Hi all, I'm looking for any help out there, as the documentation on this seems to be non-existent. I'm attempting to upgrade from EX4200s to EX4300s, and both times I attempted it I've had to roll back due to the 4300s not passing traffic through our Secureworks box.
Basically our firewall and Secureworks box are on an L2 VLAN (3991) that gets bridged to VLAN 112. The problem is there is no reachability from the 4300 to the firewall. When I revert back to the 4200 with the same configuration (except for vlan vs irb) it works like it has for years. I set up a test lab to verify this with an SRX 210 acting as a transparent bridge and am able to replicate this without messing with production.
EX4300 results:
set interfaces ge-0/0/25 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/25 unit 0 family ethernet-switching vlan members secureworks
set interfaces ge-0/0/26 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members externalNet112
set interfaces ge-0/0/27 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/27 unit 0 family ethernet-switching vlan members secureworks
set interfaces irb unit 112 family inet address 10.10.10.20/24
set vlans externalNet112 vlan-id 112
set vlans externalNet112 l3-interface irb.112
set vlans secureworks vlan-id 3991
root# run show arp no-resolve
MAC Address Address Interface Flags
28:c0:da:76:4a:40 10.10.10.21 ge-0/0/26.0 none
28:c0:da:7c:e7:f0 10.10.10.220 ge-0/0/26.0 none
Total entries: 2
root# run ping 10.10.10.21
PING 10.10.10.21 (10.10.10.21): 56 data bytes
^C
--- 10.10.10.21 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Here is the 4200:
set interfaces ge-0/0/25 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/25 unit 0 family ethernet-switching vlan members secureworks
set interfaces ge-0/0/26 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members externalNet112
set interfaces ge-0/0/27 unit 0 family ethernet-switching vlan members secureworks
set interfaces vlan unit 112 family inet address 10.10.10.20/24
set vlans externalNet112 vlan-id 112
set vlans externalNet112 l3-interface vlan.112
set vlans secureworks vlan-id 3991
root# run show arp no-resolve
MAC Address Address Interface Flags
28:c0:da:76:4a:40 10.10.10.21 vlan.112 none
root# run ping 10.10.10.21
PING 10.10.10.21 (10.10.10.21): 56 data bytes
64 bytes from 10.10.10.21: icmp_seq=0 ttl=64 time=3.538 ms
64 bytes from 10.10.10.21: icmp_seq=1 ttl=64 time=1.655 ms
64 bytes from 10.10.10.21: icmp_seq=2 ttl=64 time=1.670 ms
64 bytes from 10.10.10.21: icmp_seq=3 ttl=64 time=1.783 ms
64 bytes from 10.10.10.21: icmp_seq=4 ttl=64 time=1.775 ms
^C
--- 10.10.10.21 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.655/2.084/3.538/0.729 ms
The only major difference I can see is that on the 4200 (non-ELS) ARP entries are learned on the vlan, whereas on the 4300 they are learned on the interface.
Any ideas would be greatly appreciated. I cannot be the only one to have experienced this, although sometimes searching through Juniper answers it feels like it.
Thanks in advance
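As an added example (not the poster's own code, nor anything from Juniper), a small Python check that parses the `set` config and the `show arp no-resolve` output quoted above and reports, per ARP entry, whether it was learned on the VLAN's L3 interface (as on the non-ELS 4200) or on a member port (as on the ELS 4300). The sample strings are constructed from the post; it assumes one VLAN per `vlan members` line, as in the snippets.

```python
import re

# Sample inputs, constructed from the EX4300 config and 'show arp' output in the post.
ELS_CONFIG = """
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members externalNet112
set interfaces ge-0/0/27 unit 0 family ethernet-switching vlan members secureworks
set vlans externalNet112 vlan-id 112
set vlans externalNet112 l3-interface irb.112
set vlans secureworks vlan-id 3991
"""
ELS_ARP = """
MAC Address Address Interface Flags
28:c0:da:76:4a:40 10.10.10.21 ge-0/0/26.0 none
28:c0:da:7c:e7:f0 10.10.10.220 ge-0/0/26.0 none
Total entries: 2
"""

def parse_config(text):
    """Map logical port (ge-x/y/z.unit) -> VLAN name, and VLAN name -> L3 interface.
    Only single-VLAN 'vlan members X' lines are handled (an assumption)."""
    port_vlan, vlan_l3 = {}, {}
    for line in text.splitlines():
        m = re.match(r"set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (\S+)$", line)
        if m:
            port_vlan[f"{m[1]}.{m[2]}"] = m[3]
        m = re.match(r"set vlans (\S+) l3-interface (\S+)$", line)
        if m:
            vlan_l3[m[1]] = m[2]
    return port_vlan, vlan_l3

def parse_arp(text):
    """Pull (mac, ip, interface) tuples out of 'show arp no-resolve' output; header and totals are skipped."""
    return re.findall(r"^([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+\S+", text, re.M)

def classify(config_text, arp_text):
    """For each ARP entry return (ip, vlan name, how the entry was learned)."""
    port_vlan, vlan_l3 = parse_config(config_text)
    l3_to_vlan = {l3: vlan for vlan, l3 in vlan_l3.items()}
    out = []
    for _mac, ip, ifname in parse_arp(arp_text):
        if ifname in l3_to_vlan:            # non-ELS style: entry sits on vlan.N
            out.append((ip, l3_to_vlan[ifname], "l3-interface"))
        elif ifname in port_vlan:           # ELS style: entry sits on the member port
            out.append((ip, port_vlan[ifname], "member-port"))
        else:
            out.append((ip, None, "unknown"))
    return out

if __name__ == "__main__":
    for row in classify(ELS_CONFIG, ELS_ARP):
        print(row)
```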