SRX

Expand all | Collapse all

Routing-Instance and ISIS Routing

Jump to Best Answer
  • 1.  Routing-Instance and ISIS Routing

     
    Posted 12-20-2017 09:02

    Hi all,

     

    SRX1500

     

    I have created two new VRs and also, thanks to Kingsman, enabled ISIS on these VRs with the following command:

     

    set routing-instance Customer-VR protocols isis interface ae2.0

    set interface ae2 unit 0 family iso

    set interface lo0 unit 0 family iso address 49.0001.xxxx.xxxx.xxxx.00

    set protocols isis level 1 authentication-type md5

    set protocols isis level 2 authentication-type mds

    set protocols isis level 1 authentication-key xxxxxxxx

    set protocols isis level 2 authentication-key xxxxxxxx

     

    I have also placed ae2 into the routing-instance

     

    But yet, I cannot get any ISIS routes to show in the routing tables....

     

    I have configured ISIS on the second SRX that has no new defined routing-instance and it works fine.... with dual-stack

    Any help would be greatly appreciated.

    Thanks

     



  • 2.  RE: Routing-Instance and ISIS Routing

    Posted 12-20-2017 09:08

    Hi,

     

    Can you paste your full configuration?

     

    Did you create a physical loop to create VR and running ISIS between VR?  

     

     



  • 3.  RE: Routing-Instance and ISIS Routing

     
    Posted 12-20-2017 09:16

    No Physical loop

     

    Just placed the interfaces into the VRs.

    Here is the full config..

     

    Clive@THW-SRX-01# run show configuration | display set
    set version 15.1X49-D110.4
    set system host-name THW-SRX-01
    set system root-authentication encrypted-password "$5$z0x/bUE1$7a0.XL.aD8Tj4HrTCLYWvinpjKFmI79nFjbCJF8HXj4"
    set system name-server 8.8.8.8
    set system name-server 8.8.4.4
    set system login user Clive uid 2000
    set system login user Clive class super-user
    set system login user Clive authentication encrypted-password "$5$Qx1BnOI.$haJ9bhIUBcROyvUpibcE4UkYuYSuB8qTIMufMaaA7q9"
    set system login user Jim uid 2003
    set system login user Jim class super-user
    set system login user Jim authentication encrypted-password "$5$2jd10ZcZ$WH.lj5bRlh7P4qV3tEDJnM2hwkAiT3OAADRi3j5Wqb8"
    set system login user Lee uid 2002
    set system login user Lee class super-user
    set system login user Lee authentication encrypted-password "$5$EGzUTmfP$9ySV5xu4jyoPAno2qfRCjjDsAg1r9hreOFSu7luLXE/"
    set system login user Oliver uid 2004
    set system login user Oliver class super-user
    set system login user Oliver authentication encrypted-password "$5$nHRTwAfF$O.7LJxttsI8Rgb8Qd/n0oEszEKk4CsE3GyLpyVcl5y/"
    set system login user Stephen uid 2001
    set system login user Stephen class super-user
    set system login user Stephen authentication encrypted-password "$5$okr6bMjJ$bRThHm0wAqEB6T.QmSlbv.VRx31GvaNPhlC4K.0tHmD"
    set system services ssh
    set system services xnm-clear-text
    set system services netconf ssh
    set system services dhcp-local-server group jdhcp-group interface ge-0/0/1.0
    set system services web-management https system-generated-certificate
    set system syslog user * any emergency
    set system syslog file messages any notice
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system max-configurations-on-flash 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system phone-home server https://redirect.juniper.net
    set system phone-home rfc-complaint
    set chassis aggregated-devices ethernet device-count 2
    set security log mode stream
    set security log report
    set security forwarding-options family inet6 mode flow-based
    set security forwarding-options family iso mode packet-based
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match source-address any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match destination-address any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match application any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest then permit
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match source-address any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match destination-address any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match application any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/1.0
    set security zones security-zone trust interfaces ge-0/0/3.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone NineGroup-DMZ
    set security zones security-zone Customer-Network host-inbound-traffic system-services all
    set security zones security-zone Customer-Network host-inbound-traffic protocols all
    set security zones security-zone Customer-Network interfaces ae2.0
    set interfaces ge-0/0/0 unit 0 family inet dhcp-client update-server
    set interfaces ge-0/0/1 unit 0 family inet
    set interfaces ge-0/0/2 unit 0 family inet address 195.80.0.37/30
    set interfaces ge-0/0/2 unit 0 family iso
    set interfaces ge-0/0/2 unit 0 family inet6 address 2a05:d840:0030:ffff:ffff:ffff:0000:0001/127
    set interfaces ge-0/0/3 unit 0 family inet
    set interfaces ge-0/0/4 unit 0 family inet address 192.168.1.2/24
    set interfaces ge-0/0/4 unit 0 family iso
    set interfaces xe-0/0/16 description Group-ae2
    set interfaces xe-0/0/16 gigether-options 802.3ad ae2
    set interfaces xe-0/0/17 unit 0 family inet
    set interfaces xe-0/0/18 description Group-ae2
    set interfaces xe-0/0/18 gigether-options 802.3ad ae2
    set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
    set interfaces ae2 unit 0 family inet address 195.80.0.18/30
    set interfaces ae2 unit 0 family iso
    set interfaces ae2 unit 0 family inet6 address 2a05:d840:002b:ffff:ffff:ffff:0000:0002/127
    set interfaces fxp0 unit 0 family inet address 185.89.120.8/24
    set interfaces lo0 unit 0 family inet address 195.80.0.3/32
    set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0004.00
    set interfaces lo0 unit 0 family inet6 address 2a05:d840:000e:ffff:ffff:ffff:0000:0001/128
    set routing-options static route 172.16.16.0/24 next-hop 172.16.16.39
    set protocols isis export export_statics
    set protocols isis level 1 authentication-key "$9$zyOuFCuREyKWxSrxdwgUDP5QF9AuO1hyl"
    set protocols isis level 1 authentication-type md5
    set protocols isis level 2 authentication-key "$9$Xqsxb2ZGi.fzjHz6CuEhvWLxVw24aUik"
    set protocols isis level 2 authentication-type md5
    set protocols isis interface lo0.0
    set policy-options policy-statement export_statics term 1 from protocol static
    set policy-options policy-statement export_statics term 1 then accept
    set access address-assignment pool junosDHCPPool family inet network 192.168.2.0/24
    set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.2.2
    set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.2.254
    set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.2.1
    set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
    set routing-instances Customer-VR instance-type virtual-router
    set routing-instances Customer-VR interface ae2.0
    set routing-instances Customer-VR protocols isis level 1 authentication-key "$9$29gGiPfz6CuQFu1EyW8VwYgZUik.5z3"
    set routing-instances Customer-VR protocols isis level 1 authentication-type md5
    set routing-instances Customer-VR protocols isis level 2 authentication-key "$9$lOzeLNsYoGjq4aqfQnpuhSre8XNdb2oJ"
    set routing-instances Customer-VR protocols isis level 2 authentication-type md5
    set routing-instances Customer-VR protocols isis interface ae2.0
    set routing-instances NineGroup-VR instance-type virtual-router
    set routing-instances NineGroup-VR interface ge-0/0/2.0
    set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0

     

    Thank you



  • 4.  RE: Routing-Instance and ISIS Routing

    Posted 12-20-2017 09:26
    Hi,

    Do you see isis adjacency up in the VR? I don’t see any iso address configured in VR.

    Create one loopback, assign ISO address to it and add in Customer-VR

    Set interface lo0.10 family iso address 49.xxxx.xxxx.xxxx.xxxx.00

    set routing-instance Customer-VR interface lo0.10


    Let us know if it still doesn’t work.


  • 5.  RE: Routing-Instance and ISIS Routing

    Posted 12-20-2017 12:21

    Hi,

     

    You can also configure the ISO address in ae2 interface at both end. Below is the sample config:

     

    set routing-instances VR2 instance-type virtual-router
    set routing-instances VR2 interface ge-0/0/0.0
    set routing-instances VR2 protocols isis interface ge-0/0/0.0

    set interfaces ge-0/0/0 unit 0 family iso address 49.0001.1950.0080.0004.00

     

    set routing-instances VR1 instance-type virtual-router
    set routing-instances VR1 interface ge-0/0/0.0
    set routing-instances VR1 protocols isis interface ge-0/0/0.0

    set interfaces ge-0/0/0 unit 0 family iso address 49.0001.1950.0080.0005.00

     

    show isis adjacency instance VR2
    Interface System L State Hold (secs) SNPA
    ge-0/0/0.0 R1_re0-VR1 1 Up 8 56:68:a3:17:57:32
    ge-0/0/0.0 R1_re0-VR1 2 Up 7 56:68:a3:17:57:32

     

    [KUDOS PLEASE! If you think I earned it!

    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

     

     



  • 6.  RE: Routing-Instance and ISIS Routing

    Posted 12-20-2017 12:27
    Yeah,

    Well we can assign it to any interface but loopback is the best practice.


  • 7.  RE: Routing-Instance and ISIS Routing

    Posted 12-20-2017 12:38

    Hi Kingsman,

     

    I agree with you.



  • 8.  RE: Routing-Instance and ISIS Routing

     
    Posted 12-21-2017 02:01

    Hi,

     

    Thank you guys for the responses.... awesome..... I have not yet had a chance to configure this, but will be completing this morning. As another quick quesiton regarding this configuration.....

     

    If I create a new Loopback sub-int....i.e lo0.10  .... would I also assign the IPv4 and IPv6 addresses to this loopback subint rather than the main lo0?

    So I should end up with

     

    set interfaces lo0.10 unit 0 family inet address 192.168.1.10/32

    set interfaces lo0.10 unit 0 family inet6 address 4a06:334a:0049:ffff:ffff:ffff:0000:0001/128

    set interfaces lo0.10 unit 0 family iso address 49.0001.xxxx.xxxx.xxxx.00

     

    and then assign that subint to the VR with:

     

    set routing-instance Customer-VR interface lo0.10

     

    Thanks in advance



  • 9.  RE: Routing-Instance and ISIS Routing

    Posted 12-21-2017 03:04

    Hi,

     

    You can assign an address to all the units of loopback (including 0). Junos only allow one loopback in global table so any new unit interface you create must be in routing-instance.

    You can keep lo0 in global table and lo0.10 in routing-instance and assign both of them an IP address.

     

    HTH



  • 10.  RE: Routing-Instance and ISIS Routing

     
    Posted 12-21-2017 08:39

    Hi,

     

    Thank you for tha response. Okay, I have a strange issue occuring.... I have configured as suggested:

     

    set interfaces lo0.10 family inet address xxx.xxx.xxx.xxx

    set interfaces lo0.10 family inet6 address xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx

    set interfaces lo0.10 family iso address 49.0001.xxxx.xxxx.xxxx.00

     

    set routing-instance Customer-VR interface ae2

    set routing-instance Customer-VR protocols isis interface ae2

     

    Now, I get ISIS routes being advertised now, which is awesome work from you guys, but now I have an extremely frustrating, but I am sure easily solved, problem....

     

    SRX-A --> MX240 --> MX240 --> SRX-B

     

    SRX-A has the Customer-VR but SRX-B has no new VRs associated with it....

     

    If I ping from the ae2 interface from SRX-B to the ae2 interface of SRX-A, I get a response, which is brilliant.

    If I ping from the ae2 interface on SRX-A to the ae2 interface on SRX-B I get a "No route to host" response..... On SRX-B there is a route via the correct interface to SRX-A and on SRX-A there is a correct route to SRX-B.... How is this possible.....

     

    In fact, from SRX-A I cannot even ping the directly connected neighbor as I get the "no route to host" response.... this is very obviously related to the VR, but I am unsure how?

     

    Thanks



  • 11.  RE: Routing-Instance and ISIS Routing
    Best Answer

    Posted 12-21-2017 08:50
    Hi,

    On SRX-A ae2 is in routing-instance. Are you using “ping x.x.x.x routing-instance Customer-VR” while pinging form SRX-A?


  • 12.  RE: Routing-Instance and ISIS Routing

     
    Posted 12-21-2017 09:30

    I am a bloody idiot sometimes..... I have been telling another Colleague that when a VR is being used EVERYTHING must be done via that VR and then I make that mistake..... Sorry for waisting your time....

     

     



  • 13.  RE: Routing-Instance and ISIS Routing

    Posted 12-21-2017 09:39
    No worries! ☺ It happens sometime.

    Please help close the thread so that others can benefit from it.


  • 14.  RE: Routing-Instance and ISIS Routing

     
    Posted 01-02-2018 04:04

    Hi,

     

    I'm re-opening this thread because I have a secondary issue regarding isis routing and the VRs created....

     

    On one SRX1500 I have created 2 x VRs.... one is called Customer-VR and the other Test-VR. One VR faces the Data Network and one VR faces a DMZ, where the RADIUS is located. From an L2TP perspective, the PPP requests will be answered via the RADIUS so routing is required all the way through.

     

    The Customer-VR can ping the other SRX1500 Customer-VR with no issue on IPv6 and IPv4, however, even on a directly connected router I have no route to the IPv6 or IPv4 address on the Test-VR. Below is the configuration I have used:

     

    set interfaces ge-0/0/2 unit 0 family inet address xxx.xxx.xxx.xxx/30
    set interfaces ge-0/0/2 unit 0 family iso
    set interfaces ge-0/0/2 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/127

    set interfaces lo0 unit 0 family inet address xxx.xxx.xxx.xxx/32
    set interfaces lo0 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128
    set interfaces lo0 unit 10 family iso address 49.0001.xxxx.xxxx.xxxx.00

    set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
    set interfaces ae2 unit 0 family inet address xxx.xxx.xxx.xxx/30
    set interfaces ae2 unit 0 family iso
    set interfaces ae2 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/127

    set security zones security-zone NineGroup-DMZ host-inbound-traffic system-services all
    set security zones security-zone NineGroup-DMZ host-inbound-traffic protocols all
    set security zones security-zone NineGroup-DMZ interfaces ge-0/0/2.0
    set security zones security-zone Customer-Network host-inbound-traffic system-services all
    set security zones security-zone Customer-Network host-inbound-traffic protocols all
    set security zones security-zone Customer-Network interfaces ae2.0

    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match source-address any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match destination-address any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match application any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest then permit
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match source-address any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match destination-address any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match application any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 then permit

    set routing-instances Customer-VR interface ae2.0
    set routing-instances Customer-VR interface lo0.10
    set routing-instances Customer-VR protocols isis level 1 authentication-key "$9$29gGiPfz6CuQFu1EyW8VwYgZUik.5z3"
    set routing-instances Customer-VR protocols isis level 1 authentication-type md5
    set routing-instances Customer-VR protocols isis level 2 authentication-key "$9$lOzeLNsYoGjq4aqfQnpuhSre8XNdb2oJ"
    set routing-instances Customer-VR protocols isis level 2 authentication-type md5
    set routing-instances Customer-VR protocols isis interface ae2.0
    set routing-instances Customer-VR protocols isis interface lo0.10
    set routing-instances NineGroup-VR instance-type virtual-router
    set routing-instances NineGroup-VR interface ge-0/0/2.0
    set routing-instances NineGroup-VR protocols isis level 1 authentication-key "$9$Ac7/t1heK87dsWLs4JDmPn/CtBIhSrv8X"
    set routing-instances NineGroup-VR protocols isis level 1 authentication-type md5
    set routing-instances NineGroup-VR protocols isis level 2 authentication-key "$9$Woo8-woaUH.5GD5F6A1IlKM8NdwYgJUj"
    set routing-instances NineGroup-VR protocols isis level 2 authentication-type md5
    set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0

     

    There is one obvious difference in the configuration of the VRs and that is the inclusion of the lo0.10 interface that the NET address is assigned to. This is because the SRX1500 does not allow it because it is assigned already to the Customer-VR. So, my question is, how can I get the Test-VR to also be included in the ISIS routing?

     

    I could get arounf this by configuring a static address, but this will not work once live as more equipment will be connected to different ports on the SRX1500.

     

    Thanks