Juniper SRX100 with Cisco 2960G
Hi Guys,
I am connecting 2 Juniper SRX100s to a Cisco 2960G with straight-through cables.
SRX100 ge-0/0/0 (vlan 10)(ip 1.1.1.1/24)
(vlan 10)cisco 2960G gig 0/9 | cisco 2960G gig 0/10 (vlan10)
SRX100 ge-0/0/0 (vlan 10) (ip 1.1.1.2/24)
I checked the MAC address table on the Cisco 2960G; both SRXs are showing up there.
But when I try to ping across, it's not going through.
1st SRX100 ge-0/0/0 ip 1.1.1.1 ====> I can ping 1.1.1.1 but cannot ping 1.1.1.2
2nd SRX100 ge-0/0/0 ip 1.1.1.2 ====> I can ping 1.1.1.2 but cannot ping 1.1.1.1
I checked the speed: 100 Mbps on the SRX, and the Cisco BW is 100 Mbps.
Both are full duplex as well.
Please advise on a solution; what could be causing the problem here? I appreciate your help.
Thanks,
Ravi
Comments
-
lrb: Are the ge-0/0/0 interfaces on both the SRXs in the same security zone? Is there a host-inbound-traffic system-services ping on the zone that the interfaces are part of?
-
ravi888: Hi lrb,
I really appreciate your response; here is the show interfaces output.
1st SRX
root# show interfaces
fe-0/0/0 {
    vlan-tagging;
    unit 0 {
        vlan-id 10;
        family inet {
            address 1.1.1.1/24;
        }
    }
}
2nd SRX
root# show interfaces
fe-0/0/0 {
    vlan-tagging;
    unit 0 {
        vlan-id 10;
        family inet {
            address 1.1.1.2/24;
        }
    }
}
Ping out from 1st SRX
root> ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=0.261 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.251 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.264 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.258 ms
^C
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.251/0.259/0.264/0.005 ms
root> ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2): 56 data bytes
^C
--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
Interfaces are in the default zone; do I still need to apply a security zone to them?
Juniper SRX100
root> show interfaces fe-0/0/0
Physical interface: fe-0/0/0, Enabled, Physical link is Up
Interface index: 131, SNMP ifIndex: 116
Link-level type: Ethernet, MTU: 1518, Link-mode: Full-duplex, Speed: 100mbps,
BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Enabled
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x0
CoS queues : 8 supported, 8 maximum usable queues
Current address: 00:26:88:45:5e:80, Hardware address: 00:26:88:45:5e:80
Last flapped : 2012-01-10 11:30:23 UTC (14:14:48 ago)
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Active alarms : None
Active defects : None
Logical interface fe-0/0/0.0 (Index 64) (SNMP ifIndex 117)
Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.10 ] Encapsulation: ENET2
Input packets : 1
Output packets: 3399
Security: Zone: Null
Protocol inet, MTU: 1500
Flags: Is-Primary
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 1.1.1/24, Local: 1.1.1.1, Broadcast: 1.1.1.255
Logical interface fe-0/0/0.32767 (Index 6 (SNMP ifIndex 150)
Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x0000.0 ] Encapsulation: ENET2
Input packets : 0
Output packets: 0
Security: Zone: Null
CISCO 2960G SW
Switch#sh int gig0/9
GigabitEthernet0/9 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is fcfb.fbd7.8d09 (bia fcfb.fbd7.8d09)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 248/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
3 packets input, 217472 bytes, 0 no buffer
Received 2 broadcasts (0 multicasts)
3395 runts, 0 giants, 0 throttles
3395 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
37730 packets output, 2781508 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
After I configured VLANs on the SRX and Cisco switches, the SRXs are not showing up in the Cisco switch MAC address table.
Please advise, I really appreciate your help.
Thanks,
Ravi
-
zoidberg: No traffic escapes the Null zone. Everything is dropped. Put your interfaces in a custom security zone and add host-inbound-services ping to the zone (or specifically to the interface in the zone), and then it should work.
-
ravi888: Hi Zoidberg,
Thanks for your response. I configured the zone and host-inbound-services; here is the configuration:
root> show configuration
## Last commit: 2012-01-11 02:31:41 UTC by root
version 9.6R1.13;
interfaces {
    fe-0/0/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 10;
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.2;
    }
}
security {
    zones {
        security-zone zone1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                fe-0/0/0.0;
            }
        }
    }
}
and following is the configuration of the Cisco switch interfaces to which I have connected:
interface GigabitEthernet0/9
switchport access vlan 10
!
interface GigabitEthernet0/10
switchport access vlan 10
2nd SRX config
root@ft1-srx100-cbr> show configuration
## Last commit: 2012-01-11 02:21:25 UTC by root
version 9.6R1.13;
interfaces {
    fe-0/0/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 10;
            family inet {
                address 1.1.1.2/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
    }
}
security {
    zones {
        security-zone zone1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                fe-0/0/0.0;
            }
        }
    }
}
Please advise, I really appreciate your help.
Thanks,
Ravi
-
zoidberg: Adding this to both SRXs should get your pings working.
set security zones security-zone NAME interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
Once you move beyond pings, you will need similar configuration. For example, if you want to OSPF peer between them you would need to permit OSPF with set security zones security-zone NAME host-inbound-traffic protocols ospf. If you want to be able to SSH into those interfaces, you would need to set security zones security-zone NAME host-inbound-traffic system-services ssh. Everything is blocked unless you tell it otherwise.
To get transit traffic working through the SRXs, you will need to put any new interfaces into zones and you will need to create policies for any traffic between zones, and even between interfaces in the same zone. If you have two interfaces in ZONE-A, you will need to create a policy from-zone ZONE-A to-zone ZONE-A to enable traffic between them. Or, change the default policy from deny to permit, set security policies default-policy permit-all, but the preferred mode is to leave the default as deny and explicitly permit only the traffic you want.
-
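The Null-zone behaviour zoidberg describes is easy to miss in a large config, so here is an added audit script (example code, not Juniper tooling or anything from this thread) that parses the curly-brace "show configuration" text pasted above and flags any logical interface that no security zone claims, plus zoned interfaces where neither the zone nor the interface permits ping under host-inbound-traffic. The inputs at the bottom are constructed to mirror the 1st SRX before and after the fix, and the per-interface form of zoidberg's set command.

```python
"""Audit a Junos config for interfaces left in the Null zone (added example,
not Juniper tooling). Parses 'show configuration' curly-brace text into nested
dicts, then reports logical interfaces no security-zone claims (Null zone:
everything dropped) and zoned interfaces where ping is not host-inbound."""
import re

def parse_junos(text):
    """Curly-brace Junos config -> nested dicts; leaf statements map to None."""
    stack = [{}]
    tokens = re.findall(r"[^{};]+\{|\}|[^{};]+;", re.sub(r"#.*", "", text))
    for tok in (t.strip() for t in tokens):
        if tok == "}":
            stack.pop()                       # close current stanza
        elif tok.endswith("{"):
            stack.append(stack[-1].setdefault(tok[:-1].strip(), {}))
        else:
            stack[-1][tok[:-1]] = None        # 'address 1.1.1.1/24;' -> leaf
    return stack[0]

def logical_interfaces(cfg):
    """Every configured unit as an ifl name, e.g. {'fe-0/0/0.0'}."""
    return {f"{ifd}.{k.split()[1]}" for ifd, body in cfg.get("interfaces", {}).items()
            for k in (body or {}) if k.startswith("unit ")}

def inbound_services(node):
    """system-services listed under a host-inbound-traffic stanza, if any."""
    return set((node or {}).get("host-inbound-traffic", {}).get("system-services", {}))

def audit(text):
    """Return findings; an empty list means ping should be answered."""
    cfg, findings, zoned = parse_junos(text), [], set()
    for key, zone in cfg.get("security", {}).get("zones", {}).items():
        if not key.startswith("security-zone "):
            continue
        zone_ok = {"ping", "all"} & inbound_services(zone)
        for ifl, ibody in (zone.get("interfaces") or {}).items():
            zoned.add(ifl)                    # interface-level grant also counts
            if not (zone_ok or {"ping", "all"} & inbound_services(ibody)):
                findings.append(f"{ifl}: in zone {key.split()[1]} but ping not permitted")
    for ifl in sorted(logical_interfaces(cfg) - zoned):
        findings.append(f"{ifl}: in Null zone, all traffic dropped")
    return findings

# Constructed inputs: the thread's 1st SRX with no zone, with zone1 'all', and a per-ifl ping grant.
BEFORE = """version 9.6R1.13; interfaces { fe-0/0/0 { vlan-tagging; unit 0 {
vlan-id 10; family inet { address 1.1.1.1/24; } } } }"""
AFTER = BEFORE + """ security { zones { security-zone zone1 { host-inbound-traffic {
system-services { all; } } interfaces { fe-0/0/0.0; } } } }"""
PER_IFL = BEFORE + """ security { zones { security-zone zone1 { interfaces {
fe-0/0/0.0 { host-inbound-traffic { system-services { ping; } } } } } } }"""
```

Running audit(BEFORE) reproduces the thread's symptom as a finding, while AFTER and PER_IFL come back clean.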
ravi888: Thanks guys for your help.
It works.
Thanks again.
Resolved