Hi Steve, thanks for your patience:
Interfaces up:
root@srx300> show interfaces terse | grep ge-
ge-0/0/0 up up
ge-0/0/0.0 up up inet 192.168.1.5/28
ge-0/0/1 up up
ge-0/0/1.0 up up eth-switch
ge-0/0/2 up up
ge-0/0/2.0 up up eth-switch
ge-0/0/3 up up
ge-0/0/3.0 up up eth-switch
ge-0/0/4 up down
ge-0/0/4.0 up down eth-switch
ge-0/0/5 up up
ge-0/0/5.0 up up eth-switch
ge-0/0/6 up down
ge-0/0/7 up down
ge-0/0/7.0 up down inet
root@srx300> show interfaces terse | grep irb
irb up up
irb.1 up up inet 172.16.1.1/24
irb.20 up up inet 172.16.2.1/24
irb.30 up up inet 172.16.3.1/24
irb.40 up up inet 172.16.4.1/24
irb.50 up up inet 172.16.5.1/24
Policies in place:
From zone: office, To zone: media
Policy: office-to-media, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
Source vrf group: any
Destination vrf group: any
Source addresses: any
Destination addresses: any
Applications: any
Dynamic Applications: any
Action: permit
Zones are correct:
Security zone: office
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
irb.20
Advanced-connection-tracking timeout: 1800
Security zone: media
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
irb.30
Advanced-connection-tracking timeout: 1800
flow-debug:
root@srx300> show log flow-debug | grep 172.16.3.10
Sep 1 20:40:36 20:40:36.780376:CID-0:RT:<172.16.2.50/1->172.16.3.10/457;1,0x0> matched filter c2s:
Sep 1 20:40:36 20:40:36.780376:CID-0:RT: irb.20:172.16.2.50->172.16.3.10, icmp, (8/0)
Sep 1 20:40:36 20:40:36.780376:CID-0:RT: find flow: table 0x65e9098, hash 61216(0xffff), sa 172.16.2.50, da 172.16.3.10, sp 1, dp 457, proto 1, tok 8, conn-tag 0x00000000, vrf-grp-id 0
Sep 1 20:40:36 20:40:36.780376:CID-0:RT: flow_first_in_dst_nat: in <irb.20>, out <N/A> dst_adr 172.16.3.10, sp 1, dp 457
Sep 1 20:40:36 20:40:36.780376:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.16.3.10(457)
Sep 1 20:40:36 20:40:36.780376:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.16.2.50, x_dst_ip 172.16.3.10, in ifp irb.20, out ifp N/A sp 1, dp 457, ip_proto 1, tos 0
Sep 1 20:40:36 20:40:36.780376:CID-0:RT:flow_ipv4_rt_lkup success 172.16.3.10, iifl 0x4a, oifl 0x4b
Sep 1 20:40:36 20:40:36.780376:CID-0:RT: routed (x_dst_ip 172.16.3.10) from office (irb.20 in 0) to irb.30, Next-hop: 172.16.3.10
Sep 1 20:40:36 20:40:36.780376:CID-0:RT: 172.16.2.50/2048 -> 172.16.3.10/19346 proto 1
root@srx300> show log flow-debug | grep 172.16.3.10
root@srx300> show log flow-debug | grep 172.16.3.10
The ping goes out and the flow seems to be OK, but there is no answer back.
root@srx300> show ethernet-switching table
MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)
Ethernet switching table : 22 entries, 22 learned
Routing instance : default-switch
        Vlan         MAC                 MAC     Age  Logical       NH     RTR
        name         address             flags        interface     Index  ID
        vlan-media   74:5e:1c:07:af:ba   D       -    ge-0/0/5.0    0      0
dest:   vlan-media   90:09:d0:0c:94:56   D       -    ge-0/0/3.0    0      0
        vlan-media   94:db:56:68:1f:20   D       -    ge-0/0/5.0    0      0
        vlan-mgmt    24:f5:a2:5a:fb:d9   D       -    ge-0/0/5.0    0      0
        vlan-mgmt    24:f5:a2:5a:fc:00   D       -    ge-0/0/5.0    0      0
        vlan-mgmt    34:98:b5:a7:63:75   D       -    ge-0/0/5.0    0      0
        vlan-mgmt    80:cc:9c:98:fe:d0   D       -    ge-0/0/1.0    0      0
        vlan-mgmt    c0:56:27:eb:60:86   D       -    ge-0/0/5.0    0      0
source: vlan-office  98:fa:9b:21:d0:ef   D       -    ge-0/0/2.0    0      0
The switching table knows the MAC for the destination host.
hmmmmmmmmmm ??????????
regards Max
------------------------------
Max Prieler
------------------------------
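As an added example (my code, not part of Max's post and not a Junos tool), a small parser for the kind of `show log flow-debug` output pasted above. It groups the trace by (source, destination) pair and reports, for each pair, the ingress interface, the zone and egress interface the packet was routed to, and whether the filter ever caught a packet in the reverse direction. The log text inside the block is constructed, modelled on the lines above; the function and regex names are mine.

```python
"""Summarise a Junos `show log flow-debug` trace per traffic direction.

Added example, not code from the thread. The log below is constructed,
modelled on the lines Max posted: one ICMP echo request from 172.16.2.50
to 172.16.3.10 entering on irb.20, and no reply-direction lines.
"""
import re

FLOW_LOG = """\
Sep  1 20:40:36 20:40:36.780376:CID-0:RT:<172.16.2.50/1->172.16.3.10/457;1,0x0> matched filter c2s:
Sep  1 20:40:36 20:40:36.780376:CID-0:RT:  irb.20:172.16.2.50->172.16.3.10, icmp, (8/0)
Sep  1 20:40:36 20:40:36.780376:CID-0:RT:  routed (x_dst_ip 172.16.3.10) from office (irb.20 in 0) to irb.30, Next-hop: 172.16.3.10
"""

# "<src/sport->dst/dport;proto,...> matched filter ..." opens each packet's trace
PKT_RE = re.compile(r"<(\d+(?:\.\d+){3})/\d+->(\d+(?:\.\d+){3})/\d+;(\d+),")
# "  irb.20:src->dst, icmp, (8/0)" names the ingress interface
IN_RE = re.compile(r"RT:\s+(\S+):(\d+(?:\.\d+){3})->(\d+(?:\.\d+){3}),")
# "routed (x_dst_ip ...) from <zone> (<in_if> in 0) to <out_if>, Next-hop: <ip>"
ROUTED_RE = re.compile(
    r"routed \(x_dst_ip \S+\) from (\S+) \((\S+) in \d+\) to ([^,]+), Next-hop: (\S+)"
)


def summarize(log):
    """Return {(src ip, dst ip): {packets, proto, in_if, from_zone, out_if, next_hop}}."""
    flows, cur = {}, None
    for line in log.splitlines():
        m = PKT_RE.search(line)
        if m:
            cur = (m.group(1), m.group(2))
            entry = flows.setdefault(cur, {"packets": 0, "proto": int(m.group(3))})
            entry["packets"] += 1
            continue
        if cur is None:
            continue  # lines before the first packet header belong to nothing
        m = IN_RE.search(line)
        if m:
            flows[cur]["in_if"] = m.group(1)
            continue
        m = ROUTED_RE.search(line)
        if m:
            flows[cur].update(from_zone=m.group(1), out_if=m.group(3), next_hop=m.group(4))
    return flows


def reply_seen(flows, src, dst):
    """True if the trace also caught packets flowing from dst back to src."""
    return (dst, src) in flows


if __name__ == "__main__":
    flows = summarize(FLOW_LOG)
    for (src, dst), info in flows.items():
        print(f"{src} -> {dst}: {info}")
    print("reply direction seen:", reply_seen(flows, "172.16.2.50", "172.16.3.10"))
```

With only the request direction in the trace, as above, `reply_seen` returns False: the SRX routed the packet out of irb.30 and nothing came back through the filter, which points the investigation at the segment beyond irb.30 rather than at the zone or policy configuration, since the SRX trace alone cannot show what happened there.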
Original Message:
Sent: 09-01-2022 10:21
From: STEVE PULUKA
Subject: VLAN-problem
To troubleshoot, we could start by looking at the status of the interfaces:
show interfaces terse
Note that for the irb virtual interface to come to the up/up status, at least one physical interface in the same VLAN has to be in the up/up status.
If both the layer 2 and layer 3 IP interfaces are up/up, the next phase is to confirm the configuration:
make sure the VLAN assignments for both layer 2 and layer 3 interfaces are correct
confirm that the security zones have the properly assigned interfaces
confirm that the security policies are in place
show security policies
If the policies are present as expected, look for the test traffic sessions:
show security flow session
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
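The checklist above, run as a script (an added example, not Steve's or Juniper's code): it parses saved text output of the show commands he names and reports which steps fail for a given ingress and egress irb. The sample outputs inside the block are constructed, modelled on the ones posted in the thread, and the helper names are mine. One caveat the script encodes: an SRX is a stateful firewall, so a permit policy in the initiating direction is enough for the replies of that session; a missing policy in the reverse direction is reported as a note, since it only matters for sessions initiated from the other zone.

```python
"""Run the interface / zone / policy checklist offline against Junos text output.

Added example, not code from the thread. The three outputs below are
constructed, trimmed versions modelled on what Max posted.
"""
import re

# Constructed: `show interfaces terse`, trimmed to the interfaces of interest.
TERSE = """\
ge-0/0/2       up    up
ge-0/0/2.0     up    up   eth-switch
ge-0/0/3       up    up
ge-0/0/3.0     up    up   eth-switch
irb            up    up
irb.20         up    up   inet     172.16.2.1/24
irb.30         up    up   inet     172.16.3.1/24
"""

# Constructed: `show security zones`, trimmed.
ZONES = """\
Security zone: office
  Interfaces bound: 1
  Interfaces:
    irb.20
  Advanced-connection-tracking timeout: 1800
Security zone: media
  Interfaces bound: 1
  Interfaces:
    irb.30
  Advanced-connection-tracking timeout: 1800
"""

# Constructed: `show security policies`, trimmed.
POLICIES = """\
From zone: office, To zone: media
  Policy: office-to-media, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
"""


def parse_terse(text):
    """interface name -> (admin state, link state); header lines are skipped."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] in ("up", "down") and parts[2] in ("up", "down"):
            status[parts[0]] = (parts[1], parts[2])
    return status


def parse_zones(text):
    """interface name -> zone name, taken from each zone's 'Interfaces:' list."""
    zone_of, zone, in_list = {}, None, False
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Security zone:\s*(\S+)", s)
        if m:
            zone, in_list = m.group(1), False
        elif s == "Interfaces:":
            in_list = True
        elif in_list and s and ":" not in s:
            zone_of[s] = zone          # bare interface name inside the list
        else:
            in_list = False            # any other "key: value" line ends the list
    return zone_of


def parse_policies(text):
    """(from zone, to zone) -> list of (policy name, action)."""
    policies, pair, name = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"From zone:\s*(\S+),\s*To zone:\s*(\S+)", s)
        if m:
            pair = (m.group(1), m.group(2))
            policies.setdefault(pair, [])
            continue
        m = re.match(r"Policy:\s*([^,]+),", s)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"Action:\s*(\S+)", s)
        if m and pair and name:
            policies[pair].append((name, m.group(1)))
            name = None
    return policies


def check_path(terse, zones, policies, in_if, out_if):
    """Apply the checklist to traffic entering in_if and leaving out_if.

    Returns (errors, notes). Empty errors means every step passed. VLAN
    membership is not visible in these outputs and still has to be read
    from the configuration.
    """
    st, zo, po = parse_terse(terse), parse_zones(zones), parse_policies(policies)
    errors, notes = [], []
    for ifname in (in_if, out_if):
        if st.get(ifname) != ("up", "up"):
            errors.append(f"{ifname} is not up/up: {st.get(ifname)}")
        if ifname not in zo:
            errors.append(f"{ifname} is not bound to a security zone")
    if errors:
        return errors, notes
    fwd = (zo[in_if], zo[out_if])
    if not any(a == "permit" for _, a in po.get(fwd, [])):
        errors.append(f"no permit policy from zone {fwd[0]} to {fwd[1]}")
    rev = (fwd[1], fwd[0])
    if not any(a == "permit" for _, a in po.get(rev, [])):
        # Stateful firewall: replies to a permitted session match the existing
        # session, so this only affects sessions initiated from rev[0].
        notes.append(f"no permit policy from zone {rev[0]} to {rev[1]} "
                     f"(needed only for sessions initiated from {rev[0]})")
    return errors, notes


if __name__ == "__main__":
    errs, notes = check_path(TERSE, ZONES, POLICIES, "irb.20", "irb.30")
    print("errors:", errs)
    print("notes:", notes)
```

Feed it the real outputs by pasting them into the three strings, or by reading them from files saved off the CLI; when every step passes and the ping still gets no reply, the remaining step in Steve's list, `show security flow session`, tells you whether the SRX created a session at all.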
Original Message:
Sent: 09-01-2022 05:25
From: Max Prieler
Subject: VLAN-problem
Hi all,
On my SRX300 I set up a couple of VLANs.
IRB.20, ge-0/0/2, ethernet-switching, mode access, zone office
IRB.30, ge-0/0/3, ethernet-switching, mode access, zone media
Interface ge-0/0/5, port mode trunk, going to the uplink switch containing these VLANs and some more ....
The rules permit all traffic between the zones.
If I ping from irb.20 to irb.30 there is no answer on the client, not even from the SRX interface IP ...3.1, but there is an answer from the SRX itself.
What's going wrong?
Please be patient, I am not a network engineer :-)
regards Max
------------------------------
Max Prieler
------------------------------