SRX


IRB interface routing issues

  • 1.  IRB interface routing issues

    Posted 03-08-2021 01:18

    I have a config that is becoming frustrating, as I think I'm missing something obvious. Summary is that I have a number of VLANs that are trunked to an SRX340 on which I've configured IRB interfaces and assigned IP addresses, and everything is working as expected, with the SRX able to ping across all of the VLANs with no issues as the HP trunks the VLANs across on the interface attached to the SRX.

    This means that when I'm connected into the SRX via SSH I can ping devices on all VLANs. Devices on the VLANs are able to access the Internet fine, but we cannot route between VLANs when using the SRX as the gateway.

    Now, when I plug into the switch I can ping the switch, ping the SRX on the IP that is assigned to the IRB, but cannot ping any other IRB interfaces or anything on any other VLAN. The intention is to have the SRX be the gateway for the inter-VLAN routing so we can restrict traffic.

    I set up the IRBs into a separate Zone each and then a Security Policy to allow all traffic between Zones, but I can't ping across and can't see any hit counters increasing for the Security Policies.

    Config is attached, any thoughts would be great.




    ------------------------------
    C F
    ------------------------------

    Attachment(s): srx.txt (6 KB)


  • 2.  RE: IRB interface routing issues

     
    Posted 03-08-2021 01:35
    And two devices that are unable to ping each other are both using the SRX as their default gateway?


  • 3.  RE: IRB interface routing issues

     
    Posted 03-08-2021 06:02
    Looks like you might be missing an intra-zone policy for the zone vlans to talk to each other. This would be from zone vlans and to zone vlans.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 4.  RE: IRB interface routing issues

     
    Posted 03-09-2021 12:14

    Is your SRX in switching mode?

    Check the output of show ethernet-switching global-information; it should say Switching instead of Transparent bridge.
    In transparent mode, irb-to-irb communication is not possible.

    user@SRX300# run show ethernet-switching global-information

    Global Configuration:
    MAC aging interval : 300
    MAC learning : Enabled
    MAC statistics : Disabled
    MAC limit Count : 16383
    MAC limit hit : Disabled
    MAC packet action drop : Disabled
    LE aging time : 1200
    LE VLAN aging time : 1200
    Global Mode : Switching

    Regards, 



    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------



  • 5.  RE: IRB interface routing issues

    Posted 03-10-2021 01:58
    Correct. Confirmed that all devices have the SRX as the default GW and correct subnets

    ------------------------------
    C F
    ------------------------------



  • 6.  RE: IRB interface routing issues

    Posted 03-10-2021 01:58
    Confirmed that Switching mode is enabled

    ------------------------------
    C F
    ------------------------------



  • 7.  RE: IRB interface routing issues

    Posted 03-10-2021 02:00
    I've done some more checking and can see the following:

    show interfaces irb terse

    Interface   Admin  Link  Proto  Local             Remote
    irb         up     up
    irb.0       up     up    inet   192.168.10.1/23
    irb.1       up     up    inet   192.168.20.1/22
    irb.2       up     up    inet   192.168.30.1/22
    irb.3       up     up    inet   192.168.40.1/22
    irb.4       up     up    inet   192.168.50.1/22
    irb.5       up     up    inet   192.168.60.1/25


    show vlans

    Routing instance   VLAN name       Tag    Interfaces
    default-switch     VLAN1           1254   ge-0/0/3.0*
    default-switch     VLAN2           851    ge-0/0/3.0*
    default-switch     VLAN3           850    ge-0/0/3.0*
    default-switch     Switch-Mgmt     2100   ge-0/0/3.0*
    default-switch     VLANCorporate   601    ge-0/0/3.0*
    default-switch     VLANGuest       652    ge-0/0/3.0*
    default-switch     default         1

    Ethernet switching table : 283 entries, 283 learned
    Routing instance : default-switch
    Vlan            MAC                 MAC     Age   Logical      NH      RTR
    name            address             flags         interface    Index   ID
    VOIPCorporate   XX:XX:CC:7b:63:XX   D       -     ge-0/0/3.0   0       0
    VOIPGuest       XX:XX:XX:29:XX:XX   D       -     ge-0/0/3.0   0       0

    show route

    0.0.0.0/0          *[Static/5] 03:00:56
                        > to X.X.X.X via ge-0/0/0.0
    192.168.60.0/25    *[Direct/0] 6d 07:52:50
                        > via irb.5
    192.168.50.0/22    *[Direct/0] 6d 07:52:50
                        > via irb.4
    192.168.30.0/22    *[Direct/0] 6d 07:52:50
                        > via irb.2
    192.168.40.0/22    *[Direct/0] 6d 07:52:50
                        > via irb.3
    192.168.10.0/23    *[Direct/0] 6d 07:52:50
                        > via irb.0
    192.168.20.0/22    *[Direct/0] 6d 07:52:50
                        > via irb.1
    192.168.1.1/32     *[Local/0] 6d 07:53:48
                          Reject
    192.168.168.0/24   *[Direct/0] 23:37:47
                        > via irb.6

    From a PC on VLANCorporate (IRB0) with an IP address of 192.168.10.5/255.255.254.0 I can ping the IRB interface (192.168.10.1) but nothing else. I can't even ping the IP assigned to any of the other IRB interfaces.

    From the SRX itself I can ping across to all VLANs with no issue and SSH to remote devices.

    This seems to say it's a policy issue, so I have the following Zones set up:

    VLANCorporate - IRB0
    VLANGuest - IRB1

    With Host Inbound Traffic Zone - ALL and Host Inbound Traffic Interface - ALL

    Then rules set up for:

    VLANCorporate-ANY to VLANCorporate-ANY and permit
    VLANGuest-ANY to VLANGuest-ANY and permit
    VLANCorporate-ANY to VLANGuest-ANY and permit
    VLANGuest-ANY to VLANCorporate-ANY and permit

    But no traffic seems to pass and I do not see the hit counter on the rule increase.

    ------------------------------
    C F
    ------------------------------



  • 8.  RE: IRB interface routing issues

     
    Posted 03-10-2021 05:55
    Since you have the SRX as the gateway and have validated routing and internal reachability, I agree that the symptoms seem to say the security policies are not correctly matching the traffic.

    Verify your newly created policies with this checklist:
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10113

    Then run the flow collection KB recommended in step four to gather the internal SRX processing information on the flow. That should say why the policy is not being matched as expected.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 9.  RE: IRB interface routing issues

     
    Posted 03-10-2021 20:37
    There is something strange about your routing table. 192.168.30.0/22 and 192.168.50.0/22 are NOT valid direct routes. 

    If your irb interfaces are configured as 


    Your routing table should look like this: 


    I don't understand why your routing table shows you those routes. 

    Regards, 


    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------



  • 10.  RE: IRB interface routing issues

    Posted 03-15-2021 05:07
    OK. So after a lot of trial and error it seems the issue may have been resolved (more testing to come when onsite)...

    After setting the device to permit-all, everything was working correctly, which further confirmed that the Security Policies were at fault.

    Looking further, I recreated the policies between VLANs and it still didn't work. Then I realised that somehow the Dynamic Application was set to ANY for these policies. Changing this to None, traffic is now passing between the VLANs.

    I had a feeling this would be something simple like this that was being missed, but pending further testing all seems OK now, hopefully!

    ------------------------------
    C F
    ------------------------------
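    The policy shape the thread ends up with, written out as an added Junos configuration example (not the poster's attached srx.txt): one zone per IRB unit, the intra-zone permits suggested in reply 3, inter-zone permits with application any and no dynamic-application statement, and count on each rule so the hit counters the poster was watching actually move. Zone and policy names are assumed.

```junos
security {
    zones {
        /* One zone per IRB unit; host-inbound-traffic all lets hosts ping the irb address */
        security-zone VLANCorporate {
            host-inbound-traffic { system-services { all; } protocols { all; } }
            interfaces { irb.0; }
        }
        security-zone VLANGuest {
            host-inbound-traffic { system-services { all; } protocols { all; } }
            interfaces { irb.1; }
        }
    }
    policies {
        /* Inter-zone permits. The match block deliberately carries no
           dynamic-application statement: adding "dynamic-application any"
           (the setting the poster found) turns the rule into a unified policy.
           "count" makes the per-policy hit counter visible. */
        from-zone VLANCorporate to-zone VLANGuest {
            policy corp-to-guest {
                match { source-address any; destination-address any; application any; }
                then { permit; count; }
            }
        }
        from-zone VLANGuest to-zone VLANCorporate {
            policy guest-to-corp {
                match { source-address any; destination-address any; application any; }
                then { permit; count; }
            }
        }
        /* Intra-zone permits, for hosts in the same zone whose traffic still
           crosses the SRX (for example two /22 hosts behind different IRB units
           placed in one zone) */
        from-zone VLANCorporate to-zone VLANCorporate {
            policy corp-intra {
                match { source-address any; destination-address any; application any; }
                then { permit; count; }
            }
        }
        from-zone VLANGuest to-zone VLANGuest {
            policy guest-intra {
                match { source-address any; destination-address any; application any; }
                then { permit; count; }
            }
        }
    }
}
```

    After commit, show security policies policy-name corp-to-guest detail shows the rule's counters, and show security match-policies from-zone VLANCorporate to-zone VLANGuest source-ip 192.168.10.5 destination-ip 192.168.20.5 source-port 1024 destination-port 443 protocol tcp reports which policy a given flow would hit before any traffic is sent.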