I have read a lot of articles about the VLAN/IRB issue in SRX, but no solution has been found up to this moment.
I am running an SRX345 with JUNOS "15.1X49-D110.4". No matter whether the global mode is "switch" or "transparent-bridge",
the trunk port in the SRX cannot ping the VLAN IRB interface or the VLAN segment in the SRX (the SRX345 is the gateway).
Any solution/suggestion? Thanks.
Could you please elaborate a bit more on your setup/requirement?
Clients --- SRX340 (L2/L3 mode as GW) ---- L3 connection --- Gateway
I'm running SRX300 with trunk ports vlans and attached irb's in different security zones and it works fine. Yes, there were issues in the earlier 15.1X49 releases (pre 15.1X49-D70 as I remember).
So please provide information regarding the setup you have, the configuration and what does not work - then we'll do our best to help you.
My configuration is straightforward, as below:
set security zones security-zone Internal host-inbound-traffic system-services all
set security zones security-zone Internal host-inbound-traffic protocols all
set security zones security-zone Internal interfaces irb.731 host-inbound-traffic system-services all
set security zones security-zone Internal interfaces irb.731 host-inbound-traffic protocols all
set security zones security-zone Internal interfaces irb.735 host-inbound-traffic system-services all
set security zones security-zone Internal interfaces irb.735 host-inbound-traffic protocols all
set security zones security-zone Internal interfaces irb.737 host-inbound-traffic system-services all
set security zones security-zone Internal interfaces irb.737 host-inbound-traffic protocols all
set security zones security-zone Internal interfaces irb.733 host-inbound-traffic system-services all
set security zones security-zone Internal interfaces irb.733 host-inbound-traffic protocols all
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 native-vlan-id 1
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 731
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 733
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 735
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 737

set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 737

set interfaces irb unit 731 family inet address 10.73.1.254/24
set interfaces irb unit 733 family inet address 10.73.3.254/24
set interfaces irb unit 735 family inet address 10.73.5.254/24
set interfaces irb unit 737 family inet address 10.73.7.254/24
set routing-options static route 0.0.0.0/0 next-hop 10.73.7.1

set vlans VLAN731 vlan-id 731
set vlans VLAN731 l3-interface irb.731
set vlans VLAN733 vlan-id 733
set vlans VLAN733 l3-interface irb.733
set vlans VLAN735 vlan-id 735
set vlans VLAN735 l3-interface irb.735
set vlans VLAN737 vlan-id 737
set vlans VLAN737 l3-interface irb.737
root@labtest-fw2> show ethernet-switching global-information
Global Configuration:

MAC aging interval     : 300
MAC learning           : Enabled
MAC statistics         : Disabled
MAC limit Count        : 16383
MAC limit hit          : Disabled
MAC packet action drop : Disabled
LE aging time          : 1200
LE VLAN aging time     : 1200
Global Mode            : Switching
root@labtest-fw2> show interfaces ge-0/0/0 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   eth-switch
ge-0/0/0.32767          up    up

root@labtest-fw2> show interfaces ge-0/0/2 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/2                up    up
ge-0/0/2.0              up    up   eth-switch
root@labtest-fw2> show ethernet-switching interface ge-0/0/0
Routing Instance Name : default-switch
.............
Logical        Vlan        TAG   MAC     STP          Logical      Tagging
interface      members           limit   state        interface flags
ge-0/0/0.0                       16383                             tagged
               VLAN731     731   16383   Forwarding                tagged
               VLAN733     733   16383   Forwarding                tagged
               VLAN735     735   16383   Forwarding                tagged
               VLAN737     737   16383   Forwarding                tagged

root@labtest-fw2> show ethernet-switching interface ge-0/0/2
Routing Instance Name : default-switch
.........
Logical        Vlan        TAG   MAC     STP          Logical      Tagging
interface      members           limit   state        interface flags
ge-0/0/2.0                       16383                             untagged
               VLAN737     737   16383   Forwarding                untagged
root@labtest-fw2> show ethernet-switching table
..................
Ethernet switching table : 1 entries, 1 learned
Routing instance : default-switch
    Vlan        MAC                 MAC       Age   Logical          NH     RTR
    name        address             flags           interface        Index  ID
    VLAN737     00:0e:c6:8e:3e:9a   D         -     ge-0/0/2.0       0      0
root@labtest-fw2> show route

inet.0: 19 destinations, 20 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 15:41:21
                    > to 10.73.7.1 via irb.737
                    [Static/100] 15:41:21
                    > to 10.73.3.1 via irb.733
10.73.1.0/24       *[Direct/0] 15:41:22
                    > via irb.731
10.73.1.254/32     *[Local/0] 15:41:36
                      Local via irb.731
10.73.3.0/24       *[Direct/0] 15:41:22
                    > via irb.733
10.73.3.254/32     *[Local/0] 15:41:36
                      Local via irb.733
10.73.5.0/24       *[Direct/0] 15:41:22
                    > via irb.735
10.73.5.254/32     *[Local/0] 15:41:36
                      Local via irb.735
10.73.7.0/24       *[Direct/0] 15:41:22
                    > via irb.737
10.73.7.254/32     *[Local/0] 15:41:36
                      Local via irb.737
root@labtest-fw2> show arp
MAC Address         Address          Name             Interface   Flags
00:0e:c6:8e:3e:9a   10.73.7.11       10.73.7.11       irb.737     none
root@labtest-fw2> ping 10.73.7.1 count 3
PING 10.73.7.1 (10.73.7.1): 56 data bytes

--- 10.73.7.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
1. The SRX cannot ping back to the client, while the client can ping the SRX345, and the ARP table correctly shows the client's MAC address and IP address.
2. The client cannot ping 10.73.1.1, 10.73.7.1 or 10.73.5.1 (these are sub-interfaces of another L3 device connected to the SRX345) through the trunk port.
3. When I tried to ping the client 10.73.7.11 as below:
root@labtest-fw2> ping 10.73.7.11 interface ge-0/0/2
the error shows: no route to the host
Any special configuration for the irb interface?
Two things pop up in your configuration:
1. 'vlan-tagging' on ge-0/0/0 is for when you have several logical units on the same interface with different VLAN tags. In this case you define the trunk under family ethernet-switching. Please remove this line.
2. When allowing VLANs via an ethernet-switching trunk, you usually refer to VLAN names, even though tags should be supported. This is further indicated when you try to tab-complete on allowed VLANs:
user@fw# set interfaces ge-0/0/1.0 family ethernet-switching vlan members ?
<name> VLAN name, tag or range string
[ Open a set of values
all All VLANs
My guess is that 1) is your issue. If this doesn't solve it, please try to refer to VLAN names instead of tags.
...and remember to revert with the result 🙂
Great, after reconfiguring the trunk with VLAN labels (not VLAN numbers), the trunk port works great, thx a lot.
But the ping test from the SRX345 to the client still fails (no matter whether I change the interface ge-0/0/2.0 to the VLAN label or the VLAN number 😞
Again, "show arp" from the SRX sees the client's IP and MAC address, but ping fails.
Thanks a lot
Based on your configuration I can see that your topology looks like this:
(topology diagram: HostB on an access port in VLAN 737)
Also I understand that you are trying to ping HostB (in above topology). If you run "show arp interface irb.737 no-resolve" and you see HostB's MAC address then the SRX should be generating a ping; it would be important to confirm if that ping is being received by HostB. Can you take a packet capture of HostB to confirm this situation? Can you plug a different device to that port and test the ping?
Also share the following command from the SRX when pinging hostB to confirm if a session is getting created:
> show security flow session protocol icmp destination-prefix [HostB_address]
Please also confirm that HostB is not expecting tagged packets. Note that ge-0/0/2 is configured as an access port, hence the packets will be sent untagged.
Are these connectivity issues occurring on this VLAN only? Can you try using a VLAN tag different from 737 for that subnet?
Thanks so much for your kind help.
The issue is my complete stupidity: it was a local firewall configuration issue.
Great that everything now works as expected 🙂
I did some testing and from what I can see, Junos 15.1X49 is missing a commit constraint check on having vlan-tagging and family ethernet-switching on the same interface. In later releases (tested on 19.2 and 19.3) you cannot commit a configuration with both defined on an interface.
Allowing vlans per vlan-id instead of names works as documented. I can both allow vlan names and vlan id (even a mix of both on the same port). The main issue here was having vlan-tagging defined on a switching interface and Junos not correctly throwing a commit error.
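The missing commit check described above can be reproduced offline as a lint over the set-format configuration. This is an added example, not Juniper code: it groups `set interfaces <ifd> ...` lines per physical interface and flags any interface that has both `vlan-tagging` and a `family ethernet-switching` unit, while leaving the legitimate case (vlan-tagging with `family inet` sub-units) alone. The sample config is constructed from the thread; `ge-0/0/7` and `192.0.2.1/30` are made-up values for the legitimate case.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format, modelled on the configuration
# posted in the thread. ge-0/0/0 combines vlan-tagging with an
# ethernet-switching trunk unit (the combination 15.1X49 accepted silently);
# ge-0/0/7 is a made-up, legitimate use of vlan-tagging with inet sub-units.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 native-vlan-id 1
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 731
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 737
set interfaces ge-0/0/7 vlan-tagging
set interfaces ge-0/0/7 unit 100 vlan-id 100
set interfaces ge-0/0/7 unit 100 family inet address 192.0.2.1/30
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) (.*)$")


def parse_interfaces(config):
    """Map each physical interface name to the statements set under it."""
    stanzas = defaultdict(list)
    for raw in config.splitlines():
        m = IFACE_RE.match(raw.strip())
        if m:
            stanzas[m.group(1)].append(m.group(2))
    return stanzas


def check_vlan_tagging_conflicts(config):
    """Return physical interfaces that carry both 'vlan-tagging' and a
    'family ethernet-switching' unit: the mix later Junos rejects at commit."""
    conflicts = []
    for ifd, stmts in sorted(parse_interfaces(config).items()):
        has_tagging = any(s == "vlan-tagging" for s in stmts)
        has_switching = any("family ethernet-switching" in s for s in stmts)
        if has_tagging and has_switching:
            conflicts.append(ifd)
    return conflicts


if __name__ == "__main__":
    for ifd in check_vlan_tagging_conflicts(SAMPLE_CONFIG):
        print(f"{ifd}: delete 'vlan-tagging'; the trunk is defined under "
              "family ethernet-switching")
```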