SRX

Hello,

I have a server with two NICs and two ip addresses on separate VLANs and separate subnets that don't overlap.  Each NIC has a separate interface on the Juniper SRX240H2.

eth0 is setup on 172.16.2.0/24 with ip address 172.16.2.2 and gateway 172.16.2.1 and connected to ge-0/0/14 on vlan2

eth1 is setup on 172.16.3.0/24 with ip address 172.16.3.2 and gateway 172.16.3.1 and connected to ge-0/0/15 on vlan4

i only have a default route setup for eth1 which is 172.16.3.1 and associated with my Juniper MAC address - (made up) dc:38:e1:27:44:44.

when i look at the arp entries eth0 is incomplete because it can't have the same mac address association with a different IP on the same server.  I can ping 172.16.2.1 but the server doesnt know how to send it back to the juniper interface on ge-0/0/14 on vlan2.  I can ping 172.16.3.1 fine and all traffic goes out there by default because the gateway is defined in my server routing table and the ARP entry exists.  I have tried source based routing with iproute2 on the server, but the only trouble I have is pinging ge-0/0/14 or 172.16.2.1.

How do I make my server send traffic out eth0 when it is sent to the eth0 address and send traffic out eth1 when it is sent to eth1 if the MAC address is the same on ge-0/0/14 and ge-0/0/15?  Is there a way to make a fake MAC address for ge-0/0/14?

Please let me know if you need more configuration information.  The server is a debian box.

Junos generates a different mac address for every interface and sub-interface on the SRX.

Are you saying the server sees the same mac address for two different SRX interfaces?

use show interface extensive for each one and look at the Hardware Address to verify what mac address is assigned in Junos to each sub interface with the ip address assigned in the subnet of your server.

So it looks like for some reason vlan.2 and vlan.4 members (my server on both NICs) are picking up the MAC address for vlan physical or vlan.1 logical.  It looks like all of the vlans are pulling the mac address into them (vlans1-4) for all of the gateways on the interfaces i have setup to my wireless access points, another juniper switch, and clients/servers from vlan/vlan1. ???

My server output for arp -a shows the IP address associated with dc:38:e1:22:44:28 instead of the ones on ge-0/0/14 and ge-0/0/15.

arp -a

? (172.16.3.1) at dc:38:e1:22:44:28 [ether] on eth1

This is another subnet i have where a client is connected to my Ruckus Access Point.

C:\>arp -a

Interface: 192.168.2.3 --- 0x5
  Internet Address      Physical Address      Type
  192.168.2.1           dc-38-e1-22-44-28     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Physical interface: vlan, Enabled, Physical link is Up
  Interface index: 133, SNMP ifIndex: 506, Generation: 136
  Type: VLAN, Link-level type: VLAN, MTU: 1518, Clocking: Unspecified, Speed: 2000mbps
  Device flags   : Present Running
  Link type      : Full-Duplex
  Physical info  : Unspecified
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: dc:38:e1:22:44:28, Hardware address: dc:38:e1:22:44:28
  Alternate link address: Unspecified
  Last flapped   : 2018-01-21 09:14:10 GMT-6 (22:53:25 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :            334985086                60952 bps
   Output bytes  :           4789899141              1060152 bps
   Input  packets:              2408905                   79 pps
   Output packets:              4269342                  108 pps
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort              4269160              4269160                    0
    1 expedited-fo                   0                    0                    0
    2 assured-forw                   0                    0                    0
    3 network-cont                 183                  183                    0
  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards: 8169,
    Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, MTU errors: 0, Resource errors: 0

  Logical interface vlan.1 (Index 69) (SNMP ifIndex 548) (Generation 134)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.3 ]  Encapsulation: ENET2
    Bandwidth: 0
    Traffic statistics:
     Input  bytes  :            313004057
     Output bytes  :           4723840517
     Input  packets:              2305696
     Output packets:              4175316
    Local statistics:
     Input  bytes  :                77414
     Output bytes  :               579930
     Input  packets:                  966
     Output packets:                11893
    Transit statistics:
     Input  bytes  :            312926643                33568 bps
     Output bytes  :           4723260587              1019984 bps
     Input  packets:              2304730                   67 pps
     Output packets:              4163423                   85 pps
    Security: Zone: Home
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip
    router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping
    reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text
    xnm-ssl lsping ntp sip r2cp webapi-clear-text webapi-ssl
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     2459
      ICMP packets :                     3041
      VPN packets :                      0
      Multicast packets :                1519
      Bytes permitted by policy :        255441875
      Connections established :          44483
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        3931842743
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  1482
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 148, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 192.168.1/24, Local: 192.168.1.1, Broadcast: 192.168.1.255, Generation: 142

Physical interface: ge-0/0/14, Enabled, Physical link is Up
  Interface index: 148, SNMP ifIndex: 527, Generation: 151
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: dc:38:e1:22:44:26, Hardware address: dc:38:e1:22:44:26
  Last flapped   : 2018-01-21 11:03:27 GMT-6 (21:04:07 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                17182                    0 bps
   Output bytes  :                23504                    0 bps
   Input  packets:                  249                    0 pps
   Output packets:                  270                    0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0,
    L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 9, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0,
    HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    0                    0                    0
    1 expedited-fo                   0                    0                    0
    2 assured-forw                   0                    0                    0
    3 network-cont                   0                    0                    0
  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                         17182            23504
    Total packets                          249              270
    Unicast packets                         87              270
    Broadcast packets                      162                0
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Filter statistics:
    Input packet count                       0
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count                                       0
    Output packet pad count                                   0
    Output packet error count                                 0
    CAM destination filters: 1, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: None, Remote fault: OK,
        Link partner Speed: 1000 Mbps
    Local resolution:
        Flow control: None, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 0
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 best-effort            95      950000000    95              0      low    none
    3 network-control         5       50000000     5              0      low    none
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/14.0 (Index 87) (SNMP ifIndex 544) (Generation 152)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                17602
     Output bytes  :                23504
     Input  packets:                  256
     Output packets:                  270
    Local statistics:
     Input  bytes  :                  420
     Output bytes  :                    0
     Input  packets:                    7
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                17182                    0 bps
     Output bytes  :                23504                    0 bps
     Input  packets:                  249                    0 pps
     Output packets:                  270                    0 pps
    Security: Zone: VPN
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip
    router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping
    reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text
    xnm-ssl lsping ntp sip r2cp webapi-clear-text webapi-ssl
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        0
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol eth-switch, MTU: 0, Generation: 166, Route table: 0
      Flags: None

Physical interface: ge-0/0/15, Enabled, Physical link is Up
  Interface index: 149, SNMP ifIndex: 528, Generation: 152
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: dc:38:e1:22:44:27, Hardware address: dc:38:e1:22:44:27
  Last flapped   : 2018-01-21 11:03:27 GMT-6 (21:04:07 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                78294                    0 bps
   Output bytes  :               202054                    0 bps
   Input  packets:                  763                    0 pps
   Output packets:                  732                    0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0,
    L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 9, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0,
    HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    0                    0                    0
    1 expedited-fo                   0                    0                    0
    2 assured-forw                   0                    0                    0
    3 network-cont                   0                    0                    0
  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                         78294           202054
    Total packets                          763              732
    Unicast packets                        736              732
    Broadcast packets                       27                0
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Filter statistics:
    Input packet count                       0
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count                                       0
    Output packet pad count                                   0
    Output packet error count                                 0
    CAM destination filters: 1, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: None, Remote fault: OK,
        Link partner Speed: 1000 Mbps
    Local resolution:
        Flow control: None, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 0
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 best-effort            95      950000000    95              0      low    none
    3 network-control         5       50000000     5              0      low    none
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/15.0 (Index 88) (SNMP ifIndex 545) (Generation 153)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                79478
     Output bytes  :               202054
     Input  packets:                  778
     Output packets:                  732
    Local statistics:
     Input  bytes  :                 1184
     Output bytes  :                    0
     Input  packets:                   15
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                78294                    0 bps
     Output bytes  :               202054                    0 bps
     Input  packets:                  763                    0 pps
     Output packets:                  732                    0 pps
    Security: Zone: VPN2
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip
    router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping
    reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text
    xnm-ssl lsping ntp sip r2cp webapi-clear-text webapi-ssl
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        0
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol eth-switch, MTU: 0, Generation: 167, Route table: 0
      Flags: None

  Logical interface vlan.2 (Index 70) (SNMP ifIndex 549) (Generation 135)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.2 ]  Encapsulation: ENET2
    Bandwidth: 0
    Traffic statistics:
     Input  bytes  :                 4636
     Output bytes  :                19844
     Input  packets:                   87
     Output packets:                  280
    Local statistics:
     Input  bytes  :                  952
     Output bytes  :                 9780
     Input  packets:                   34
     Output packets:                  180
    Transit statistics:
     Input  bytes  :                 3684                    0 bps
     Output bytes  :                10064                    0 bps
     Input  packets:                   53                    0 pps
     Output packets:                  100                    0 pps
    Security: Zone: VPN
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip
    router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping
    reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text
    xnm-ssl lsping ntp sip r2cp webapi-clear-text webapi-ssl
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     55
      ICMP packets :                     55
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        4456
      Connections established :          76
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        10096
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 149, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.16.2/24, Local: 172.16.2.1, Broadcast: 172.16.2.255,
        Generation: 144

 
  Logical interface vlan.4 (Index 72) (SNMP ifIndex 550) (Generation 137)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.5 ]  Encapsulation: ENET2
    Bandwidth: 0
    Traffic statistics:
     Input  bytes  :                61912
     Output bytes  :               190078
     Input  packets:                  707
     Output packets:                  742
    Local statistics:
     Input  bytes  :                 1792
     Output bytes  :                 4536
     Input  packets:                   24
     Output packets:                   66
    Transit statistics:
     Input  bytes  :                60120                    0 bps
     Output bytes  :               185542                    0 bps
     Input  packets:                  683                    0 pps
     Output packets:                  676                    0 pps
    Security: Zone: VPN2
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip
    router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping
    reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text
    xnm-ssl lsping ntp sip r2cp webapi-clear-text webapi-ssl
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     26
      ICMP packets :                     52
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        57322
      Connections established :          269
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        160758
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 151, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.16.3/24, Local: 172.16.3.1, Broadcast: 172.16.3.255, Generation: 148

From what I see you have the same base mac-address on all vlan.X interfaces which is causing the issue you are seeing.

On SRX apparantly you cannot change mac-address on a vlan/irb interface (tested on SRX300 with Junos 15.1X49-D120).

Only alternative I can come up with is deactivate vlan.4 and move the configuration directly to ge-0/0/15.0 so it function as a L3 IFL instead of a switchport. Then the mac-address will be different from vlan.2 and can also be changed with 'set interface ge-0/0/15 mac xx:xx:xx:xx:xx'.

But I must admit it's a strange limitation.

Interestingly enough, I removed a hard-code associated on the Juniper with the MAC address on my server's NICs with the 172.16.2.2 and 172.16.3.2 addresses and now it is working fine.....   absolutely no idea why.  I added these before because of some troubleshooting and issues I was having.  Now i just turned on source routing on my server and everything is working great!  But as far as the limitations are concerned, I saw some other people complaining about the same thing.  Thanks for taking a look, if i run into some more issues I'll do as you have advised below.