SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  ISIS Routing issue - Possibly easy resolution

     
    Posted 03-28-2020 06:43

    Hi,

     

    I am using IS-IS as a routing protocol throughout a Virtual network and it seemed to be working fine. Some VR issue occurred and I have had to rebuild the network, exactly the same as before. Except now, I cannot get the routes from the SRX showing in the core and the routes from the core showing in the SRX VR.

     

    So, the basic connectivity is as follows:

     

    Core-ge-0/0/2 --> SRX-ge-0/0/2 (customer-vr) --> lt-0/0/0.20 --> lt-0/0/0.21 (snmp.vr)

     

    That's it, very simple.

     

    So, basic SRX config as per below:

    set routing-instances customer-vr instance-type virtual-router
    set routing-instances customer-vr protocols isis level 1 authentication-key "$9$r40lWxN-wgaUVwQnCuEhVwY24Z"
    set routing-instances customer-vr protocols isis level 1 authentication-type md5
    set routing-instances customer-vr protocols isis level 2 authentication-key "$9$CTlRAORhclMLNylJDkP3nylKvWx"
    set routing-instances customer-vr protocols isis level 2 authentication-type md5
    set routing-instances customer-vr protocols isis interface lt-0/0/0.20
    set routing-instances customer-vr protocols isis interface ge-0/0/2.0
    set routing-instances customer-vr protocols isis interface lo0.10
    set routing-instances customer-vr interface lt-0/0/0.20
    set routing-instances customer-vr interface ge-0/0/2.0
    set routing-instances customer-vr interface lo0.10
    set routing-instances snmp-vr instance-type virtual-router
    set routing-instances snmp-vr protocols isis level 1 authentication-key "$9$iHPQF39pOR6987VYZG69Atu1"
    set routing-instances snmp-vr protocols isis level 1 authentication-type md5
    set routing-instances snmp-vr protocols isis level 2 authentication-key "$9$FvDt3CuOBEyeWIEYoGif5IEcSrv"
    set routing-instances snmp-vr protocols isis level 2 authentication-type md5
    set routing-instances snmp-vr protocols isis interface lt-0/0/0.21
    set routing-instances snmp-vr protocols isis interface ge-0/0/1.0
    set routing-instances snmp-vr protocols isis interface lo0.20
    set routing-instances snmp-vr interface lt-0/0/0.21
    set routing-instances snmp-vr interface ge-0/0/1.0
    set routing-instances snmp-vr interface lo0.20

     

    set interfaces lt-0/0/0 unit 20 description to-snmp-vr
    set interfaces lt-0/0/0 unit 20 encapsulation ethernet
    set interfaces lt-0/0/0 unit 20 peer-unit 21
    set interfaces lt-0/0/0 unit 20 family inet address 192.168.1.41/30
    set interfaces lt-0/0/0 unit 20 family iso
    set interfaces lt-0/0/0 unit 21 description to-customer-vr
    set interfaces lt-0/0/0 unit 21 encapsulation ethernet
    set interfaces lt-0/0/0 unit 21 peer-unit 20
    set interfaces lt-0/0/0 unit 21 family inet address 192.168.1.42/30
    set interfaces lt-0/0/0 unit 21 family iso
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.33/30
    set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.37/30
    set interfaces fxp0 unit 0
    set interfaces lo0 unit 0 family inet address 192.168.1.245/32
    set interfaces lo0 unit 0 family iso address 49.0001.1921.6801.0245.00
    set interfaces lo0 unit 10 family iso address 49.0001.1921.6801.0244.00
    set interfaces lo0 unit 20 family iso address 49.0001.1921.6801.0243.00

     

    set security zones security-zone customer-vr host-inbound-traffic system-services all
    set security zones security-zone customer-vr host-inbound-traffic protocols all
    set security zones security-zone customer-vr interfaces ge-0/0/2.0
    set security zones security-zone customer-vr interfaces lt-0/0/0.20
    set security zones security-zone snmp-vr host-inbound-traffic system-services all
    set security zones security-zone snmp-vr host-inbound-traffic protocols all
    set security zones security-zone snmp-vr interfaces ge-0/0/1.0
    set security zones security-zone snmp-vr interfaces lt-0/0/0.21

    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone customer-vr to-zone customer-vr policy customer-to-customer match source-address any
    set security policies from-zone customer-vr to-zone customer-vr policy customer-to-customer match destination-address any
    set security policies from-zone customer-vr to-zone customer-vr policy customer-to-customer match application any
    set security policies from-zone customer-vr to-zone customer-vr policy customer-to-customer then permit
    set security policies from-zone customer-vr to-zone snmp-vr policy customer-to-snmp match source-address any
    set security policies from-zone customer-vr to-zone snmp-vr policy customer-to-snmp match destination-address any
    set security policies from-zone customer-vr to-zone snmp-vr policy customer-to-snmp match application any
    set security policies from-zone customer-vr to-zone snmp-vr policy customer-to-snmp then permit
    set security policies from-zone snmp-vr to-zone customer-vr policy snmp-to-customer match source-address any
    set security policies from-zone snmp-vr to-zone customer-vr policy snmp-to-customer match destination-address any
    set security policies from-zone snmp-vr to-zone customer-vr policy snmp-to-customer match application any
    set security policies from-zone snmp-vr to-zone customer-vr policy snmp-to-customer then permit
    set security policies from-zone snmp-vr to-zone snmp-vr policy snmp-to-snmp match source-address any
    set security policies from-zone snmp-vr to-zone snmp-vr policy snmp-to-snmp match destination-address any
    set security policies from-zone snmp-vr to-zone snmp-vr policy snmp-to-snmp match application any
    set security policies from-zone snmp-vr to-zone snmp-vr policy snmp-to-snmp then permit

     

    That's actually a really simple configuration.

     

    Here's the very basic config on the core system:

     

    set system services ssh root-login deny
    set system services ssh no-tcp-forwarding
    set system services ssh connection-limit 3
    set chassis aggregated-devices ethernet device-count 4
    set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.9/30
    set interfaces ge-0/0/0 unit 0 family iso
    set interfaces ge-0/0/1 description group-ae0
    set interfaces ge-0/0/1 gigether-options 802.3ad ae0
    set interfaces ge-0/0/2 unit 0 description to-swindon-srx-ng
    set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.38/30
    set interfaces ge-0/0/2 unit 0 family iso
    set interfaces ge-0/0/4 description group-ae0
    set interfaces ge-0/0/4 gigether-options 802.3ad ae0
    set interfaces ae0 unit 0 description to-london-core
    set interfaces ae0 unit 0 family inet address 192.168.1.6/30
    set interfaces ae0 unit 0 family iso
    set interfaces lo0 unit 0 family inet address 192.168.1.253/32
    set interfaces lo0 unit 0 family iso address 49.0001.1921.6801.0253.00
    set routing-options static route 0.0.0.0/0 next-hop 192.168.1.10
    set protocols isis level 1 authentication-key "$9$z0NdF9p0ORSlM1Rs4ZjPf1RhcyK"
    set protocols isis level 1 authentication-type md5
    set protocols isis level 2 authentication-key "$9$B0b1clKvLNVYWLHmT3tpWLx7-w"
    set protocols isis level 2 authentication-type md5
    set protocols isis interface ge-0/0/0.0
    set protocols isis interface ge-0/0/2.0
    set protocols isis interface ae0.0
    set protocols isis interface lo0.0

     

    But I am getting no IGP routes transmitted between the SRX and the Core... very strange as it worked before, unless I have missed something somewhere.


    Cheers

     

     



  • 2.  RE: ISIS Routing issue - Possibly easy resolution
    Best Answer

     
    Posted 03-28-2020 06:59

    Ignore this please.

     

    I will only leave this up so others know what the simple resolution is:

     

    Always check interfaces, which, to be honest, I thought I had, but, alas, I missed a simple command on the main interface. I missed the following command:

     

    set interfaces ge-0/0/2 unit 0 family iso

     

    That's now configured and all working fine....
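The check described in the answer above can be automated. The following is an added example, not part of the original posts: it parses Junos `set` lines, collects every logical interface enabled under `protocols isis` (globally or inside a routing instance) and reports those without `family iso`. The sample input is an excerpt of the SRX configuration from the first post; the function name and the "master" label for the global instance are assumptions of this example.

```python
import re

# Excerpt of the SRX configuration from the first post (IS-IS and interface lines only).
SAMPLE_CONFIG = """\
set routing-instances customer-vr protocols isis interface lt-0/0/0.20
set routing-instances customer-vr protocols isis interface ge-0/0/2.0
set routing-instances customer-vr protocols isis interface lo0.10
set routing-instances snmp-vr protocols isis interface lt-0/0/0.21
set routing-instances snmp-vr protocols isis interface ge-0/0/1.0
set routing-instances snmp-vr protocols isis interface lo0.20
set interfaces lt-0/0/0 unit 20 family iso
set interfaces lt-0/0/0 unit 21 family iso
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.33/30
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.37/30
set interfaces lo0 unit 10 family iso address 49.0001.1921.6801.0244.00
set interfaces lo0 unit 20 family iso address 49.0001.1921.6801.0243.00
"""

ISIS_IF = re.compile(
    r"^set (?:routing-instances (?P<ri>\S+) )?protocols isis interface (?P<ifl>\S+)"
)
FAMILY_ISO = re.compile(r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) family iso\b")


def isis_interfaces_missing_iso(config: str):
    """Return sorted (instance, interface) pairs that run IS-IS without family iso."""
    isis_ifls, iso_ifls = set(), set()
    for line in config.splitlines():
        line = line.strip()
        m = ISIS_IF.match(line)
        if m:
            ifl = m.group("ifl")
            if "." not in ifl and ifl != "all":
                ifl += ".0"  # a bare interface name means unit 0
            isis_ifls.add((m.group("ri") or "master", ifl))
            continue
        m = FAMILY_ISO.match(line)
        if m:
            iso_ifls.add(f"{m.group('ifd')}.{m.group('unit')}")
    return sorted(p for p in isis_ifls if p[1] != "all" and p[1] not in iso_ifls)


if __name__ == "__main__":
    for instance, ifl in isis_interfaces_missing_iso(SAMPLE_CONFIG):
        ifd, unit = ifl.rsplit(".", 1)
        print(f"{instance}: {ifl} -> set interfaces {ifd} unit {unit} family iso")
```

On the posted configuration this flags `ge-0/0/2.0` in `customer-vr`, the interface fixed in the answer, and also `ge-0/0/1.0` in `snmp-vr`, which is listed under IS-IS with only `family inet`.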



  • 3.  RE: ISIS Routing issue - Possibly easy resolution

    Posted 03-28-2020 07:07

    Hello,

    Well done!

    In addition, I strongly recommend setting the router-id under each instance and in the global stanza.

    This has been known to cause major hard-to-t'shoot issues in other networks - router-id change on the fly when interface is added or removed from instance, or it bounces.

    HTH

    Thx

    Alex