Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Routing Between 2 VLANS on SRX-100 Router

    Posted 08-05-2011 11:44

    I have set up two VLANS on our router - one for a data network and one for a new VoIP system we are adding.

     

    There are 8 interfaces on the router:

    fe-0/0/0 - Uplink to WAN

    fe-0/0/1 - fe-0/0/6 - 192.168.1.0/24

    fe-0/0/7 - 192.168.10.0/24

     

    I have configured and tested the interfaces and they work for routing traffic locally to the subnet or externally to the WAN.  However, I can't route between the VLANS.

     

    root@outbound# run show interfaces terse

    ....

    vlan                    up    up
    vlan.0                  up    up   inet     192.168.1.1/24
    vlan.100                up    up   inet     192.168.10.1/24

     

    root@outbound# run show route

    inet.0: 8 destinations, 8 routes (7 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 1w2d 15:44:15
                        > to 209.191.17.225 via fe-0/0/0.0
    192.168.1.0/24     *[Direct/0] 24w2d 14:24:11
                        > via vlan.0
    192.168.1.1/32     *[Local/0] 24w6d 22:36:32
                          Local via vlan.0
    192.168.10.0/24    *[Direct/0] 00:17:57
                        > via vlan.100
    192.168.10.1/32    *[Local/0] 00:17:57
                          Local via vlan.100
    [edit]
    root@outbound# run show vlans
    Name           Tag     Interfaces
    default        1
                           None
    vlan-100       100
                           fe-0/0/7.0*
    vlan-trust     3
                           fe-0/0/1.0*, fe-0/0/2.0*, fe-0/0/3.0, fe-0/0/4.0*, fe-0/0/5.0, fe-0/0/6.0

     

    Please help as I am new to junos.

     

    Thanks!

    Tom



  • 2.  RE: Routing Between 2 VLANS on SRX-100 Router

    Posted 08-05-2011 12:38

    There could be some configurational issue.

     

    I could see vlan.0 configured but I show your interfaces fe-0/0/1 to fe-0/0/6 in vlan-3.

     

    You should have l3-interface defined in vlan-3.

     

    Please share your config.

     

    Also try ping from SRX ping 192.168.10.1 source 192.168.1.1 and let me know the result.

     

    Hope this would help..

     

    Accept the solution if this answers your query.



  • 3.  RE: Routing Between 2 VLANS on SRX-100 Router

    Posted 08-05-2011 12:47

    From the SRX I can:

     

    root@outbound> ping 192.168.10.1 source 192.168.1.1
    PING 192.168.10.1 (192.168.10.1): 56 data bytes
    64 bytes from 192.168.10.1: icmp_seq=0 ttl=64 time=0.310 ms
    64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.317 ms

    ...
    --- 192.168.10.1 ping statistics ---
    7 packets transmitted, 7 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.303/0.429/0.915/0.211 ms

    root@outbound> ping 192.168.1.1 source 192.168.10.1
    PING 192.168.1.1 (192.168.1.1): 56 data bytes
    64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=1.778 ms
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.309 ms
    ...

    --- 192.168.1.1 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.309/0.822/1.778/0.596 ms

     

    I think these are the pertinent parts of the config:

     

    # Last changed: 2011-08-05 02:01:44 EDT
    version 10.1S4.1;
    system {
        host-name outbound;
        domain-name martinfg.com;
        time-zone America/New_York;
        root-authentication {
        }
        name-server {
            192.168.1.6;
            209.191.0.1;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                propagate-settings fe-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        interface-range interfaces-trust {
            member fe-0/0/1;
            member fe-0/0/2;
            member fe-0/0/3;
            member fe-0/0/4;
            member fe-0/0/5;
            member fe-0/0/6;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        interface-range interfaces-vlan100 {
            member fe-0/0/7;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-100;
                    }
                }
            }
        }
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 209.191.17.226/27;
                }
            }
        }
        fe-0/0/1 {
            unit 0;
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 100 {
                family inet {
                    address 192.168.10.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 209.191.17.225;
        }
    }

    vlans {
        vlan-100 {
            vlan-id 100;
            l3-interface vlan.100;
        }
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }



  • 4.  RE: Routing Between 2 VLANS on SRX-100 Router

    Posted 08-05-2011 13:19

    You need a routed vlan interface (RVI) to enable inter-VLAN routing to happen.

     

    Suppose that you had a VLAN named blue with VLAN ID 100 and a VLAN named orange with VLAN ID 200 and you wanted to route between the VLANs.

     

    set interfaces vlan unit 100 family inet address 192.168.1.1/24
    set interfaces vlan unit 200 family inet address 192.168.2.1/24

    set vlans blue l3-interface vlan.100
    set vlans orange l3-interface vlan.200

    Once you commit traffic from blue will be able to route to orange and vice versa.


    The SRX documentation doesn't really go into this from what I could see. The EX documentation explains it better and the concepts apply to Junos on the SRX:

     

    http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/bridging-vrf-ex-series.html



  • 5.  RE: Routing Between 2 VLANS on SRX-100 Router

    Posted 08-05-2011 13:36

    Thanks for the response, but is that not already in the config file above?

     

    Your first command, in my case, would set:

     

    interfaces {

    ....

        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 100 {
                family inet {
                    address 192.168.10.1/24;
                }
            }
        }

    }

     

    Your second commands set:

     

    vlans {
        vlan-100 {
            vlan-id 100;
            l3-interface vlan.100;
        }
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

     

    After committing this, I still can't access resources on one VLAN from the other.

     

    I don't see the bridging between the two.  I am sorry, please advise again.

     

    Thanks so much for your help!

    Tom



  • 6.  RE: Routing Between 2 VLANS on SRX-100 Router

    Posted 08-05-2011 13:46

    I broke down your config to make sure I understand the config:

     

    fe-0/0/1 to fe-0/0/6 are vlan-trust members with VLAN-ID 3

     

    fe-0/0/7 is vlan-100 member with VLAN-ID 100

     

    VLAN 0 has IP 192.168.1.1/24

    VLAN 100 has IP 192.168.10.1/24

     

    VLAN 100 has L3/RVI setup so it is ready to go

    VLAN 3 has L3/RVI setup without an IP address

     

    If you want vlan-trust (ID 3) to be able to swap traffic with vlan-100 (ID 100) you just need an IP address for VLAN 3.

     

    The VLAN 0 IP will do nothing at this point because it is not attached to an interface and I don't see a VLAN 0 in the configuration anywhere other than with an IP assignment. This VLAN is not attached to any interfaces.

     

     



  • 7.  RE: Routing Between 2 VLANS on SRX-100 Router

    Posted 08-07-2011 13:23

    Thanks for your help.  I appreciate it greatly.

     

    vlan.0 is the initial LAN that the SRX100 initialized itself.  It is the base LAN it services 192.168.1.0/24

    In its initial configuration it created the vlan-trust with vlan-id 3 but its l3-interface was defined as vlan.0 

     

    Here is the conf when the Router was just servicing one LAN.  Maybe it's easier if I asked, "From this initial config, what do I need to add if I want the interface fe-0/0/7 to support 192.168.10.0/24 and fully communicate with 192.168.1.0/24?"

     

    Thanks!

    Tom

     

    ## Last changed: 2011-05-24 23:05:21 EDT
    version 10.1S4.1;
    system {
        host-name outbound;
        domain-name martinfg.com;
        time-zone America/New_York;
        root-authentication {
     ....

       }
        name-server {
            192.168.1.6;
            209.191.0.1;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                propagate-settings fe-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        interface-range interfaces-trust {
            member fe-0/0/1;
            member fe-0/0/2;
            member fe-0/0/3;
            member fe-0/0/4;
            member fe-0/0/5;
            member fe-0/0/6;
            member fe-0/0/7;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 209.191.17.226/27;
                }
            }
        }
        fe-0/0/1 {
            unit 0;
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 209.191.17.225;
        }
    }
    security {
     .....

    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }



  • 8.  RE: Routing Between 2 VLANS on SRX-100 Router
    Best Answer

    Posted 08-08-2011 09:26

    The issue has been resolved.  The problem was rooted in the fact that the SRX100 is a firewall first and then a router.  The SRX100 configs itself with two policies  "trust to untrust" and "untrust to trust."  There was no "trust to trust".  

     

    Once I added a policy for "trust to trust", the router worked.

     

    Thanks for all your help.
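
The fix described in the accepted answer, written out as Junos `set` commands; this is an added example, not configuration from the thread. The `security` stanza is elided on the page, so it assumes `vlan.0` and `vlan.100` both sit in zone `trust`; the policy names, the `voice` zone and the address-book entry names are hypothetical, and `junos-sip` stands in for whatever the VoIP system actually needs.

```junos
# Added example, not from the thread. Assumes vlan.0 and vlan.100 are both
# bound to security-zone trust (the security stanza is not shown on the page).

# --- Option A: the fix as described, one intra-zone permit ------------------
# Both /24s are Direct routes and the RVIs answer ping from the SRX itself,
# but transit traffic between them still needs a policy: with only
# trust-to-untrust and untrust-to-trust defined, trust-to-trust flows match
# nothing and are dropped.
set security policies from-zone trust to-zone trust policy intra-trust match source-address any
set security policies from-zone trust to-zone trust policy intra-trust match destination-address any
set security policies from-zone trust to-zone trust policy intra-trust match application any
set security policies from-zone trust to-zone trust policy intra-trust then permit

# --- Option B: alternative to A, VoIP VLAN in its own zone ------------------
# Keeps the data and voice networks separated by policy instead of opening
# everything inside trust. Zone "voice" and all names below are hypothetical.
delete security zones security-zone trust interfaces vlan.100
set security zones security-zone voice interfaces vlan.100 host-inbound-traffic system-services ping
set security zones security-zone trust address-book address data-net 192.168.1.0/24
set security zones security-zone voice address-book address voip-net 192.168.10.0/24

set security policies from-zone trust to-zone voice policy data-to-voip match source-address data-net
set security policies from-zone trust to-zone voice policy data-to-voip match destination-address voip-net
set security policies from-zone trust to-zone voice policy data-to-voip match application junos-sip
set security policies from-zone trust to-zone voice policy data-to-voip then permit
set security policies from-zone trust to-zone voice policy data-to-voip then log session-init

set security policies from-zone voice to-zone trust policy voip-to-data match source-address voip-net
set security policies from-zone voice to-zone trust policy voip-to-data match destination-address data-net
set security policies from-zone voice to-zone trust policy voip-to-data match application junos-sip
set security policies from-zone voice to-zone trust policy voip-to-data then permit
set security policies from-zone voice to-zone trust policy voip-to-data then log session-init

# --- Check before and after commit (configuration mode) ---------------------
# commit check
# run show security zones
# run show security policies from-zone trust to-zone trust
# run show security flow session source-prefix 192.168.1.0/24 destination-prefix 192.168.10.0/24
```

Apply either option A or option B, not both; with option B the phones also need a voice-to-untrust policy if they must reach anything beyond the data network.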