
SRX not routing after making interface trunk


    Posted 06-17-2021 11:53
    We have an SRX300 with port ge-0/0/0 to the internet and port ge-0/0/1 to an Aruba access point. With a single VLAN, everything works correctly. However, when we add a second VLAN (id 200) for the guest network, non-guests still work, but guests cannot access the internet. The Aruba is adding the VLAN tag, and we can see clients getting different (correct) IP ranges from the SRX DHCP server.

    Here is our config. 

     
    ## Last changed: 2021-06-17 08:41:15 PDT
    version 21.1R1.11;
    /* Host-level settings: management services, local DHCP server groups, logging, NTP */
    system {
        host-name Test;
        root-authentication {
            /* NOTE(review): this hash was pasted into a public post; treat the root password as exposed, change it, and redact SECRET-DATA lines before sharing a config */
            encrypted-password "$6$PZExoiD8$K36iVzSwXHKWCB6RwqBdLlo0Ae7j1QMAqvmujpMPtXJpPsrjpIjPMkuqKeVoZPtACJC/RlouVUQ05bS3MeXy0."; ## SECRET-DATA
        }
        services {
            ssh {
                /* NOTE(review): root may log in directly over SSH; the trust and guest zones allow system-services all, so this login is reachable from both VLANs */
                root-login allow;
            }
            netconf {
                ssh;
            }
            /* One DHCP server group per IRB; the address pools are defined in the access stanza */
            dhcp-local-server {
                pool-match-order {
                    ip-address-first;
                }
                group jdhcp-group {
                    interface irb.0;
                }
                group guest-group {
                    interface irb.200;
                }
            }
            /* J-Web over HTTPS with a self-signed certificate; https is also listed as an inbound service on ge-0/0/0.0 in the untrust zone */
            web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
        time-zone PST8PDT;
        /* Resolvers used by the SRX itself; DHCP clients are handed 8.8.8.8 from the pools */
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        name-resolution {
            no-resolve-on-input;
        }
        /* Local-only logging; policy session logs from trust-to-untrust land in the messages file */
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server north-america.pool.ntp.org version 4 prefer;
        }
    }
    /* Screens, source NAT, inter-zone policies and zone membership for trust, guest, untrust and management */
    security {
        /* Screen profile applied to the untrust zone below */
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        /* Interface-based source NAT toward untrust, one rule-set each for trust and guest */
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set Zone_guest-Zone_untrust {
                    from zone guest;
                    to zone untrust;
                    rule guest-to-internet {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        /* No trust<->guest policy is defined, so that traffic falls to the default policy (deny, unless default-policy was changed elsewhere — not visible here) */
        policies {
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone junos-host to-zone trust {
                policy mgmt-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        dynamic-application any;
                        url-category none;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone guest to-zone guest {
                policy guest-to-guest {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone guest to-zone untrust {
                /* NOTE(review): unlike trust-to-untrust, guest sessions to the Internet are not logged; add log { session-init; session-close; } for parity so guest activity is visible in syslog */
                policy guest-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            pre-id-default-policy {
                then {
                    log {
                        session-close;
                    }
                }
            }
        }
        zones {
            /* Out-of-band management on ge-0/0/2.0 (192.168.10.1/24), limited to https and ssh */
            functional-zone management {
                interfaces {
                    ge-0/0/2.0 {
                        host-inbound-traffic {
                            system-services {
                                https;
                                ssh;
                            }
                        }
                    }
                }
            }
            security-zone trust {
                /* NOTE(review): every system service and protocol is reachable from the trust LAN via irb.0 */
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                /* NOTE(review): https here exposes J-Web on the Internet-facing interface; remove it unless intended, and if it is, restrict it by source */
                                https;
                            }
                        }
                    }
                    /* Second DHCP-client uplink; its purpose is not stated in the post — TODO confirm */
                    ge-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
            security-zone guest {
                /* NOTE(review): system-services all / protocols all lets guest clients reach ssh, https, netconf, etc. on irb.200 (10.20.30.1); the guest-group DHCP server only needs dhcp (add ping if wanted) */
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.200;
                }
            }
        }
    }
    /* Physical ports: ge-0/0/0 uplink, ge-0/0/1 trunk to the AP, ge-0/0/2 management, ge-0/0/3-6 trust access ports, ge-0/0/7 second uplink, plus the two IRBs */
    interfaces {
        /* Internet uplink addressed by DHCP; DHCP pools propagate its settings to clients */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        /* Trunk to the Aruba AP carrying vlan-trust (vlan-id 1) and guest-vlan (vlan-id 200) */
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ vlan-trust guest-vlan ];
                    }
                }
            }
        }
        /* Out-of-band management port, member of the management functional zone */
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 192.168.10.1/24;
                }
            }
        }
        /* Access ports on vlan-trust */
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        /* Second DHCP-client uplink in the untrust zone — purpose not stated, TODO confirm */
        ge-0/0/7 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        irb {
            /* Trust gateway, served by DHCP group jdhcp-group */
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            /* Guest gateway for vlan-id 200, served by DHCP group guest-group */
            unit 200 {
                family inet {
                    address 10.20.30.1/23;
                }
            }
        }
    }
    /* DHCP address pools handed out by the dhcp-local-server groups; pools are matched to IRBs by address (pool-match-order ip-address-first) */
    access {
        address-assignment {
            /* Trust pool behind irb.0 */
            pool junosDHCPPool {
                family inet {
                    network 192.168.1.0/24;
                    range junosRange {
                        low 192.168.1.2;
                        high 192.168.1.254;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                        }
                        router {
                            192.168.1.1;
                        }
                        /* Inherit settings learned by the DHCP client on the uplink */
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
            /* Guest pool behind irb.200; the /23 spans 10.20.30.0-10.20.31.255 and leases start at .30.100 */
            pool guest-pool {
                family inet {
                    network 10.20.30.0/23;
                    range guest-range {
                        low 10.20.30.100;
                        high 10.20.31.254;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                        }
                        router {
                            10.20.30.1;
                        }
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
        }
    }
    /* VLAN definitions bound to their L3 IRBs */
    vlans {
        guest-vlan {
            vlan-id 200;
            l3-interface irb.200;
        }
        /* NOTE(review): vlan-id 1 is the trust VLAN; whether the AP sends it tagged or as the untagged/native VLAN on the trunk is not visible here — verify */
        vlan-trust {
            vlan-id 1;
            l3-interface irb.0;
        }
    }
    /* Global L2 switching mode and RSTP on every port, including the AP trunk */
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    ​


    ------------------------------
    Terrence Magee
    ------------------------------