SRX

  • 1.  no route to host- on LAG interfaces

    Posted 07-11-2017 05:45

    I have configured a LAG using LACP between SRX 4100 and Cisco ASA.

The link is showing up, but I can't ping from the SRX, not even its own interface; I'm getting "no route to host".

SRX configuration:

    set chassis aggregated-devices ethernet device-count 1

    set interfaces xe-0/0/3 ether-options 802.3ad ae0
    set interfaces xe-0/0/4 ether-options 802.3ad ae0
    set interfaces ae0 aggregated-ether-options lacp active
    set interfaces ae0 unit 0 family inet address 10.212.5.254/24
    set vlans INTERFW interface ae0.0

    set security zones security-zone INTERFW interfaces ae0.0 host-inbound-traffic system-services all

Cisco ASA:

    interface Port-channel3.2205
    vlan 2205
    nameif INTERFW
    security-level 10
    ip address 10.212.5.1 255.255.255.0

    access-group INTERFW_IN in interface INTERFW

    access-list INTERFW_IN extended permit ip any any log 

    interface GigabitEthernet0/3
    channel-group 3 mode active
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/4
    channel-group 3 mode active
    no nameif
    no security-level
    no ip address

    root@> ping 10.212.5.1
    PING 10.212.5.1 (10.212.5.1): 56 data bytes
    ping: sendto: No route to host
    ping: sendto: No route to host
    ^C
    --- 10.212.5.1 ping statistics ---
    2 packets transmitted, 0 packets received, 100% packet loss

    root@> ping 10.212.5.254
    PING 10.212.5.254 (10.212.5.254): 56 data bytes
    ping: sendto: No route to host
    ping: sendto: No route to host

Any idea what I am missing?



  • 2.  RE: no route to host- on LAG interfaces

    Posted 07-11-2017 06:16

It looks like you're tagging traffic on the Cisco with VLAN 2205 but not on the Juniper side?



  • 3.  RE: no route to host- on LAG interfaces

    Posted 07-11-2017 06:23

    I believe I am tagging on Juniper side as well.

    set vlans INTERFW vlan-id 2205
    set vlans INTERFW interface ae0.0



  • 4.  RE: no route to host- on LAG interfaces
    Best Answer

    Posted 07-11-2017 07:01

Try this:

    del interfaces ae0 unit 0
    set interfaces ae0 vlan-tagging
    set interfaces ae0 unit 2205 vlan-id 2205
    set interfaces ae0 unit 2205 family inet address 10.212.5.254/24
    
    copy security zones security-zone INTERFW interfaces ae0.0 to ae0.2205 
    del security zones security-zone INTERFW interfaces ae0.0 


  • 5.  RE: no route to host- on LAG interfaces

    Posted 07-11-2017 07:08

That works a charm and the issue is sorted.

Could you please explain how this works? I am not a Juniper guru.



  • 6.  RE: no route to host- on LAG interfaces

    Posted 07-11-2017 07:17

On most Juniper devices you can have both switching ports with VLAN trunks and routed/layer-3 ports with "subinterfaces". Switch ports are configured as "family ethernet-switching", whereas layer-3 interfaces are configured as "family inet" or "family inet6".

Overall you cannot have both switching and layer-3 ports on the same interface, so you have to choose which direction you want to go.

If you were to do the proposed solution with VLANs and switching, you would do something like this:

    set chassis aggregated-devices ethernet device-count 1
    set interfaces xe-0/0/3 ether-options 802.3ad ae0
    set interfaces xe-0/0/4 ether-options 802.3ad ae0
    set interfaces ae0 aggregated-ether-options lacp active
    set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ae0 unit 0 family ethernet-switching vlan members INTERFW
    set vlans INTERFW l3-interface irb.2205
set vlans INTERFW vlan-id 2205
set interfaces irb unit 2205 family inet address 10.212.5.254/24
set security zones security-zone INTERFW interfaces irb.2205

In my own opinion, I try to avoid switching on firewalls if they are in a chassis cluster. It works, but it adds more complexity in regard to failover, fabric links, etc.



  • 7.  RE: no route to host- on LAG interfaces

    Posted 07-11-2017 07:20

And btw... the SRX4100 and SRX4200 series do not have a switching chip, so you can only do it as described by smicker 🙂



  • 8.  RE: no route to host- on LAG interfaces

    Posted 07-11-2017 07:29

Sure--you can provide layer-3 services to an interface receiving tagged traffic in two ways: by tagging a layer-3 subinterface (mapped to a VLAN ID), or by creating a routed VLAN interface (SVI in Cisco) that is mapped to a vlan-id via the l3-interface option. Simply assigning a layer-3 interface (ae0.0 in your first example) to a layer-2 VLAN doesn't work, though it seems logical to do so.

    set interfaces ae0 vlan-tagging
    set interfaces ae0 unit 2205 vlan-id 2205
    set interfaces ae0 unit 2205 family inet address 10.212.5.254/24

    or

    set interfaces vlan unit 2205 family inet address 10.212.5.254/24
    set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae0 unit 0 family ethernet-switching vlan members INTERFW
    set vlans INTERFW vlan-id 2205
    set vlans INTERFW l3-interface vlan.2205

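To make the distinction in the replies above checkable before commit, here is an added example (not Juniper tooling, not code from any poster) that lints a list of Junos "set" statements for the three pitfalls this thread touches: a family-inet unit listed as a layer-2 VLAN member (the original post), a unit with vlan-id whose parent interface lacks vlan-tagging, and a security zone that still references a unit that no longer exists after the fix. The configs embedded at the bottom are constructed from the original post and the best answer.

```python
def parse(config_text):
    """Collect per-unit facts from Junos 'set ...' lines."""
    units = {}                    # "ae0.2205" -> {"family": "inet", "vlan_id": "2205"}
    tagging, vlan_members, zone_ifls = set(), [], []
    for line in config_text.splitlines():
        w = line.split()
        if w[:2] == ["set", "interfaces"]:
            if w[3:4] == ["vlan-tagging"]:
                tagging.add(w[2])
            elif w[3:4] == ["unit"]:
                facts = units.setdefault(f"{w[2]}.{w[4]}", {})  # the unit now counts as defined
                if w[5:6] == ["family"]:
                    facts["family"] = w[6]
                elif w[5:6] == ["vlan-id"]:
                    facts["vlan_id"] = w[6]
        elif w[:2] == ["set", "vlans"] and w[3:4] == ["interface"]:
            vlan_members.append((w[2], w[4]))          # (vlan name, member unit)
        elif w[:3] == ["set", "security", "zones"] and w[5:6] == ["interfaces"]:
            zone_ifls.append((w[4], w[6]))             # (zone name, referenced unit)
    return units, tagging, vlan_members, zone_ifls

def lint(config_text):
    """Return human-readable findings; an empty list means all three checks pass."""
    units, tagging, vlan_members, zone_ifls = parse(config_text)
    findings = []
    for vlan, ifl in vlan_members:                     # L3 unit attached to an L2 vlan
        if units.get(ifl, {}).get("family") == "inet":
            findings.append(f"{ifl} is family inet but is an L2 member of vlan {vlan}")
    for ifl, facts in units.items():                   # tagged unit without vlan-tagging
        ifd = ifl.split(".")[0]
        if "vlan_id" in facts and ifd not in tagging:
            findings.append(f"{ifl} has vlan-id {facts['vlan_id']} but {ifd} lacks vlan-tagging")
    for zone, ifl in zone_ifls:                        # zone pointing at a deleted unit
        if ifl not in units:
            findings.append(f"zone {zone} references {ifl}, which is not configured")
    return findings

# Constructed inputs: the original post's config and the best-answer version of it.
BROKEN = """set interfaces ae0 unit 0 family inet address 10.212.5.254/24
set vlans INTERFW vlan-id 2205
set vlans INTERFW interface ae0.0
set security zones security-zone INTERFW interfaces ae0.0 host-inbound-traffic system-services all"""
FIXED = """set interfaces ae0 vlan-tagging
set interfaces ae0 unit 2205 vlan-id 2205
set interfaces ae0 unit 2205 family inet address 10.212.5.254/24
set security zones security-zone INTERFW interfaces ae0.2205 host-inbound-traffic system-services all"""
```

`lint(BROKEN)` reports the single ae0.0 finding, while `lint(FIXED)` returns an empty list.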

  • 9.  RE: no route to host- on LAG interfaces

    Posted 07-11-2017 07:37

    Thanks for clarification guys, much appreciated.