SRX

  • 1.  VLAN.IRB trunk issue in SRX340

    Posted 10-28-2019 02:24

    Hi, Guys,

     

    I have read a lot of articles about the VLAN.IRB issue in SRX, but no solution is found up to this moment.

     

    I am running SRX345 with the JUNOS "JUNOS 15.1X49-D110.4". No matter whether the global mode is "switch" or "transparent-bridge",

    the trunk port in SRX cannot ping the VLAN.IRB interface or the VLAN segment in SRX ( SRX345 is gateway ).

     

    Any solution/suggestion, thx ?



  • 2.  RE: VLAN.IRB trunk issue in SRX340

     
    Posted 10-28-2019 03:43

    Hello Ben,

     

    Could you please elaborate a bit more on your setup/requirement?

     

    Clients --- SRX340 (L2/L3 mode as GW) ---- L3 connection --- Gateway

     

    Regards,

     

    Vikas



  • 3.  RE: VLAN.IRB trunk issue in SRX340

    Posted 10-28-2019 07:33

    I'm running SRX300 with trunk ports, vlans and attached irb's in different security zones, and it works fine. Yes, there were issues in the earlier 15.1X49 releases (pre 15.1X49-D70, as I remember).

     

    So please provide information regarding the setup you have, the configuration and what does not work, then we'll do our best to help you.



  • 4.  RE: VLAN.IRB trunk issue in SRX340

    Posted 10-28-2019 19:48

    Hi, Guys,

    My configuration is straightforward, as below :

     

    set security zones security-zone Internal host-inbound-traffic system-services all
    set security zones security-zone Internal host-inbound-traffic protocols all
    set security zones security-zone Internal interfaces irb.731 host-inbound-traffic system-services all
    set security zones security-zone Internal interfaces irb.731 host-inbound-traffic protocols all
    set security zones security-zone Internal interfaces irb.735 host-inbound-traffic system-services all
    set security zones security-zone Internal interfaces irb.735 host-inbound-traffic protocols all
    set security zones security-zone Internal interfaces irb.737 host-inbound-traffic system-services all
    set security zones security-zone Internal interfaces irb.737 host-inbound-traffic protocols all
    set security zones security-zone Internal interfaces irb.733 host-inbound-traffic system-services all
    set security zones security-zone Internal interfaces irb.733 host-inbound-traffic protocols all
    set interfaces ge-0/0/0 vlan-tagging
    set interfaces ge-0/0/0 native-vlan-id 1
    set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 731
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 733
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 735
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 737

    set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 737

    set interfaces irb unit 731 family inet address 10.73.1.254/24
    set interfaces irb unit 733 family inet address 10.73.3.254/24
    set interfaces irb unit 735 family inet address 10.73.5.254/24
    set interfaces irb unit 737 family inet address 10.73.7.254/24
    set routing-options static route 0.0.0.0/0 next-hop 10.73.7.1

    set vlans VLAN731 vlan-id 731
    set vlans VLAN731 l3-interface irb.731
    set vlans VLAN733 vlan-id 733
    set vlans VLAN733 l3-interface irb.733
    set vlans VLAN735 vlan-id 735
    set vlans VLAN735 l3-interface irb.735
    set vlans VLAN737 vlan-id 737
    set vlans VLAN737 l3-interface irb.737

     
    root@labtest-fw2> show ethernet-switching global-information
    Global Configuration:

    MAC aging interval : 300
    MAC learning : Enabled
    MAC statistics : Disabled
    MAC limit Count : 16383
    MAC limit hit : Disabled
    MAC packet action drop: Disabled
    LE aging time : 1200
    LE VLAN aging time : 1200
    Global Mode : Switching

     

    root@labtest-fw2> show interfaces ge-0/0/0 terse
    Interface        Admin  Link  Proto       Local  Remote
    ge-0/0/0         up     up
    ge-0/0/0.0       up     up    eth-switch
    ge-0/0/0.32767   up     up

     

    root@labtest-fw2> show interfaces ge-0/0/2 terse
    Interface        Admin  Link  Proto       Local  Remote
    ge-0/0/2         up     up
    ge-0/0/2.0       up     up    eth-switch

     

     

    root@labtest-fw2> show ethernet-switching interface ge-0/0/0
    Routing Instance Name : default-switch
    .............

     

    Logical      Vlan      TAG   MAC     STP          Logical           Tagging
    interface    members         limit   state        interface flags
    ge-0/0/0.0                   16383                                  tagged
                 VLAN731   731   16383   Forwarding                     tagged
                 VLAN733   733   16383   Forwarding                     tagged
                 VLAN735   735   16383   Forwarding                     tagged
                 VLAN737   737   16383   Forwarding                     tagged

     

    root@labtest-fw2> show ethernet-switching interface ge-0/0/2
    Routing Instance Name : default-switch
    .........

    Logical      Vlan      TAG   MAC     STP          Logical           Tagging
    interface    members         limit   state        interface flags
    ge-0/0/2.0                   16383                                  untagged
                 VLAN737   737   16383   Forwarding                     untagged

     

     

    root@labtest-fw2> show ethernet-switching table
    ..................
    Ethernet switching table : 1 entries, 1 learned
    Routing instance : default-switch
        Vlan       MAC                 MAC     Age   Logical      NH      RTR
        name       address             flags         interface    Index   ID
        VLAN737    00:0e:c6:8e:3e:9a   D       -     ge-0/0/2.0   0       0

    root@labtest-fw2> show route

    inet.0: 19 destinations, 20 routes (19 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 15:41:21
    > to 10.73.7.1 via irb.737
    [Static/100] 15:41:21
    > to 10.73.3.1 via irb.733
    10.73.1.0/24 *[Direct/0] 15:41:22
    > via irb.731
    10.73.1.254/32 *[Local/0] 15:41:36
    Local via irb.731
    10.73.3.0/24 *[Direct/0] 15:41:22
    > via irb.733
    10.73.3.254/32 *[Local/0] 15:41:36
    Local via irb.733
    10.73.5.0/24 *[Direct/0] 15:41:22
    > via irb.735
    10.73.5.254/32 *[Local/0] 15:41:36
    Local via irb.735
    10.73.7.0/24 *[Direct/0] 15:41:22
    > via irb.737
    10.73.7.254/32 *[Local/0] 15:41:36
    Local via irb.737

    ............

     

    root@labtest-fw2> show arp
    MAC Address         Address       Name          Interface   Flags
    00:0e:c6:8e:3e:9a   10.73.7.11    10.73.7.11    irb.737     none

     

    root@labtest-fw2> ping 10.73.7.1 count 3
    PING 10.73.7.1 (10.73.7.1): 56 data bytes

    --- 10.73.7.1 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss

     
    Problems:

    1. SRX cannot ping back to the client while the client can ping the SRX345, and ARP correctly shows the client's MAC address and IP address.

     

    2. Client cannot ping 10.73.1.1, 10.73.7.1, 10.73.5.1 ( these are sub-interfaces of another L3 device connected to SRX345) ... through the trunk port.

     

    3. When I tried to ping to the client 10.73.7.11 as below:

        root@labtest-fw2> ping 10.73.7.11 interface ge-0/0/2

        the error shows: no route to the host

     

       Any special configuration for the irb interface ?

     
    Many thanks

     



  • 5.  RE: VLAN.IRB trunk issue in SRX340
    Best Answer

    Posted 10-28-2019 23:38

    Two things pop up in your configuration:

     

    1. 'vlan-tagging' on ge-0/0/0 is for when you have several logical units on the same interface with different vlan tags. In this case you define the trunk under family ethernet-switching. Please remove this line.

     

    2. When allowing vlans via an ethernet-switching trunk, you usually refer to vlan names, even though tags should be supported. This is further indicated when you try to tab-complete on allowed vlans:

     

    user@fw# set interfaces ge-0/0/1.0 family ethernet-switching vlan members ?
    Possible completions:
      <name>               VLAN name, tag or range string
      [                    Open a set of values
      all                  All VLANs
      guest                tag(20)
      internal             tag(10)
    

    My guess is that 1) is your issue. If this doesn't solve it, please try to refer to vlan names instead of tags.

     

    ...and remember to revert with the result 🙂

     



  • 6.  RE: VLAN.IRB trunk issue in SRX340

    Posted 10-29-2019 03:12

    Hi, jonashauge,

     

    Great, after reconfiguring the trunk with vlan LABELS ( not vlan numbers ), the trunk port works great, thx a lot.

     

    But the ping test from SRX345 to the client still fails ( whether I configured the interface ge-0/0/2.0 with the vlan label or the vlan number 😞

    Again, "show arp" from the SRX....sees the client's IP and MAC address, but the ping fails.

     

    Thanks a lot

     



  • 7.  RE: VLAN.IRB trunk issue in SRX340

    Posted 10-29-2019 07:14

    BenBen,

     

    Based on your configuration I can see that your topology looks like this:

     

                                 irb.737
    HostA----Trunk----(ge-0/0/0)-SRX
                                  |
                              (ge-0/0/2)
                                  |
                      access port in vlan 737
                                  |
                                  |
                                HostB

     

    Also I understand that you are trying to ping HostB (in above topology). If you run "show arp interface irb.737 no-resolve" and you see HostB's MAC address then the SRX should be generating a ping; it would be important to confirm if that ping is being received by HostB. Can you take a packet capture of HostB to confirm this situation? Can you plug a different device to that port and test the ping?

     

    Also share the following command from the SRX when pinging hostB to confirm if a session is getting created:

     

    > show security flow session protocol icmp destination-prefix [HostB_address]

     
    Please also confirm that HostB is not expecting tagged packets. Note that ge-0/0/2 is configured as an access port, hence the packets will be sent untagged.
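    The check suggested in this reply (does the SRX create an ICMP session toward HostB, and does anything come back through irb.737?) can be read off the "show security flow session" listing mechanically. The script below is an added example, not part of this thread or of Junos: it parses the session list and classifies a ping as "no-session" (the SRX never generated the echo), "no-reply" (the echo left the SRX, zero packets came back, so the next step is the host side: a capture on HostB, its local firewall, or a tagging mismatch) or "reply-seen". The sample output is constructed to approximate the real Junos format and is not a capture from the thread; the addresses come from the configuration posted above and the function names are this example's own.

```python
"""Triage helper for 'show security flow session' output (added example).

Classifies an ICMP ping from the SRX toward a host as:
  no-session  - no ICMP session toward the host exists
  no-reply    - a session exists, packets went out, none came back
  reply-seen  - the host answered
The sample listings are constructed, approximating the Junos format; the
parser and its function names are this example's own, not a Junos API.
"""
import re
import sys

# Constructed sample: echo sent from the SRX's own address, nothing returned.
NO_REPLY_OUTPUT = """\
Session ID: 4132, Policy name: self-traffic-policy/1, Timeout: 2, Valid
  In: 10.73.7.254/22 --> 10.73.7.11/22;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 84,
  Out: 10.73.7.11/22 --> 10.73.7.254/22;icmp, Conn Tag: 0x0, If: irb.737, Pkts: 0, Bytes: 0,
Total sessions: 1
"""

# Constructed sample: the same exchange with the host replying.
REPLY_OUTPUT = """\
Session ID: 4133, Policy name: self-traffic-policy/1, Timeout: 2, Valid
  In: 10.73.7.254/23 --> 10.73.7.11/23;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 84,
  Out: 10.73.7.11/23 --> 10.73.7.254/23;icmp, Conn Tag: 0x0, If: irb.737, Pkts: 1, Bytes: 84,
Total sessions: 1
"""

# Constructed sample: listing with no sessions at all.
EMPTY_OUTPUT = "Total sessions: 0\n"

RE_SESSION = re.compile(r"^Session ID: (\d+),")
# Source/dest carry an ICMP id or port after the slash; capture the addresses,
# the protocol, the egress/ingress interface and the packet counters.
RE_FLOW = re.compile(
    r"^\s*(In|Out): (\S+?)/\d+ --> (\S+?)/\d+;(\w+),.*?"
    r"If: (\S+?), Pkts: (\d+), Bytes: (\d+)"
)


def parse_flow_sessions(text):
    """Return a list of sessions, each with its 'in' and 'out' wing parsed."""
    sessions = []
    for line in text.splitlines():
        m = RE_SESSION.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "in": None, "out": None})
            continue
        m = RE_FLOW.match(line)
        if m and sessions:
            direction, src, dst, proto, ifname, pkts, nbytes = m.groups()
            sessions[-1][direction.lower()] = {
                "src": src, "dst": dst, "proto": proto, "if": ifname,
                "pkts": int(pkts), "bytes": int(nbytes),
            }
    return sessions


def triage_ping(text, host):
    """Classify the state of an ICMP ping from the SRX toward `host`."""
    matching = [
        s for s in parse_flow_sessions(text)
        if s["in"] and s["in"]["proto"] == "icmp" and s["in"]["dst"] == host
    ]
    if not matching:
        return "no-session"
    s = matching[-1]
    # The 'Out' wing counts what came back from the host toward the SRX.
    if s["out"] is None or s["out"]["pkts"] == 0:
        return "no-reply"
    return "reply-seen"


if __name__ == "__main__":
    # Usage: pipe the real listing in, e.g.
    #   ssh fw 'show security flow session protocol icmp' | python3 triage.py 10.73.7.11
    target = sys.argv[1] if len(sys.argv) > 1 else "10.73.7.11"
    data = sys.stdin.read() if not sys.stdin.isatty() else NO_REPLY_OUTPUT
    print(triage_ping(data, target))
```

    A "no-reply" verdict with a correct ARP entry, as in this thread, points at the host side rather than the SRX, which is exactly where the cause eventually turned up.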

     



  • 8.  RE: VLAN.IRB trunk issue in SRX340

    Posted 10-29-2019 08:07

    Are these connectivity issues occurring on this vlan only? Can you try using a vlan tag different from 737 for that subnet?

     



  • 9.  RE: VLAN.IRB trunk issue in SRX340

    Posted 10-29-2019 22:52

    Hi, Guys,

     

    Thanks so much for your kind help.

     

    The issue was entirely my own stupidity; it was a local firewall configuration issue.

     

    Many thanks



  • 10.  RE: VLAN.IRB trunk issue in SRX340

    Posted 10-30-2019 05:18

    Great that everything now works as expected 🙂

     

    I did some testing and, from what I can see, Junos 15.1X49 is missing a commit constraint check on having vlan-tagging and family ethernet-switching on the same interface. In later releases (tested on 19.2 and 19.3) you cannot commit a configuration with both defined on an interface.

     

    Allowing vlans per vlan-id instead of names works as documented. I can allow both vlan names and vlan ids (even a mix of both on the same port). The main issue here was having vlan-tagging defined on a switching interface and Junos not correctly throwing a commit error.
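    Reply 5 identified the vlan-tagging line on the switching trunk as the likely cause, and reply 10 confirms that 15.1X49 simply fails to reject that combination at commit time while 19.x does. On a release that lacks the constraint, the check can be run before commit on the set-format configuration. The script below is an added example, not part of this thread and not Junos code: it re-implements that one constraint, and also resolves every "vlan members" entry against the configured VLANs (by name or by tag, as reply 10 says both are valid) and confirms that each VLAN's l3-interface has a matching irb unit. The sample configuration is constructed from the one posted above with two extra defects planted (an unknown member tag and a VLAN whose irb unit is missing); the function names and the findings text are this example's own.

```python
"""Pre-commit lint for Junos set-format configuration (added example).

Checks, on a set-style config:
  1. 'vlan-tagging' together with 'family ethernet-switching' on one physical
     interface (Junos 15.1X49 lets this commit; later releases reject it).
  2. Every 'vlan members' value resolves to a configured VLAN name or tag.
  3. Every 'l3-interface irb.N' has a matching 'set interfaces irb unit N'.
Function names and messages are this example's own, not a Junos API.
"""
import re
import sys

# Constructed sample, derived from the thread's config with two extra
# defects planted: member tag 739 is undefined and irb.737 has no unit stanza.
SET_CONFIG = """\
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 native-vlan-id 1
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 731
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 739
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members VLAN737
set interfaces irb unit 731 family inet address 10.73.1.254/24
set vlans VLAN731 vlan-id 731
set vlans VLAN731 l3-interface irb.731
set vlans VLAN737 vlan-id 737
set vlans VLAN737 l3-interface irb.737
"""

RE_TAGGING = re.compile(r"^set interfaces (\S+) vlan-tagging$")
RE_SWITCHING = re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching\b")
RE_MEMBER = re.compile(
    r"^set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (\S+)$")
RE_VLAN_ID = re.compile(r"^set vlans (\S+) vlan-id (\d+)$")
RE_VLAN_L3 = re.compile(r"^set vlans (\S+) l3-interface (\S+)$")
RE_IRB_UNIT = re.compile(r"^set interfaces irb unit (\d+)\b")


def parse_set_config(text):
    """Collect the facts the lint needs from 'set ...' lines."""
    cfg = {"tagging": set(), "switching": {}, "members": [], "vlans": {}, "irb_units": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_TAGGING.match(line):
            cfg["tagging"].add(m.group(1))
        if m := RE_SWITCHING.match(line):
            cfg["switching"].setdefault(m.group(1), set()).add(m.group(2))
        if m := RE_MEMBER.match(line):
            cfg["members"].append((f"{m.group(1)}.{m.group(2)}", m.group(3)))
        if m := RE_VLAN_ID.match(line):
            cfg["vlans"].setdefault(m.group(1), {"tag": None, "l3": None})["tag"] = int(m.group(2))
        if m := RE_VLAN_L3.match(line):
            cfg["vlans"].setdefault(m.group(1), {"tag": None, "l3": None})["l3"] = m.group(2)
        if m := RE_IRB_UNIT.match(line):
            cfg["irb_units"].add(m.group(1))
    return cfg


def lint_config(text):
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = parse_set_config(text)
    findings = []
    # 1. The constraint 15.1X49 does not enforce.
    for iface in sorted(cfg["tagging"] & set(cfg["switching"])):
        findings.append(f"{iface}: 'vlan-tagging' and 'family ethernet-switching' on the "
                        f"same interface; later Junos releases reject this at commit")
    # 2. Members may be a VLAN name, a numeric tag, or 'all'.
    names = set(cfg["vlans"])
    tags = {v["tag"] for v in cfg["vlans"].values() if v["tag"] is not None}
    for lif, member in cfg["members"]:
        if member == "all" or member in names or (member.isdigit() and int(member) in tags):
            continue
        findings.append(f"{lif}: vlan member '{member}' matches no configured VLAN name or tag")
    # 3. Each l3-interface must point at an irb unit that actually exists.
    for name, v in sorted(cfg["vlans"].items()):
        if v["l3"] is None:
            continue
        m = re.fullmatch(r"irb\.(\d+)", v["l3"])
        if not m or m.group(1) not in cfg["irb_units"]:
            findings.append(f"{name}: l3-interface {v['l3']} has no matching "
                            f"'set interfaces irb unit' stanza")
    return findings


if __name__ == "__main__":
    # Usage: python3 lint.py < config.set   (or run without input for the sample)
    source = sys.stdin.read() if not sys.stdin.isatty() else SET_CONFIG
    for finding in lint_config(source) or ["no findings"]:
        print(finding)
```

    The script only looks at set-format lines, so export the candidate configuration with "show configuration | display set" and feed it in before committing; the first check is the one that would have caught the trunk problem in this thread on a 15.1X49 box, and stays harmless on releases that already enforce it.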