Please see my previous post for suggested troubleshooting commands. Specifically, check the L2 Channel Error counter.
If you see L2 channel errors on the SRX, please review the switch documentation -- it's possible that by default VLAN 1 is untagged on trunk ports. You'd have to figure out how to get it tagged on the switch, or you can configure it untagged on the SRX.
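The check and the SRX-side fix described above (and the "show interface extensive" / L2 channel error advice further down in the thread), as an added Junos example that is not from the original posts or attachments: tagging VLAN 1 on the switch is the cleaner option, and this shows the alternative of accepting it untagged on the SRX. Assumed values: VLAN names vlan-1/vlan-10/vlan-20, irb unit 1, and the 192.168.10.1/24 address (constructed); 192.168.1.1 is the VLAN 1 gateway mentioned in the thread.

```junos
## Verification (operational mode) on the SRX once the trunk is up.
## A rising "L2 channel errors" count on ge-0/0/6 means frames arrived
## with a VLAN id the port has no unit/VLAN for, e.g. untagged VLAN 1.
show interfaces ge-0/0/6 extensive | match "L2 channel"
show ethernet-switching interface ge-0/0/6

## Option A: IRB-based configuration (assumed names vlan-1, irb.1).
## The switch sends VLAN 1 untagged on its trunk, so the SRX maps
## untagged ingress frames to VLAN 1 with native-vlan-id.
set vlans vlan-1 vlan-id 1
set vlans vlan-1 l3-interface irb.1
set interfaces irb unit 1 family inet address 192.168.1.1/24
set interfaces ge-0/0/6 native-vlan-id 1
set interfaces ge-0/0/6 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members [ vlan-1 vlan-10 vlan-20 ]
set security zones security-zone trust interfaces irb.1

## Option B: router-on-a-stick (vlan-tagging) equivalent, not combined
## with Option A. native-vlan-id 1 makes untagged frames land on the
## logical unit whose vlan-id is 1; tagged VLANs get their own units.
set interfaces ge-0/0/6 vlan-tagging
set interfaces ge-0/0/6 native-vlan-id 1
set interfaces ge-0/0/6 unit 1 vlan-id 1
set interfaces ge-0/0/6 unit 1 family inet address 192.168.1.1/24
set interfaces ge-0/0/6 unit 10 vlan-id 10
set interfaces ge-0/0/6 unit 10 family inet address 192.168.10.1/24
set security zones security-zone trust interfaces ge-0/0/6.1
set security zones security-zone trust interfaces ge-0/0/6.10
```

After committing, re-run the first two show commands: the L2 channel error counter should stop incrementing once untagged VLAN 1 frames have a matching VLAN or unit.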
Original Message:
Sent: 02-06-2025 10:29
From: BENGISU IREM AKDENIZ
Subject: SRX320 VLAN Routing & Internet Access Issue
The switch configuration doesn't seem to be the issue. I've tested every possibility.
Current Configuration:
vlan 5
 name MGMT
vlan range 1,10,20
interface GigabitEthernet 0/6
 description SRX320
 switchport mode trunk
interface VLAN 1
 ip address 192.168.1.130 255.255.255.0
!
interface VLAN 5
 ip address 192.168.5.2 255.255.255.0
!
interface VLAN 10
!
ip route 0.0.0.0 0.0.0.0 192.168.5.1
!
With this configuration, I can successfully ping 192.168.5.2 from both the SRX and my computer. However, if I remove VLAN 5 and assign the IP to VLAN 1 instead, it stops working.
And yes, I am correctly setting ip route 0.0.0.0 0.0.0.0 192.168.1.1.
Any insights on why this happens?
------------------------------
BENGISU IREM AKDENIZ
Original Message:
Sent: 02-06-2025 09:31
From: Nikolay Semov
Subject: SRX320 VLAN Routing & Internet Access Issue
Show switch config.
------------------------------
Nikolay Semov
Original Message:
Sent: 02-06-2025 07:05
From: BENGISU IREM AKDENIZ
Subject: SRX320 VLAN Routing & Internet Access Issue
Hi,
I made a demo, and with this new configuration, I think the issue is resolved. I used one router as an ISP and connected it to the SRX320 via the WAN port. The ISP's IP address is 37.202.49.243, and the SRX's WAN port IP is 37.202.49.242.
Currently, all VLANs can successfully communicate with each other except VLAN 1. Additionally, I can ping 37.202.49.243 from within the network without any issues.
However, VLAN 1 is still unable to communicate. As I mentioned earlier, the network consists of two buildings, and one of them uses VLAN 1 for all its traffic.
What could be causing VLAN 1 to be isolated while the other VLANs are working correctly? The SRX320 has a default VLAN called vlan-trust with VLAN ID 3, which is assigned to the irb.0 interface. I tried changing it to VLAN 1 to allow communication, but it didn't work. I then deleted it, created a new VLAN with VLAN ID 1, and assigned it to irb.0, but that also didn't work. I also assigned it to irb.1, but still no success. I have also added it to the trust zone, so that shouldn't be the problem either.
I'm attaching the new SRX configuration file. By the way, the SRX is connected to a Ruijie switch, which has all the necessary VLANs configured and a trunk port. There are no native VLANs.
My computer is connected to the switch as an access port in VLAN 20, and I can ping everywhere on the SRX. However, I cannot ping the switch in VLAN 1. When I assign a VLAN 5 IP address to the switch, I can ping it without any issues. But when I do the same for VLAN 1, I cannot ping it.
Any insights or troubleshooting suggestions would be greatly appreciated.
------------------------------
BENGISU IREM AKDENIZ
Original Message:
Sent: 02-04-2025 14:27
From: Nikolay Semov
Subject: SRX320 VLAN Routing & Internet Access Issue
What steps did you perform to test the connectivity in each configuration? What happened as a result of those tests?
The VLAN tagging configuration does not designate vlan 10 as the native one, but other than that I didn't notice anything obviously wrong.
Go back to the basics. In "show interface extensive" take note of the L2 channel error counter. It indicates unexpected VLAN id. Double-check actual configuration on the EX port with "show ethernet-switching interface" (same on the SRX if you use IRB config), etc.
------------------------------
Nikolay Semov
Original Message:
Sent: 02-03-2025 07:34
From: BENGISU IREM AKDENIZ
Subject: SRX320 VLAN Routing & Internet Access Issue
Hi,
I have a network where the SRX320 is used as the firewall between multiple VLAN gateways. The network is built as follows:
Core and Distribution:
- An EX4400 serves as the backbone switch.
- The EX4400 connects to 8 EX4100-F devices.
New Building:
- Contains 5 EX4100 switches.
- Supports multiple VLANs (VLAN 10, 20, 30, 40, 50, and 60) for user connectivity.
Old Building:
- Contains 3 EX4100 switches.
- Uses a single VLAN (VLAN 1) for all traffic.
Firewall & WAN Details:
- The WAN (Internet-facing) port on the SRX320 is ge-0/0/0 with the following network details:
  - Network: 10.10.10.0/29
  - Default Gateway: 10.10.10.1
  - WAN IP Address: 10.10.10.2
- The connection to the EX4400 is via port ge-0/0/6 on the SRX320, which connects to the corresponding trunk port on the EX4400. Both ends are configured with native VLAN 10.
- All internal interfaces (for all VLANs) are assigned to the trust zone, allowing full inter-VLAN communication.
The Problem
I need all internal VLANs (from both the new and old buildings) to communicate with each other and access the Internet via the single WAN (untrust) port on the SRX320. I have tried two configuration methods on the SRX320:
IRB-Based Configuration:
- Defining an IRB interface for each VLAN with its respective IP gateway.
VLAN Tagging (Router-on-a-Stick) Configuration:
- Using subinterfaces with VLAN tagging on a physical port.
Despite following standard configuration practices for both methods, neither approach has resulted in the desired connectivity between VLANs or proper Internet access.
Question
Am I missing any key configuration elements or steps in either method? Any guidance or suggestions to help resolve this issue would be greatly appreciated.
I'm attaching both txt files for the SRX: one with IRB interfaces and the other with VLAN tagging. The files include the full "show configuration" output as well as the "set" commands.
------------------------------
BENGISU IREM AKDENIZ