Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  SRX 320 // No internet access from the trunk por // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

    Posted 07-15-2017 02:41

    Hello,

    I need your help, please.

    I have configured one port as a trunk and the other ports in access mode. From the trunk port I only get internet access from the VLANs that I have configured on the access-mode ports (100, 190, 150); from the other VLANs (155, 160, 165, 170, 175, 180, 185, 200) there is no internet access from the trunk port.

    Thanks and regards

     

     


    JUNOS Software Release [15.1X49-D100.6]

     

    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services dhcp-local-server group Pool_Publico interface irb.200
    set system services dhcp-local-server group Pool_Produccion interface irb.150
    set system services dhcp-local-server group Pool_Accesos interface irb.155
    set system services dhcp-local-server group Pool_Artistas interface irb.160
    set system services dhcp-local-server group Pool_Vip interface irb.165
    set system services dhcp-local-server group Pool_Backstages interface irb.170
    set system services dhcp-local-server group Pool_Patrosinadores interface irb.175
    set system services dhcp-local-server group Pool_Streaming interface irb.185
    set system services dhcp-local-server group Pool_Camaras interface irb.190
    set system services dhcp-local-server group Pool_WT interface irb.100
    set system services web-management http interface irb.100
    set system services web-management https system-generated-certificate
    set system services web-management https interface irb.100
    set system services web-management session idle-timeout 60
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system ntp server us.ntp.pool.org
    set security log mode stream
    set security log report
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set Internet from zone TRUST
    set security nat source rule-set Internet to zone untrust
    set security nat source rule-set Internet rule Interface-Nat match source-address 0.0.0.0/0
    set security nat source rule-set Internet rule Interface-Nat then source-nat interface
    set security policies from-zone TRUST to-zone untrust policy Internet match source-address any
    set security policies from-zone TRUST to-zone untrust policy Internet match destination-address any
    set security policies from-zone TRUST to-zone untrust policy Internet match application any
    set security policies from-zone TRUST to-zone untrust policy Internet then permit
    set security zones security-zone TRUST host-inbound-traffic system-services ping
    set security zones security-zone TRUST host-inbound-traffic system-services ssh
    set security zones security-zone TRUST host-inbound-traffic system-services http
    set security zones security-zone TRUST host-inbound-traffic system-services https
    set security zones security-zone TRUST interfaces irb.150 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.150 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.155 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.155 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.160 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.160 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.165 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.165 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.170 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.170 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.175 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.175 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.180 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.180 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.185 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.185 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.190 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.190 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.200 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.200 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.100 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.100 host-inbound-traffic protocols all
    set security zones security-zone Internet
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set interfaces ge-0/0/0 unit 0 description *****WAN*****
    set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.12/24
    set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.135/24
    set interfaces ge-0/0/1 unit 0 description *****TRUNK*****
    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Accesos
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Artistas
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Backstages
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Camaras
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members MNGMT
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members PUBLICO
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Patros
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Prensa
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Produccion
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Streaming
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VIP
    set interfaces ge-0/0/2 unit 0 description *****PRODUCCION*****
    set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members Produccion
    set interfaces ge-0/0/3 unit 0 description *****CAMARAS*****
    set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members Camaras
    set interfaces ge-0/0/4 gigether-options auto-negotiation
    set interfaces ge-0/0/4 unit 0 description *****WATAMBI*****
    set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members MNGMT
    set interfaces ge-0/0/5 unit 0 description *****WATAMBI*****
    set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members MNGMT
    set interfaces irb unit 100 family inet address 192.168.100.1/24
    set interfaces irb unit 150 family inet address 192.168.150.1/24
    set interfaces irb unit 155 family inet address 192.168.155.1/24
    set interfaces irb unit 160 family inet address 192.168.160.1/24
    set interfaces irb unit 165 family inet address 192.168.165.1/24
    set interfaces irb unit 170 family inet address 192.168.170.1/24
    set interfaces irb unit 175 family inet address 192.168.175.1/24
    set interfaces irb unit 180 family inet address 192.168.180.1/24
    set interfaces irb unit 185 family inet address 192.168.185.1/24
    set interfaces irb unit 190 family inet address 192.168.190.1/24
    set interfaces irb unit 200 family inet address 172.16.0.1/16
    set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
    set protocols l2-learning global-mode switching
    set protocols rstp interface all
    set access address-assignment pool Pool_WT family inet network 192.168.100.0/24
    set access address-assignment pool Pool_WT family inet range Pool_WT low 192.168.100.101
    set access address-assignment pool Pool_WT family inet range Pool_WT high 192.168.100.140
    set access address-assignment pool Pool_WT family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool Pool_WT family inet dhcp-attributes name-server 8.8.4.4
    set access address-assignment pool Pool_WT family inet dhcp-attributes router 192.168.100.1
    set access address-assignment pool Pool_Publico family inet network 172.16.0.0/16
    set access address-assignment pool Pool_Publico family inet range Pool_Publico low 172.16.0.30
    set access address-assignment pool Pool_Publico family inet range Pool_Publico high 172.16.255.254
    set access address-assignment pool Pool_Publico family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool Pool_Publico family inet dhcp-attributes name-server 8.8.4.4
    set access address-assignment pool Pool_Publico family inet dhcp-attributes router 176.16.0.1
    set access address-assignment pool Pool_Produccion family inet network 192.168.150.0/24
    set access address-assignment pool Pool_Produccion family inet range Pool_Produccion low 192.168.150.30
    set access address-assignment pool Pool_Produccion family inet range Pool_Produccion high 192.168.150.254
    set access address-assignment pool Pool_Produccion family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool Pool_Produccion family inet dhcp-attributes name-server 8.8.4.4
    set access address-assignment pool Pool_Produccion family inet dhcp-attributes router 192.168.150.1
    set access address-assignment pool Pool_Accesos family inet network 192.168.155.0/24
    set access address-assignment pool Pool_Accesos family inet range Pool_Accesos low 192.168.155.30
    set access address-assignment pool Pool_Accesos family inet range Pool_Accesos high 192.168.155.254
    set access address-assignment pool Pool_Accesos family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool Pool_Accesos family inet dhcp-attributes name-server 8.8.4.4
    set access address-assignment pool Pool_Accesos family inet dhcp-attributes router 192.168.155.1
    set access address-assignment pool Pool_Artistas family inet network 192.168.160.0/24
    set access address-assignment pool Pool_Artistas family inet range Pool_Artistas low 192.168.160.30
    set access address-assignment pool Pool_Artistas family inet range Pool_Artistas high 192.168.160.254
    set access address-assignment pool Pool_Artistas family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool Pool_Artistas family inet dhcp-attributes name-server 8.8.4.4
    set access address-assignment pool Pool_Artistas family inet dhcp-attributes router 192.168.160.1
    set access address-assignment pool Pool_Vip family inet network 192.168.165.0/24
    set access address-assignment pool Pool_Vip family inet range Pool_Vip low 192.168.165.30
    set access address-assignment pool Pool_Vip family inet range Pool_Vip high 192.168.165.254
    set access address-assignment pool Pool_Vip family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool Pool_Vip family inet dhcp-attributes name-server 8.8.4.4
    set access address-assignment pool Pool_Vip family inet dhcp-attributes router 192.168.165.1
    set access address-assignment pool Pool_Backstages family inet network 192.168.170.0/24
    set access address-assignment pool Pool_Backstages family inet range Pool_Backstages low 192.168.170.30
    set access address-assignment pool Pool_Backstages family inet range Pool_Backstages high 192.168.170.254
    set access address-assignment pool Pool_Backstages family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool Pool_Backstages family inet dhcp-attributes name-server 8.8.4.4
    set access address-assignment pool Pool_Backstages family inet dhcp-attributes router 192.168.170.1
    set access address-assignment pool Pool_Patrocinadores family inet network 192.168.175.0/24
    set access address-assignment pool Pool_Patrocinadores family inet range Pool_Patrosinadores low 192.168.175.30
    set access address-assignment pool Pool_Patrocinadores family inet range Pool_Patrosinadores high 192.168.175.254
    set access address-assignment pool Pool_Patrocinadores family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool Pool_Patrocinadores family inet dhcp-attributes name-server 8.8.4.4
    set access address-assignment pool Pool_Patrocinadores family inet dhcp-attributes router 192.168.175.1
    set access address-assignment pool Pool_Prensa family inet network 192.168.180.0/24
    set access address-assignment pool Pool_Prensa family inet range Pool_Prensa low 192.168.180.30
    set access address-assignment pool Pool_Prensa family inet range Pool_Prensa high 192.168.180.254
    set access address-assignment pool Pool_Prensa family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool Pool_Prensa family inet dhcp-attributes name-server 8.8.4.4
    set access address-assignment pool Pool_Prensa family inet dhcp-attributes router 192.168.180.1
    set access address-assignment pool Pool_Streaming family inet network 192.168.185.0/24
    set access address-assignment pool Pool_Streaming family inet range Pool_Streaming low 192.168.185.30
    set access address-assignment pool Pool_Streaming family inet range Pool_Streaming high 192.168.185.254
    set access address-assignment pool Pool_Streaming family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool Pool_Streaming family inet dhcp-attributes name-server 8.8.4.4
    set access address-assignment pool Pool_Streaming family inet dhcp-attributes router 192.168.185.1
    set access address-assignment pool Pool_Camaras family inet network 192.168.190.0/24
    set access address-assignment pool Pool_Camaras family inet range Pool_Camaras low 192.168.190.30
    set access address-assignment pool Pool_Camaras family inet range Pool_Camaras high 192.168.190.254
    set access address-assignment pool Pool_Camaras family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool Pool_Camaras family inet dhcp-attributes name-server 8.8.4.4
    set access address-assignment pool Pool_Camaras family inet dhcp-attributes router 192.168.190.1
    set vlans Accesos vlan-id 155
    set vlans Accesos l3-interface irb.155
    set vlans Artistas vlan-id 160
    set vlans Artistas l3-interface irb.160
    set vlans Backstages vlan-id 170
    set vlans Backstages l3-interface irb.170
    set vlans Camaras vlan-id 190
    set vlans Camaras l3-interface irb.190
    set vlans MNGMT vlan-id 100
    set vlans MNGMT l3-interface irb.100
    set vlans PUBLICO vlan-id 200
    set vlans PUBLICO l3-interface irb.200
    set vlans Patros description PATROCINADORES
    set vlans Patros vlan-id 175
    set vlans Patros l3-interface irb.175
    set vlans Prensa vlan-id 180
    set vlans Prensa l3-interface irb.180
    set vlans Produccion vlan-id 150
    set vlans Produccion l3-interface irb.150
    set vlans Streaming vlan-id 185
    set vlans Streaming l3-interface irb.185
    set vlans VIP vlan-id 165
    set vlans VIP l3-interface irb.165




  • 2.  RE: SRX 320 // No internet access from the trunk por // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

    Posted 07-16-2017 00:47

    Hello there,

     


    @atrix wrote:

     

    set protocols rstp interface all

    Check if your ge-0/0/1 is blocked by RSTP.

    HTH

    Thx
    Alex



  • 3.  RE: SRX 320 // No internet access from the trunk por // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

    Posted 07-17-2017 01:04

    Hello, thanks for answering.

    I have not seen any blocking by RSTP. I have removed RSTP but the problem continues.

    delete protocols rstp interface all

    regards



  • 4.  RE: SRX 320 // No internet access from the trunk por // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

    Posted 07-16-2017 02:25

    You only have interfaces in those three vlans.

    You may also need another security policy to permit traffic from zone trust to-zone trust



  • 5.  RE: SRX 320 // No internet access from the trunk por // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

    Posted 07-17-2017 01:05

    Hello, thanks for answering.

    I have created another security policy to allow traffic from zone TRUST to zone TRUST, but the problem is not solved.


    set security policies from-zone TRUST to-zone TRUST policy vlans_to_inet match source-address any
    set security policies from-zone TRUST to-zone TRUST policy vlans_to_inet match destination-address any
    set security policies from-zone TRUST to-zone TRUST policy vlans_to_inet match application any
    set security policies from-zone TRUST to-zone TRUST policy vlans_to_inet then permit

    regards



  • 6.  RE: SRX 320 // No internet access from the trunk por // 15.1X49-D100.6 // l3-interface irb // ethernet-switching
    Best Answer

    Posted 07-17-2017 02:29

    The problem has been fixed with this:

    set security zones security-zone TRUST host-inbound-traffic system-services all
    set security zones security-zone TRUST host-inbound-traffic protocols all
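
A consistency check for a per-VLAN irb/DHCP layout like the one posted in the question, as an added example that is not part of the original thread and does not diagnose the reported problem. `SAMPLE` is an excerpt of the question's `set` lines (VLANs 100, 180 and 200 only); the names `audit` and `SAMPLE` are hypothetical.

```python
import ipaddress
import re

# Excerpt of the `set` lines posted in the question; names here are hypothetical.
SAMPLE = """\
set system services dhcp-local-server group Pool_Publico interface irb.200
set system services dhcp-local-server group Pool_WT interface irb.100
set security zones security-zone TRUST interfaces irb.100 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.180 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.200 host-inbound-traffic system-services all
set interfaces irb unit 100 family inet address 192.168.100.1/24
set interfaces irb unit 180 family inet address 192.168.180.1/24
set interfaces irb unit 200 family inet address 172.16.0.1/16
set access address-assignment pool Pool_WT family inet network 192.168.100.0/24
set access address-assignment pool Pool_WT family inet dhcp-attributes router 192.168.100.1
set access address-assignment pool Pool_Publico family inet network 172.16.0.0/16
set access address-assignment pool Pool_Publico family inet dhcp-attributes router 176.16.0.1
set access address-assignment pool Pool_Prensa family inet network 192.168.180.0/24
set access address-assignment pool Pool_Prensa family inet dhcp-attributes router 192.168.180.1
set vlans MNGMT l3-interface irb.100
set vlans PUBLICO l3-interface irb.200
set vlans Prensa l3-interface irb.180
"""

def audit(config):
    """Return {irb_name: [findings]} for every VLAN l3-interface in the config."""
    dhcp_ifs, zone_ifs, addrs, l3 = set(), set(), {}, {}
    pool_net, pool_rtr = {}, {}
    for line in config.splitlines():
        if m := re.match(r"set system services dhcp-local-server group \S+ interface (\S+)", line):
            dhcp_ifs.add(m[1])
        elif m := re.match(r"set security zones security-zone \S+ interfaces (\S+)", line):
            zone_ifs.add(m[1])
        elif m := re.match(r"set interfaces irb unit (\d+) family inet address (\S+)", line):
            addrs[f"irb.{m[1]}"] = ipaddress.ip_interface(m[2])
        elif m := re.match(r"set access address-assignment pool (\S+) family inet network (\S+)", line):
            pool_net[m[1]] = ipaddress.ip_network(m[2])
        elif m := re.match(r"set access address-assignment pool (\S+) family inet dhcp-attributes router (\S+)", line):
            pool_rtr[m[1]] = ipaddress.ip_address(m[2])
        elif m := re.match(r"set vlans (\S+) l3-interface (\S+)", line):
            l3[m[2]] = m[1]
    # Cross-check each routed VLAN interface against zone, DHCP and pool data.
    report = {}
    for irb in sorted(l3):
        issues = []
        if irb not in zone_ifs:
            issues.append("not bound to a security zone")
        if irb not in dhcp_ifs:
            issues.append("no dhcp-local-server group")
        iface = addrs.get(irb)
        if iface is None:
            issues.append("no inet address")
        else:
            for pool, net in pool_net.items():
                rtr = pool_rtr.get(pool)
                if net == iface.network and rtr != iface.ip:
                    issues.append(f"pool {pool} router {rtr} != {iface.ip}")
        report[irb] = issues
    return report
```

On this excerpt `audit(SAMPLE)` reports irb.100 as clean, irb.180 as having no `dhcp-local-server` group, and irb.200 as served by a pool whose router option (176.16.0.1) differs from the interface address (172.16.0.1).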