vSRX

vSRX vlan-tagging or irb not working

04-20-2017 03:25 PM

Hi Guys,

I am configuring an interface with vlan-tagging and traffic is not passing through on vSRX 15.1X49 - D70.3.

Please see attachments.

Same behavior of IRB interface and ethernet-switching.

Any ideas why?

Thanks!


Re: vSRX vlan-tagging or irb not working

04-20-2017 09:04 PM

Hi,

Have you tried putting this interface in any zone with host-inbound-traffic accordingly?

Thanks,

Vikas


Re: vSRX vlan-tagging or irb not working

04-24-2017 03:52 PM

Hi,

Yes, I did. The problem is still there.

It's weird that the same setup works fine on physical SRX but not on vSRX.

Has anyone experienced this issue?

Thanks,

Alex.


Re: vSRX vlan-tagging or irb not working

05-04-2017 07:18 PM

Maybe the feature is not supported in the vSRX?

https://www.juniper.net/documentation/en_US/vsrx15.1x49/topics/concept/security-vsrx-feature-support...

Can you provide a sanitized output of the configuration?


Re: vSRX vlan-tagging or irb not working

05-10-2017 05:48 PM

Please find below the config...

set version 15.1X49-D80.4
set system host-name test-vSRX
set system services ssh
set system services dhcp-local-server group JDHCP interface irb.88
set security flow traceoptions file nodhcptrace
set security flow traceoptions file size 1m
set security flow traceoptions file files 2
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter outgoing source-prefix 10.3.88.1/24
set security nat source rule-set lan-to-untrust from zone LAN
set security nat source rule-set lan-to-untrust to zone UNTRUST
set security nat source rule-set lan-to-untrust rule source-nat-lan match source-address 10.3.80.0/24
set security nat source rule-set lan-to-untrust rule source-nat-lan then source-nat interface
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 native-vlan-id 89
set interfaces ge-0/0/1 unit 0 vlan-id 89
set interfaces ge-0/0/1 unit 0 family inet address 10.3.89.1/24
set interfaces ge-0/0/1 unit 88 vlan-id 88
set interfaces ge-0/0/1 unit 88 family inet address 10.3.88.1/24
set access address-assignment pool pool-subnet88 family inet network 10.3.88.0/24
set access address-assignment pool pool-subnet88 family inet range range-subnet88 low 10.3.88.50
set access address-assignment pool pool-subnet88 family inet range range-subnet88 high 10.3.88.80
set access address-assignment pool pool-subnet88 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool pool-subnet88 family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool pool-subnet88 family inet dhcp-attributes router 10.3.88.1
set access address-assignment pool pool-subnet88 family inet dhcp-attributes option 3 ip-address 10.3.88.1

Thanks!


Re: vSRX vlan-tagging or irb not working

05-11-2017 01:50 AM

How is the port-group configured on your hypervisor? On VMware you have to define a port-group with vlan-id 4095 to allow tagged traffic. I'm not sure that it supports native-vlan mapping.

Please notice that ethernet-switching and irb's are not supported on vSRX - so using vlan-tagging on ge-0/0/0 or ge-0/0/1 is the right approach.

Example from my test-setup via a vSRX running 15.1x49-d75:

vmware-vsrx.PNG

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)
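
An added example, not written by any poster in this thread: a small Python check over Junos `set`-format configuration for the two points the replies raise, namely whether each routed logical interface is bound to a security zone, and whether anything still references an `irb` unit or another interface that is not defined. The sample input is constructed from the interface, zone and DHCP lines of the configuration posted above; the function name `audit` and the result keys are hypothetical.

```python
import re

# Constructed sample: interface, zone and DHCP lines taken from the posted config.
SAMPLE = """\
set system services dhcp-local-server group JDHCP interface irb.88
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone LAN host-inbound-traffic system-services all
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set interfaces ge-0/0/1 unit 0 vlan-id 89
set interfaces ge-0/0/1 unit 0 family inet address 10.3.89.1/24
set interfaces ge-0/0/1 unit 88 vlan-id 88
set interfaces ge-0/0/1 unit 88 family inet address 10.3.88.1/24
"""

UNIT = re.compile(r"^set interfaces (\S+) unit (\d+) family inet\b")
ZONE = re.compile(r"^set security zones security-zone (\S+)")
ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
DHCP_IF = re.compile(r"^set system services dhcp-local-server group \S+ interface (\S+)")

def audit(config):
    """Cross-check logical interfaces against zone bindings and DHCP references."""
    units, zones, dhcp = set(), set(), set()
    zoned = {}  # logical interface -> security zone it is bound to
    for line in config.splitlines():
        line = line.strip()
        if m := UNIT.match(line):
            units.add(f"{m.group(1)}.{m.group(2)}")
        if m := ZONE.match(line):
            zones.add(m.group(1))
        if m := ZONE_IF.match(line):
            zoned[m.group(2)] = m.group(1)
        if m := DHCP_IF.match(line):
            dhcp.add(m.group(1))
    referenced = dhcp | set(zoned)
    return {
        # family inet units that no security zone lists under "interfaces"
        "unzoned_units": sorted(units - set(zoned)),
        # zones that are configured but have no interface bound to them
        "empty_zones": sorted(zones - set(zoned.values())),
        # interfaces named by a zone or the DHCP server but never defined
        "undefined_refs": sorted(referenced - units),
        # any remaining irb references
        "irb_refs": sorted(i for i in referenced if i.startswith("irb.")),
    }

if __name__ == "__main__":
    for finding, items in audit(SAMPLE).items():
        print(f"{finding}: {items}")
```
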

Re: vSRX vlan-tagging or irb not working

06-05-2017 12:47 AM

Hello,

Can you share the topology? I want to see how you are connecting your vSRX ge-0/0/1.88 interface to adjacent vswitch or external switch.

Is vSwitch or Distributed switch connected to vSRX enabled for Virtual Guest tagging (where vSRX i.e. VM and external switch or other VM understand vlan tagging and the vSwitch/dvswitch just passes them)?

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=10038...

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=10042...

Regards,

Rushi