SRX Services Gateway

SRX220H2 ethernet switching

10-22-2014 06:09 AM

Hi guys,

 

I have the following config:

ge-0/0/5 {
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan-dev;
            }
        }
    }
}
ge-0/0/6 {
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan-dev;
            }
        }
    }
}
vlan {
    unit 10 {
        family inet {
            address 10.87.51.1/26;
        }
    }
}
vlans {
    vlan-dev {
        vlan-id 10;
        l3-interface vlan.10;
    }
}
security-zone DevLab {
    interfaces {
        vlan.10 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}

I have attached devices to ge-0/0/5 and ge-0/0/6 with IPs in the same network, but there is no ping between the devices, or between a device and the Juniper SRX. Am I missing something? As far as I can see, this setup should work.

11 REPLIES
Re: SRX220H2 ethernet switching

10-23-2014 02:13 AM

You need to place the interfaces in a zone and create a policy to allow communication. For example:

user@SRX220H2# show security zones
    security-zone dev {
        interfaces {
            ge-0/0/5.0;
            ge-0/0/6.0;
        }
    }
[edit]
user@SRX220H2# show security policies from-zone dev to-zone dev
policy trust-all {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

Maybe try using irb interfaces and bridge domains.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Re: SRX220H2 ethernet switching

10-23-2014 02:32 AM

Thank you for the ideas. However, still no ping.

show security policies from-zone DevLab to-zone DevLab
policy trust-all {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

security-zone DevLab {
    interfaces {
        vlan.10 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
        ge-0/0/5.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
        ge-0/0/6.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
Re: SRX220H2 ethernet switching

10-23-2014 02:54 AM

Can you provide the output below?

root> show arp interface vlan.10

Thanks,

Suraj

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Re: SRX220H2 ethernet switching

10-23-2014 03:13 AM

Hi,

ge-0/0/5.0 and ge-0/0/6 interfaces should not be part of any security zone.

Only vlan.10 should be part of a security zone.

Both PCs should be configured in the same subnet, and then they should be able to ping each other.

On the PCs, do arp -a and verify that PC-A can see PC-B's MAC address.

From the SRX, try to ping both PCs.

Regards,
rparthi

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
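To make the zoning rule stated above checkable, here is an added Python example (not code from this thread or from Juniper) that parses brace-format Junos configuration and flags two things: an ethernet-switching port listed in a security zone, and a VLAN whose l3-interface is in no zone at all. The tokenizer, the function names and the sample configs are assumptions made for this example; the samples are constructed to mirror the two zone layouts that appear in the thread (RVI only, and RVI plus the L2 ports).

```python
import re
from typing import Any, Dict, List, Set

# Tokenizer for Junos curly-brace config: "name {", "stmt;" and "}". It is
# whitespace-insensitive, so one-line and multi-line layouts parse the same.
TOKEN = re.compile(r"\s*(?:([^{};]+?)\s*([{;])|(\}))")


def parse_junos(text: str) -> Dict[str, Any]:
    """Parse brace-format config into nested dicts; leaf statements map to None."""
    root: Dict[str, Any] = {}
    stack = [root]
    for name, kind, close in TOKEN.findall(text):
        if close:
            if len(stack) > 1:
                stack.pop()
        elif kind == "{":
            child: Dict[str, Any] = {}
            stack[-1][name] = child
            stack.append(child)
        else:
            stack[-1][name] = None
    return root


def l2_switch_ports(cfg: Dict[str, Any]) -> Set[str]:
    """Logical interfaces carrying 'family ethernet-switching' (pure L2 switch ports)."""
    ports: Set[str] = set()
    for name, body in cfg.get("interfaces", cfg).items():  # accept a bare interface snippet too
        if not isinstance(body, dict):
            continue
        for unit, ubody in body.items():
            if unit.startswith("unit ") and isinstance(ubody, dict) \
                    and "family ethernet-switching" in ubody:
                ports.add(f"{name}.{unit.split()[1]}")
    return ports


def zoned_interfaces(cfg: Dict[str, Any]) -> Dict[str, str]:
    """Map logical interface -> zone name for every 'security-zone X { interfaces {...} }'."""
    zones: Dict[str, str] = {}
    scope = cfg.get("security", cfg)
    scope = scope.get("zones", scope)  # full config or a bare 'show security zones' snippet
    for key, body in scope.items():
        if key.startswith("security-zone ") and isinstance(body, dict):
            for ifname in body.get("interfaces", {}):
                zones[ifname] = key.split(None, 1)[1]
    return zones


def l3_vlan_interfaces(cfg: Dict[str, Any]) -> Dict[str, str]:
    """Map VLAN name -> its l3-interface (the routed interface the SRX inspects on)."""
    out: Dict[str, str] = {}
    for vname, vbody in cfg.get("vlans", {}).items():
        for stmt in (vbody or {}):
            if stmt.startswith("l3-interface "):
                out[vname] = stmt.split()[1]
    return out


def lint(cfg: Dict[str, Any]) -> List[str]:
    """Findings for the two zoning mistakes discussed in the thread."""
    findings: List[str] = []
    zones = zoned_interfaces(cfg)
    for port in sorted(l2_switch_ports(cfg)):
        if port in zones:
            findings.append(f"{port}: L2 switch port is in zone {zones[port]}; "
                            "remove it, only the VLAN's l3-interface belongs in a zone")
    for vname, rvi in l3_vlan_interfaces(cfg).items():
        if rvi not in zones:
            findings.append(f"{vname}: l3-interface {rvi} is in no security zone, "
                            "so no policy or host-inbound-traffic can apply to it")
    return findings


# Constructed samples modelled on the thread's config (compact one-line layout).
L2_PORTS = """
interfaces {
  ge-0/0/5 { unit 0 { family ethernet-switching { vlan { members vlan-dev; } } } }
  ge-0/0/6 { unit 0 { family ethernet-switching { vlan { members vlan-dev; } } } }
  vlan { unit 10 { family inet { address 10.87.51.1/26; } } }
}
vlans { vlan-dev { vlan-id 10; l3-interface vlan.10; } }
"""
# Zone holding only the routed VLAN interface (the original poster's first layout).
ZONE_RVI_ONLY = "security { zones { security-zone DevLab { interfaces { vlan.10; } } } }"
# Zone that also lists the L2 ports (the later attempt in the thread).
ZONE_WITH_PORTS = ("security { zones { security-zone DevLab { interfaces { "
                   "vlan.10; ge-0/0/5.0; ge-0/0/6.0; } } } }")

if __name__ == "__main__":
    for label, zone in (("rvi-only", ZONE_RVI_ONLY), ("ports-zoned", ZONE_WITH_PORTS)):
        print(label, lint(parse_junos(L2_PORTS + zone)) or "no findings")
```

Feed it the text of `show configuration` (or the `show security zones` snippet on its own) and it reports nothing for the RVI-only layout and one finding per zoned L2 port for the other.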

 

Re: SRX220H2 ethernet switching

10-23-2014 03:49 AM

Hi guys,

@
Re: SRX220H2 ethernet switching

10-23-2014 04:07 AM

I think you can try these steps.

Step 1

root> monitor traffic interface vlan.0  ---> check whether you see any ARP/ICMP packets

Start Wireshark on the PCs ---> check whether you see any ARP/ICMP packets

Step 2

Initiate a ping from one of the devices to the other.

Step 3

If you see ARP requests and replies on the SRX, it is most probably not an issue with the SRX. Use Wireshark on the PCs to confirm whether ICMP/ARP are being sent and received.

If you see packets leaving the PCs in Wireshark but they are not received on the SRX, make any small change on the SRX, such as enabling telnet/ssh, and do a "commit full" (hidden command) to force the configuration to be pushed to the data plane.

Thanks,

Suraj

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
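As an added example (not from the post above or from Juniper), the decision rule in step 3 written as code: summarize tcpdump-style lines from `monitor traffic` on the SRX and from a PC capture, then classify what the pair of captures says about where to look next. The line patterns, host addresses and capture contents are constructed for this example (the STP line follows the format a later post in the thread shows); the function names are assumptions too.

```python
import re
from collections import Counter
from typing import Dict, Iterable

# Patterns for the tcpdump-style lines that 'monitor traffic' and tcpdump/Wireshark print.
ARP_RE = re.compile(r"\bARP, (Request|Reply)\b")
ICMP_RE = re.compile(r"\bICMP echo (request|reply)\b")
STP_RE = re.compile(r"\bSTP\b")


def summarize(lines: Iterable[str]) -> Counter:
    """Count ARP requests/replies, ICMP echoes and STP BPDUs in one capture."""
    counts: Counter = Counter()
    for line in lines:
        if m := ARP_RE.search(line):
            counts["arp-" + m.group(1).lower()] += 1
        elif m := ICMP_RE.search(line):
            counts["icmp-" + m.group(1)] += 1
        elif STP_RE.search(line):
            counts["stp"] += 1
        else:
            counts["other"] += 1
    return counts


# Where to look next for each verdict (wording follows the reasoning in the thread).
ADVICE: Dict[str, str] = {
    "arp-complete-on-srx": "ARP requests and replies both reach the SRX: the switching path "
                           "works, so check host configuration and security policy instead.",
    "host-sends-srx-blind": "The PC emits ARP that the SRX never sees: suspect the forwarding "
                            "plane (the thread suggests a small change plus 'commit full').",
    "request-unanswered": "ARP requests reach the SRX but nothing answers: check the peer "
                          "host and its port/VLAN membership.",
    "stp-only": "Only STP BPDUs seen and no host is sending: start the ping (step 2) and "
                "capture again.",
    "inconclusive": "Captures match none of the patterns above; collect both sides again.",
}


def triage(srx: Counter, pc: Counter) -> str:
    """Apply step 3 of the procedure to an SRX capture and a PC capture."""
    srx_arp = srx["arp-request"] + srx["arp-reply"]
    pc_arp = pc["arp-request"] + pc["arp-reply"]
    if srx["arp-request"] and srx["arp-reply"]:
        return "arp-complete-on-srx"
    if pc["arp-request"] and not srx_arp:
        return "host-sends-srx-blind"
    if srx["arp-request"] and not srx["arp-reply"]:
        return "request-unanswered"
    if srx["stp"] and not srx_arp and not pc_arp:
        return "stp-only"
    return "inconclusive"


# Constructed captures: the SRX side sees only its own STP, the PC side sends ARP.
SRX_CAPTURE = [
    "13:23:57.068707 STP 802.1d, Config, Flags [none], bridge-id 8000.f4:b5:2f:86:d4:c0.8207, length 43",
    "13:23:59.068912 STP 802.1d, Config, Flags [none], bridge-id 8000.f4:b5:2f:86:d4:c0.8207, length 43",
]
PC_CAPTURE = [
    "13:23:58.001122 ARP, Request who-has 10.87.51.20 tell 10.87.51.10, length 28",
    "13:23:59.003344 ARP, Request who-has 10.87.51.20 tell 10.87.51.10, length 28",
    "13:23:59.070001 STP 802.1d, Config, Flags [none], bridge-id 8000.f4:b5:2f:86:d4:c0.8207, length 43",
]
# Constructed healthy SRX-side capture for comparison (MAC is a placeholder).
HEALTHY_SRX_CAPTURE = [
    "13:30:01.000100 ARP, Request who-has 10.87.51.20 tell 10.87.51.10, length 28",
    "13:30:01.000300 ARP, Reply 10.87.51.20 is-at 00:11:22:33:44:55, length 28",
    "13:30:01.001000 IP 10.87.51.10 > 10.87.51.20: ICMP echo request, id 7, seq 1, length 64",
    "13:30:01.001400 IP 10.87.51.20 > 10.87.51.10: ICMP echo reply, id 7, seq 1, length 64",
]

if __name__ == "__main__":
    for label, srx in (("thread", SRX_CAPTURE), ("healthy", HEALTHY_SRX_CAPTURE)):
        verdict = triage(summarize(srx), summarize(PC_CAPTURE))
        print(f"{label}: {verdict} - {ADVICE[verdict]}")
```

The verdict keys only say where to look next; with the thread's own captures (STP from the SRX, ARP leaving the PC) the result is `host-sends-srx-blind`, which is exactly the case the "commit full" suggestion is aimed at.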
Re: SRX220H2 ethernet switching

10-23-2014 04:33 AM

Thank you for the ideas.

I did tcpdump on the machine and ran monitor traffic interface vlan.10 extensive on the SRX: no ARPs from the remote side.

However, STP was enabled on the SRX and I could see STP traffic from the SRX to the PC, but no ARPs.

13:23:57.068707 STP 802.1d, Config, Flags [none], bridge-id 8000.f4:b5:2f:86:d4:c0.8207, length 43

Re: SRX220H2 ethernet switching

10-23-2014 04:35 AM

Did you try commit full as well?

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Re: SRX220H2 ethernet switching

10-23-2014 04:36 AM

Yes, I did; no change.

Re: SRX220H2 ethernet switching

10-23-2014 10:47 AM

Check if the SRX needs to be rebooted using this command:

>show security flow status

Here is another example. You do not have to use the interface-range, it is just one method.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16667&smlogin=true

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Re: SRX220H2 ethernet switching

10-24-2014 12:02 AM

Thanks for your help guys.

I opened a case with Juniper support. They verified that the config is OK and should work, but for some reason it is not working. They are investigating further now. It could be a bug in this Junos version, who knows. I'll post the solution here in case anyone has the same problem.
