vSRX vlan-tagging or irb not working

‎04-20-2017 03:25 PM

Hi Guys,

I am configuring an interface with vlan-tagging and traffic is not passing through on vSRX 15.1X49-D70.3

Please see attachments

Same behavior of IRB interface and ethernet-switching

Any ideas why?

Thanks!


Re: vSRX vlan-tagging or irb not working

‎04-20-2017 09:04 PM

Hi,

Have you tried putting this interface in any zone with host-inbound-traffic accordingly?

Thanks,

Vikas


Re: vSRX vlan-tagging or irb not working

‎04-24-2017 03:52 PM

Hi,

Yes, I did. The problem is still there.

It's weird that the same setup works fine on physical SRX but not on vSRX.

Has anyone experienced this issue?

Thanks,

Alex.


Re: vSRX vlan-tagging or irb not working

05-04-2017 07:18 PM

Maybe the feature is not supported in the vSRX?

https://www.juniper.net/documentation/en_US/vsrx15.1x49/topics/concept/security-vsrx-feature-support...

Can you provide a sanitized output of the configuration?


Re: vSRX vlan-tagging or irb not working

‎05-10-2017 05:48 PM

Please find below the config...

set version 15.1X49-D80.4
set system host-name test-vSRX
set system services ssh
set system services dhcp-local-server group JDHCP interface irb.88
set security flow traceoptions file nodhcptrace
set security flow traceoptions file size 1m
set security flow traceoptions file files 2
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter outgoing source-prefix 10.3.88.1/24
set security nat source rule-set lan-to-untrust from zone LAN
set security nat source rule-set lan-to-untrust to zone UNTRUST
set security nat source rule-set lan-to-untrust rule source-nat-lan match source-address 10.3.80.0/24
set security nat source rule-set lan-to-untrust rule source-nat-lan then source-nat interface
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 native-vlan-id 89
set interfaces ge-0/0/1 unit 0 vlan-id 89
set interfaces ge-0/0/1 unit 0 family inet address 10.3.89.1/24
set interfaces ge-0/0/1 unit 88 vlan-id 88
set interfaces ge-0/0/1 unit 88 family inet address 10.3.88.1/24
set access address-assignment pool pool-subnet88 family inet network 10.3.88.0/24
set access address-assignment pool pool-subnet88 family inet range range-subnet88 low 10.3.88.50
set access address-assignment pool pool-subnet88 family inet range range-subnet88 high 10.3.88.80
set access address-assignment pool pool-subnet88 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool pool-subnet88 family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool pool-subnet88 family inet dhcp-attributes router 10.3.88.1
set access address-assignment pool pool-subnet88 family inet dhcp-attributes option 3 ip-address 10.3.88.1

 

Thanks !
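
The zone-binding question asked in the first reply can be checked mechanically against a configuration in `set` format. The following is an added example, not part of any post in this thread: a Python check (the function name `audit` is hypothetical) that reports logical units bound to no security zone, zones that contain no interfaces, and DHCP server interfaces that are not defined. The sample input is a constructed subset of the lines posted above.

```python
import re

# Constructed sample: a subset of the "set" lines from the configuration posted above.
SAMPLE = """\
set system services dhcp-local-server group JDHCP interface irb.88
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 unit 0 vlan-id 89
set interfaces ge-0/0/1 unit 0 family inet address 10.3.89.1/24
set interfaces ge-0/0/1 unit 88 vlan-id 88
set interfaces ge-0/0/1 unit 88 family inet address 10.3.88.1/24
"""

UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\d+)\b")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+)(?: interfaces (\S+))?")
DHCP_RE = re.compile(r"^set system services dhcp-local-server group \S+ interface (\S+)")

def audit(config):
    """Return (finding, name) tuples for zone and DHCP binding gaps."""
    units, zones, zoned, dhcp_ifs = set(), set(), {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := UNIT_RE.match(line):
            units.add(f"{m.group(1)}.{m.group(2)}")
        elif m := ZONE_RE.match(line):
            zones.add(m.group(1))
            if m.group(2):
                # Junos treats a bare interface name in a zone as unit 0.
                name = m.group(2)
                key = name if "." in name or name == "all" else name + ".0"
                zoned[key] = m.group(1)
        elif m := DHCP_RE.match(line):
            dhcp_ifs.add(m.group(1))
    findings = []
    # Flow mode drops traffic on a logical interface that belongs to no zone.
    if "all" not in zoned:  # "interfaces all" binds every unit to that zone
        findings += [("no-zone", u) for u in sorted(units - set(zoned))]
    findings += [("empty-zone", z) for z in sorted(zones - set(zoned.values()))]
    findings += [("dhcp-undefined-interface", i) for i in sorted(dhcp_ifs - units)]
    return findings

if __name__ == "__main__":
    for kind, name in audit(SAMPLE):
        print(f"{kind}: {name}")
```
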


Re: vSRX vlan-tagging or irb not working

‎05-11-2017 01:50 AM

How is the port-group configured on your hypervisor? On VMware you have to define a port-group with vlan-id 4095 to allow tagged traffic. I'm not sure that it supports native-vlan mapping.

Please notice that ethernet-switching and irb's are not supported on vSRX - so using vlan-tagging on ge-0/0/0 or ge-0/0/1 is the right approach.

Example from my test-setup via a vSRX running 15.1x49-d75:

vmware-vsrx.PNG

--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)

Re: vSRX vlan-tagging or irb not working

‎06-05-2017 12:47 AM

Hello,

Can you share the topology? I want to see how you are connecting your vSRX ge-0/0/1.88 interface to adjacent vswitch or external switch.

Is vSwitch or Distributed switch connected to vSRX enabled for Virtual Guest tagging (where vSRX i.e. VM and external switch or other VM understand vlan tagging and the vSwitch/dvswitch just passes them)?

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=10038...

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=10042...

Regards,

Rushi


Re: vSRX vlan-tagging or irb not working

06-26-2018 01:35 AM

I am also facing the same problem. Vlan-tagging isn't working for vSRX. Topology and vSRX configuration have been given for your reference. Kindly let me know whether Inter-Vlan is possible on vSRX or not?

N.B. This configuration is working on SRX340 in practical scenario.

Thanks in advance. 


Re: vSRX vlan-tagging or irb not working

‎06-27-2018 05:11 AM

Hello,

Are you trying this on VMware deployment or KVM?

Can you share vswitch/ovs bridge configuration for interfaces connecting to any of the PCs & interface connected to vSRX?

Regards,

Rushi