SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
SRX300 series VLAN interface

  • 1.  SRX300 series VLAN interface

     
    Posted 06-09-2016 06:35

    I have been configuring an SRX320 for the first time.

    [edit vlans]
    root@lab-01# run show version
    Hostname: lab-01
    Model: srx320
    Junos: 15.1X49-D45
    JUNOS Software Release [15.1X49-D45]

     

    I noticed that under a vlan I am unable to put a vlan L3 interface on it.

    [edit vlans]
    root@lab-01# set v-100 l3-interface vlan.100
    error: l3-interface: 'vlan.100': Only IRB interface is supported, e.g. irb.10

    [edit vlans]
    root@lab-01# show
    v-100 {
        vlan-id 100;
    }

    As you can see it refuses to add it. I tried using an IRB interface instead but this is not routable as stated in this link:

     

    http://www.juniper.net/documentation/en_US/junos12.3x48/topics/concept/security-mixed-mode-understanding.html

     

    How do you get a L3 interface onto a VLAN on the SRX300 series?

     

     



  • 2.  RE: SRX300 series VLAN interface

    Posted 06-09-2016 07:51

    Hello,

     

     

    I would like to inform you that starting from version 15.1X+ the vlan interface is no longer supported on SRX and instead irb interface will be used for the same purpose.

     

    You can use the following online converter tool to convert the configuration from the old configuration to the new supported configuration.

    https://www.juniper.net/customers/support/configtools/elstranslator/index.jsp 

     

    Or you can refer to the below example for your configuration:

     

    root@SRX320-Pro# show interfaces
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members mgmt;
                }
            }
        }
    }
    irb {
        unit 100 {
            family inet {
                address 10.219.33.8/26;
            }
        }
    }

    root@SRX320-Pro# show vlans
    mgmt {
        vlan-id 100;
        l3-interface irb.100;
    }

     

    You need to use irb interface in a zone for allowing the host-inbound traffic.
    Also, when you configure a device as an Ethernet switch, the mode changes to mix mode and during commit a warning will be seen for a reboot, so you need to also reboot the SRX for this configuration to take effect.

    If nothing from the above works then refer to the following document, which is for EX series devices but will be the same for the SRX 320 device.

    https://www.juniper.net/techpubs/en_US/junos12.3/information-products/topic-collections/ex9200/software-all/getting-started-els.pdf

     

    Thanks,
    Pulkit Bhandari

    Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too. 🙂



  • 3.  RE: SRX300 series VLAN interface

     
    Posted 06-09-2016 09:02

    Thanks for the response. I had already configured all those things, please see below:

     


    [edit]
    root@hen-fw-01# show vlans
    v-100 {
        vlan-id 100;
        l3-interface irb.100;
    }

    [edit]
    root@hen-fw-01# show interfaces ge-0/0/1
    unit 0 {
        family ethernet-switching {
            vlan {
                members v-100;
            }
        }
    }

    [edit]
    root@hen-fw-01# show interfaces irb
    description "LAN RVI";
    unit 100 {
        family inet {
            address 10.1.1.1/24;
        }
    }

    root@hen-fw-01# show security zones security-zone trust
    host-inbound-traffic {
        system-services {
            dhcp;
            ping;
            traceroute;
            bootp;
        }
    }
    interfaces {
        irb.100;
    }

     

    It does not work.



  • 4.  RE: SRX300 series VLAN interface

    Posted 06-09-2016 09:22

    Be sure to put the SRX300 into switching mode as well:  http://www.juniper.net/techpubs/en_US/junos15.1x49-d40/topics/concept/security-layer2-bridging-switching-overview.html

     

    By default SRX300 is in transparent bridging mode, which sends all the L2 traffic through the network processor.  By changing to switching mode it uses the L2 switch chip to forward L2 traffic at line-rate & only punts the L3 (IP) traffic up to the NP.

     

    HtH.

     

     -Blake


    #SRX300switching


  • 5.  RE: SRX300 series VLAN interface

     
    Posted 06-10-2016 00:07

    Hi,

     

    Unfortunately still not working.

     

    [edit]
    root@lab-fw-01# show protocols
    l2-learning {
        global-mode switching;
    }

     

    Thanks



  • 6.  RE: SRX300 series VLAN interface

    Posted 06-10-2016 00:48

    Hello,

     

     

    Have you rebooted the SRX after configuring the IRB interface?

    If not then please reboot it and check if it works, because when we configure a device as an Ethernet switch, the mode changes to mix mode and during commit a warning will be seen for a reboot, so we need to also reboot the SRX for this configuration to take effect.

     

    Thanks,
    Pulkit Bhandari

    Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too. 🙂



  • 7.  RE: SRX300 series VLAN interface

     
    Posted 06-10-2016 02:21

    Yes I have rebooted.



  • 8.  RE: SRX300 series VLAN interface
    Best Answer

    Posted 06-11-2016 03:20

    Hi Regalis,

     

    Make sure that all the physical interfaces which are configured under this vlan are up.

    There is a known issue that the irb interface does not work when one of the vlan members is down, and it will be fixed in upcoming releases. Moreover, LACP is not supported till 15.1X49-D45, so make sure these configs are not present on the SRX.

     

    Regards

    Hemant

     



  • 9.  RE: SRX300 series VLAN interface

     
    Posted 06-13-2016 02:28

    I am glad this is a known issue - thought I was going mad. A pretty serious bug to be released in the first place though!

     

    I will check this out tomorrow and I will confirm.

     

    Do you know when these fixes will be released?

     

    Thanks



  • 10.  RE: SRX300 series VLAN interface

    Posted 06-13-2016 04:29

    Hi Regalis,

     

    This issue is fixed in 15.1X49-D50.

     

    Regards

    Hemant



  • 11.  RE: SRX300 series VLAN interface

     
    Posted 06-14-2016 02:04

    Hi Hermant,

     

    I have confirmed that that is the issue.

     

    Regarding the Junos version, I am using an SRX320 but 15.1X49-D50 is not available for the model, only 15.1X49-D45. I notice all the other SRX300 series do have this version so I have tried downloading this from the SRX340 page and using that. I assumed this would work as it is part of the same platform and the install package is titled 'SRX300 Series'. However, it fails installation:

     

    root@hen-fw-01> ...copy junos-srxsme-15.1X49-D50.3-domestic.tgz
    ERROR: Cannot use /cf/var/tmp/junos-srxsme-15.1X49-D50.3-domestic.tgz:
    sed: /tmp/.te1898: No such file or directory
    ERROR: It may have been corrupted during download.
    ERROR: Please try again, making sure to use a binary transfer.



  • 12.  RE: SRX300 series VLAN interface

    Posted 06-14-2016 07:00

    Hi Regalis,

     

    Do not use the image of other SRX300 series on your srx 325 model, please wait until the image is released.

    They may be the same series but there is some difference in the architecture of each model and hence a different image is required for each model.

     

    Regards

    Hemant

     

     



  • 13.  RE: SRX300 series VLAN interface

     
    Posted 06-14-2016 13:08

    OK thanks. Any idea when D50 will be released?



  • 14.  RE: SRX300 series VLAN interface

    Posted 07-05-2016 00:35

    I have first SRX340.

    #run show system software
    Information for junos:

    Comment:
    JUNOS Software Release [15.1X49-D45]

    I changed vlan interface with irb interface and everything looked ok but unfortunately was not.

     

    We use such configuration:

     

    [edit interfaces]

    vlan {
        unit 10 {
            family inet {
                address 5.5.5.2/29 {
                }
            }
        }
    }

    [edit vlans]

    vlan-untrust {
        vlan-id 10;
        l3-interface vlan.10;
    }

    [edit interfaces]

    ge-0/0/1 {
        unit 0 {
            description Internet;
            family ethernet-switching {
                vlan {
                    members vlan-untrust;
                }
            }
        }
    }

    ge-0/0/2 {
        unit 0 {
            description PUBdevice01;
            family ethernet-switching {
                vlan {
                    members vlan-untrust;
                }
            }
        }
    }

    ge-0/0/3 {
        unit 0 {
            description PUBdevice02;
            family ethernet-switching {
                vlan {
                    members vlan-untrust;
                }
            }
        }
    }

     

    On port ge-0/0/0 we have ISP input in ge-0/0/1 and ge-0/0/2 we have devices servers with public IP 5.5.5.3/29 and 5.5.5.4/29.

     

    And now the problem is:

    [edit security ike]


    gateway VPN_DC1 {
        ike-policy VPN_DC1;
        address 7.7.7.7;
        external-interface vlan.10;
    }

     

    Unfortunately on SRX340 I have info that:

    error: external-interface: 'irb.10': irb interface is not allowed as external-interface

     

    What can I do (of course without buying a switch between the ISP and the SRX)?



  • 15.  RE: SRX300 series VLAN interface

    Posted 07-05-2016 03:29

    Hello,

     

     

    I believe you are hitting the below bug/PR:-

     

    PR:-PR1166714

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1166714 

     

    Please try and upgrade to version 15.1X49-D50 to see if the issue resolves.

     

    Thanks,
    Pulkit Bhandari

    Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too. 🙂

     

     



  • 16.  RE: SRX300 series VLAN interface

    Posted 07-05-2016 06:00

    When I try to upgrade:

     

    NOTICE: Validating configuration against junos-srxsme-15.1X49-D50.3-domestic.tgz.
    NOTICE: Use the 'no-validate' option to skip this if desired.
    Formatting alternate root (/dev/da0s2a)...
    /dev/da0s2a: 2518.0MB (5156848 sectors) block size 16384, fragment size 2048
    using 14 cylinder groups of 183.62MB, 11752 blks, 23552 inodes.
    super-block backups (for fsck -b #) at:
    32, 376096, 752160, 1128224, 1504288, 1880352, 2256416, 2632480, 3008544,
    3384608, 3760672, 4136736, 4512800, 4888864
    Checking compatibility with configuration
    Initializing...
    Verified manifest signed by PackageProductionEc_2016
    Using junos-15.1X49-D50.3-domestic from /altroot/cf/packages/install-tmp/junos-15.1X49-D50.3-domestic
    Copying package ...
    Verified manifest signed by PackageProductionEc_2016
    Hardware Database regeneration succeeded
    Validating against /config/juniper.conf.gz
    Network security daemon: <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
    Network security daemon: <source-daemon>nsd</source-daemon>
    Network security daemon: <edit-path>[edit security zones security-zone MPLS-143]</edit-path>
    Network security daemon: <statement>interfaces irb.1143</statement>
    Network security daemon: <message>Interface irb is not allowed in mix mode</message>
    Network security daemon: </xnm:error>
    mgd: error: configuration check-out failed
    Validation failed
    Validating against /config/rescue.conf.gz
    mgd: commit complete
    Validation succeeded
    ERROR: Current configuration not compatible with /altroot/cf/packages/install-tmp/junos-15.1X49-D50.3-domestic

     

     

    I feel that I regret this purchase 😞

     

     



  • 17.  RE: SRX300 series VLAN interface

    Posted 07-05-2016 12:36

    Important link: https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1166714

     

    Ok, it's started to look better.

    I delete all problematic part of configuration and upgrade to the junos 15.1X49-D50.3

    I change global-mode to switching.

    It begins to look like "normal junos" in "normal SRX".

     

    Now I set external-interface irb.10 in ike gateway and commit check gives me:

    configuration check succeeds

    🙂

     



  • 18.  RE: SRX300 series VLAN interface

    Posted 07-11-2016 01:50

    Hi, Konrad

     

    May I contact you regarding your findings on SRX345 config issue you had? I got the same error message while migrating config from SRX240 (dead after firmware upgrade) to newly bought SRX345.

     

    Best regards,

    Vitaly



  • 19.  RE: SRX300 series VLAN interface

    Posted 09-13-2016 08:52

    You saved my day. I was struggling with the VLAN and it took me half a day until I found this topic that solved my issue using the new release D50.



  • 20.  RE: SRX300 series VLAN interface

    Posted 09-17-2016 07:50

    Hello Experts,

     

    I am implementing HA in SRX345 in L3 mode and I also need to set vlan in L3 mode. I have no issue in srx240 with Junos12.1x. I have individual interface on each node to access vlan  and switching fab interface is configured to transmit vlan traffic between nodes. Now I  am concerning to implement the same scenario in SRX345 and tried to set vlan 100 with irb.100  as below

    set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members VLAN100

    set vlans VLAN100 vlan-id 100
    set vlans VLAN100 l3-interface irb.100

    set interfaces irb.100 family inet address 10.10.10.1/24

     

    Then when I check config, I got below message 

     

    #commit check
    warning: Interfaces are changed from route mode to mix mode. Please use the command request system reboot on current node or all nodes in case of HA cluster!
    error: In routing-instance default-switch vlan VLAN100 configured under interface ge-0/0/5.0 does not exist
    error: configuration check-out failed

     

    Now if I reboot the device, does it run only in switching mode  or both (route and switching)  ? Because I need both feature.  I can't implement fully in switching mode only.

     

    All your reply are appreciated 

     

    Regards

    Shyam



  • 21.  RE: SRX300 series VLAN interface

    Posted 09-27-2016 09:16

    We are also experiencing the same issue. Running 15.1X49-D60.7 and getting:

     

    warning: Interfaces are changed from route mode to mix mode. Please use the command request system reboot on current node or all nodes in case of HA cluster!
    [edit security zones security-zone data-trust]
    'interfaces irb.100'
    Interface irb is not allowed in mix mode
    error: configuration check-out failed

     

    Is there any work being done on getting SRX to work in mix mode?

     

     

     

     



  • 22.  RE: SRX300 series VLAN interface

    Posted 09-27-2016 21:58

    I too have just run into this problem migrating from an SRX210H which worked perfectly well to a new SRX300.  I can't believe that a large vendor such as Juniper releases a product with reduced functionality compared to a product that has been around for years. It's not as if this has jumped up on them, they've chosen to release the product which is substandard.

    Disappointing



  • 23.  RE: SRX300 series VLAN interface

    Posted 09-27-2016 23:02

    Hi Shyan,

     

    ethernet-switching is not supported on SRX300 series in chassis cluster. This is also stated in the release notes.

    I know that this is a target feature for a later release this year or early next year - but for now you have to stick with an ordinary logical IP interface.



  • 24.  RE: SRX300 series VLAN interface

    Posted 09-28-2016 06:38

    We're not using a chassis cluster, this is simply a single SRX300 with a L3 interface on a vlan and it fails out.

     

    Any ideas?



  • 25.  RE: SRX300 series VLAN interface

    Posted 09-28-2016 11:48

    Hi timamplex,

     

    A bit more detail, please - otherwise it's difficult to help you.

     

    What do you mean with "fails out"? Does it commit or does it not work after commit? periodic instability? Please provide configuration snippets and software version of your SRX300. 



  • 26.  RE: SRX300 series VLAN interface

    Posted 10-06-2016 13:57

    [edit security zones security-zone data-trust]
    'interfaces irb.100'
    Interface irb is not allowed in mix mode
    error: configuration check-out failed

     

    This is the exact error, you can't seem to commit and rebooting the SRX as suggested by some doesn't modify this behavior. This config works stable on a SRX100 device but adding vlan's as IRB L3 interfaces along with L2 ethernet interfaces on ports fails out every time.

     

    Is this not currently supported as stated above? Pretty disappointing since the SRX100 has been doing this a very long time.

     



  • 27.  RE: SRX300 series VLAN interface

    Posted 10-06-2016 14:03

    Hi timamplex,

     

    you need to ensure that l2-learning has been configured for switching and the srx has been rebooted afterwards:

    user@fw# show protocols
    l2-learning {
        global-mode switching;
    }

    if not configured, please do "set protocols l2-learning global-mode switching", commit and reboot. Then try again.
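
A pre-commit sanity check for the prerequisites raised so far in this thread: an `irb` unit rather than `vlan.N` as the `l3-interface`, an address on that unit, the unit placed in a security zone, member VLANs that are actually defined, and `global-mode switching` set. This is an added example, not part of any post here and not a Juniper tool; the function names, finding codes and sample configuration are constructed for illustration, and it reads `set`-format lines only.

```python
import re

# Constructed sample in "set" format, modelled on the snippets posted in this thread.
SAMPLE_CONFIG = """
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members VoIP
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members Guest
set interfaces irb unit 211 family inet address 192.168.211.1/24
set vlans VoIP vlan-id 211
set vlans VoIP l3-interface irb.211
set vlans Legacy vlan-id 10
set vlans Legacy l3-interface vlan.10
set security zones security-zone trust interfaces ge-0/0/5.0
"""

RE_VLAN = re.compile(r"^set vlans (\S+) ")
RE_L3 = re.compile(r"^set vlans (\S+) l3-interface (\S+)")
RE_MEMBER = re.compile(
    r"^set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (\S+)")
# Accepts both "irb unit 100" and the "irb.100" shorthand seen in the thread.
RE_IRB = re.compile(r"^set interfaces irb(?: unit |\.)(\d+) family inet address \S+")
RE_ZONE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
RE_MODE = re.compile(r"^set protocols l2-learning global-mode switching\b")


def parse(config_text):
    """Collect the facts the audit needs from set-format configuration lines."""
    cfg = {"vlans": set(), "l3": {}, "members": [], "irb_units": set(),
           "zoned": set(), "switching": False}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        m = RE_VLAN.match(line)
        if m:
            cfg["vlans"].add(m.group(1))
        m = RE_L3.match(line)
        if m:
            cfg["l3"][m.group(1)] = m.group(2)
        m = RE_MEMBER.match(line)
        if m:
            cfg["members"].append((f"{m.group(1)}.{m.group(2)}", m.group(3)))
        m = RE_IRB.match(line)
        if m:
            cfg["irb_units"].add(f"irb.{m.group(1)}")
        m = RE_ZONE.match(line)
        if m:
            cfg["zoned"].add(m.group(2))
        if RE_MODE.match(line):
            cfg["switching"] = True
    return cfg


def audit(config_text):
    """Return a sorted list of (finding_code, subject) tuples; empty means clean."""
    cfg = parse(config_text)
    findings = set()
    for vlan, l3 in cfg["l3"].items():
        if not l3.startswith("irb."):
            # 15.1X49 rejects this: "Only IRB interface is supported, e.g. irb.10"
            findings.add(("L3_NOT_IRB", vlan))
            continue
        if l3 not in cfg["irb_units"]:
            findings.add(("IRB_NO_ADDRESS", l3))
        if l3 not in cfg["zoned"]:
            # Without a zone there is no host-inbound-traffic setting for the unit.
            findings.add(("IRB_NO_ZONE", l3))
    for _port, vlan in cfg["members"]:
        # Assumption: members are given by VLAN name; numeric IDs and "all" are skipped.
        if vlan not in cfg["vlans"] and not vlan.isdigit() and vlan != "all":
            findings.add(("VLAN_UNDEFINED", vlan))
    if cfg["members"] and not cfg["switching"]:
        # Posters in this thread report needing this statement plus a reboot.
        findings.add(("NO_SWITCHING_MODE", "l2-learning"))
    return sorted(findings)


if __name__ == "__main__":
    for code, subject in audit(SAMPLE_CONFIG):
        print(f"{code:18} {subject}")
```
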



  • 28.  RE: SRX300 series VLAN interface

    Posted 10-11-2016 07:24

    This worked but CPU utilization is ~ 71% now, is this sending all switch traffic to the routing engine and thus using CPU time for all switch traffic?

     

    Similar config on a SRX100 seeing 5-10% utilization.

     

     



  • 29.  RE: SRX300 series VLAN interface

    Posted 10-11-2016 07:38

    if you enabled l2-learning global-mode switching, inter-vlan traffic is handled by the switching chip. Only traffic destined outside the vlan will be sent to the CPU.

     

    Where do you see the CPU load of 71%? via junos-commands or via top? Please provide output of the relevant commands.

     

    when looking at my own SRX300 I have the following scenario. Please have in mind that the flowd_octeon_hm process is intended to use almost all capacity on CPU1.

     

    jh@fw> show chassis routing-engine
    Routing Engine status:
        Temperature                 60 degrees C / 140 degrees F
        CPU temperature             77 degrees C / 170 degrees F
        Total memory              4096 MB Max  2499 MB used ( 61 percent)
          Control plane memory    2624 MB Max  2125 MB used ( 81 percent)
          Data plane memory       1472 MB Max   368 MB used ( 25 percent)
        5 sec CPU utilization:
          User                      10 percent
          Background                 0 percent
          Kernel                     2 percent
          Interrupt                  0 percent
          Idle                      88 percent
        Model                          RE-SRX300
        Serial ID                      XXXXXXXXXXXXX
        Start time                     2016-09-20 17:12:21 CEST
        Uptime                         20 days, 23 hours, 22 minutes, 30 seconds
        Last reboot reason             0x200:normal shutdown
        Load averages:                 1 minute   5 minute  15 minute
                                           0.12       0.23       0.20
    
    
    jh@fw> show system processes summary
    last pid: 79590;  load averages:  0.04,  0.19,  0.18  up 20+23:24:01    16:35:52
    162 processes: 17 running, 133 sleeping, 12 waiting
    
    Mem: 338M Active, 151M Inact, 1541M Wired, 432M Cache, 112M Buf, 1517M Free
    Swap:
    
    
      PID USERNAME   THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
     1762 root         5 139    0  1552M   470M CPU1   1 564.6H 92.48% flowd_octeon_hm
       21 root         1 171   52     0K    16K RUN    0 404.8H 82.67% idle: cpu0

     

     



  • 30.  RE: SRX300 series VLAN interface

    Posted 10-11-2016 11:28

    Bit lower now but still quite high

     

     

    tima@tima-testlab-srx# run show chassis routing-engine
    Routing Engine status:
        Temperature                 48 degrees C / 118 degrees F
        CPU temperature             62 degrees C / 143 degrees F
        Total memory              4096 MB Max  2417 MB used ( 59 percent)
          Control plane memory    2624 MB Max  2073 MB used ( 79 percent)
          Data plane memory       1472 MB Max   339 MB used ( 23 percent)
        5 sec CPU utilization:
          User                      56 percent
          Background                 0 percent
          Kernel                     2 percent
          Interrupt                  0 percent
          Idle                      42 percent
        Model                          RE-SRX300
        Serial ID                      CV2016AF1000
        Start time                     2016-10-11 19:10:30 EDT
        Uptime                         3 hours, 7 minutes, 29 seconds
        Last reboot reason             0x200:normal shutdown
        Load averages:                 1 minute   5 minute  15 minute
                                           0.80       0.67       0.60

     

     

     

     

     

    top shows

     

    last pid: 2211; load averages: 0.46, 0.51, 0.54 up 0+03:18:40 14:27:13
    87 processes: 3 running, 84 sleeping
    CPU states: 79.1% user, 0.0% nice, 1.1% system, 0.0% interrupt, 19.8% idle
    Mem: 291M Active, 128M Inact, 1564M Wired, 365M Cache, 112M Buf, 1629M Free

     

     

     



  • 31.  RE: SRX300 series VLAN interface

    Posted 10-14-2016 10:17

    Hi jonashauge,

     

    Will it work on vSRX 15.1X49-D50.3? There is no chance to configure "global-mode switching" on vSRX



  • 32.  RE: SRX300 series VLAN interface

    Posted 10-15-2016 11:57

    vSRX doesn't support switching as this is handled by the hypervisor (ESX, KVM etc.) so the global-mode switching command only makes sense on the physical devices (SRX300 series, SRX550M and SRX1500).



  • 33.  RE: SRX300 series VLAN interface

    Posted 01-15-2017 07:10

    Hi All,

     

    Like the OP, I am configuring my first srx300. 

    Have upgraded the software to 

     

    Hostname: fw01
    Model: srx300
    Junos: 15.1X49-D70.3
    JUNOS Software Release [15.1X49-D70.3]

     

    My problem is that I am unable to reach / ping the IRB interface ( ip address ).

    Is this a normal behaviour ? 

    At this version of the OS, is the IRB interface routable now ? 

    Can I use it as the gateway. 

     

    All the ports in the vlans ( vlan trust) are up 

     


    admin@fw01# run show vlans
    Routing instance        VLAN name             Tag          Interfaces
    default-switch          default               1
                                                               ge-0/0/3.0
                                                               ge-0/0/4.0
    default-switch          trust                 10
                                                               ge-0/0/1.0*
                                                               ge-0/0/2.0*

    admin@fw01# show vlans
    trust {
        vlan-id 10;
        interface ge-0/0/1.0;
        interface ge-0/0/2.0;
        l3-interface irb.0;
    }

     

    IRB 0 is in the trust security zone and ping host bound traffic are allowed. 

     

    pcadmin@jr-fw01# run show interfaces irb
    Physical interface: irb    , Enabled, Physical link is Up
      Interface index: 130, SNMP ifIndex: 502
      Type: Ethernet, Link-level type: Ethernet, MTU: 1514
      Device flags   : Present Running
      Interface flags: SNMP-Traps
      Link type      : Full-Duplex
      Link flags     : None
      Current address: 40:71:83:2b:06:30, Hardware address: 40:71:83:2b:06:30
      Last flapped   : Never
        Input packets : 0
        Output packets: 0
    
      Logical interface irb.0 (Index 72) (SNMP ifIndex 532)
        Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
        Bandwidth: 1000mbps
        Routing Instance: default-switch Bridging Domain: trust
        Input packets : 192
        Output packets: 6
        Security: Zone: trust
        Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
        ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
        ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
        rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
        ntp sip r2cp webapi-clear-text webapi-ssl
        Protocol inet, MTU: 1500
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 10.12.8/24, Local: 10.12.8.1, Broadcast: 10.12.8.255

    But no luck with the ping 

     

    @rain:firmware[542]$ ping 10.12.8.1
    PING 10.12.8.1 (10.12.8.1): 56 data bytes
    ping: sendto: No route to host
    ping: sendto: Host is down
    Request timeout for icmp_seq 0
    ping: sendto: Host is down
    Request timeout for icmp_seq 1
    ping: sendto: Host is down
    Request timeout for icmp_seq 2
    ping: sendto: Host is down
    Request timeout for icmp_seq 3
    ^C
    

     

    What else could be missing ? 

     

    thanks in advance ! 



  • 34.  RE: SRX300 series VLAN interface

    Posted 03-01-2017 10:32

    I'm seeing the same problem. My switched interface is not responding to traffic. I'm also running 15.1X49-D70.3

     

    I have the following configs

     

    set security nat source rule-set nsw_srcnat from zone VoIP
    set security policies from-zone VoIP to-zone Internet policy All_VoIP_Internet match source-address any
    set security policies from-zone VoIP to-zone Internet policy All_VoIP_Internet match destination-address any
    set security policies from-zone VoIP to-zone Internet policy All_VoIP_Internet match application any
    set security policies from-zone VoIP to-zone Internet policy All_VoIP_Internet then permit
    set security zones security-zone VoIP interfaces irb.211 host-inbound-traffic system-services ping
    set security zones security-zone VoIP interfaces irb.211 host-inbound-traffic system-services dhcp

     

    set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members VoIP
    set interfaces irb unit 211 family inet address 192.168.211.1/24

     

    set protocols l2-learning global-mode switching


    set vlans VoIP vlan-id 211
    set vlans VoIP l3-interface irb.211

     

    I see the vlan up but am unable to ping the address the client got from DHCP.  Also there are no nat translations for that host.



  • 35.  RE: SRX300 series VLAN interface

    Posted 03-01-2017 11:39

    Hi Braeen,

     

    As I understand a client can receive a DHCP assigned address from the SRX300 with an IP within 192.168.211.0/24 - can you confirm this?

     

    please also provide the following information for further analysis:

     

    show interfaces irb.211

    show vlans

    show route

    show ethernet-switching table vlan-id 10

     

    Then we are hopefully able to help you solve this 🙂



  • 36.  RE: SRX300 series VLAN interface

    Posted 03-03-2017 13:03
    Yes the voip client appears to get an ip.  If I connect a PC I also get an ip from DHCP but am unable to get out

    root@ellisisland> show interfaces irb.211
      Logical interface irb.211 (Index 73) (SNMP ifIndex 535)
        Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
        Bandwidth: 1000mbps
        Routing Instance: default-switch Bridging Domain: VoIP
        Input packets : 41
        Output packets: 2
        Security: Zone: VoIP
        Allowed host-inbound traffic : dhcp ping
        Protocol inet, MTU: 1500
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 192.168.211/24, Local: 192.168.211.1, Broadcast: 192.168.211.255

    root@ellisisland> show vlans
    Routing instance        VLAN name             Tag          Interfaces
    default-switch          VoIP                  211
                                                               ge-0/0/3.0*
    default-switch          default               1

    root@ellisisland> show route

    inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Access-internal/12] 00:02:17
                        > to 50.155.94.1 via ge-0/0/0.0
    10.51.5.0/30       *[Direct/0] 00:02:24
                        > via ge-0/0/5.51
    10.51.5.1/32       *[Local/0] 00:02:28
                          Local via ge-0/0/5.51
    50.155.94.0/23     *[Direct/0] 00:02:17
                        > via ge-0/0/0.0
    50.155.95.36/32    *[Local/0] 00:02:17
                          Local via ge-0/0/0.0
    192.168.1.1/32     *[Local/0] 00:02:29
                          Reject
    192.168.2.0/24     *[Direct/0] 00:02:24
                        > via ge-0/0/5.2
    192.168.2.1/32     *[Local/0] 00:02:28
                          Local via ge-0/0/5.2
    192.168.3.0/24     *[Direct/0] 00:02:24
                        > via ge-0/0/5.3
    192.168.3.1/32     *[Local/0] 00:02:28
                          Local via ge-0/0/5.3
    192.168.4.0/24     *[Direct/0] 00:02:24
                        > via ge-0/0/5.4
    192.168.4.1/32     *[Local/0] 00:02:28
                          Local via ge-0/0/5.4
    192.168.38.1/32    *[Local/0] 00:02:44
                          Reject
    192.168.211.0/24   *[Direct/0] 00:02:25
                        > via irb.211
    192.168.211.1/32   *[Local/0] 00:02:44
                          Local via irb.211

    root@ellisisland> show ethernet-switching table vlan-id 10

    root@ellisisland> show ethernet-switching table vlan-id 211

    MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
               SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)

    Ethernet switching table : 1 entries, 1 learned
    Routing instance : default-switch
        Vlan                MAC                 MAC         Age    Logical                NH        RTR
        name                address             flags              interface              Index     ID
        VoIP                00:18:61:30:30:45   D             -   ge-0/0/3.0             0         0


  • 37.  RE: SRX300 series VLAN interface

    Posted 04-11-2017 06:56

    Had the same issue, upgraded to 15.1X49-D75.5 and now the ping to IRB works 🙂

    before we had 15.1X49-D50 so it wasn't so old.



  • 38.  RE: SRX300 series VLAN interface

    Posted 05-23-2017 22:44

    What a shambles - that Juniper would mess up what was working well for years! The new SRX range and 15 software are so problematic that my company is looking at moving to another platform.



  • 39.  RE: SRX300 series VLAN interface

    Posted 02-02-2018 08:11

    Hello everyone, I'm new here and I'm having a similar issue with an SRX320. This is my first time configuring a Juniper router and I have installed the latest software on the Juniper router. I'm having a hard time getting an IRB interface in a security zone. Now I have already set my IRB interfaces to vlans. I'm just not sure how to get the IRBs into security zones.

    I also apologize if this is not how you reply to a thread.

     

    Thank you



  • 40.  RE: SRX300 series VLAN interface

    Posted 09-18-2016 09:45
    This is still an issue in D50 and specifically the srx300 model, it is not fixed.


  • 41.  RE: SRX300 series VLAN interface

    Posted 09-21-2016 13:41

    Any timeline to fix it ???

     

    It is a really big issue. The same feature is not in the new product line which replaces the EOL products.



  • 42.  RE: SRX300 series VLAN interface

    Posted 10-11-2016 16:27
    Are your units hot to touch? Mine are really warm, almost too much I think, hopefully once software fixes the bug and the units run properly it will cool down.


  • 43.  RE: SRX300 series VLAN interface

    Posted 10-12-2016 00:25

    Hi Aaron,

     

    my unit is very hot due to being in a drawer with a EX2200-C-12P-2g directly on top 🙂

     

    Placed on a table, they are warm but not too hot to be touched.

     

    I wouldn't expect a fanless unit with the mentioned performance specifications to become much cooler with an updated software. The second CPU-core is reserved for forwarding and the flow_octeon process constantly polls the CPU making it rather loaded (as expected) and therefore producing heat 🙂



  • 44.  RE: SRX300 series VLAN interface

    Posted 10-15-2016 12:00
    Ok, thank you


  • 45.  RE: SRX300 series VLAN interface

    Posted 09-01-2017 06:03

    Hello, I have problem with DHCP helper on SRX300 with IRB interface.

    The same config with vlan interface works on SRX100, SRX300.

    Can you help? 

    Here is output of config:

     

     

    forwarding-options {
        helpers {
            bootp {
                relay-agent-option;
                description "central dhcp";
                server X.X.X.X;
                maximum-hop-count 15;
                client-response-ttl 128;
                vpn;
                interface {
                    irb.X;
                }
            }
        }
    }

     

    Thank you.



  • 46.  RE: SRX300 series VLAN interface

    Posted 09-01-2017 06:18

    From release notes for 15.1X49-D60 and newer:

     

    Dynamic Host Configuration Protocol (DHCP) • Starting with Junos OS Release 15.1X49-D60, the legacy DHCPD (DHCP daemon) configuration on all SRX Series devices is being deprecated and only the new JDHCP CLI will be supported.

     

    The shown config is with the old DHCP daemon. You should move config down below the interface as seen here (also shown in release notes):

     

    set forwarding-options helpers bootp interface interface-name description
    set forwarding-options helpers bootp interface interface-name client-response-ttl
    set forwarding-options helpers bootp interface interface-name maximum-hop-count
    set forwarding-options helpers bootp interface interface-name minimum-wait-time
    set forwarding-options helpers bootp interface interface-name vpn
    set forwarding-options helpers bootp interface interface-name relay-agent-option
    set forwarding-options helpers bootp interface interface-name dhcp-option82
    

     



  • 47.  RE: SRX300 series VLAN interface

    Posted 09-01-2017 06:35

    It worked. Thank you a lot !