l3-interface vlan.2
set vlans default l3-interface vlan.0
set poe interface all
{master:0}
root@EX-test>
FROM SRX:
admin@test> ping 192.168.201.10
PING 192.168.201.10 (192.168.201.10): 56 data bytes
64 bytes from 192.168.201.10: icmp_seq=0 ttl=64 time=4.146 ms
64 bytes from 192.168.201.10: icmp_seq=1 ttl=64 time=3.705 ms
64 bytes from 192.168.201.10: icmp_seq=2 ttl=64 time=3.583 ms
^C
--- 192.168.201.10 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.583/3.811/4.146/0.242 ms
admin@test> ping 10.12.9.254
PING 10.12.9.254 (10.12.9.254): 56 data bytes
36 bytes from 10.12.9.254: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 13b5 0 0000 40 01 c940 192.168.201.1 10.12.9.254
36 bytes from 10.12.9.254: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 13b8 0 0000 40 01 c93d 192.168.201.1 10.12.9.254
36 bytes from 10.12.9.254: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 13bb 0 0000 40 01 c93a 192.168.201.1 10.12.9.254
^C
--- 10.12.9.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
admin@test> traceroute 10.12.9.254
traceroute to 10.12.9.254 (10.12.9.254), 30 hops max, 40 byte packets
1 10.12.9.254 (10.12.9.254) 4.115 ms 3.816 ms 4.006 ms
2 10.12.9.254 (10.12.9.254) 10.510 ms !H 4.644 ms !H 4.449 ms !H
admin@test>
FROM EX:
{master:0}
root@EX-test> ping 192.168.201.1
PING 192.168.201.1 (192.168.201.1): 56 data bytes
64 bytes from 192.168.201.1: icmp_seq=0 ttl=64 time=2.762 ms
64 bytes from 192.168.201.1: icmp_seq=1 ttl=64 time=2.826 ms
64 bytes from 192.168.201.1: icmp_seq=2 ttl=64 time=2.255 ms
^C
--- 192.168.201.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.255/2.614/2.826/0.255 ms
{master:0}
root@EX-test> ping 10.12.9.254
PING 10.12.9.254 (10.12.9.254): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 10.12.9.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
{master:0}