SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  ISIS And new VR Routing Instance

     
    Posted 12-12-2017 08:48

    Hi,

     

    I am trying to test some new security policies and have configured new zones and VRs.... but the Junos SRX seems to handle it differently from the old ScreenOS....

     

    So I created 2 x new VRs labelled Green-VR and Customer-VR.... I then created 2 x zones labelled Green-DMZ and Customer-Network.... I then applied interface ge-0/0/2 to the Green side and interface ge-0/0/4 to the Customer side.

     

    Okay, all good so far and committed okay....

     

    So, then I complete the following command:

     

    set interfaces ge-0/0/2 unit 0 family iso

     

    Commit okay

     

    set protocols isis interface ge-0/0/2.0

     

    And I get the following error:

     

    [edit protocols isis]
      'interface ge-0/0/2.0'
        IS-IS: interface is not in this instance
    error: configuration check-out failed

     

    Presumably because ISIS does not know about the new VR and needs to know about it... but how? I can't find any documentation about this...

     

    The SRX config is very simple:

     

    set version 15.1X49-D110.4
    set system root-authentication encrypted-password "$5$z0x/bUE1$7a0.XL.aD8Tj4HrTCLYWvinpjKFmI79nFjbCJF8HXj4"
    set system name-server 8.8.8.8
    set system name-server 8.8.4.4
    set system login user Clive uid 2000
    set system login user Clive class super-user
    set system login user Clive authentication encrypted-password "$5$Qx1BnOI.$haJ9bhIUBcROyvUpibcE4UkYuYSuB8qTIMufMaaA7q9"
    set system login user Jim uid 2003
    set system login user Jim class super-user
    set system login user Jim authentication encrypted-password "$5$2jd10ZcZ$WH.lj5bRlh7P4qV3tEDJnM2hwkAiT3OAADRi3j5Wqb8"
    set system login user Lee uid 2002
    set system login user Lee class super-user
    set system login user Lee authentication encrypted-password "$5$EGzUTmfP$9ySV5xu4jyoPAno2qfRCjjDsAg1r9hreOFSu7luLXE/"
    set system login user Oliver uid 2004
    set system login user Oliver class super-user
    set system login user Oliver authentication encrypted-password "$5$nHRTwAfF$O.7LJxttsI8Rgb8Qd/n0oEszEKk4CsE3GyLpyVcl5y/"
    set system login user Stephen uid 2001
    set system login user Stephen class super-user
    set system login user Stephen authentication encrypted-password "$5$okr6bMjJ$bRThHm0wAqEB6T.QmSlbv.VRx31GvaNPhlC4K.0tHmD"
    set system services ssh
    set system services xnm-clear-text
    set system services netconf ssh
    set system services dhcp-local-server group jdhcp-group interface ge-0/0/1.0
    set system services web-management https system-generated-certificate
    set system syslog user * any emergency
    set system syslog file messages any notice
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system max-configurations-on-flash 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system phone-home server https://redirect.juniper.net
    set system phone-home rfc-complaint
    set security log mode stream
    set security log report
    set security forwarding-options family inet6 mode flow-based
    set security forwarding-options family iso mode packet-based
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/1.0
    set security zones security-zone trust interfaces ge-0/0/3.0
    set security zones security-zone trust interfaces xe-0/0/16.0
    set security zones security-zone trust interfaces xe-0/0/17.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone NineGroup-DMZ interfaces ge-0/0/2.0
    set security zones security-zone Customer-Network interfaces ge-0/0/4.0
    set interfaces ge-0/0/0 unit 0 family inet dhcp-client update-server
    set interfaces ge-0/0/1 unit 0 family inet
    set interfaces ge-0/0/2 unit 0 description TO-THW-RADIUS-SERVER
    set interfaces ge-0/0/2 unit 0 family inet address 172.16.16.39/24
    set interfaces ge-0/0/2 unit 0 family iso
    set interfaces ge-0/0/3 unit 0 family inet
    set interfaces ge-0/0/4 unit 0 family inet address 192.168.1.2/24
    set interfaces ge-0/0/4 unit 0 family iso
    set interfaces xe-0/0/16 unit 0 description Group-ae2
    set interfaces xe-0/0/16 unit 0 family inet
    set interfaces xe-0/0/17 unit 0 family inet
    set interfaces xe-0/0/18 unit 0 description Group-ae2
    set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
    set interfaces ae2 unit 0 family iso
    set interfaces fxp0 unit 0 family inet address 185.89.120.8/24
    set interfaces lo0 unit 0 family inet address 195.80.0.3/32
    set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0003.00
    set interfaces lo0 unit 0 family inet6 address 2a05:d840:000e:ffff:ffff:ffff:0000:0001/128
    set routing-options static route 172.16.16.0/24 next-hop 172.16.16.39
    set protocols isis export export_statics
    set protocols isis level 1 authentication-key "$9$sxYJD.mT3/t5QtOIcvM-VwYaZDikPTz"
    set protocols isis level 1 authentication-type md5
    set protocols isis level 2 authentication-key "$9$Yo2ZjmPQn9pTzpBRSMWdbs2JGjHqfQF"
    set protocols isis level 2 authentication-type md5
    set protocols isis interface ae2.0
    set protocols isis interface lo0.0 passive
    set policy-options policy-statement export_statics term 1 from protocol static
    set policy-options policy-statement export_statics term 1 then accept
    set access address-assignment pool junosDHCPPool family inet network 192.168.2.0/24
    set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.2.2
    set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.2.254
    set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.2.1
    set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
    set routing-instances Customer-VR instance-type virtual-router
    set routing-instances Customer-VR interface ge-0/0/4.0
    set routing-instances NineGroup-VR instance-type virtual-router
    set routing-instances NineGroup-VR interface ge-0/0/2.0

     

    Thanks



  • 2.  RE: ISIS And new VR Routing Instance

    Posted 12-12-2017 08:52

    Hello,

    Please try 

    set routing-instances Green-VR protocols isis interface ge-0/0/2.0

    HTH

    Thx

    Alex



  • 3.  RE: ISIS And new VR Routing Instance

     
    Posted 12-12-2017 09:14

    Hi,

     

    Yes, I kind of thought that. I managed to find that command after hunting, and thank you also for posting it here.

    I have entered the command into the VRs (both, as you suggested). I committed and then completed a:

     

    run show route

     

    To see what the result would be, and there is still no route to the required networks (and it is directly connected)..... I know that ping is not currently enabled, but there is also a "No route to host" showing..... Very weird.



  • 4.  RE: ISIS And new VR Routing Instance

    Posted 12-12-2017 10:57

    Hello,

    It looks like You don't have a NET in this VR and hence no ISIS adjacency.

    Please add these lines:

    set interfaces lo0.100 family iso address <NET>
    set interfaces lo0.100 family inet
    set routing-instances Custom-VR interface lo0.100
    set routing-instances Custom-VR protocols isis interface lo0.100

    As to why You cannot ping a directly-connected IP - please make sure You issue the ping command with the "routing-instance" option.

    HTH

    Thx

    Alex



  • 5.  RE: ISIS And new VR Routing Instance

     
    Posted 12-13-2017 00:42

    Hi,

     

    Thanks for the response. Yes, I entered all of that configuration.... I did not ping from the routing-instance.... that is probably the issue then.... I will do that.... thank you.

     

    Why would I use lo0.100? Is this so I can separate the same physical interface across multiple VRs... i.e. lo0.100 to Custom-vr1, lo0.200 to Custom-vr2, lo0.300 to trust-vr and so on?



  • 6.  RE: ISIS And new VR Routing Instance
    Best Answer

    Posted 12-13-2017 06:51

    Hello,


    @adgwytc wrote:

     

    Why would I use lo0.100? Is this so I can separate the same physical interface across multiple VRs... i.e. lo0.100 to Custom-vr1, lo0.200 to Custom-vr2, lo0.300 to trust-vr and so on?


    The best practice is to have lo0.0 in global table and lo0.X (where X>0) in custom routing instances, one unique lo0.X per instance.

    Apart from providing a stable interface to have Your router-id advertised from, they usually have CoPP filters assigned, which can vary by instance (i.e. if You don't have a DHCP server/client enabled in a routing-instance, then there is no point allowing DHCP into Your control plane via that instance, etc.).

    Also, the lo0.0 or lo0.X is the best place to have ISO NET assigned.

    You can have NET assigned to ge-0/0/2.0 if You have only 1 logical subinterface in Your custom VR.

    HTH

    Thx
    Alex
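
    Pulling replies 2, 4 and 6 together into one complete routing-instance configuration, as an added example that is not part of the thread (Alex's replies give the individual lines; this is an editor's assembly of them against the config posted in message 1). It uses the poster's Customer-VR / ge-0/0/4 side. The lo0.100 address 192.168.255.1/32, the NET 49.0002.1921.6800.1002.00 (area 49.0002, system ID formed from 192.168.1.2), the filter name Customer-VR-CoPP, the management prefix 192.168.1.0/24, the neighbour address 192.168.1.1 and the placeholder authentication keys are all assumptions, not values from the thread. Lines are in Junos set format like the posted config; the `##` lines are annotations, strip them before pasting into `load set terminal`.

```junos
## Added example, not from the thread: IS-IS inside the Customer-VR virtual router.
## Assumed values: lo0.100 address, NET, filter name, management prefix, auth keys.

## 1. Per-instance loopback (reply 6): lo0.0 stays in the global table,
##    lo0.100 is unique to Customer-VR and carries the instance's NET and router-id.
set interfaces lo0 unit 100 description Customer-VR-loopback
set interfaces lo0 unit 100 family inet address 192.168.255.1/32
set interfaces lo0 unit 100 family iso address 49.0002.1921.6800.1002.00
set interfaces lo0 unit 100 family inet filter input Customer-VR-CoPP

## 2. Customer-facing interface: family iso is required for IS-IS PDUs
##    (already present in the posted config, repeated here for completeness).
set interfaces ge-0/0/4 unit 0 family inet address 192.168.1.2/24
set interfaces ge-0/0/4 unit 0 family iso

## 3. Bind both logical interfaces to the instance (reply 4). Without lo0.100 the
##    VR has no NET and forms no adjacency; an interface referenced by the
##    instance's IS-IS but not listed here fails commit with
##    "IS-IS: interface is not in this instance".
set routing-instances Customer-VR instance-type virtual-router
set routing-instances Customer-VR interface ge-0/0/4.0
set routing-instances Customer-VR interface lo0.100

## 4. IS-IS is configured under the instance, not under [edit protocols] (reply 2).
##    Level authentication mirrors the global instance; keys typed in clear text
##    are stored as $9$ obfuscated strings at commit.
set routing-instances Customer-VR protocols isis level 1 authentication-type md5
set routing-instances Customer-VR protocols isis level 1 authentication-key "CUSTOMER-VR-L1-KEY-CHANGE-ME"
set routing-instances Customer-VR protocols isis level 2 authentication-type md5
set routing-instances Customer-VR protocols isis level 2 authentication-key "CUSTOMER-VR-L2-KEY-CHANGE-ME"
set routing-instances Customer-VR protocols isis interface ge-0/0/4.0
set routing-instances Customer-VR protocols isis interface lo0.100 passive

## 5. Control-plane filter on the instance loopback (reply 6): only what this
##    instance actually needs reaches the RE. No DHCP here, SSH only from the
##    assumed customer management prefix, everything else logged and dropped.
set firewall family inet filter Customer-VR-CoPP term icmp from protocol icmp
set firewall family inet filter Customer-VR-CoPP term icmp then accept
set firewall family inet filter Customer-VR-CoPP term ssh-from-customer-mgmt from source-address 192.168.1.0/24
set firewall family inet filter Customer-VR-CoPP term ssh-from-customer-mgmt from protocol tcp
set firewall family inet filter Customer-VR-CoPP term ssh-from-customer-mgmt from destination-port ssh
set firewall family inet filter Customer-VR-CoPP term ssh-from-customer-mgmt then accept
set firewall family inet filter Customer-VR-CoPP term deny-rest then log
set firewall family inet filter Customer-VR-CoPP term deny-rest then discard

## 6. ISO stays packet-based on the SRX (already in the posted config).
set security forwarding-options family iso mode packet-based

## Verify from operational mode; the routing-instance qualifier is the point of reply 4.
##   show isis adjacency instance Customer-VR
##   show isis interface instance Customer-VR
##   show route table Customer-VR.inet.0
##   ping 192.168.1.1 routing-instance Customer-VR count 3
```

    The inet filter on lo0.100 only governs IP traffic reaching the RE through this instance; the IS-IS PDUs themselves are ISO, which is why the packet-based `family iso` forwarding line still has to be present. As Alex notes in reply 6, the NET could instead sit on ge-0/0/4.0 if that is the only logical interface in the VR, but a dedicated lo0.X per instance keeps the router-id stable and gives the filter a single attachment point.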



  • 7.  RE: ISIS And new VR Routing Instance

     
    Posted 12-19-2017 21:27

    Hi Folks,

    Just my 2 cents on this..

     

    Similar configuration, using logical systems in the box:

     

    https://forums.juniper.net/t5/Routing/How-To-Build-a-service-provider-network-with-a-single-Juniper/ta-p/302237