SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VLAN-problem

    Posted 09-01-2022 08:44

    Hi all,

    On my SRX300 I set up a couple of VLANs.

    IRB.20, ge-0/0/2, ethernet-switching, mode access, zone office
    IRB.30, ge-0/0/3, ethernet-switching, mode access, zone media
    iface ge-0/0/5, port mode trunk, going to the uplink switch and carrying these VLANs and some more ...
    Rules are set to permit all traffic between the zones.
    If I ping from irb.20 to irb.30 there is no answer on the client, not even from the SRX interface IP ...3.1, but there is an answer from the SRX itself.
    What's going wrong?

    Please be patient, I am not a network engineer :-)
    Regards, Max

    ------------------------------
    Max Prieler
    ------------------------------


  • 2.  RE: VLAN-problem
    Best Answer

    Posted 09-01-2022 10:22
    To troubleshoot, we could start by looking at the status of the interfaces:

    show interfaces terse

    Note that for the irb virtual interface to come to the up/up status, at least one physical interface in the same VLAN has to be in the up/up status.

    If both the layer 2 and layer 3 IP interfaces are up/up, the next phase is to confirm the configuration:

    Make sure the VLAN assignments for both layer 2 and layer 3 interfaces are correct.

    Confirm that the security zones have the properly assigned interfaces.

    Confirm that the security policies are in place:
    show security policies

    If the policies are present as expected, look for the test traffic sessions:
    show security flow session

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
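As an added illustration of the pieces Steve's checklist refers to (this is an example written for this page, not a configuration posted in the thread and not the poster's actual config): a minimal ELS-style SRX300 configuration that ties a VLAN, its access port, the trunk, the irb interface, the zone and the inter-zone policy together, using the names and addresses that appear in the thread. The VLAN IDs 20 and 30, the VLAN names vlan-office and vlan-media, and the ge-0/0/3 membership are assumptions. One check that is separate from the zone-to-zone policy: a ping addressed to one of the SRX's own interface IPs (such as 172.16.3.1) is host-inbound traffic and is permitted by the host-inbound-traffic system-services of the zone the packet arrives in, so that stanza is worth confirming when pings to the firewall's own addresses fail while the policy looks right.

```junos
## Added example (not from the thread). Names and VLAN IDs are assumed.
vlans {
    vlan-office {
        vlan-id 20;                 /* assumed; unit number need not equal VLAN ID */
        l3-interface irb.20;        /* binds the L2 VLAN to the L3 irb unit */
    }
    vlan-media {
        vlan-id 30;                 /* assumed */
        l3-interface irb.30;
    }
}
interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan-office;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan-media;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;   /* uplink: carries both VLANs (and others) tagged */
                vlan {
                    members [ vlan-office vlan-media ];
                }
            }
        }
    }
    irb {
        unit 20 {
            family inet {
                address 172.16.2.1/24;
            }
        }
        unit 30 {
            family inet {
                address 172.16.3.1/24;
            }
        }
    }
}
security {
    zones {
        security-zone office {
            host-inbound-traffic {
                system-services {
                    ping;               /* lets hosts in this zone ping SRX interface IPs */
                }
            }
            interfaces {
                irb.20;
            }
        }
        security-zone media {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                irb.30;
            }
        }
    }
    policies {
        from-zone office to-zone media {
            policy office-to-media {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone media to-zone office {
            policy media-to-office {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Each block above maps to one of the checklist commands: `show interfaces terse` confirms the ge-x/x/x.0 eth-switch units and irb units are up/up, `show vlans` confirms the l3-interface and member ports, `show security zones` confirms the irb-to-zone binding, and `show security policies` confirms the permit rule.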



  • 3.  RE: VLAN-problem

    Posted 09-01-2022 14:52

    Hi Steve, thanks for your patience:

    Interfaces up:

    root@srx300> show interfaces terse | grep ge-
    ge-0/0/0      up    up
    ge-0/0/0.0    up    up    inet         192.168.1.5/28
    ge-0/0/1      up    up
    ge-0/0/1.0    up    up    eth-switch
    ge-0/0/2      up    up
    ge-0/0/2.0    up    up    eth-switch
    ge-0/0/3      up    up
    ge-0/0/3.0    up    up    eth-switch
    ge-0/0/4      up    down
    ge-0/0/4.0    up    down  eth-switch
    ge-0/0/5      up    up
    ge-0/0/5.0    up    up    eth-switch
    ge-0/0/6      up    down
    ge-0/0/7      up    down
    ge-0/0/7.0    up    down  inet

    root@srx300> show interfaces terse | grep irb
    irb           up    up
    irb.1         up    up    inet         172.16.1.1/24
    irb.20        up    up    inet         172.16.2.1/24
    irb.30        up    up    inet         172.16.3.1/24
    irb.40        up    up    inet         172.16.4.1/24
    irb.50        up    up    inet         172.16.5.1/24

    Policies in place:
    From zone: office, To zone: media
    Policy: office-to-media, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Dynamic Applications: any
    Action: permit

    Zones are correct:
    Security zone: office
    Send reset for non-SYN session TCP packets: Off
    Policy configurable: Yes
    Interfaces bound: 1
    Interfaces:
    irb.20
    Advanced-connection-tracking timeout: 1800

    Security zone: media
    Send reset for non-SYN session TCP packets: Off
    Policy configurable: Yes
    Interfaces bound: 1
    Interfaces:
    irb.30
    Advanced-connection-tracking timeout: 1800


    flow-debug:
    root@srx300> show log flow-debug | grep 172.16.3.10
    Sep 1 20:40:36 20:40:36.780376:CID-0:RT:<172.16.2.50/1->172.16.3.10/457;1,0x0> matched filter c2s:
    Sep 1 20:40:36 20:40:36.780376:CID-0:RT: irb.20:172.16.2.50->172.16.3.10, icmp, (8/0)
    Sep 1 20:40:36 20:40:36.780376:CID-0:RT: find flow: table 0x65e9098, hash 61216(0xffff), sa 172.16.2.50, da 172.16.3.10, sp 1, dp 457, proto 1, tok 8, conn-tag 0x00000000, vrf-grp-id 0
    Sep 1 20:40:36 20:40:36.780376:CID-0:RT: flow_first_in_dst_nat: in <irb.20>, out <N/A> dst_adr 172.16.3.10, sp 1, dp 457
    Sep 1 20:40:36 20:40:36.780376:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.3.10(457)
    Sep 1 20:40:36 20:40:36.780376:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.16.2.50, x_dst_ip 172.16.3.10, in ifp irb.20, out ifp N/A sp 1, dp 457, ip_proto 1, tos 0
    Sep 1 20:40:36 20:40:36.780376:CID-0:RT:flow_ipv4_rt_lkup success 172.16.3.10, iifl 0x4a, oifl 0x4b
    Sep 1 20:40:36 20:40:36.780376:CID-0:RT: routed (x_dst_ip 172.16.3.10) from office (irb.20 in 0) to irb.30, Next-hop: 172.16.3.10
    Sep 1 20:40:36 20:40:36.780376:CID-0:RT: 172.16.2.50/2048 -> 172.16.3.10/19346 proto 1

    root@srx300> show log flow-debug | grep 172.16.3.10

    root@srx300> show log flow-debug | grep 172.16.3.10

    The ping goes out and the flow seems to be OK, but there is no answer back.

    root@srx300> show ethernet-switching table

    MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
    SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)

    Ethernet switching table : 22 entries, 22 learned
    Routing instance : default-switch
             Vlan          MAC                 MAC     Age   Logical       NH      RTR
             name          address             flags         interface     Index   ID
             vlan-media    74:5e:1c:07:af:ba   D       -     ge-0/0/5.0    0       0
    dest:    vlan-media    90:09:d0:0c:94:56   D       -     ge-0/0/3.0    0       0
             vlan-media    94:db:56:68:1f:20   D       -     ge-0/0/5.0    0       0
             vlan-mgmt     24:f5:a2:5a:fb:d9   D       -     ge-0/0/5.0    0       0
             vlan-mgmt     24:f5:a2:5a:fc:00   D       -     ge-0/0/5.0    0       0
             vlan-mgmt     34:98:b5:a7:63:75   D       -     ge-0/0/5.0    0       0
             vlan-mgmt     80:cc:9c:98:fe:d0   D       -     ge-0/0/1.0    0       0
             vlan-mgmt     c0:56:27:eb:60:86   D       -     ge-0/0/5.0    0       0
    source:  vlan-office   98:fa:9b:21:d0:ef   D       -     ge-0/0/2.0    0       0

    The switching table knows the MAC for the destination host.

    hmmmmmmmmmm ??????????
    regards Max



    ------------------------------
    Max Prieler
    ------------------------------
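The flow-debug excerpt above shows the part of the trace that matters for this kind of problem: the echo request arrives on irb.20, a session is created, and the packet is routed to irb.30, after which nothing comes back. The following script is an added example for this page, not code from the thread or from Juniper; it pulls the per-packet lines (`<ifl>:<src>-><dst>, <proto>, (<type>/<code>)`) and the `routed ... to <ifl>` lines out of a `show log flow-debug` capture, pairs packets into flows, and reports flows that only ever saw traffic in one direction, together with the ingress and egress interfaces the SRX chose. The sample log is constructed in the shape of the posted lines; the reply line from 172.16.4.20 on irb.40 is assumed so that a working flow and a one-way flow can be told apart. The same asymmetry shows up in `show security flow session` as a session whose In wing has packets and whose Out wing has none.

```python
"""Spot one-way flows in SRX flow-debug (security flow traceoptions) output.

Added example, not from the thread.  SAMPLE_LOG is constructed in the format
the poster showed; the irb.40 reply line is an assumption for contrast.
"""
import re

# Per-packet line: "RT: <ingress-ifl>:<src>-><dst>, <proto>, (<type>/<code>)"
PKT_RE = re.compile(
    r"RT:\s*(?P<ifl>[\w./-]+):(?P<src>\d{1,3}(?:\.\d{1,3}){3})->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}), (?P<proto>\w+), \((?P<type>\d+)/(?P<code>\d+)\)"
)
# Routing decision: "routed (x_dst_ip A.B.C.D) from <zone> (<ifl> in 0) to <egress-ifl>, ..."
ROUTE_RE = re.compile(
    r"routed \(x_dst_ip [\d.]+\) from \S+ \(\S+ in \d+\) to (?P<out>[\w./-]+),"
)

# Constructed sample in the shape of the posted flow-debug lines.
SAMPLE_LOG = """\
Sep 1 20:40:36 20:40:36.780376:CID-0:RT:<172.16.2.50/1->172.16.3.10/457;1,0x0> matched filter c2s:
Sep 1 20:40:36 20:40:36.780376:CID-0:RT: irb.20:172.16.2.50->172.16.3.10, icmp, (8/0)
Sep 1 20:40:36 20:40:36.780376:CID-0:RT: find flow: table 0x65e9098, hash 61216(0xffff), sa 172.16.2.50, da 172.16.3.10, sp 1, dp 457, proto 1, tok 8, conn-tag 0x00000000, vrf-grp-id 0
Sep 1 20:40:36 20:40:36.780376:CID-0:RT: routed (x_dst_ip 172.16.3.10) from office (irb.20 in 0) to irb.30, Next-hop: 172.16.3.10
Sep 1 20:40:36 20:40:36.780376:CID-0:RT: 172.16.2.50/2048 -> 172.16.3.10/19346 proto 1
Sep 1 20:40:37 20:40:37.781120:CID-0:RT: irb.20:172.16.2.50->172.16.3.10, icmp, (8/0)
Sep 1 20:40:38 20:40:38.120400:CID-0:RT: irb.20:172.16.2.50->172.16.4.20, icmp, (8/0)
Sep 1 20:40:38 20:40:38.120400:CID-0:RT: routed (x_dst_ip 172.16.4.20) from office (irb.20 in 0) to irb.40, Next-hop: 172.16.4.20
Sep 1 20:40:38 20:40:38.121300:CID-0:RT: irb.40:172.16.4.20->172.16.2.50, icmp, (0/0)
"""


def find_one_way(log_text):
    """Return {(client, server, proto): stats} for flows seen in one direction only.

    'client' is whichever side sent the first packet of the flow.  A packet whose
    reversed 3-tuple is already known counts as a reply to that flow.
    """
    flows = {}
    last_key = None  # the flow the most recent packet line belonged to
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            fwd = (m["src"], m["dst"], m["proto"])
            rev = (m["dst"], m["src"], m["proto"])
            if rev in flows:
                flows[rev]["replies"] += 1
                flows[rev]["reply_ifl"] = m["ifl"]
                last_key = rev
            else:
                st = flows.setdefault(fwd, {"requests": 0, "replies": 0,
                                            "in_ifl": m["ifl"], "out_ifl": None,
                                            "reply_ifl": None})
                st["requests"] += 1
                last_key = fwd
            continue
        r = ROUTE_RE.search(line)
        if r and last_key is not None:
            # the routing line follows the first packet of a new session
            flows[last_key]["out_ifl"] = r["out"]
    return {k: v for k, v in flows.items() if v["replies"] == 0}


def report(log_text):
    """Human-readable one line per one-way flow."""
    lines = []
    for (client, server, proto), st in find_one_way(log_text).items():
        lines.append(
            f"{proto} {client} -> {server}: {st['requests']} packet(s) in on "
            f"{st['in_ifl']}, routed out {st['out_ifl']}, no reply seen"
        )
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```

On the sample this reports the two echo requests to 172.16.3.10 as a one-way flow (in on irb.20, out irb.30) and stays silent about the 172.16.4.20 flow, which got its echo reply. A flow that the SRX routed out correctly and that never returns narrows the problem to the far side of the egress interface: the host's own reply path, its firewall, or the layer 2 path back to the SRX.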