
Adding SPC cards to an SRX5800


So we have an SRX5800 cluster, with both devices having two SRX5K-SPC-2-10-40 SPC cards installed in FPC slots 10 & 11 (the highest slots).

 

If we want to add a new SRX5K-SPC-2-10-40, what is the process? Considering that if I'm reading the following page correctly, we cannot simply just add a new card into slot 9 since it's a lower slot:

 

https://www.juniper.net/documentation/en_US/release-independent/junos/topics/task/installation/spc-srx5800-installing.html

 

  • If you are only adding first-generation SRX5K-SPC-2-10-40 SPCs to the chassis, you must install them so that the new SPCs are not the SPCs with the lowest-numbered slots in the chassis. For example, if the chassis already has two SPCs with one SPC each in slots 2 and 3, you cannot install additional SPCs in slots 0 or 1 using this procedure.

Re: SRX340 with Filter-Based Forwarding Issue


Hi Wojtek,

 

You can refer to the attachment.

 

Thanks,

Kay

 

Re: Adding SPC cards to an SRX5800


Hi,

The procedure you mentioned is applicable when you are doing ISHU (In-service Hardware Upgrade - No impact). If service impact is acceptable, you can install the new SPC by shutting down both boxes at the same time. Otherwise, you may have to install the SPC individually on each node by breaking the cluster (more work to do).

 

Re: SRX340 with Filter-Based Forwarding Issue


Looks like there is a problem with 124.65.160.169 gateway reachability.

Can you please try:

ping 124.65.160.169 source 124.65.160.172
show arp interface reth3.0

Regards, Wojtek

Re: Security Director don't delivery correct schema configuration for SDSN


Hi Alfaromeo and thank you for your feedback.

I can confirm that we're running the same vSRX's 17.3R1.10 version.

We'll upgrade to 17.4 as soon as possible (to see if this will effectively resolve the problem) and give you feedback.

 

 

 

 

 


Re: SRX340 with Filter-Based Forwarding Issue


Is it because this reth3.0 in down status?

Re: SRX340 with Filter-Based Forwarding Issue


Yes. How is the ISP's modem connected to the SRX? Is there a switch in between or is it directly connected to node 0?

Regards, Wojtek


Re: Security Director don't delivery correct schema configuration for SDSN


Tried to upgrade too...

Right now my junos space from yesterday night is trying to upgrade the DMI schema!!!! :-|
Then I can't provide you the feedback...
Waiting for it  :-)

Re: SRX340 with Filter-Based Forwarding Issue


Here is the connection table

 

FW1 ge-0/0/6 > port 10 (vlan12) SW1 port 13 (vlan12) > ISP modem

FW2 ge-5/0/6 > port 11 (vlan12) SW1  

 

ge-0/0/6 {
      gigether-options {
             redundant-parent reth3;
      }
}

ge-5/0/6 {
      gigether-options {
             redundant-parent reth3;
      }
}

reth3 {
        redundant-ether-options {
                 redundancy-group 1;
        }
        unit 0 {
               family inet {
                      address 124.65.160.172/29;
                }
         }
}

 

I found a strange state on Reth3, and both FW physical interfaces have cables connected.

Reth3 link state shows 'Interface Not Found'

I'm not sure if it is the reason.....

Re: SRX340 with Filter-Based Forwarding Issue


I've just noticed that reth count is configured to 3. It has to be increased to 4

set chassis cluster reth-count 4

Regards, Wojtek
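
A pre-commit check for the mismatch found above, as an added example that is not part of the original thread: it compares every rethN name referenced in a configuration against `chassis cluster reth-count`, since only reth0 through reth(count-1) are created. The sample configuration is constructed from the snippet posted in the thread plus an assumed chassis stanza, and the name `check_reth_count` is hypothetical.

```python
import re

# Constructed sample: the interface stanzas come from the thread; the chassis
# stanza is assumed, using the reth-count of 3 mentioned in the reply.
SAMPLE_CONFIG = """
chassis {
    cluster {
        reth-count 3;
    }
}
interfaces {
    ge-0/0/6 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-5/0/6 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    reth3 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 124.65.160.172/29;
            }
        }
    }
}
"""

RETH_COUNT_RE = re.compile(r"\breth-count\s+(\d+)")
RETH_NAME_RE = re.compile(r"\breth(\d+)\b")


def check_reth_count(config_text):
    """Report reth interfaces that the configured reth-count will not create.

    Works on hierarchical or set-style text because it only looks for the
    'reth-count N' statement and for rethN names.
    """
    match = RETH_COUNT_RE.search(config_text)
    # Without a reth-count statement no reth interface is created at all.
    reth_count = int(match.group(1)) if match else 0

    # Every reth index that appears as an interface name or redundant-parent.
    used = sorted({int(n) for n in RETH_NAME_RE.findall(config_text)})

    # Valid names are reth0 .. reth(count-1); anything above is never created.
    uncreated = ["reth%d" % n for n in used if n >= reth_count]
    required = (max(used) + 1) if used else 0

    return {
        "reth_count": reth_count,
        "referenced": ["reth%d" % n for n in used],
        "uncreated": uncreated,
        "required_reth_count": required,
    }


if __name__ == "__main__":
    result = check_reth_count(SAMPLE_CONFIG)
    for name in result["uncreated"]:
        print("%s is referenced but reth-count is %d; set it to at least %d"
              % (name, result["reth_count"], result["required_reth_count"]))
```
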

Re: SRX650 - software installation problem


Dear Spuluka,

I tried all of this but the result is the same.

This is my SRX log:

-------------------------

loader>

 

U-Boot 1.1.6-JNPR-1.9 (Build time: May 17 2010 - 06:30:31)

 

SRX_650 board revision major:0, minor:11, serial #: AAEW1937

OCTEON CN5650-SCP pass 2.1, Core clock: 700 MHz, DDR clock: 333 MHz (666 Mhz data rate)

DRAM:  2048 MB

Starting Memory POST...

Checking datalines... OK

Checking address lines... OK

Checking 512K memory for U-Boot... OK.

Running U-Boot CRC Test... OK.

Flash:  8 MB

USB:   scanning bus for devices... 3 USB Device(s) found

       scanning bus for storage devices... 1 Storage Device(s) found

Clearing DRAM........ done

Fuse: 0x0fff, Coremask: 0x0fff

BIST check passed.

0:00:00.0 Vendor/Device ID = 0x850910b5

0:01:01.0 Vendor/Device ID = 0x850910b5

0:02:00.0 Vendor/Device ID = 0xb68014e4

Boot Media: usb internal-compact-flash external-compact-flash

Net:   octeth0, octeth1, octeth2, octeth3

 

  ide 0: Model: CF 2GB Firm: 20080112 Ser#: 2012B     0000165041

            Type: Removable Hard Disk

            Capacity: 2000.7 MB = 1.9 GB (4097520 x 512)

POST Passed

Press SPACE to abort autoboot in 1 seconds

ELF file is 32 bit

Loading .text @ 0x8f000078 (244680 bytes)

Loading .rodata @ 0x8f03bc40 (13940 bytes)

Loading .rodata.str1.4 @ 0x8f03f2b4 (16432 bytes)

Loading set_Xcommand_set @ 0x8f0432e4 (100 bytes)

Loading .rodata.cst4 @ 0x8f043348 (20 bytes)

Loading .data @ 0x8f044000 (5608 bytes)

Loading .data.rel.ro @ 0x8f0455e8 (120 bytes)

Loading .data.rel @ 0x8f045660 (136 bytes)

Clearing .bss @ 0x8f0456e8 (11656 bytes)

## Starting application at 0x8f000078 ...

Consoles: U-Boot console

Found compatible API, ver. 1.9

 

FreeBSD/MIPS U-Boot bootstrap loader, Revision 1.9

(builder@zigeth.juniper.net, Mon May 17 05:45:58 UTC 2010)

Memory: 2048MB

[7]Booting from internal-compact-flash slice 3

Un-Protected 1 sectors

writing to flash...

Protected 1 sectors

Error on read (no IRQ) dev 0 blk 2584513: status 0x51

Error on read (no IRQ) dev 0 blk 2584513: status 0x51

Error on read (no IRQ) dev 0 blk 2584513: status 0x51

 

Error on read (no IRQ) dev 0 blk 2584513: status 0x51

can't load '/kernel'

Error on read (no IRQ) dev 0 blk 2584513: status 0x51

can't load '/kernel.old'

Press Enter to stop auto bootsequencing and to enter loader prompt.

 

 

Type '?' for a list of commands, 'help' for more detailed help.

loader> install file:///junos-srxsme-12.3X48-D70.3-domestic.tgz

/kernel data=0xb9e924+0x13c950 syms=[0x4+0x91d20+0x4+0xd6145]

Kernel entry at 0x801000c0 ...

init regular console

Primary ICache: Sets 64 Size 128 Asso 4

Primary DCache: Sets 1 Size 128 Asso 64

Secondary DCache: Sets 2048 Size 128 Asso 8

GDB: debug ports: uart

GDB: current port: uart

KDB: debugger backends: ddb gdb

KDB: current backend: ddb

kld_map_v: 0x8ff80000, kld_map_p: 0x0

Copyright (c) 1996-2018, Juniper Networks, Inc.

All rights reserved.

Copyright (c) 1992-2006 The FreeBSD Project.

Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994

        The Regents of the University of California. All rights reserved.

JUNOS 12.3X48-D70.3 #0: 2018-05-17 09:31:28 UTC

    builder@kuzuryu.juniper.net:/volume/build/junos/12.3/service/12.3X48-D70.3/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel

JUNOS 12.3X48-D70.3 #0: 2018-05-17 09:31:28 UTC

    builder@kuzuryu.juniper.net:/volume/build/junos/12.3/service/12.3X48-D70.3/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel

real memory  = 2147483648 (2048MB)

avail memory = 922796032 (880MB)

FreeBSD/SMP: Multiprocessor System Detected: 12 CPUs

Security policy loaded: Junos MAC/veriexec (mac_veriexec)

Security policy loaded: JUNOS MAC/pcap (mac_pcap)

Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)

MAC/veriexec fingerprint module loaded: SHA256

MAC/veriexec fingerprint module loaded: SHA1

netisr_init: !debug_mpsafenet, forcing maxthreads from 12 to 1

cpu0 on motherboard

: CAVIUM's OCTEON 56XX CPU Rev. 0.9 with no FPU implemented

        L1 Cache: I size 32kb(128 line), D size 8kb(128 line), sixty four way.

        L2 Cache: Size 2048kb, 8 way

obio0 on motherboard

uart0: <Octeon-16550 channel 0> on obio0

uart0: console (9600,n,8,1)

twsi0 on obio0

dwc0: <Synopsis DWC OTG Controller Driver> on obio0

usb0: <USB Bus for DWC OTG Controller> on dwc0

usb0: USB revision 2.0

uhub0: vendor 0x0000 DWC OTG root hub, class 9/0, rev 2.00/1.00, addr 1

uhub0: 1 port with 1 removable, self powered

uhub1: vendor 0x0409 product 0x005a, class 9/0, rev 2.00/1.00, addr 2

uhub1: single transaction translator

uhub1: 4 ports with 4 removable, self powered

umass0: JetFlash Mass Storage Device, rev 2.00/11.00, addr 3

pcib0: <Cavium on-chip PCIe HOST bridge> on obio0

Disabling Octeon big bar support

PCIe: Waiting for port 0 to finish reset

PCIe: Port 0 link active, 4 lanes

PCIe: Waiting for port 1 to finish reset

PCIe: Port 1 link active, 4 lanes

pcib0: Initialized controller

pci0: <PCI bus> on pcib0

pcib2: <PCI-PCI bridge> irq 0 at device 0.0 on pci0

pci1: <PCI bus> on pcib2

pcib3: <PCI-PCI bridge> irq 0 at device 1.0 on pci1

pci2: <PCI bus> on pcib3

pci2: <network, ethernet> at device 0.0 (no driver attached)

pcib4: <PCI-PCI bridge> irq 0 at device 2.0 on pci1

pci3: <PCI bus> on pcib4

atapci0: <SiI 3132 SATA300 controller> mem 0x100000-0x10007f,0x104000-0x107fff irq 0 at device 0.0 on pci3

unknown: Allocating IRQ for intpin 1, device atapci failed, i2cid

pcib0: Allocating IRQ for atapci failed

atapci0: unable to map interrupt

device_attach: atapci0 attach returned 6

pcib5: <PCI-PCI bridge> irq 0 at device 3.0 on pci1

pci4: <PCI bus> on pcib5

pcib6: <PCI-PCI bridge> mem 0x200000-0x21ffff irq 0 at device 0.0 on pci4

pci5: <PCI bus> on pcib6

pcib7: <PCI-PCI bridge> irq 0 at device 1.0 on pci5

pci6: <PCI bus> on pcib7

pcib8: <PCI-PCI bridge> irq 0 at device 2.0 on pci5

pci7: <PCI bus> on pcib8

pcib9: <PCI-PCI bridge> irq 0 at device 3.0 on pci5

pci8: <PCI bus> on pcib9

pcib10: <PCI-PCI bridge> irq 0 at device 4.0 on pci5

pci9: <PCI bus> on pcib10

pcib11: <PCI-PCI bridge> irq 0 at device 5.0 on pci5

pci10: <PCI bus> on pcib11

pcib12: <PCI-PCI bridge> irq 0 at device 6.0 on pci5

pci11: <PCI bus> on pcib12

pcib13: <PCI-PCI bridge> irq 0 at device 7.0 on pci5

pci12: <PCI bus> on pcib13

pcib14: <PCI-PCI bridge> irq 0 at device 4.0 on pci1

pci13: <PCI bus> on pcib14

pcib1: <Cavium on-chip PCIe HOST bridge> on obio0

pci14: <PCI bus> on pcib1

pci14: <processor> at device 0.0 (no driver attached)

CF error busy

CF timeout busy

CF error busy

CompactFlash model CF 2GB

ata0: <Octeon Compact Flash Driver> on obio0

gblmem0 on obio0

octpkt0: <Octeon RGMII> on obio0

cfi0: <AMD/Fujitsu - 8MB> on obio0

Timecounter "mips" frequency 700000000 Hz quality 0

###PCB Group initialized for udppcbgroup

###PCB Group initialized for tcppcbgroup

md0: Preloaded image </isofs-install-srxsme> 16795648 bytes at 0x80f430e4

WARNING: Expected rawoffset 2584512, found 63

da0 at umass-sim0 bus 0 target 0 lun 0

da0: <JetFlash Transcend 2GB 1100> Removable Direct Access SCSI-4 device

da0: 40.000MB/s transfers

da0: 1920MB (3932160 512 byte sectors: 255H 63S/T 244C)

Trying to mount root from cd9660:/dev/md0

WARNING: preposterous time in file system

Kernel thread "wkupdaemon" (pid 47) exited prematurely.

WARNING: clock 11297 days greater than file system time

tty: not found

Starting JUNOS installation:

    Source Package: disk0:/junos-srxsme-12.3X48-D70.3-domestic.tgz

    Target Media  : internal

    Product       : srx650

Computing slice and partition sizes for /dev/ad0 ...

Attempting to save existing configuration...

Could not find any existing configuration.

Formatting target media /dev/ad0 ...

Preparing to create slices on /dev/ad0

/dev/ad0: 4097520 sectors [C:4065 H:16 S:63 SS:512]

Shrinking sWARNING: Expected rawoffset 2584512, found 63

WARNING: Expected rawoffset 3968496, found 63

lice 1 by 64 blocks for alignment

Shrinking slice 2 by 32 blocks for alignment

Shrinking slice 3 by 464 blocks for alignment

1+0 records in

1+0 records out

512 bytes transferred in 0.000260 secs (1968363 bytes/sec)

Creating slices:

g c4065 h16 s63

p 1    0xA5 2048 1292224

p 2    0xA5 1294272 1292256

p 3    0xA5 2586528 1383984

p 4    0xA5 3970512 127008

a 1

******* Working on device /dev/ad0 *******

fdisk: /tmp/mbr: length must be a multiple of sector size

ERROR: Execution failed for command fdisk

Waiting (max 60 seconds) for system process `vnlru_mem' to stop...done

Waiting (max 60 seconds) for system process `vnlru' to stop...done

Waiting (max 60 seconds) for system process `bufdaemon' to stop...done

Waiting (max 60 seconds) for system process `syncer' to stop...

Syncing disks, vnodes remaining...1 0 done

 

syncing disks... All buffers synced.

Uptime: 12s

Resetting all PIMs

Rebooting...

cpu_reset: Stopping other CPUs

 

 

U-Boot 1.1.6-JNPR-1.9 (Build time: May 17 2010 - 06:30:31)

 

SRX_650 board revision major:0, minor:11, serial #: AAEW1937

OCTEON CN5650-SCP pass 2.1, Core clock: 700 MHz, DDR clock: 333 MHz (666 Mhz data rate)

DRAM:  2048 MB

Starting Memory POST...

Checking datalines... OK

Checking address lines... OK

Checking 512K memory for U-Boot... OK.

Running U-Boot CRC Test... OK.

Flash:  8 MB

USB:   scanning bus for devices... 3 USB Device(s) found

       scanning bus for storage devices... 1 Storage Device(s) found

Clearing DRAM........ done

Fuse: 0x0fff, Coremask: 0x0fff

BIST check passed.

0:00:00.0 Vendor/Device ID = 0x850910b5

0:01:01.0 Vendor/Device ID = 0x850910b5

0:02:00.0 Vendor/Device ID = 0xb68014e4

Boot Media: usb internal-compact-flash external-compact-flash

Net:   octeth0, octeth1, octeth2, octeth3

 

  ide 0: Model: CF 2GB Firm: 20080112 Ser#: 2012B     0000165041

            Type: Removable Hard Disk

            Capacity: 2000.7 MB = 1.9 GB (4097520 x 512)

POST Passed

Press SPACE to abort autoboot in 1 seconds

ELF file is 32 bit

Loading .text @ 0x8f000078 (244680 bytes)

Loading .rodata @ 0x8f03bc40 (13940 bytes)

Loading .rodata.str1.4 @ 0x8f03f2b4 (16432 bytes)

Loading set_Xcommand_set @ 0x8f0432e4 (100 bytes)

Loading .rodata.cst4 @ 0x8f043348 (20 bytes)

Loading .data @ 0x8f044000 (5608 bytes)

Loading .data.rel.ro @ 0x8f0455e8 (120 bytes)

Loading .data.rel @ 0x8f045660 (136 bytes)

Clearing .bss @ 0x8f0456e8 (11656 bytes)

## Starting application at 0x8f000078 ...

Consoles: U-Boot console

Found compatible API, ver. 1.9

 

FreeBSD/MIPS U-Boot bootstrap loader, Revision 1.9

(builder@zigeth.juniper.net, Mon May 17 05:45:58 UTC 2010)

Memory: 2048MB

[8]Booting from usb slice 1

Un-Protected 1 sectors

writing to flash...

Protected 1 sectors

\

can't load '/kernel'

can't load '/kernel.old'

Press Enter to stop auto bootsequencing and to enter loader prompt.

 

 

Type '?' for a list of commands, 'help' for more detailed help.

loader>

REST API Networks


Hi,


From what I can see and what I have read, it looks like the "allowed-sources" in the REST API has to be inserted with a host address only. Maybe I have missed something somewhere:

 

We have developers accessing from two subnet ranges (/24) in Azure..... as they cannot readily state what address from the /24 they will be coming from, I do want to have to insert 254 address x 2 in the REST API "Allowed-sources"......

 

Is there a way of allowing a whole subnet access without resorting to individual addresses please?

 

Thanks

Global Policy and need for Zones


Hi everyone.

Let's say we have an SRX and only a Global Security Policy that allows all traffic.  In Global Policy, no zone pair is checked; traffic is evaluated against the Global policy alone.

This is what I see:

1) When all zones were deleted, no transit traffic flows though Global Policy allows all traffic

2) Zones are still needed even if we use Global Policy alone on the SRX for transit traffic.

 

My question is: why do we need zones when using Global Policy only, as no zone is checked in Global policy?

 

Thanks and have a nice weekend!!

 

Re: Global Policy and need for Zones


Interfaces that are not explicitly assigned to any zone are assigned to the special null zone.  By design, traffic hitting the null zone is dropped.

Even though you do not have to specify zones in global policies, you can.

An example:

set security policies global policy Pa match source-address any
set security policies global policy Pa match destination-address any
set security policies global policy Pa match application any
set security policies global policy Pa match from-zone zone1
set security policies global policy Pa match from-zone zone2
set security policies global policy Pa match to-zone zone3
set security policies global policy Pa match to-zone zone4
set security policies global policy Pa then permit

As you can see global policies are more flexible than just permitting/denying traffic from all zones.

 

Regards, Wojtek

 


Re: SRX650 - software installation problem


It looks like your internal flash drive on the SRX650 has failed.

 

ERROR: Execution failed for command fdisk

 

If you have hardware support, open a ticket and get an RMA started on the device.

 

If you don't have any support, you have two options:

 

1-if you have another of the same model, you can run a snapshot of the device to USB and then boot and run the SRX from the USB instead of the internal flash.

 

2-you can open the case (which would void support if you have it) and try to see if the internal flash is removable in this model.  In some it is in a slot and in others not.  I don't know what the case is on the SRX650.

 

Re: REST API Networks


Unfortunately, subnets are not allowed, only IP addresses.

 

This is based on the assumption (not correct here) that the calls will be made from some sort of permanent server platform.  So that is one option: set up a common VM that all in both teams can use to initiate the REST calls.

 

The other option is to insert some kind of NAT in the path between these subnets and the SRX that can change the source address for these calls to a common single shared address.

 

Re: Route based VPNs have disappearing static routes when IKE/VPN activate


I opened a ticket with JTAC and they got me going. We removed vpn-monitor, then added proxy-id for one VPN and traffic selector for the second VPN. My static routes now appear correctly and the VPNs are working.

 

Thanks for all the assistance.

SRX1400 Trunk Issue


I have the following design:

 

1.jpg

Everything in the design is working fine except that ping from the L3 Core (Vlan1) to irb.1 and from irb.1 to the L2 Switch (Vlan1) is not working, while when I tested directly between the L3 Core Switch and the L2 Switch without the SRX1400 it worked fine.

 

L3 core trunk port configuration:

interface GigabitEthernet3/12
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast

 

SRX1400 full configuration:

 

 

--- JUNOS 12.3X48-D30.7 built 2016-04-28 23:06:10 UTC
admin@CIG-HQ> show configuration | no-more
## Last commit: 2018-06-10 13:57:58 AST by admin
version 12.3X48-D30.7;
system {
host-name CIG-HQ;
time-zone Asia/Riyadh;
root-authentication {
encrypted-password "$1$0Vlub5Bk$LRLDbkWelNyywtRN5EF.L/"; ## SECRET-DATA
}
login {
user admin {
uid 2001;
class super-user;
authentication {
encrypted-password "$1$5cHL8ROh$f2jSRb/fVeJE4.a8ZHfQc1"; ## SECRET-DATA
}
}
}
services {
ssh;
telnet;
web-management {
http;
}
}
}
security {
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy untrust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust13 to-zone untrust13 {
policy trust13-to-untrust13 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust13 to-zone trust13 {
policy untrust13-to-trust13 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust10 to-zone untrust10 {
policy trust10-to-untrust10 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust10 to-zone trust10 {
policy untrust10-to-trust10 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust500 to-zone untrust500 {
policy trust500-to-untrust500 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust500 to-zone trust500 {
policy untrust500-to-trust500 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust51 to-zone untrust51 {
policy trust51-to-untrust51 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust51 to-zone trust51 {
policy untrust51-to-trust51 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust5 to-zone untrust5 {
policy trust5-to-untrust5 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust5 to-zone trust5 {
policy untrust5-to-trust5 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust15 to-zone untrust15 {
policy trust15-to-untrust15 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust15 to-zone trust15 {
policy untrust15-to-trust15 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone untrust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
ge-2/0/8.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.0;
ge-2/0/9.0;
}
}
security-zone untrust13 {
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust13 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/3.0;
}
}
security-zone untrust10 {
interfaces {
ge-2/0/2.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust10 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/6.0;
}
}
security-zone untrust12 {
interfaces {
ge-2/0/3.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust12 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/7.0;
}
}
security-zone untrust14 {
interfaces {
ge-2/0/4.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust14 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/8.0;
}
}
security-zone untrust16 {
interfaces {
ge-2/0/6.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust16 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/10.0;
}
}
security-zone untrust17 {
interfaces {
ge-2/0/7.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust17 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/11.0;
}
}
security-zone untrust51 {
interfaces {
ge-2/0/12.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust51 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-2/0/13.0;
}
}
security-zone untrust500 {
interfaces {
ge-2/0/14.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust500 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-2/0/15.0;
}
}
security-zone untrust5 {
interfaces {
ge-2/0/10.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust5 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-2/0/11.0;
}
}
security-zone untrust15 {
interfaces {
ge-2/0/5.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone trust15 {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/9.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 9;
}
}
}
ge-0/0/1 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 9;
}
}
}
ge-0/0/2 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 13;
}
}
}
ge-0/0/3 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 13;
}
}
}
ge-0/0/6 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 10;
}
}
}
ge-0/0/7 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 12;
}
}
}
ge-0/0/8 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 14;
}
}
}
ge-0/0/9 {
unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list 1-17;
}
}
}
ge-0/0/10 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 16;
}
}
}
ge-0/0/11 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 17;
}
}
}
ge-2/0/2 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 10;
}
}
}
ge-2/0/3 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 12;
}
}
}
ge-2/0/4 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 14;
}
}
}
ge-2/0/5 {
unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list 1-17;
}
}
}
ge-2/0/6 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 16;
}
}
}
ge-2/0/7 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 17;
}
}
}
ge-2/0/8 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 9;
}
}
}
ge-2/0/9 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 9;
}
}
}
ge-2/0/10 {
unit 0 {
family inet {
address 172.22.22.2/30;
}
}
}
ge-2/0/11 {
unit 0 {
family inet {
address 10.5.0.1/24;
}
}
}
ge-2/0/12 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 51;
}
}
}
ge-2/0/13 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 51;
}
}
}
ge-2/0/14 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 500;
}
}
}
ge-2/0/15 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 500;
}
}
}
irb {
unit 0 {
family inet {
address 130.1.10.1/16;
}
}
unit 1 {
family inet {
address 10.1.0.200/16;
}
}
unit 4 {
family inet {
address 10.14.10.10/16;
}
}
unit 5 {
family inet {
address 10.15.10.10/16;
}
}
unit 6 {
family inet {
address 10.16.10.10/16;
}
}
unit 7 {
family inet {
address 10.17.10.10/16;
}
}
unit 8 {
family inet {
address 10.8.0.10/16;
}
}
unit 10 {
family inet {
address 10.10.10.10/16;
}
}
unit 12 {
family inet {
address 10.50.1.10/24;
}
}
unit 13 {
family inet {
address 172.18.10.10/16;
}
}
}
}
snmp {
community public {
authorization read-only;
}
}
routing-instances {
nournet {
instance-type virtual-router;
interface ge-2/0/10.0;
interface ge-2/0/11.0;
routing-options {
static {
route 0.0.0.0/0 next-hop 10.5.0.3;
route 130.1.0.0/16 next-hop 172.22.22.1;
route 10.0.0.0/8 next-hop 172.22.22.1;
route 192.168.0.0/16 next-hop 172.22.22.1;
}
}
}
}
bridge-domains {
vlan1 {
domain-type bridge;
vlan-id 1;
routing-interface irb.1;
}
vlan15 {
domain-type bridge;
vlan-id 15;
routing-interface irb.5;
}
vlan500 {
domain-type bridge;
vlan-id 500;
routing-interface irb.13;
}
vlan51 {
domain-type bridge;
vlan-id 51;
routing-interface irb.12;
}
vlan8 {
domain-type bridge;
vlan-id 8;
routing-interface irb.8;
}
}

admin@CIG-HQ>

 

 

 

 

Re: SRX1400 Trunk Issue


You have to assign irb.1 to a security or functional zone and specify ping under host-inbound-traffic.

 

Regards, Wojtek
