SRX


VLAN tagging on SRX 100

  • 1.  VLAN tagging on SRX 100

    Posted 09-25-2017 21:13

    Hello everyone.

    I just bought an SRX 100 and deleted all the default config.

    Please consider the following setup:

    Cisco R1 f1 199.199.199.10---------199.199.199.1 f0/0/0 SRX

    Cisco R1 and SRX should talk using dot1q tag 10.

    ISSUE:

    R1 cannot ping 199.199.199.1 because the SRX does not respond to R1's ARP request for 199.199.199.1:

    Capture34.PNG

    SRX Config:


    root> show configuration | display set
    set version 11.4R7.5
    set system root-authentication encrypted-password "$1$K8pkQCB3$PMhEh2V68NzABTnuUWOiv0"
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services web-management http interface vlan.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces fe-0/0/0 vlan-tagging
    set interfaces fe-0/0/0 unit 0 vlan-id 20
    set interfaces fe-0/0/0 unit 0 family inet address 200.200.200.1/24
    set interfaces fe-0/0/0 unit 10 vlan-id 10
    set interfaces fe-0/0/0 unit 10 family inet address 199.199.199.1/24
    set interfaces fe-0/0/1 unit 0
    set interfaces fe-0/0/2 unit 0
    set interfaces fe-0/0/3 unit 0
    set interfaces fe-0/0/4 unit 0
    set interfaces fe-0/0/5 unit 0
    set interfaces fe-0/0/6 unit 0
    set interfaces fe-0/0/7 unit 0
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security zones security-zone TRUST interfaces fe-0/0/0.10 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces fe-0/0/0.10 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces fe-0/0/0.0


    What am I missing?


  • 2.  RE: VLAN tagging on SRX 100

    Posted 09-25-2017 21:22

    Is the R1 port in access mode or trunk mode?



  • 3.  RE: VLAN tagging on SRX 100

    Posted 09-26-2017 07:51

    According to the pcap, the ARP request is tagged.

    SRX100 uses 10/100 interfaces--is the link negotiated correctly?

    What does 'monitor traffic interface fe-0/0/0.10' show on the SRX during the ping attempt?



  • 4.  RE: VLAN tagging on SRX 100

    Posted 09-26-2017 12:21

    The R1 port is a subinterface which expects a dot1q tag from the SRX.

    This is what I see on the capture.

    1)  The SRX sends traffic as untagged out of f0/0/0 even though we have configured it with vlan-tagging, which is why R1 ignores the traffic, as there is no tag.
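
Added example, not part of the original thread: the capture observations in replies 3 and 4 come down to whether each frame carries an 802.1Q tag with VLAN ID 10. This Python sketch performs that check on raw Ethernet frames; the function names, MAC addresses and sample frames are constructed for illustration and are not taken from the poster's capture.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
ETH_ARP = 0x0806

def parse_vlan(frame: bytes):
    """Return (vlan_id or None, payload EtherType) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype            # untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner            # low 12 bits of the TCI are the VLAN ID

def tag_report(frames, expected_vid):
    """Label each (name, frame) pair as ok / untagged / wrong-vlan(N)."""
    report = {}
    for name, frame in frames:
        vid, _ = parse_vlan(frame)
        if vid is None:
            report[name] = "untagged"
        elif vid != expected_vid:
            report[name] = f"wrong-vlan({vid})"
        else:
            report[name] = "ok"
    return report

# Constructed sample frames (hypothetical MACs, IPs from the post's diagram).
R1_MAC = bytes.fromhex("020000000001")
SRX_MAC = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6
R1_IP = bytes([199, 199, 199, 10])
SRX_IP = bytes([199, 199, 199, 1])

def arp(op, sha, spa, tha, tpa):
    """Build an IPv4-over-Ethernet ARP payload (op 1 = request, 2 = reply)."""
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

tagged_request = (BCAST + R1_MAC + struct.pack("!HH", TPID_8021Q, 10)
                  + struct.pack("!H", ETH_ARP)
                  + arp(1, R1_MAC, R1_IP, b"\0" * 6, SRX_IP))
untagged_reply = (R1_MAC + SRX_MAC + struct.pack("!H", ETH_ARP)
                  + arp(2, SRX_MAC, SRX_IP, R1_MAC, R1_IP))

if __name__ == "__main__":
    print(tag_report([("R1 ARP request", tagged_request),
                      ("SRX ARP reply", untagged_reply)], expected_vid=10))
```
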

     

     



  • 5.  RE: VLAN tagging on SRX 100
    Best Answer

    Posted 09-27-2017 00:20

    I don't see an issue with the config. Try a reboot of the SRX; if that doesn't fix it, try upgrading to any of the latest versions like 12.1X46 or 12.3X48, as 11.4 is very old.