SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

VR - Routing-Instance and ISIS NET address lo0 issue

  • 1.  VR - Routing-Instance and ISIS NET address lo0 issue

     
    Posted 01-02-2018 05:09

     Hi,

     

    I'm having another issue with regards to ISIS routing and multiple VRs on the SRX1500s we are using.

     

    On one SRX1500 I have created 2 x VRs ....... The issue is that lo0.10 holds the NET address for ISIS and Juniper will only allow me to enter that interface under one instance of VR and not two. The issue now being that the second interface is not being advertised. Below is the configuration I have used and hoping that someone can offer an idea of how to achieve this (Route leaking etc etc):

     

    set interfaces ge-0/0/2 unit 0 family inet address xxx.xxx.xxx.xxx/30
    set interfaces ge-0/0/2 unit 0 family iso
    set interfaces ge-0/0/2 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/127

    set interfaces lo0 unit 0 family inet address xxx.xxx.xxx.xxx/32
    set interfaces lo0 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128
    set interfaces lo0 unit 10 family iso address 49.0001.xxxx.xxxx.xxxx.00

    set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
    set interfaces ae2 unit 0 family inet address xxx.xxx.xxx.xxx/30
    set interfaces ae2 unit 0 family iso
    set interfaces ae2 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/127

    set security zones security-zone NineGroup-DMZ host-inbound-traffic system-services all
    set security zones security-zone NineGroup-DMZ host-inbound-traffic protocols all
    set security zones security-zone NineGroup-DMZ interfaces ge-0/0/2.0
    set security zones security-zone Customer-Network host-inbound-traffic system-services all
    set security zones security-zone Customer-Network host-inbound-traffic protocols all
    set security zones security-zone Customer-Network interfaces ae2.0

    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match source-address any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match destination-address any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match application any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest then permit
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match source-address any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match destination-address any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match application any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 then permit

    set routing-instances Customer-VR interface ae2.0
    set routing-instances Customer-VR interface lo0.10
    set routing-instances Customer-VR protocols isis level 1 authentication-key "$9$29gGiPfz6CuQFu1EyW8VwYgZUik.5z3"
    set routing-instances Customer-VR protocols isis level 1 authentication-type md5
    set routing-instances Customer-VR protocols isis level 2 authentication-key "$9$lOzeLNsYoGjq4aqfQnpuhSre8XNdb2oJ"
    set routing-instances Customer-VR protocols isis level 2 authentication-type md5
    set routing-instances Customer-VR protocols isis interface ae2.0
    set routing-instances Customer-VR protocols isis interface lo0.10
    set routing-instances NineGroup-VR instance-type virtual-router
    set routing-instances NineGroup-VR interface ge-0/0/2.0
    set routing-instances NineGroup-VR protocols isis level 1 authentication-key "$9$Ac7/t1heK87dsWLs4JDmPn/CtBIhSrv8X"
    set routing-instances NineGroup-VR protocols isis level 1 authentication-type md5
    set routing-instances NineGroup-VR protocols isis level 2 authentication-key "$9$Woo8-woaUH.5GD5F6A1IlKM8NdwYgJUj"
    set routing-instances NineGroup-VR protocols isis level 2 authentication-type md5
    set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0

     

    So, I need to be able to advertise both instances of VR into the ISIS routing tables...

     

    Thanks

     

     


  • 2.  RE: VR - Routing-Instance and ISIS NET address lo0 issue

    Posted 01-02-2018 05:53

    You will need a separate NET address for each routing-instance in which you run ISIS.

    The NET must be unique per "router".

     

    Therefore you also need a NET under unit 0 of lo0 for the master instance.

     

    regards

     

    alexander



  • 3.  RE: VR - Routing-Instance and ISIS NET address lo0 issue

    Posted 01-02-2018 06:06

    Hello,

    JUNOS allows duplicate addresses in different routing instances, so these 2 lines:

    set interfaces lo0 unit 20 family iso address 49.0001.xxxx.xxxx.xxxx.00
    set routing-instances NineGroup-VR interface lo0.20

    - should be able to solve Your problem.

    HTH

    Thx
    Alex



  • 4.  RE: VR - Routing-Instance and ISIS NET address lo0 issue

     
    Posted 01-02-2018 06:12

    Hi guys,

     

    Thank you very much for your responses. It would appear that Junos does not like trying to configure multiple interfaces.... as can be seen below:

     

    set interfaces lo0 unit 20 family iso address 49.0001.xxxx.xxxx.xxxx.00

    commit

    'unit 20'
    if_instance: Multiple loopback interfaces not permitted in master routing instance
    error: configuration check-out failed

     

    So, I thought I would set the new NET address on the lo0 interface itself and utilise that as follows:

     

     

    set interfaces lo0 unit 0 family iso address 49.0001.xxxx.xxxx.xxxx.00

    commit

    [edit routing-instances NineGroup-VR protocols isis]
    'interface lo0.0'
    IS-IS: interface is not in this instance
    error: configuration check-out failed

     

    The second issue is obvious as it is the master ..... why won't it let me configure multiple interfaces on the master lo0?

     

    Thanks

     



  • 5.  RE: VR - Routing-Instance and ISIS NET address lo0 issue

     
    Posted 01-02-2018 06:46

    Hi,

     

    So, I have managed to get around the multiple interface issue by completing the following:

     

    set routing-instances NineGroup-VR interface lo0.20

    set interfaces lo0 unit 20 family iso address 49.0001.xxxx.xxxx.xxxx.00

    set routing-instances NineGroup-VR protocols isis interface lo0.20

     

    Presumably, this should now advertise the route. However, if I connect to the directly connected MX240 and look at the routing table for the NineGroup-VR ge-0/0/2 IPv6 or IPv4 interface address there is nothing there. So the interface is still not being advertised by isis....

     

    I'm pretty sure it is something I have missed but cannot see what.

     

     



  • 6.  RE: VR - Routing-Instance and ISIS NET address lo0 issue

    Posted 01-02-2018 07:15

    Hello,


    @adgwytc wrote:

    Hi,

     

    So, I have managed to get around the multiple interface issue by completing the following:

     

    set routing-instances NineGroup-VR interface lo0.20

    set interfaces lo0 unit 20 family iso address 49.0001.xxxx.xxxx.xxxx.00

    set routing-instances NineGroup-VR protocols isis interface lo0.20

     

     

     


    Cool, I hope You realised that Your mistake was committing too soon, after adding just lo0 unit 20 WITHOUT inserting it into VR.

     


    @adgwytc wrote:

     

    Presumably, this should now advertise the route. However, if I connect to the directly connected MX240 and look at the routing table for the NineGroup-VR ge-0/0/2 IPv6 or IPv4 interface address there is nothing there. So the interface is still not being advertised by isis....

     

    I'm pretty sure it is something I have missed but cannot see what.

     

     


    What do You expect to be advertised from NineGroup-VR? You don't have any other IP addresses inside NineGroup-VR OTHER THAN connected ge-0/0/2.0 IPs. These connected IPs WON'T be seen on the ISIS neighbor as coming from ISIS; they would be seen as [Direct/1].

    Add an IP address to lo0.20, add lo0.20 into [routing-instances NineGroup-VR protocols isis], repeat the test and report the results.

    HTH

    Thx
    Alex



  • 7.  RE: VR - Routing-Instance and ISIS NET address lo0 issue

     
    Posted 01-02-2018 07:29

    Hi aarseniev,

     

    Thank you for the response.

     

    If I have advertised the ge-0/0/2 interface into the VR as follows:

     

    set routing-instances NineGroup-VR interface ge-0/0/2.0

    set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0

    set interfaces ge-0/0/2 unit 0 family iso

    set interfaces ge-0/0/2 unit 0 family inet address xxx.xxx.xxx.xxx/30

    set interfaces ge-0/0/2 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64

     

    Which is configured exactly the same as Customer-VR routing-instance, then why can I see the ae2 interface addresses and ping them from anywhere on the network to the Customer-VR, but I cannot to the NineGroup-VR? Surely the ge-0/0/2 interface addresses should now be advertised into ISIS? There is a security zone allowing all protocols and there is a policy between the VRs allowing anything through (any, any, any, permit) in both directions. I will complete as mentioned but don't see how that will help routing anything to the RADIUS and IPv6 DNS as there will be no route to the network or prefix....

     

    Please accept my apologies if this does not sound right, but it makes sense to me.....



  • 8.  RE: VR - Routing-Instance and ISIS NET address lo0 issue

     
    Posted 01-02-2018 07:57

    Many apologies.... Something must be missing, but as mentioned, I don't know where.... I have completed the following:

     

    set interfaces lo0 unit 20 family inet address 192.168.1.1/32

     

    The interface is already in the routing-instance isis and also in the routing-instance (as per the Customer-VR)

     

    I cannot ping the interface and it is not in the routing table:

    run show route 192.168.1.1 

     

    Nothing there.....

     

    So, the only difference between the Customer-VR and the NineGroup-VR is the following:

     

    ge-0/0/2(NineGroup-VR) -- SRX1500 -- ae2 (Customer-VR) ---> ae2 (MX240)

     

    So, maybe there is something in the middle missing that allows connectivity between the two VRs?

     

    Here is the config you would want to see regarding this (again, please accept my apologies):

    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match source-address any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match destination-address any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match application any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest then permit
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match source-address any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match destination-address any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match application any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/1.0
    set security zones security-zone trust interfaces ge-0/0/3.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone NineGroup-DMZ host-inbound-traffic system-services all
    set security zones security-zone NineGroup-DMZ host-inbound-traffic protocols all
    set security zones security-zone NineGroup-DMZ interfaces ge-0/0/2.0
    set security zones security-zone Customer-Network host-inbound-traffic system-services all
    set security zones security-zone Customer-Network host-inbound-traffic protocols all
    set security zones security-zone Customer-Network interfaces ae2.0

    set interfaces ge-0/0/2 unit 0 family inet address 195.80.0.37/30
    set interfaces ge-0/0/2 unit 0 family iso
    set interfaces ge-0/0/2 unit 0 family inet6 address 2a05:d840:0030:ffff:ffff:ffff:0000:0001/127

    set interfaces xe-0/0/16 description Group-ae2
    set interfaces xe-0/0/16 gigether-options 802.3ad ae2

    set interfaces xe-0/0/18 description Group-ae2
    set interfaces xe-0/0/18 gigether-options 802.3ad ae2

    set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
    set interfaces ae2 unit 0 family inet address 195.80.0.18/30
    set interfaces ae2 unit 0 family iso
    set interfaces ae2 unit 0 family inet6 address 2a05:d840:002b:ffff:ffff:ffff:0000:0002/127

    set interfaces lo0 unit 0 family inet address 195.80.0.3/32
    set interfaces lo0 unit 0 family iso
    set interfaces lo0 unit 0 family inet6 address 2a05:d840:000e:ffff:ffff:ffff:0000:0001/128
    set interfaces lo0 unit 10 family iso address 49.0001.1950.0080.0004.00
    set interfaces lo0 unit 20 family inet address 192.168.1.1/32
    set interfaces lo0 unit 20 family iso address 49.0001.1950.0080.0014.00

    set routing-options static route 172.16.16.0/24 next-hop 172.16.16.39
    set protocols isis export export_statics
    set protocols isis level 1 authentication-key "$9$zyOuFCuREyKWxSrxdwgUDP5QF9AuO1hyl"
    set protocols isis level 1 authentication-type md5
    set protocols isis level 2 authentication-key "$9$Xqsxb2ZGi.fzjHz6CuEhvWLxVw24aUik"
    set protocols isis level 2 authentication-type md5
    set protocols isis interface lo0.0
    set policy-options policy-statement export_statics term 1 from protocol static
    set policy-options policy-statement export_statics term 1 then accept

    set routing-instances Customer-VR instance-type virtual-router
    set routing-instances Customer-VR interface ae2.0
    set routing-instances Customer-VR interface lo0.10
    set routing-instances Customer-VR protocols isis level 1 authentication-key "$9$29gGiPfz6CuQFu1EyW8VwYgZUik.5z3"
    set routing-instances Customer-VR protocols isis level 1 authentication-type md5
    set routing-instances Customer-VR protocols isis level 2 authentication-key "$9$lOzeLNsYoGjq4aqfQnpuhSre8XNdb2oJ"
    set routing-instances Customer-VR protocols isis level 2 authentication-type md5
    set routing-instances Customer-VR protocols isis interface ae2.0
    set routing-instances Customer-VR protocols isis interface lo0.10
    set routing-instances NineGroup-VR instance-type virtual-router
    set routing-instances NineGroup-VR interface ge-0/0/2.0
    set routing-instances NineGroup-VR interface lo0.20
    set routing-instances NineGroup-VR protocols isis level 1 authentication-key "$9$.mz6pu1hyKBIK8xdg4jHqmQF69A01R"
    set routing-instances NineGroup-VR protocols isis level 1 authentication-type md5
    set routing-instances NineGroup-VR protocols isis level 2 authentication-key "$9$10AIyKXxdsgJ-VJDHmF3p0BISrKM87db"
    set routing-instances NineGroup-VR protocols isis level 2 authentication-type md5
    set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0
    set routing-instances NineGroup-VR protocols isis interface lo0.20

     

    I just cannot see anything there that would not allow this to work....

     

    I have tested with the defaults of Trust and Untrust and this worked.... but we need more control over the VRs...

     

    Thanks again for your time.....
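As an added example (not code from this thread or from Juniper), a small Python lint over set-style config that flags the mistakes the thread ran into: an IFL placed in more than one routing instance, an IS-IS interface that is not bound to the instance listing it (the "interface is not in this instance" commit error), an instance running IS-IS with no lo0 unit carrying a NET, and a missing instance-type. The sample config and its NET value are constructed to mirror the first config posted.

```python
"""Lint a Junos 'set'-style config for the IS-IS / routing-instance mistakes
seen in this thread.  Added example, not Juniper tooling; values are made up."""
import re
from collections import defaultdict

# Constructed sample mirroring the first config posted: lo0.10 carries the only
# NET and sits in Customer-VR, yet NineGroup-VR's IS-IS lists it too, and
# Customer-VR never got an instance-type.  NET/addresses are placeholders.
SAMPLE = """
set interfaces lo0 unit 10 family iso address 49.0001.1920.0002.0003.00
set routing-instances Customer-VR interface ae2.0
set routing-instances Customer-VR interface lo0.10
set routing-instances Customer-VR protocols isis interface ae2.0
set routing-instances Customer-VR protocols isis interface lo0.10
set routing-instances NineGroup-VR instance-type virtual-router
set routing-instances NineGroup-VR interface ge-0/0/2.0
set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0
set routing-instances NineGroup-VR protocols isis interface lo0.10
"""

PATTERNS = {  # each 'set' line matches at most one of these
    "net":  re.compile(r"^set interfaces (\S+) unit (\d+) family iso address (\S+)$"),
    "type": re.compile(r"^set routing-instances (\S+) instance-type (\S+)$"),
    "bind": re.compile(r"^set routing-instances (\S+) interface (\S+)$"),
    "isis": re.compile(r"^set routing-instances (\S+) protocols isis interface (\S+)$"),
}

def lint(config: str) -> list[str]:
    """Return one finding per problem; an empty list means the config is clean."""
    nets, types = {}, {}              # IFL -> NET, instance -> instance-type
    bound = defaultdict(set)          # instance -> IFLs placed in it
    isis = defaultdict(set)           # instance -> IFLs listed under protocols isis
    for line in config.strip().splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line.strip())
            if not m:
                continue
            if kind == "net":
                nets[f"{m[1]}.{m[2]}"] = m[3]
            elif kind == "type":
                types[m[1]] = m[2]
            elif kind == "bind":
                bound[m[1]].add(m[2])
            else:
                isis[m[1]].add(m[2])
    findings, owners = [], defaultdict(list)
    for ri, ifls in bound.items():
        for ifl in ifls:
            owners[ifl].append(ri)
    for ifl, ris in sorted(owners.items()):
        if len(ris) > 1:              # an IFL can belong to only one instance
            findings.append(f"{ifl} bound to several instances: {sorted(ris)}")
    for ri in sorted(set(bound) | set(isis)):
        if ri not in types:
            findings.append(f"{ri}: no instance-type configured")
        if not any(ifl in nets for ifl in bound[ri]):
            findings.append(f"{ri}: no lo0 unit carrying a NET is bound to this instance")
        for ifl in sorted(isis[ri]):
            if ifl not in bound[ri]:  # Junos rejects this: interface is not in this instance
                findings.append(f"{ri}: IS-IS interface {ifl} is not in this instance")
    return findings
```

Running lint(SAMPLE) reports the missing instance-type on Customer-VR, the missing NET in NineGroup-VR and lo0.10 being listed by NineGroup-VR's IS-IS without being bound to it; giving NineGroup-VR its own lo0.20 with a NET clears all three.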

     

     

     



  • 9.  RE: VR - Routing-Instance and ISIS NET address lo0 issue

     
    Posted 01-02-2018 09:25

    I have had success in getting the routes from one VR to the other VR but still CANNOT see these routes external to the SRX.... I configured the following:

     

    set policy-options policy-statement from_customer_to_ninegroup term term1 from instance Customer-VR protocol isis
    set policy-options policy-statement from_customer_to_ninegroup term term1 then accept
    set policy-options policy-statement from_customer_to_ninegroup term term1 then reject
    set routing-instances NineGroup-VR routing-options instance-import from_customer_to_ninegroup

    set policy-options policy-statement from_ninegroup_to_customer term term1 from instance Customer-VR protocol isis
    set policy-options policy-statement from_ninegroup_to_customer term term1 then accept
    set policy-options policy-statement from_ninegroup_to_customer term term1 then reject
    set routing-instances NineGroup-VR routing-options instance-import from_ninegroup_to_customer

     

    Again, many apologies for this troublesome issue



  • 10.  RE: VR - Routing-Instance and ISIS NET address lo0 issue

     
    Posted 01-03-2018 01:55

    Scrap what I wrote in the last message. Many apologies for any confusion. The policy I wrote did not work after all. I was looking at the NineGroup-VR when seeing the routes and not the Customer-VR.....

     

    I have configured a second SRX exactly as has been recommended here and have the exact same problem. The interface "ae2" that is directly connected, physically, to the core has all the correct routes and can be contacted from anywhere on the network. However, the ge-0/0/2 interface that is connected to the DMZ has only its own interface in the routing table under its VR. It is getting no isis updates.

     

    Would anyone like me to complete a traceoptions debug and post here?



  • 11.  RE: VR - Routing-Instance and ISIS NET address lo0 issue

     
    Posted 01-03-2018 03:03

    Okay. The latest information so that it may trigger some resolution.... I know it's a pain, it is to me too 😞

     

    I have configured the following:

    set routing-instances Customer-VR routing-options instance-import to_customer
    set policy-options policy-statement to_customer term term1 from instance NineGroup-VR
    set policy-options policy-statement to_customer term term1 from protocol isis

    set policy-options policy-statement to_customer term term1 from protocol direct
    set policy-options policy-statement to_customer term term1 then accept
    set policy-options policy-statement to_customer term term2 then reject

     

    And also the same the other way

     

    This now shows ALL routes in Customer-VR and the NineGroup-VR.... The problem is that these routes are only viewable locally on the SRX because they are not being advertised as part of isis.... so if I log onto the Core (that the SRX is directly connected to) and check the routes with the "run show route" command, ALL of the Customer-VR routes are there but none of the NineGroup-VR.... so, still not being advertised by isis. I have gone through all of the Juniper documentation I can find regarding this and am now starting to meltdown trying to find a resolution. Heeeeelp  🙂

     



  • 12.  RE: VR - Routing-Instance and ISIS NET address lo0 issue

     
    Posted 01-03-2018 11:25

    Hi Folks,

    How is the connection between the VR and the external world? Same area or different? Can I get the below outputs:

     

    show route table NineGroup-VR extensive

    show isis database extensive

    show isis interface extensive

     



  • 13.  RE: VR - Routing-Instance and ISIS NET address lo0 issue
    Best Answer

    Posted 01-04-2018 03:14

    Create the policy you want for the BGP routes you want into ISIS.

     

    Apply that policy on the ISIS stanza

    set protocols isis export NEW_POLICY

     



  • 14.  RE: VR - Routing-Instance and ISIS NET address lo0 issue

     
    Posted 01-05-2018 03:31

    Hi Python / Spuluka,

     

    Thank you for your responses. Very much appreciated.

     

    Currently I have had to remove the VR configuration and use a default while I rebuild the L2TP LNS. This is because we are now getting close for these systems to be installed and tested before going live. As soon as I get an opportunity I will reconfigure the VRs and test. But I have to complete MPLS, RSVP and all the services policies on the SRX yet .... work, work, work... 🙂

     

    I will close this for now and can re-open later if required.

     

    Thank you again.