I've done some more checking and can see the following:
show interfaces irb terse
Interface    Admin  Link  Proto  Local              Remote
irb          up     up
irb.0        up     up    inet   192.168.10.1/23
irb.1        up     up    inet   192.168.20.1/22
irb.2        up     up    inet   192.168.30.1/22
irb.3        up     up    inet   192.168.40.1/22
irb.4        up     up    inet   192.168.50.1/22
irb.5        up     up    inet   192.168.60.1/25

show vlans
Routing instance  VLAN name      Tag   Interfaces
default-switch    VLAN1          1254  ge-0/0/3.0*
default-switch    VLAN2          851   ge-0/0/3.0*
default-switch    VLAN3          850   ge-0/0/3.0*
default-switch    Switch-Mgmt    2100  ge-0/0/3.0*
default-switch    VLANCorporate  601   ge-0/0/3.0*
default-switch    VLANGuest      652   ge-0/0/3.0*
default-switch    default        1

Ethernet switching table : 283 entries, 283 learned
Routing instance : default-switch
Vlan           MAC                MAC    Age  Logical     NH     RTR
name           address            flags       interface   Index  ID
VOIPCorporate  XX:XX:CC:7b:63:XX  D      -    ge-0/0/3.0  0      0
VOIPGuest      XX:XX:XX:29:XX:XX  D      -    ge-0/0/3.0  0      0

show route
0.0.0.0/0          *[Static/5] 03:00:56
                   > to X.X.X.X via ge-0/0/0.0
192.168.60.0/25    *[Direct/0] 6d 07:52:50
                   > via irb.5
192.168.50.0/22    *[Direct/0] 6d 07:52:50
                   > via irb.4
192.168.30.0/22    *[Direct/0] 6d 07:52:50
                   > via irb.2
192.168.40.0/22    *[Direct/0] 6d 07:52:50
                   > via irb.3
192.168.10.0/23    *[Direct/0] 6d 07:52:50
                   > via irb.0
192.168.20.0/22    *[Direct/0] 6d 07:52:50
                   > via irb.1
192.168.1.1/32     *[Local/0] 6d 07:53:48
                   Reject
192.168.168.0/24   *[Direct/0] 23:37:47
                   > via irb.6

From a PC on VLANCorporate (IRB0) with an IP address of 192.168.10.5/255.255.254.0, I can ping the IRB interface - 192.168.10.1 - but nothing else. I can't even ping the IP assigned to any of the other IRB interfaces.
From the SRX itself I can ping across to all VLANs with no issue and SSH to remote devices.
This seems to say it's a policy issue, so I have the following zones set up:
VLANCorporate - IRB0
VLANGuest - IRB1
With Host Inbound Traffic Zone - ALL and Host Inbound Traffic Interface - ALL
Then rules set up for:
VLANCorporate-ANY to VLANCorporate-ANY and permit
VLANGuest-ANY to VLANGuest-ANY and permit
VLANCorporate-ANY to VLANGuest-ANY and permit
VLANGuest-ANY to VLANCorporate-ANY and permit
But no traffic seems to pass and I do not see the hit counter on the rule increase.
------------------------------
C F
------------------------------
Original Message:
Sent: 03-09-2021 12:14
From: Yasmin Lara
Subject: IRB interface routing issues
Is your SRX in switching mode?
Check the output of show ethernet-switching global-information; it should say Switching instead of Transparent bridge.
In transparent mode, irb to irb communication is not possible.
user@SRX300# run show ethernet-switching global-information
Global Configuration:
MAC aging interval     : 300
MAC learning           : Enabled
MAC statistics         : Disabled
MAC limit Count        : 16383
MAC limit hit          : Disabled
MAC packet action drop : Disabled
LE aging time          : 1200
LE VLAN aging time     : 1200
Global Mode            : Switching
Regards,
------------------------------
Yasmin Lara
Juniper Ambassador
JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
Original Message:
Sent: 03-08-2021 01:18
From: C F
Subject: IRB interface routing issues
I have a config that is becoming frustrating as I think I'm missing something obvious. Summary is that I have a number of VLANs that are trunked to an SRX340 on which I've configured IRB interfaces and assigned IP addresses, and everything is working as expected, with the SRX able to ping across all of the VLANs with no issues as the HP trunks the VLANs across on the interface attached to the SRX.
This means that when I'm connected into the SRX via SSH I can ping devices on all VLANs. Devices on the VLANs are able to access the Internet fine, but we cannot route between VLANs when using the SRX as the gateway.
Now, when I plug into the switch I can ping the switch, ping the SRX on the IP that is assigned to the IRB, but cannot ping any other IRB interfaces or anything on any other VLAN. The intention is to have the SRX be the gateway for the inter-VLAN routing so we can restrict traffic.
I set up the IRBs into a separate zone each and then a security policy to allow all traffic between zones, but I can't ping across and can't see any hit counters increasing for the security policies.
Config is attached; any thoughts would be great.
------------------------------
C F
------------------------------
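
The two checks raised in this thread (global switching mode, and zone and policy coverage for each IRB unit) can be run against pasted CLI output. This is an added example, not part of any post above; the function names are hypothetical, and ZONES and POLICIES are transcribed from the zone and rule list in the follow-up post, not from the attached config.

```python
import re

# CLI output copied from the posts above.
IRB_TERSE = """\
irb up up
irb.0 up up inet 192.168.10.1/23
irb.1 up up inet 192.168.20.1/22
irb.2 up up inet 192.168.30.1/22
irb.3 up up inet 192.168.40.1/22
irb.4 up up inet 192.168.50.1/22
irb.5 up up inet 192.168.60.1/25
"""
GLOBAL_INFO = "MAC learning : Enabled\nGlobal Mode : Switching\n"
# Assumption: only the zone bindings and permit rules listed in the post.
ZONES = {"VLANCorporate": ["irb.0"], "VLANGuest": ["irb.1"]}
POLICIES = {("VLANCorporate", "VLANCorporate"), ("VLANGuest", "VLANGuest"),
            ("VLANCorporate", "VLANGuest"), ("VLANGuest", "VLANCorporate")}

def global_mode(text):
    """Return the 'Global Mode' value from global-information output, or None."""
    m = re.search(r"Global Mode\s*:\s*(\S.*)", text)
    return m.group(1).strip() if m else None

def irb_units(text):
    """Return {unit: address} for IRB logical units that are up/up with inet."""
    units = {}
    for line in text.splitlines():
        m = re.match(r"\s*(irb\.\d+)\s+up\s+up\s+inet\s+(\S+)", line)
        if m:
            units[m.group(1)] = m.group(2)
    return units

def audit(terse, info, zones, policies):
    """List reasons inter-IRB traffic could be dropped, given the inputs."""
    findings = []
    mode = global_mode(info)
    if mode is None or mode.lower() != "switching":
        findings.append(f"global mode is {mode!r}, not Switching")
    zone_of = {u: z for z, members in zones.items() for u in members}
    units = irb_units(terse)
    for unit, addr in units.items():
        if unit not in zone_of:
            findings.append(f"{unit} ({addr}) is not bound to any security zone")
    bound = [u for u in units if u in zone_of]
    for src in bound:
        for dst in bound:
            if src != dst and (zone_of[src], zone_of[dst]) not in policies:
                findings.append(f"no policy {zone_of[src]} -> {zone_of[dst]}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(IRB_TERSE, GLOBAL_INFO, ZONES, POLICIES)) or "no findings")
```

With the inputs as listed, the findings are limited to irb.2 through irb.5, which the posted zone list does not mention; the actual device config may bind them elsewhere.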