SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  vSRX 3.0 transparent mode not changing to ethernet-switching

    Posted 08-03-2020 00:32

    Hello experts,

    Hope you are doing well.

    I'm very new to Juniper and have been tasked with testing the Juniper vSRX. The issue I'm having is that I can't get my irb interfaces inside the trust zone. After researching in forums, I've found that transparent mode needs to be disabled by putting in the command "set protocols l2-learning global-mode switching" and then rebooting. I've done this, but even after rebooting the vSRX shows Global mode as Transparent bridge (see img vsrx1.jpg). Please can someone advise if I'm missing anything, or if this is a bug, etc.? Below is the config. I just want to test that the devices in VLAN 10 and 20 are able to communicate with the internet. Your advice/help is much appreciated.

     

    root> show configuration
    ## Last commit: 2020-08-03 07:28:32 UTC by root
    version 20200609.165031.6_builder.r1115480;
    system {
        root-authentication {
            encrypted-password "$6$mr8vHc28$cDObHnV2hYL7zS7XD8et/FWGOjFeuJtbJFpyNBiESLvR4xZlpYLvijo5icJbYt8NpVRS37dTsmKGuAD5clKIq0"; ## SECRET-DATA
        }
        services {
            ssh;
            web-management {
                http {
                    interface fxp0.0;
                }
                https {
                    system-generated-certificate;
                    interface [ fxp0.0 ge-0/0/0.0 ];
                }
            }
        }
        domain-name www.vsrx3.com;
        name-server {
            4.2.2.2;
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000; ## Warning: 'queue-size' is deprecated
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set LAN-TO-WAN {
                    from zone trust;
                    to zone untrust;
                    rule LAN-TO-WAN {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                tcp-rst;
                host-inbound-traffic {
                    system-services {
                        all;
                        ping;
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                https;
                                ssh;
                                telnet;
                                snmp;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.0.200/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ WIRED WLAN ALL all ];
                    }
                }
            }
        }
        fxp0 {
            unit 0;
        }
        irb {
            unit 10 {
                family inet {
                    address 10.10.10.1/24;
                }
            }
            unit 20 {
                family inet {
                    address 10.10.20.1/24;
                }
            }
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.0.1;
        }
    }
    vlans {
        WIRED {
            vlan-id 20;
            l3-interface irb.20;
        }
        WLAN {
            vlan-id 10;
            l3-interface irb.10;
        }
    }

    root>


    #Transparent
    #vSRX
    #ethernetswitching


  • 2.  RE: vSRX 3.0 transparent mode not changing to ethernet-switching
    Best Answer

    Posted 08-03-2020 02:02

    Hi,

     

    Ethernet switching is not supported on vSRX; only branch SRX devices have this capability.

     

    For a list of supported features on vSRX, please see this link: https://www.juniper.net/documentation/en_US/vsrx/topics/concept/security-vsrx-feature-support.html

     

    Instead of doing switching trunk, just change ge-0/0/1 to a vlan-tagged interface with IPs defined directly on the logical units:

    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1.10 vlan-id 10
    set interfaces ge-0/0/1.10 family inet address 10.10.10.1/24
    set security zones security-zone trust interfaces ge-0/0/1.10

     ...and remember to delete the vlans and irb interfaces 🙂

     

    I hope this helps.
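    The commands in the answer above cover VLAN 10 only; the following is an added, complete set-command sequence for both VLANs from the original post (it is not the answer author's configuration). It assumes the original poster's addressing (10.10.10.1/24 for VLAN 10, 10.10.20.1/24 for VLAN 20), that the device on the far end of ge-0/0/1 is an 802.1Q trunk carrying both VLAN IDs, and that the existing trust-to-untrust policy and the LAN-TO-WAN interface source NAT rule stay as they are, since they already cover routed traffic from the new logical units.

```junos
## Added example (not the thread's configuration): replace the unsupported
## ethernet-switching/irb design with routed 802.1Q subinterfaces on ge-0/0/1.
## Assumes the addressing from the original post and an 802.1Q trunk peer.

## 1. Remove the configuration that vSRX does not support.
##    The whole of unit 0 goes, because once vlan-tagging is on every unit
##    must carry a vlan-id and an empty unit 0 would fail commit.
delete interfaces ge-0/0/1 unit 0
delete interfaces irb
delete vlans
delete protocols l2-learning

## 2. Tag ge-0/0/1 and create one routed logical unit per VLAN.
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 10 vlan-id 10
set interfaces ge-0/0/1 unit 10 family inet address 10.10.10.1/24
set interfaces ge-0/0/1 unit 20 vlan-id 20
set interfaces ge-0/0/1 unit 20 family inet address 10.10.20.1/24

## 3. Place both units in the trust zone. Listing host-inbound services on
##    the interface itself overrides the zone-wide "system-services all"
##    for that interface, so only ping reaches the Routing Engine from
##    the LAN side. Extend this list (e.g. dhcp) only if the LAN needs it.
set security zones security-zone trust interfaces ge-0/0/1.10 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.20 host-inbound-traffic system-services ping

## 4. Validate the candidate configuration before committing, then check
##    that the logical units are up and bound to the zone.
commit check
commit
run show interfaces terse ge-0/0/1
run show security zones
```

    After the commit, `show interfaces terse ge-0/0/1` should list ge-0/0/1.10 and ge-0/0/1.20 with their inet addresses, and `show security zones` should show both under the trust zone. The zone-level `system-services all` from the original config is left in place here because the example only touches ge-0/0/1; the per-interface lists are what bound the management services exposed to the LAN.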



  • 3.  RE: vSRX 3.0 transparent mode not changing to ethernet-switching

    Posted 08-03-2020 03:08

    Hi Jonas,

     

    Firstly, many thanks for your response and your suggestion. After applying your given commands, it fixed the issue of the WIN client machine not being able to ping the internet. Also thanks for providing the feature link tool; I would have never imagined that some functions don't work on virtual devices.


    Another question as it relates: do I need to apply similar interface settings for vQFX as shown in the diagram, which is in between the vSRX and the WIN client, or are the irb interfaces in vQFX meant to be configured as below?

     

    root# run show configuration interfaces irb
    unit 10 {
        family inet {
            address 10.10.10.1/24;
        }
    }
    unit 20 {
        family inet {
            address 10.10.20.1/24;
        }
    }

    {master:0}[edit]
    root#

     

    root# run show configuration vlans
    WIRED {
        description Wired-LAN;
        vlan-id 20;
        l3-interface irb.20;
    }
    WLAN {
        description WLAN;
        vlan-id 10;
        l3-interface irb.10;
    }
    default {
        vlan-id 1;
    }

     

     

    Thanks

    Zeeshan



  • 4.  RE: vSRX 3.0 transparent mode not changing to ethernet-switching

    Posted 08-03-2020 05:14

    Hi - good that it helped you 🙂 Please mark my answer as an accepted solution so other people with similar issues can use it.

     

    Regarding vQFX: I expect the config shown is right, but remember that, compared to vSRX, you need two VMs (control plane and forwarding plane) to operate a vQFX.

     

    If you have issues with the vQFX I would recommend you to create a new thread with the vQFX specific issues.

     



  • 5.  RE: vSRX 3.0 transparent mode not changing to ethernet-switching

    Posted 08-03-2020 05:23

    Thanks Jonas, I'll create a new thread for vQFX.

    Strangely though, with that same config on vQFX, the client on VLAN 10 was able to reach the internet, but after some time the client on VLAN 10 stopped routing to the internet; not sure why or what happened suddenly.



  • 6.  RE: vSRX 3.0 transparent mode not changing to ethernet-switching

    Posted 08-03-2020 06:36

    On vQFX I had to remove the irb l3-interfaces assigned to the vlans and also delete the irb interfaces. Then the clients were able to route to the internet. 🙂