Hi Folks,
I'm fairly new to Juniper devices and I'm having an issue with inter-VLAN routing on an SRX650 (cluster).
I've already read a few topics regarding routing issues on SRX devices, but it still seems not to be working as expected.
I'm almost sure there is a silly mistake in my configuration.
Background:
We have a cluster of SRX650s connected with two uplinks back to a Cisco CAT3850.
JUNOS Software Release [12.1X44-D35.5]
The following interfaces are merged into the redundant interface reth2:
set interfaces ge-2/0/2 gigether-options redundant-parent reth2
set interfaces ge-2/0/6 gigether-options redundant-parent reth2
set interfaces ge-11/0/2 gigether-options redundant-parent reth2
set interfaces ge-11/0/6 gigether-options redundant-parent reth2
On the interface reth2 we have the following configuration:
set interfaces reth2 vlan-tagging
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 3 vlan-id 3
set interfaces reth2 unit 3 family inet address 10.32.1.254/24
set interfaces reth2 unit 43 vlan-id 43
set interfaces reth2 unit 43 family inet address 10.32.43.254/24
...
set interfaces reth2 unit 222 vlan-id 222
set interfaces reth2 unit 222 family inet address 10.32.222.254/24
Problem description:
Example:
From PC A (VLAN 43: 10.32.43.123) I can't ping PC B (VLAN 222: 10.32.222.35).
FYI, I can ping both devices within their own subnets, so there is no issue with ICMP.
pzatorski@srx> ping 10.32.43.123 source 10.32.222.254
PING 10.32.43.123 (10.32.43.123): 56 data bytes
^C
--- 10.32.43.123 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
The gateways are pingable:
pzatorski@srx> ping 10.32.43.254 source 10.32.222.254
PING 10.32.43.254 (10.32.43.254): 56 data bytes
64 bytes from 10.32.43.254: icmp_seq=0 ttl=64 time=0.972 ms
pzatorski@srx> show route | match 10.32.222.
10.32.222.0/24 *[Direct/0] 1d 10:36:33
10.32.222.254/32 *[Local/0] 1d 10:36:33
{primary:node0}
pzatorski@srx> show route | match 10.32.43.
10.32.43.0/24 *[Direct/0] 1d 10:36:36
10.32.43.254/32 *[Local/0] 1d 10:36:36
pzatorski@srx> show arp | match 10.32.43.123
00:50:56:82:59:e4 10.32.43.123 02v00114 veeam reth2.43 none
{primary:node0}
pzatorski@srx> show arp | match 10.32.222.35
00:50:56:88:00:1c 10.32.222.35 02v00107 reth2.222 none
reth2.43 up up inet 10.32.43.254/24
reth2.222 up up inet 10.32.222.254/24
On the security side, I've attached zones to both interfaces (reth2.43 and reth2.222):
set security zones security-zone management-v43 interfaces reth2.43 host-inbound-traffic system-services all
set security zones security-zone management-v43 interfaces reth2.43 host-inbound-traffic protocols all
set security zones security-zone admin-v222 interfaces reth2.222 host-inbound-traffic system-services all
set security zones security-zone admin-v222 interfaces reth2.222 host-inbound-traffic protocols all
I've configured bi-directional policies as well:
set security policies from-zone management-v43 to-zone admin-v222 policy 4 match source-address any
set security policies from-zone management-v43 to-zone admin-v222 policy 4 match destination-address any
set security policies from-zone management-v43 to-zone admin-v222 policy 4 match application any
set security policies from-zone management-v43 to-zone admin-v222 policy 4 then permit
set security policies from-zone admin-v222 to-zone management-v43 policy 5 match source-address any
set security policies from-zone admin-v222 to-zone management-v43 policy 5 match destination-address any
set security policies from-zone admin-v222 to-zone management-v43 policy 5 match application any
set security policies from-zone admin-v222 to-zone management-v43 policy 5 then permit
On the switch side, the uplink interfaces are set to trunk mode.
Your help is greatly appreciated!
Many thanks!
Patryk
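As an added example (not part of Patryk's post and not a Juniper tool), the following Python script audits Junos set-style configuration lines of the kind quoted above for the two things an SRX needs before it will forward traffic between two logical units: each unit must belong to a security zone, and a policy from the ingress zone to the egress zone must permit the traffic (the SRX default policy is deny-all, for intra-zone traffic too). The sample config is constructed from the lines the post shows; reth2.3 is reported as unzoned only because the post does not include its zone assignment. Only policies whose match terms are all `any` are evaluated; anything referencing an address-book object or a named application is reported as undetermined rather than guessed.

```python
import re

# Constructed sample, assembled from the set commands quoted in the post.
SAMPLE_CONFIG = """\
set interfaces reth2 vlan-tagging
set interfaces reth2 unit 3 vlan-id 3
set interfaces reth2 unit 3 family inet address 10.32.1.254/24
set interfaces reth2 unit 43 vlan-id 43
set interfaces reth2 unit 43 family inet address 10.32.43.254/24
set interfaces reth2 unit 222 vlan-id 222
set interfaces reth2 unit 222 family inet address 10.32.222.254/24
set security zones security-zone management-v43 interfaces reth2.43 host-inbound-traffic system-services all
set security zones security-zone admin-v222 interfaces reth2.222 host-inbound-traffic system-services all
set security policies from-zone management-v43 to-zone admin-v222 policy 4 match source-address any
set security policies from-zone management-v43 to-zone admin-v222 policy 4 match destination-address any
set security policies from-zone management-v43 to-zone admin-v222 policy 4 match application any
set security policies from-zone management-v43 to-zone admin-v222 policy 4 then permit
set security policies from-zone admin-v222 to-zone management-v43 policy 5 match source-address any
set security policies from-zone admin-v222 to-zone management-v43 policy 5 match destination-address any
set security policies from-zone admin-v222 to-zone management-v43 policy 5 match application any
set security policies from-zone admin-v222 to-zone management-v43 policy 5 then permit
"""

RE_VLAN = re.compile(r"^set interfaces (\S+) unit (\d+) vlan-id (\d+)$")
RE_ADDR = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
RE_ZONE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
RE_MATCH = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)"
                      r" match (source-address|destination-address|application) (\S+)$")
RE_THEN = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)"
                     r" then (permit|deny|reject)")


def parse_config(text):
    """Build a small model of the config: logical units, zone membership, policies."""
    units = {}     # "reth2.43" -> {"vlan-id": "43", "address": "10.32.43.254/24"}
    zone_of = {}   # "reth2.43" -> "management-v43"
    policies = {}  # (from_zone, to_zone) -> {policy_name: {"match": {...}, "action": str}}
    for line in text.splitlines():
        line = line.strip()
        if m := RE_VLAN.match(line):
            units.setdefault(f"{m[1]}.{m[2]}", {})["vlan-id"] = m[3]
        elif m := RE_ADDR.match(line):
            units.setdefault(f"{m[1]}.{m[2]}", {})["address"] = m[3]
        elif m := RE_ZONE.match(line):
            zone_of[m[2]] = m[1]
        elif m := RE_MATCH.match(line):
            pol = policies.setdefault((m[1], m[2]), {}).setdefault(m[3], {"match": {}, "action": None})
            pol["match"].setdefault(m[4], set()).add(m[5])
        elif m := RE_THEN.match(line):
            pol = policies.setdefault((m[1], m[2]), {}).setdefault(m[3], {"match": {}, "action": None})
            pol["action"] = m[4]
    return {"units": units, "zone_of": zone_of, "policies": policies}


def unzoned_l3_units(cfg):
    """L3 units (family inet address) that are in no security zone: no policy can ever permit them."""
    return sorted(u for u, attrs in cfg["units"].items()
                  if "address" in attrs and u not in cfg["zone_of"])


def check_direction(cfg, src_ifl, dst_ifl):
    """What the policy set does for traffic entering on src_ifl and leaving on dst_ifl.
    Policies are walked in configuration order, as the SRX evaluates them."""
    src_zone, dst_zone = cfg["zone_of"].get(src_ifl), cfg["zone_of"].get(dst_ifl)
    if src_zone is None or dst_zone is None:
        return ("no-zone", src_ifl if src_zone is None else dst_ifl)
    for name, pol in cfg["policies"].get((src_zone, dst_zone), {}).items():
        m = pol["match"]
        if all(m.get(k) == {"any"} for k in ("source-address", "destination-address", "application")):
            return (pol["action"] or "no-action", f"{src_zone}->{dst_zone} policy {name}")
        # A narrower policy sits first; whether it matches needs address-book resolution.
        return ("undetermined", f"{src_zone}->{dst_zone} policy {name}")
    return ("no-policy", f"{src_zone}->{dst_zone} (default deny)")


def check_pair(cfg, a, b):
    """Both directions matter: a session needs the forward policy, and the host behind b
    needs its own permit back towards a for traffic it originates."""
    return {"forward": check_direction(cfg, a, b), "reverse": check_direction(cfg, b, a)}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("L3 units without a zone:", unzoned_l3_units(cfg))
    for direction, result in check_pair(cfg, "reth2.43", "reth2.222").items():
        print(direction, result)
```

Run against the real configuration (`show configuration | display set`), the script only confirms that zone membership and policies are consistent; a permit in both directions with no unzoned units means the cause of dropped traffic has to be looked for elsewhere, for example in the flow session table or on the trunk.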