Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  SRX 320 // No internet access from the trunk por // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

    Posted 07-15-2017 02:41


    I need your help, please.

    I have configured one port as a trunk and the other ports in access mode. From the trunk port I only get internet access from the VLANs that I have configured on the access-mode ports (100, 190, 150); from the other VLANs (155, 160, 165, 170, 175, 180, 185, 200) there is no internet access from the trunk port.

    Thanks and regards



    JUNOS Software Release [15.1X49-D100.6]


    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services dhcp-local-server group Pool_Publico interface irb.200
    set system services dhcp-local-server group Pool_Produccion interface irb.150
    set system services dhcp-local-server group Pool_Accesos interface irb.155
    set system services dhcp-local-server group Pool_Artistas interface irb.160
    set system services dhcp-local-server group Pool_Vip interface irb.165
    set system services dhcp-local-server group Pool_Backstages interface irb.170
    set system services dhcp-local-server group Pool_Patrosinadores interface irb.175
    set system services dhcp-local-server group Pool_Streaming interface irb.185
    set system services dhcp-local-server group Pool_Camaras interface irb.190
    set system services dhcp-local-server group Pool_WT interface irb.100
    set system services web-management http interface irb.100
    set system services web-management https system-generated-certificate
    set system services web-management https interface irb.100
    set system services web-management session idle-timeout 60
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system ntp server us.ntp.pool.org
    set security log mode stream
    set security log report
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set Internet from zone TRUST
    set security nat source rule-set Internet to zone untrust
    set security nat source rule-set Internet rule Interface-Nat match source-address
    set security nat source rule-set Internet rule Interface-Nat then source-nat interface
    set security policies from-zone TRUST to-zone untrust policy Internet match source-address any
    set security policies from-zone TRUST to-zone untrust policy Internet match destination-address any
    set security policies from-zone TRUST to-zone untrust policy Internet match application any
    set security policies from-zone TRUST to-zone untrust policy Internet then permit
    set security zones security-zone TRUST host-inbound-traffic system-services ping
    set security zones security-zone TRUST host-inbound-traffic system-services ssh
    set security zones security-zone TRUST host-inbound-traffic system-services http
    set security zones security-zone TRUST host-inbound-traffic system-services https
    set security zones security-zone TRUST interfaces irb.150 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.150 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.155 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.155 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.160 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.160 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.165 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.165 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.170 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.170 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.175 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.175 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.180 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.180 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.185 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.185 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.190 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.190 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.200 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.200 host-inbound-traffic protocols all
    set security zones security-zone TRUST interfaces irb.100 host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces irb.100 host-inbound-traffic protocols all
    set security zones security-zone Internet
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set interfaces ge-0/0/0 unit 0 description *****WAN*****
    set interfaces ge-0/0/0 unit 0 family inet address
    set interfaces ge-0/0/0 unit 0 family inet address
    set interfaces ge-0/0/1 unit 0 description *****TRUNK*****
    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Accesos
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Artistas
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Backstages
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Camaras
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members MNGMT
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members PUBLICO
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Patros
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Prensa
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Produccion
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Streaming
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VIP
    set interfaces ge-0/0/2 unit 0 description *****PRODUCCION*****
    set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members Produccion
    set interfaces ge-0/0/3 unit 0 description *****CAMARAS*****
    set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members Camaras
    set interfaces ge-0/0/4 gigether-options auto-negotiation
    set interfaces ge-0/0/4 unit 0 description *****WATAMBI*****
    set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members MNGMT
    set interfaces ge-0/0/5 unit 0 description *****WATAMBI*****
    set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members MNGMT
    set interfaces irb unit 100 family inet address
    set interfaces irb unit 150 family inet address
    set interfaces irb unit 155 family inet address
    set interfaces irb unit 160 family inet address
    set interfaces irb unit 165 family inet address
    set interfaces irb unit 170 family inet address
    set interfaces irb unit 175 family inet address
    set interfaces irb unit 180 family inet address
    set interfaces irb unit 185 family inet address
    set interfaces irb unit 190 family inet address
    set interfaces irb unit 200 family inet address
    set routing-options static route next-hop
    set protocols l2-learning global-mode switching
    set protocols rstp interface all
    set access address-assignment pool Pool_WT family inet network
    set access address-assignment pool Pool_WT family inet range Pool_WT low
    set access address-assignment pool Pool_WT family inet range Pool_WT high
    set access address-assignment pool Pool_WT family inet dhcp-attributes name-server
    set access address-assignment pool Pool_WT family inet dhcp-attributes name-server
    set access address-assignment pool Pool_WT family inet dhcp-attributes router
    set access address-assignment pool Pool_Publico family inet network
    set access address-assignment pool Pool_Publico family inet range Pool_Publico low
    set access address-assignment pool Pool_Publico family inet range Pool_Publico high
    set access address-assignment pool Pool_Publico family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Publico family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Publico family inet dhcp-attributes router
    set access address-assignment pool Pool_Produccion family inet network
    set access address-assignment pool Pool_Produccion family inet range Pool_Produccion low
    set access address-assignment pool Pool_Produccion family inet range Pool_Produccion high
    set access address-assignment pool Pool_Produccion family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Produccion family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Produccion family inet dhcp-attributes router
    set access address-assignment pool Pool_Accesos family inet network
    set access address-assignment pool Pool_Accesos family inet range Pool_Accesos low
    set access address-assignment pool Pool_Accesos family inet range Pool_Accesos high
    set access address-assignment pool Pool_Accesos family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Accesos family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Accesos family inet dhcp-attributes router
    set access address-assignment pool Pool_Artistas family inet network
    set access address-assignment pool Pool_Artistas family inet range Pool_Artistas low
    set access address-assignment pool Pool_Artistas family inet range Pool_Artistas high
    set access address-assignment pool Pool_Artistas family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Artistas family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Artistas family inet dhcp-attributes router
    set access address-assignment pool Pool_Vip family inet network
    set access address-assignment pool Pool_Vip family inet range Pool_Vip low
    set access address-assignment pool Pool_Vip family inet range Pool_Vip high
    set access address-assignment pool Pool_Vip family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Vip family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Vip family inet dhcp-attributes router
    set access address-assignment pool Pool_Backstages family inet network
    set access address-assignment pool Pool_Backstages family inet range Pool_Backstages low
    set access address-assignment pool Pool_Backstages family inet range Pool_Backstages high
    set access address-assignment pool Pool_Backstages family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Backstages family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Backstages family inet dhcp-attributes router
    set access address-assignment pool Pool_Patrocinadores family inet network
    set access address-assignment pool Pool_Patrocinadores family inet range Pool_Patrosinadores low
    set access address-assignment pool Pool_Patrocinadores family inet range Pool_Patrosinadores high
    set access address-assignment pool Pool_Patrocinadores family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Patrocinadores family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Patrocinadores family inet dhcp-attributes router
    set access address-assignment pool Pool_Prensa family inet network
    set access address-assignment pool Pool_Prensa family inet range Pool_Prensa low
    set access address-assignment pool Pool_Prensa family inet range Pool_Prensa high
    set access address-assignment pool Pool_Prensa family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Prensa family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Prensa family inet dhcp-attributes router
    set access address-assignment pool Pool_Streaming family inet network
    set access address-assignment pool Pool_Streaming family inet range Pool_Streaming low
    set access address-assignment pool Pool_Streaming family inet range Pool_Streaming high
    set access address-assignment pool Pool_Streaming family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Streaming family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Streaming family inet dhcp-attributes router
    set access address-assignment pool Pool_Camaras family inet network
    set access address-assignment pool Pool_Camaras family inet range Pool_Camaras low
    set access address-assignment pool Pool_Camaras family inet range Pool_Camaras high
    set access address-assignment pool Pool_Camaras family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Camaras family inet dhcp-attributes name-server
    set access address-assignment pool Pool_Camaras family inet dhcp-attributes router
    set vlans Accesos vlan-id 155
    set vlans Accesos l3-interface irb.155
    set vlans Artistas vlan-id 160
    set vlans Artistas l3-interface irb.160
    set vlans Backstages vlan-id 170
    set vlans Backstages l3-interface irb.170
    set vlans Camaras vlan-id 190
    set vlans Camaras l3-interface irb.190
    set vlans MNGMT vlan-id 100
    set vlans MNGMT l3-interface irb.100
    set vlans PUBLICO vlan-id 200
    set vlans PUBLICO l3-interface irb.200
    set vlans Patros description PATROCINADORES
    set vlans Patros vlan-id 175
    set vlans Patros l3-interface irb.175
    set vlans Prensa vlan-id 180
    set vlans Prensa l3-interface irb.180
    set vlans Produccion vlan-id 150
    set vlans Produccion l3-interface irb.150
    set vlans Streaming vlan-id 185
    set vlans Streaming l3-interface irb.185
    set vlans VIP vlan-id 165
    set vlans VIP l3-interface irb.165


  • 2.  RE: SRX 320 // No internet access from the trunk por // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

    Posted 07-16-2017 00:47

    Hello there,


    @atrix wrote:


    set protocols rstp interface all

    Check if your ge-0/0/1 is blocked by RSTP.



  • 3.  RE: SRX 320 // No internet access from the trunk por // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

    Posted 07-17-2017 01:04

    Hello, thanks for answering.

    I have not seen any blocking by RSTP. I have removed RSTP but the problem continues.

    delete protocols rstp interface all


  • 4.  RE: SRX 320 // No internet access from the trunk por // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

    Posted 07-16-2017 02:25

    You only have interfaces in those three vlans.

    You may also need another security policy to permit traffic from zone trust to-zone trust.

  • 5.  RE: SRX 320 // No internet access from the trunk por // 15.1X49-D100.6 // l3-interface irb // ethernet-switching

    Posted 07-17-2017 01:05

    Hello, thanks for answering.

    I have created another security policy to allow traffic from zone trust to-zone trust; the problem is not solved.

    set security policies from-zone TRUST to-zone TRUST policy vlans_to_inet match source-address any
    set security policies from-zone TRUST to-zone TRUST policy vlans_to_inet match destination-address any
    set security policies from-zone TRUST to-zone TRUST policy vlans_to_inet match application any
    set security policies from-zone TRUST to-zone TRUST policy vlans_to_inet then permit


  • 6.  RE: SRX 320 // No internet access from the trunk por // 15.1X49-D100.6 // l3-interface irb // ethernet-switching
    Best Answer

    Posted 07-17-2017 02:29

    The problem has been fixed with this:


    set security zones security-zone TRUST host-inbound-traffic system-services all
    set security zones security-zone TRUST host-inbound-traffic protocols all
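
Added example, not part of the thread or written by any poster: `host-inbound-traffic system-services all` controls which services on the SRX itself accept traffic, so combined with `set system services telnet` and `xnm-clear-text` it makes clear-text management reachable from every VLAN it covers. The Python sketch below cross-references the two in a set-style configuration; the sample lines are constructed, `irb.300` is a hypothetical interface, and independent per-interface override of the `system-services` list is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's "set" style; irb.300 is a hypothetical
# interface with a narrow per-interface list, added for contrast.
SAMPLE = """\
set system services ssh
set system services telnet
set system services xnm-clear-text
set security zones security-zone TRUST host-inbound-traffic system-services ping
set security zones security-zone TRUST host-inbound-traffic system-services ssh
set security zones security-zone TRUST interfaces irb.100 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.200 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces irb.300 host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
"""

# web-management http is not modelled: in the thread it is bound to irb.100
# by its own interface statement.
CLEARTEXT = re.compile(r"^set system services (telnet|xnm-clear-text)$")
ZONE = re.compile(
    r"^set security zones security-zone (\S+)(?: interfaces (\S+))?"
    r"(?: host-inbound-traffic (system-services|protocols) (\S+))?$")

def exposure(config):
    """Map 'zone/interface' to the clear-text management services it accepts."""
    running = set()
    zone_svcs, if_svcs, members = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in (l.strip() for l in config.splitlines()):
        m = CLEARTEXT.match(line)
        if m:
            running.add(m.group(1))
            continue
        m = ZONE.match(line)
        if not m:
            continue
        zone, ifc, kind, value = m.groups()
        if ifc:
            members[zone].add(ifc)
        if kind == "system-services":
            (if_svcs[(zone, ifc)] if ifc else zone_svcs[zone]).add(value)
    result = {}
    for zone, ifcs in members.items():
        for ifc in sorted(ifcs):
            # An interface-level list overrides the zone-level one; with no
            # interface-level list the zone-level list applies.
            allowed = if_svcs.get((zone, ifc)) or zone_svcs[zone]
            hit = running if "all" in allowed else running & allowed
            if hit:
                result[f"{zone}/{ifc}"] = sorted(hit)
    return result

if __name__ == "__main__":
    for scope, services in exposure(SAMPLE).items():
        print(scope, services)
```

An empty result means no zone interface accepts telnet or xnm-clear-text, either because the services are not enabled or because the host-inbound lists name only the services that are needed.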