Solved: Re: InterVLAN routing not working Cisco/Juniper network

Hassaan · ‎11-08-2019

Hi all,

As the title suggests I'm creating a network which is a mix of Juniper and Cisco switches with a Juniper srx240 firewall as the gateway to the outside world. I have an existing network consisting of Juniper EX family switches with our data centre also connected to these.

My network currently looks like this:

Connectivity with ping is successful between the following IPs:

172.16.2.146 and 172.16.2.148

dhcp server to 172.16.2.146

172.16.20.126 to 172.16.2.146

172.16.29.254 to 172.16.2.146

However connectivity is unsuccessful between the following:

172.16.20.126 to 172.16.2.148

172.16.29.254 to 172.16.2.148

I created an IP helper address on the cisco 9500 data VLAN SVI interface to the DHCP server.

But the issue right now is more local... basically despite the static routes in place it looks to me like interVLAN routing is not working even within the C9500.

I tried adding "ip routing", didn't work.

Moved the IP 172.16.2.146 to the physical interface on the C9500 (by applying "no switchport"), also didn't work.

I created a static route from the juniper side to the internal IPs on the Cisco side and that made things worse as it broke the whole connection between the C9500 and the SRX.

I feel like I'm missing something really obvious but it's starting to get frustrating. Hope someone here can provide a fresh perspective.

Happy to show my configs if required.

pieterh · ‎11-08-2019

both Juniper interfaces have an address (.148 and .149) in the same /29 network 172.16.2.145 - 172.16.2.150

is that intentional ?

View solution in original post

pieterh · ‎11-08-2019

some information is missing

you mention SVI's and VLAN's

but not on the 9200? -> here the management ip is also on a SVI? in the same vlan as the 9500?

and the connection between the 9200 and 9500 is a (vlan) trunk? or are they access ports?

Hassaan · ‎11-08-2019

Yes the management IPs are on an SVI on both 9500 and 9200. They are both configured with the same vlan ID.

The link between the 2 switches is a trunk and I have allowed both the management and data vlan on it.

pieterh · ‎11-08-2019

both Juniper interfaces have an address (.148 and .149) in the same /29 network 172.16.2.145 - 172.16.2.150

is that intentional ?

Hassaan · ‎11-08-2019

Yes it is intentional, but only for the reason of simplicity and trying to save subnet space (eventually the Juniper network will be phased out and was planning to keep the same addressing scheme).

Regardless, I changed the connection from firewall to c9500 to a different subnet 172.16.2.152/29, just in case it might be because some routing issue. Did not make any difference and I still have the same issue.

Hassaan · ‎11-08-2019

Looking at this further, i've now realized what the problem is. I did indeed need to put the two firewall interfaces on different subnets. When they are on the same subnet and i try to ping the firewall from the c9500 the firewall will get confused on choosing the return path.

I've now fixed this by creating a static route on the firewall for the return path to the now new different subnet.

I knew it would be something obvious.

Thanks pieterh for pointing me in the right direction.

I'll now try and get the dhcp working!