SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX320 VLAN Routing & Internet Access Issue

    Posted 11 days ago

    Hi, 

    I have a network where the SRX320 is used as the firewall between multiple VLAN gateways. The network is built as follows:

    • Core and Distribution:

      • An EX4400 serves as the backbone switch.
      • The EX4400 connects to 8 EX4100-F devices.
    • New Building:

      • Contains 5 EX4100 switches.
      • Supports multiple VLANs (VLAN 10, 20, 30, 40, 50, and 60) for user connectivity.
    • Old Building:

      • Contains 3 EX4100 switches.
      • Uses a single VLAN (VLAN 1) for all traffic.
    • Firewall & WAN Details:

      • The WAN (Internet-facing) port on the SRX320 is ge-0/0/0 with the following network details:
        • Network: 10.10.10.0/29
        • Default Gateway: 10.10.10.1
        • WAN IP Address: 10.10.10.2
      • The connection to the EX4400 is via port ge-0/0/6 on the SRX320, which connects to the corresponding trunk port on the EX4400. Both ends are configured with native VLAN 10.
      • All internal interfaces (for all VLANs) are assigned to the trust zone, allowing full inter-VLAN communication.

    The Problem

    I need all internal VLANs (from both the new and old buildings) to communicate with each other and access the Internet via the single WAN (untrust) port on the SRX320. I have tried two configuration methods on the SRX320:

    1. IRB-Based Configuration:

      • Defining an IRB interface for each VLAN with its respective IP gateway.
    2. VLAN Tagging (Router-on-a-Stick) Configuration:

      • Using subinterfaces with VLAN tagging on a physical port.

    Despite following standard configuration practices for both methods, neither approach has resulted in the desired connectivity between VLANs or proper Internet access.

    Question

    Am I missing any key configuration elements or steps in either method? Any guidance or suggestions to help resolve this issue would be greatly appreciated.

    I'm attaching both txt files for the SRX, one with irb interfaces and the other with vlan tagging. The files include the full "show configuration" output as well as the "set" commands.



    ------------------------------
    BENGISU IREM AKDENIZ
    ------------------------------



  • 2.  RE: SRX320 VLAN Routing & Internet Access Issue

    Posted 10 days ago

    What steps did you perform to test the connectivity in each configuration? What happened as a result of those tests?

    The VLAN tagging configuration does not designate vlan 10 as the native one, but other than that I didn't notice anything obviously wrong.

    Go back to the basics. In "show interface extensive" take note of the L2 channel error counter. It indicates unexpected VLAN id. Double-check actual configuration on the EX port with "show ethernet-switching interface" (same on the SRX if you use IRB config), etc.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: SRX320 VLAN Routing & Internet Access Issue

    Posted 8 days ago

    Hi,

    I made a demo, and with this new configuration, I think the issue is resolved. I used one router as an ISP and connected it to the SRX320 via the WAN port. The ISP's IP address is 37.202.49.243, and the SRX's WAN port IP is 37.202.49.242.

    Currently, all VLANs can successfully communicate with each other except VLAN 1. Additionally, I can ping 37.202.49.243 from within the network without any issues.

    However, VLAN 1 is still unable to communicate. As I mentioned earlier, the network consists of two buildings, and one of them uses VLAN 1 for all its traffic.

    What could be causing VLAN 1 to be isolated while the other VLANs are working correctly? The SRX320 has a default VLAN called vlan-trust with VLAN ID 3, which is assigned to the irb.0 interface. I tried changing it to VLAN 1 to allow communication, but it didn't work. I then deleted it, created a new VLAN with VLAN ID 1, and assigned it to irb.0, but that also didn't work. I also assigned it to irb.1, but still no success. I have also added it to the trust zone, so that shouldn't be the problem either.

    I'm attaching the new SRX configuration file. By the way, the SRX is connected to a Ruijie switch, which has all the necessary VLANs configured and a trunk port. There are no native VLANs.

    My computer is connected to the switch as an access port in VLAN 20, and I can ping everywhere on the SRX. However, I cannot ping the switch in VLAN 1. When I assign a VLAN 5 IP address to the switch, I can ping it without any issues. But when I do the same for VLAN 1, I cannot ping it.

    Any insights or troubleshooting suggestions would be greatly appreciated.



    ------------------------------
    BENGISU IREM AKDENIZ
    ------------------------------



  • 4.  RE: SRX320 VLAN Routing & Internet Access Issue

    Posted 8 days ago

    Show switch config.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 5.  RE: SRX320 VLAN Routing & Internet Access Issue

    Posted 8 days ago

    The switch configuration doesn't seem to be the issue; I've tested every possibility.

    Current Configuration:

    vlan 5
     name MGMT
    vlan range 1,10,20

    interface GigabitEthernet 0/6
     description SRX320
     switchport mode trunk

    interface VLAN 1
     ip address 192.168.1.130 255.255.255.0
    !
    interface VLAN 5
     ip address 192.168.5.2 255.255.255.0
    !
    interface VLAN 10
    !
    ip route 0.0.0.0 0.0.0.0 192.168.5.1
    !

    With this configuration, I can successfully ping 192.168.5.2 from both the SRX and my computer. However, if I remove VLAN 5 and assign the IP to VLAN 1 instead, it stops working.

    And yes, I am correctly setting ip route 0.0.0.0 0.0.0.0 192.168.1.1.

    Any insights on why this happens?



    ------------------------------
    BENGISU IREM AKDENIZ
    ------------------------------



  • 6.  RE: SRX320 VLAN Routing & Internet Access Issue

    Posted 8 days ago

    Please see my previous post for suggested troubleshooting commands. Specifically, check the L2 Channel Error counter.

    If you see L2 channel errors on the SRX, please review the switch documentation -- it's possible that by default VLAN 1 is untagged on trunk ports. You'd have to figure out how to get it tagged on the switch, or you can configure it untagged on the SRX.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 7.  RE: SRX320 VLAN Routing & Internet Access Issue

    Posted 8 days ago

    How am I supposed to configure VLAN 1 on the ge-0/0/1 interface with vlan-tagging?

    set interfaces ge-0/0/1 vlan-tagging

    set interfaces ge-0/0/1 unit 1 vlan-id 1
    set interfaces ge-0/0/1 unit 1 family inet address 192.168.1.1/24

    I have tried this and it didn't work either.



    ------------------------------
    BENGISU IREM AKDENIZ
    ------------------------------
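    An added illustration (not part of the thread, and not taken from the attached configurations) of what the suggestion in reply 6 looks like on the SRX side: if the Ruijie trunk sends VLAN 1 untagged, the SRX must be told which logical unit receives untagged frames, which is what the three-line vlan-tagging attempt above is missing. Interface names and the 192.168.1.1/24 address come from the thread; the VLAN name "vlan1", the 192.168.20.1/24 address and the "#" comment lines are assumptions added for the reader.

    ```junos
    # Variant A: vlan-tagging (router-on-a-stick) style on ge-0/0/1.
    # native-vlan-id makes the unit whose vlan-id matches it (unit 1 here)
    # accept the untagged frames that the switch sends for VLAN 1.
    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1 native-vlan-id 1
    set interfaces ge-0/0/1 unit 1 vlan-id 1
    set interfaces ge-0/0/1 unit 1 family inet address 192.168.1.1/24
    set interfaces ge-0/0/1 unit 20 vlan-id 20
    set interfaces ge-0/0/1 unit 20 family inet address 192.168.20.1/24
    # Every logical unit still needs a zone, otherwise the flow engine drops it.
    set security zones security-zone trust interfaces ge-0/0/1.1
    set security zones security-zone trust interfaces ge-0/0/1.20

    # Variant B: IRB style, port in family ethernet-switching.
    # The untagged VLAN is again declared with native-vlan-id on the physical
    # interface, and it must also be a member of the trunk.
    set vlans vlan1 vlan-id 1
    set vlans vlan1 l3-interface irb.1
    set interfaces irb unit 1 family inet address 192.168.1.1/24
    set interfaces ge-0/0/1 native-vlan-id 1
    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan1
    set security zones security-zone trust interfaces irb.1

    # Checks from reply 2: the L2 channel error counter grows when frames arrive
    # with a VLAN id no unit is configured for, i.e. a tagged/untagged mismatch.
    show interfaces ge-0/0/1 extensive | match "L2 channel"
    show ethernet-switching interface ge-0/0/1
    ```

    Use one variant only; the two are alternatives for the same port.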



  • 8.  RE: SRX320 VLAN Routing & Internet Access Issue

    Posted 10 days ago

    How about this…

    I have tried my SRXs with Comcast/Xfinity. My thoughts on their advanced firewall which integrates with their list of gateways seems to have some limitations. I have seen the SRX firewalls have a little trouble. But for me I think it's inevitable due to the whole picture of that ISP. The first thought I have is DNS. It has everything to do with tagging and tagging is not an easy task. In fact I used another platform to start my tagging and it was port based at first. Not VLAN. But you might try this.

    https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/dhcp-client-edit-interfaces-srx.html

    no-dns-install



    https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/firewall-install-disable-edit-flow-routing-options.html

    firewall-install-disable;




    So why try to disable the firewall? For me just going through these two statements was very helpful. Remember most ISPs have their own form of a firewall in their connection. But be careful. Also, the DNS ALG is a non-standard port.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 9.  RE: SRX320 VLAN Routing & Internet Access Issue

    Posted 8 days ago

    @eugene1973

    firewall-install-disable is for BGP FlowSpec, and the configuration in question does not use BGP.

    The WAN interface has a static IP address, no DHCP client enabled, so no-dns-install is not applicable, but ... since you mentioned it ...

    @BENGISU IREM AKDENIZ

    Your DHCP address pools do not specify a DNS (name-server) address for LAN devices to use. You should probably add some.



    ------------------------------
    Nikolay Semov
    ------------------------------