SRX Services Gateway

SRX1400 Trunk Issue

06-10-2018 04:41 AM

I have the following design:

[Design diagram: 1.jpg]

Everything in the design is working fine, except that ping from the L3 Core (Vlan1) to irb.1 and from irb.1 to the L2 Switch (Vlan1) does not work, while when I tested directly between the L3 Core Switch and the L2 Switch without the SRX1400 it worked fine.

L3 core trunk port configuration:

interface GigabitEthernet3/12
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast

SRX1400 full configuration:

--- JUNOS 12.3X48-D30.7 built 2016-04-28 23:06:10 UTC
admin@CIG-HQ> show configuration | no-more
## Last commit: 2018-06-10 13:57:58 AST by admin
version 12.3X48-D30.7;
system {
host-name CIG-HQ;
time-zone Asia/Riyadh;
root-authentication {
encrypted-password "$1$0Vlub5Bk$LRLDbkWelNyywtRN5EF.L/"; ## SECRET-DATA
}
login {
user admin {
uid 2001;
class super-user;
authentication {
encrypted-password "$1$5cHL8ROh$f2jSRb/fVeJE4.a8ZHfQc1"; ## SECRET-DATA
}
}
}
services {
ssh;
telnet;
web-management {
http;
}
}
}
security {
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy untrust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust13 to-zone untrust13 {
policy trust13-to-untrust13 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust13 to-zone trust13 {
policy untrust13-to-trust13 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust10 to-zone untrust10 {
policy trust10-to-untrust10 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust10 to-zone trust10 {
policy untrust10-to-trust10 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust500 to-zone untrust500 {
policy trust500-to-untrust500 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust500 to-zone trust500 {
policy untrust500-to-trust500 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust51 to-zone untrust51 {
policy trust51-to-untrust51 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust51 to-zone trust51 {
policy untrust51-to-trust51 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust5 to-zone untrust5 {
policy trust5-to-untrust5 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust5 to-zone trust5 {
policy untrust5-to-trust5 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust15 to-zone untrust15 {
policy trust15-to-untrust15 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust15 to-zone trust15 {
policy untrust15-to-trust15 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone untrust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
ge-2/0/8.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.0;
ge-2/0/9.0;
}
}
security-zone untrust13 {
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust13 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/3.0;
}
}
security-zone untrust10 {
interfaces {
ge-2/0/2.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust10 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/6.0;
}
}
security-zone untrust12 {
interfaces {
ge-2/0/3.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust12 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/7.0;
}
}
security-zone untrust14 {
interfaces {
ge-2/0/4.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust14 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/8.0;
}
}
security-zone untrust16 {
interfaces {
ge-2/0/6.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust16 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/10.0;
}
}
security-zone untrust17 {
interfaces {
ge-2/0/7.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust17 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/11.0;
}
}
security-zone untrust51 {
interfaces {
ge-2/0/12.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust51 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-2/0/13.0;
}
}
security-zone untrust500 {
interfaces {
ge-2/0/14.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust500 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-2/0/15.0;
}
}
security-zone untrust5 {
interfaces {
ge-2/0/10.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust5 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-2/0/11.0;
}
}
security-zone untrust15 {
interfaces {
ge-2/0/5.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust15 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/9.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 9;
}
}
}
ge-0/0/1 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 9;
}
}
}
ge-0/0/2 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 13;
}
}
}
ge-0/0/3 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 13;
}
}
}
ge-0/0/6 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 10;
}
}
}
ge-0/0/7 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 12;
}
}
}
ge-0/0/8 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 14;
}
}
}
ge-0/0/9 {
unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list 1-17;
}
}
}
ge-0/0/10 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 16;
}
}
}
ge-0/0/11 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 17;
}
}
}
ge-2/0/2 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 10;
}
}
}
ge-2/0/3 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 12;
}
}
}
ge-2/0/4 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 14;
}
}
}
ge-2/0/5 {
unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list 1-17;
}
}
}
ge-2/0/6 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 16;
}
}
}
ge-2/0/7 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 17;
}
}
}
ge-2/0/8 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 9;
}
}
}
ge-2/0/9 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 9;
}
}
}
ge-2/0/10 {
unit 0 {
family inet {
address 172.22.22.2/30;
}
}
}
ge-2/0/11 {
unit 0 {
family inet {
address 10.5.0.1/24;
}
}
}
ge-2/0/12 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 51;
}
}
}
ge-2/0/13 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 51;
}
}
}
ge-2/0/14 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 500;
}
}
}
ge-2/0/15 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 500;
}
}
}
irb {
unit 0 {
family inet {
address 130.1.10.1/16;
}
}
unit 1 {
family inet {
address 10.1.0.200/16;
}
}
unit 4 {
family inet {
address 10.14.10.10/16;
}
}
unit 5 {
family inet {
address 10.15.10.10/16;
}
}
unit 6 {
family inet {
address 10.16.10.10/16;
}
}
unit 7 {
family inet {
address 10.17.10.10/16;
}
}
unit 8 {
family inet {
address 10.8.0.10/16;
}
}
unit 10 {
family inet {
address 10.10.10.10/16;
}
}
unit 12 {
family inet {
address 10.50.1.10/24;
}
}
unit 13 {
family inet {
address 172.18.10.10/16;
}
}
}
}
snmp {
community public {
authorization read-only;
}
}
routing-instances {
nournet {
instance-type virtual-router;
interface ge-2/0/10.0;
interface ge-2/0/11.0;
routing-options {
static {
route 0.0.0.0/0 next-hop 10.5.0.3;
route 130.1.0.0/16 next-hop 172.22.22.1;
route 10.0.0.0/8 next-hop 172.22.22.1;
route 192.168.0.0/16 next-hop 172.22.22.1;
}
}
}
}
bridge-domains {
vlan1 {
domain-type bridge;
vlan-id 1;
routing-interface irb.1;
}
vlan15 {
domain-type bridge;
vlan-id 15;
routing-interface irb.5;
}
vlan500 {
domain-type bridge;
vlan-id 500;
routing-interface irb.13;
}
vlan51 {
domain-type bridge;
vlan-id 51;
routing-interface irb.12;
}
vlan8 {
domain-type bridge;
vlan-id 8;
routing-interface irb.8;
}
}

admin@CIG-HQ>
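
An added example, not part of the original post: a small audit script that reads the configuration above in `show configuration | display set` form. The embedded SAMPLE_CONFIG is a constructed excerpt of the posted config (the lines for ge-0/0/0 and ge-0/0/9, the untrust and trust15 zones, the trust-to-untrust policy, SNMP and three of the bridge domains), not real device output. It reports two things worth checking before chasing the VLAN 1 problem further. First, VLANs carried on a `family bridge` unit for which no `bridge-domains` entry with that `vlan-id` exists: in transparent mode the bridge domain is what groups a VLAN's Layer 2 interfaces, and the posted config defines bridge domains only for VLANs 1, 8, 15, 51 and 500 while the trunks carry 1-17. Second, settings far more permissive than a firewall should run with: telnet and plaintext HTTP management, the well-known `public` SNMP community, `host-inbound-traffic system-services all` on every zone, and any/any/any permit policies. The post also publishes two `$1$` (MD5-crypt) password hashes; those credentials should be rotated.

```python
"""Audit a Junos SRX transparent-mode config given as 'display set' lines.

SAMPLE_CONFIG is a constructed excerpt of the configuration posted in the thread,
not real device output.
"""

SAMPLE_CONFIG = """
set system services ssh
set system services telnet
set system services web-management http
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust15 host-inbound-traffic system-services all
set security zones security-zone trust15 interfaces ge-0/0/9.0
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 9
set interfaces ge-0/0/9 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/9 unit 0 family bridge vlan-id-list 1-17
set snmp community public authorization read-only
set bridge-domains vlan1 vlan-id 1
set bridge-domains vlan1 routing-interface irb.1
set bridge-domains vlan15 vlan-id 15
set bridge-domains vlan8 vlan-id 8
"""


def parse_set_config(text):
    """Split 'display set' output into token lists, dropping the leading 'set'."""
    return [line.split()[1:] for line in text.splitlines() if line.startswith("set ")]


def expand_vlans(spec):
    """Expand a vlan-id token such as '1-17' or '51' into a set of VLAN IDs."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def bridge_domain_vlans(stmts):
    """Map vlan-id -> bridge-domain name."""
    return {int(s[3]): s[1] for s in stmts
            if s[0] == "bridge-domains" and len(s) == 4 and s[2] == "vlan-id"}


def l2_interface_vlans(stmts):
    """Map 'ifname.unit' -> set of VLAN IDs it carries (family bridge units only)."""
    out = {}
    for s in stmts:
        if len(s) == 8 and s[0] == "interfaces" and s[2] == "unit" and s[4:6] == ["family", "bridge"]:
            if s[6] in ("vlan-id", "vlan-id-list"):
                out.setdefault(f"{s[1]}.{s[3]}", set()).update(expand_vlans(s[7]))
    return out


def vlans_without_bridge_domain(stmts):
    """VLANs present on an L2 unit but with no bridge domain to switch them in."""
    bd = set(bridge_domain_vlans(stmts))
    return {unit: sorted(vids - bd)
            for unit, vids in l2_interface_vlans(stmts).items() if vids - bd}


def permissive_findings(stmts):
    """Settings on a firewall that deserve a second look."""
    findings, policies = [], {}
    for s in stmts:
        path = " ".join(s)
        if path in ("system services telnet", "system services web-management http"):
            findings.append(f"cleartext management enabled: {path}")
        elif s[:2] == ["snmp", "community"] and s[2] in ("public", "private"):
            findings.append(f"well-known SNMP community: {s[2]}")
        elif "host-inbound-traffic" in s and s[-2:] == ["system-services", "all"]:
            findings.append(f"every system service reachable: {path}")
        elif s[:2] == ["security", "policies"] and "policy" in s:
            i = s.index("policy")   # group each policy's match/then lines by its full name
            policies.setdefault(" ".join(s[2:i + 2]), set()).add(" ".join(s[i + 2:]))
    wide_open = {"match source-address any", "match destination-address any",
                 "match application any", "then permit"}
    for name, body in policies.items():
        if wide_open <= body:
            findings.append(f"any/any/any permit: {name}")
    return findings


if __name__ == "__main__":
    stmts = parse_set_config(SAMPLE_CONFIG)
    for unit, vids in vlans_without_bridge_domain(stmts).items():
        print(f"{unit}: VLANs with no bridge-domain: {vids}")
    for finding in permissive_findings(stmts):
        print("finding:", finding)
```

Run against the full `display set` output of the device instead of the excerpt to get the complete picture; the missing-bridge-domain check is the one that bears directly on the trunk question, the rest is hygiene that should be fixed regardless of the outcome of the thread.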
11 REPLIES

Re: SRX1400 Trunk Issue

06-10-2018 11:47 AM

You have to assign irb.1 to a security or functional zone and specify ping under host-inbound-traffic.

Regards, Wojtek

Re: SRX1400 Trunk Issue

06-11-2018 01:11 AM

It gives me this error message:

[edit]
admin@CIG-HQ# set security zones security-zone trust15 interfaces irb.1
error: interface-unit: 'irb.1': This interface cannot be configured in a zone
error: statement creation failed: irb.1

Re: SRX1400 Trunk Issue

06-11-2018 02:33 AM

I don't have a high-end SRX at my disposal, so this is just an educated guess.

I would try the following

ge-0/0/9 {
    vlan-tagging;
    unit 0 {
        family bridge {
            interface-mode trunk;
            vlan-id-list 2-17;
        }
    }
    unit 1 {
        family bridge {
            interface-mode trunk;
            vlan-id-list 1;
        }
    }
}

And then assign ge-0/0/9.1 to the security policy and allow host-inbound traffic.

Regards, Wojtek

Re: SRX1400 Trunk Issue

06-11-2018 02:49 AM

Instead of a vlan-id-list, can you try configuring only one VLAN (access port) on these ports on the SRX and check if you are able to ping through the SRX?

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21421

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: SRX1400 Trunk Issue

06-11-2018 04:32 AM

I am trying that, but ping still does not work.

Re: SRX1400 Trunk Issue

06-11-2018 05:02 AM

All the examples I've found use subinterfaces on the trunk with a single VLAN ID in the vlan-id-list:

ge-0/0/9 {
    vlan-tagging;
    unit 1 {
        family bridge {
            interface-mode trunk;
            vlan-id-list 1;
        }
    }
    unit 2 {
        family bridge {
            interface-mode trunk;
            vlan-id-list 2;
        }
    }
    unit 3 {
        family bridge {
            interface-mode trunk;
            vlan-id-list 3;
        }
    }
    # and so forth
}

Can you try this approach?

Regards, Wojtek

Re: SRX1400 Trunk Issue

06-11-2018 05:34 AM

When I transferred all ports to access VLAN 1, it is working for VLAN 1 only.

Re: SRX1400 Trunk Issue

06-12-2018 01:25 AM

I tried it, still no ping. I don't know why this happens only in VLAN 1.

Re: SRX1400 Trunk Issue

06-12-2018 02:10 AM

Can you try to configure VLAN 1 as native on the trunk interfaces?

native-vlan-id 1;

Also, please see this note from the configuration guide:

If you are using Layer 2 switches, you will need to set BPDU options to help prevent
STP misconfigurations that can lead to network outages. First, enable
bypass-non-ip-unicast to allow BPDUs. Next, set the bpdu-vlan-flooding option to
limit flooding of BPDUs to each VLAN; otherwise BPDUs received on one port will
be sent to all other ports even if ports are in different VLANs.

Regards, Wojtek

Re: SRX1400 Trunk Issue

06-12-2018 04:04 AM

It gives me this message:

admin@CIG-HQ# set interfaces ge-0/0/9 vlan-tagging native-vlan-id 1

[edit]
admin@CIG-HQ# commit
[edit interfaces ge-0/0/9 native-vlan-id]
'native-vlan-id 1'
native-vlan-id can be specified with flexible-vlan-tagging mode or with interface-mode trunk
error: commit failed: (statements constraint check failed)

And I added these commands, as you mentioned:

security {
    flow {
        bridge {
            bypass-non-ip-unicast;
            bpdu-vlan-flooding;
        }
    }
}


Re: SRX1400 Trunk Issue

06-12-2018 05:18 AM

Just replace vlan-tagging with flexible-vlan-tagging and try again.

delete interfaces ge-0/0/9 vlan-tagging
set interfaces ge-0/0/9 flexible-vlan-tagging
set interfaces ge-0/0/9 native-vlan-id 1

Regards, Wojtek
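
Why VLAN 1 alone fails, as an added model that is the editor's example and not part of the thread. The posted GigabitEthernet3/12 configuration enables a dot1q trunk without `switchport trunk native vlan`, so the Cisco default native VLAN 1 leaves that port untagged while every other VLAN leaves tagged. A Junos `interface-mode trunk` unit classifies frames by their 802.1Q tag and drops untagged frames unless `native-vlan-id` is set, which is why access ports in VLAN 1 worked (an access port accepts untagged frames) while the trunk did not, and why the last reply's `native-vlan-id 1` is the relevant fix. The script models that classification for both ends; the port and frame objects are constructed for the example and the rules are generic 802.1Q native-VLAN behaviour, not Juniper's or Cisco's implementation.

```python
"""Model of 802.1Q frame classification on access and trunk ports.

Constructed example: the ports mirror the Cisco GigabitEthernet3/12 trunk and the
SRX ge-0/0/9 trunk from the thread; the rules are generic native-VLAN behaviour.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Frame:
    """A frame as seen on the wire: vid is the 802.1Q tag, None if untagged."""
    vid: Optional[int]


@dataclass(frozen=True)
class L2Port:
    name: str
    mode: str                          # "access" or "trunk"
    vlans: FrozenSet[int]              # access: the one VLAN; trunk: the vlan-id-list
    native_vlan: Optional[int] = None  # trunk only: VLAN assigned to untagged frames


def egress(port: L2Port, vid: int) -> Optional[Frame]:
    """Frame a VLAN's traffic for transmission out of `port`; None if the VLAN is not allowed."""
    if vid not in port.vlans:
        return None
    if port.mode == "access" or vid == port.native_vlan:
        return Frame(vid=None)         # access ports and the native VLAN send untagged
    return Frame(vid=vid)              # everything else on a trunk carries a tag


def ingress(port: L2Port, frame: Frame) -> Optional[int]:
    """Classify a received frame into a VLAN; None means the port drops it."""
    if port.mode == "access":
        return next(iter(port.vlans)) if frame.vid is None else None
    if frame.vid is None:              # untagged on a trunk: only a native VLAN rescues it
        return port.native_vlan
    return frame.vid if frame.vid in port.vlans else None


def bridged_vlan(vid: int, sender: L2Port, receiver: L2Port) -> Optional[int]:
    """VLAN the receiver files a frame under after sender -> receiver, or None if dropped."""
    frame = egress(sender, vid)
    return None if frame is None else ingress(receiver, frame)


# Cisco trunk with the default native VLAN 1, as in the posted GigabitEthernet3/12 config.
CORE_TRUNK = L2Port("Gi3/12", "trunk", frozenset(range(1, 4095)), native_vlan=1)
# SRX ge-0/0/9 as posted: trunk, vlan-id-list 1-17, no native-vlan-id.
SRX_TRUNK = L2Port("ge-0/0/9.0", "trunk", frozenset(range(1, 18)))
# The same unit after the fix suggested in the last reply: native-vlan-id 1.
SRX_TRUNK_FIXED = L2Port("ge-0/0/9.0", "trunk", frozenset(range(1, 18)), native_vlan=1)
# The "all ports in access VLAN 1" experiment from the thread.
CORE_ACCESS_1 = L2Port("Gi3/12", "access", frozenset({1}))
SRX_ACCESS_1 = L2Port("ge-0/0/9.0", "access", frozenset({1}))


if __name__ == "__main__":
    for label, rx in (("as posted", SRX_TRUNK), ("with native-vlan-id 1", SRX_TRUNK_FIXED)):
        for vid in (1, 15):
            print(f"{label}: VLAN {vid} core -> SRX classified as {bridged_vlan(vid, CORE_TRUNK, rx)}")
    print(f"access VLAN 1 both ends -> {bridged_vlan(1, CORE_ACCESS_1, SRX_ACCESS_1)}")
```

The model only shows the core-to-SRX direction, which is the one that breaks; a ping needs both. Two design notes follow from it: a trunk whose native VLAN also carries hosts (VLAN 1 here) is the precondition for double-tagging VLAN hopping, so the usual hardening is to keep user traffic off the native VLAN or to tag the native VLAN on both ends rather than rely on untagged frames; and whichever VLAN is chosen as native must match on both sides of every trunk, otherwise frames silently land in the wrong VLAN or are dropped, as in this thread.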