Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Routing with 2 SRX devices

    Posted 10-21-2021 14:25

    Hello Juniper Gurus,


    I am still new to Juniper so I am most likely missing something here.

    I have 2 Juniper devices.

    SRX 300 - version 21.3R1.9

    SRX 210 - version 10.4R5.5

    I have connected them together (SRX300 ge-0/0/5 to SRX210 ge-0/0/0) using the range 192.168.5.0/30.

    I have added them to the trust security zones and enabled ping.


    Full config of SRX300

    ## Last commit: 2021-10-20 21:53:46 GMT by root
    version 21.3R1.9;
    system {
        host-name SRX300;
        root-authentication {
            encrypted-password "$6$IIs8GDt8$/Mp/KZj9zEMLe.FBwe0.5lD0plFe.Hn9OCET4GppLZh8F68/27hvfs8QDm48tMUQk7g82EO58Sq28aMSrOfqC/"; ## SECRET-DATA
        }
        login {
            user Will {
                full-name "William Roullier";
                uid 100;
                class super-user;
                authentication {
                    encrypted-password "$6$TzFF2Am2$K/k0hHgckVMa4hu111ahVzsMuzWioZVyyUQi3nqD24vqX6.Ges3HcVcyZLOIq.LKtFFWSvoYvFgpzGWDqxC7n1"; ## SECRET-DATA
                }
            }
            message "PLEASE NOTE: This device is monitored, any unauthorised access will be logged!";
        }
        services {
            ftp;
            ssh;
            netconf {
                ssh;
            }
            dns;
            dhcp-local-server {
                group jdhcp-group {
                    interface irb.0;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
        domain-name junos.local;
        time-zone GMT;
        authentication-order [ password radius tacplus ];
        name-server {
            8.8.8.8;
            8.8.4.4;
            208.67.220.220;
            208.67.222.222;
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file interactive-commands {
                interactive-commands any;
            }
            file messages {
                any notice;
                authorization info;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        phone-home {
            server https://redirect.juniper.net;
            rfc-compliant;
        }
    }
    chassis {
        inactive: auto-image-upgrade;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            pre-id-default-policy {
                then {
                    log {
                        session-close;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                ping;
                            }
                        }
                    }
                    ge-0/0/5.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                ping;
                            }
                        }
                    }
                    lo0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                https;
                                ping;
                                traceroute;
                                dns;
                            }
                        }
                    }
                    ge-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            description WAN-UPLINK_FTTC_VM;
            unit 0 {
                description WAN-UPLINK_FTTC_VM;
                family inet {
                    dhcp {
                        retransmission-attempt 50000;
                        retransmission-interval 4;
                        vendor-id Juniper-srx300;
                    }
                }
            }
        }
        ge-0/0/1 {
            description WJR_LAN;
            unit 0 {
                description WJR_HOME_LAN;
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            description UPLINK-SRX210-GE-0/0/0;
            unit 0 {
                description UPLINK-SRX210-GE-0/0/0.0;
                family inet {
                    address 192.168.5.1/30;
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family inet {
                    dhcp {
                        vendor-id Juniper-srx300;
                    }
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.255.253/30;
                }
            }
        }
    }
    firewall {
        filter XBOX {
            term XBOX-ALLOW {
                from {
                    protocol [ udp tcp ];
                    source-port [ 88 3074 53 80 500 3544 4500 ];
                }
                then accept;
            }
        }
    }
    access {
        address-assignment {
            pool junosDHCPPool {
                family inet {
                    network 192.168.1.0/24;
                    range junosRange {
                        low 192.168.1.2;
                        high 192.168.1.254;
                    }
                    dhcp-attributes {
                        router {
                            192.168.1.1;
                        }
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface ge-0/0/1.0;
                interface ge-0/0/5.0;
            }
        }
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }

    Full config of SRX210

    ## Last commit: 2021-10-20 21:39:10 BST by root
    version 10.4R5.5;
    system {
        host-name SRX210;
        domain-name junos.local;
        time-zone Europe/London;
        authentication-order [ radius tacplus password ];
        root-authentication {
            encrypted-password "$1$8JPWxIHI$CBacPrR29xlC90Grm6XtZ."; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
            8.8.8.8;
            1.1.1.1;
        }
        login {
            message "WARNING!!! This device is monitored. Any unauthorised logins used will be captured.";
            class ping-trace {
                allow-commands traceroute;
            }
            user Test {
                uid 2001;
                class ping-trace;
                authentication {
                    encrypted-password "$1$PbvjPudE$9EgG868tIn.trlCXszMwK1"; ## SECRET-DATA
                }
            }
            user Will {
                full-name "William Roullier";
                uid 101;
                class super-user;
                authentication {
                    encrypted-password "$1$hoga1.rx$KAOsik8V0VZKaZ1TPJ6Dx/"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh {
                protocol-version v2;
            }
            telnet;
            xnm-clear-text;
            dns;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                }
                session {
                    idle-timeout 5;
                }
            }
            dhcp {
                router {
                    192.168.200.1;
                }
                traceoptions {
                    file dhcp-fail size 2m files 3;
                    flag all;
                }
                pool 192.168.200.0/24 {
                    address-range low 192.168.200.2 high 192.168.200.254;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            description UPLINK-SRX300-GE-0/0/5;
            speed 1g;
            link-mode full-duplex;
            mac 84:18:88:75:28:80;
            gigether-options {
                loopback;
                auto-negotiation;
            }
            unit 0 {
                description UPLINK-SRX300-GE-0/0/5;
                family inet {
                    rpf-check;
                    filter {
                        input XBOX;
                    }
                    address 192.168.5.2/30;
                }
            }
        }
        ge-0/0/1 {
            description LAB_LAN;
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                description LAB_LAN;
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            disable;
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/3 {
            disable;
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/4 {
            disable;
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/5 {
            disable;
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/6 {
            disable;
            unit 0 {
                family ethernet-switching;
            }
        }
        fe-0/0/7 {
            disable;
            unit 0 {
                family ethernet-switching;
            }
        }
        lo0 {
            description Loopback;
            unit 0 {
                family inet {
                    address 192.168.255.254/30;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.200.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            defaults {
                readvertise;
            }
        }
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface ge-0/0/1.0;
                interface ge-0/0/0.0;
            }
        }
        stp;
    }
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    ge-0/0/1.0;
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                    lo0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    firewall {
        filter XBOX {
            term XBOX-ALLOW {
                from {
                    protocol [ udp tcp ];
                    source-port [ 88 3074 53 80 500 3544 4500 ];
                }
                then accept;
            }
        }
    }
    vlans {
        vlan-trust {
            description LAB_LAN;
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    ping tests from 192.168.5.1

    root@SRX300> ping 192.168.5.2 interface ge-0/0/5.0
    PING 192.168.5.2 (192.168.5.2): 56 data bytes
    ^C
    --- 192.168.5.2 ping statistics ---
    6 packets transmitted, 0 packets received, 100% packet loss
    
    root@SRX300>

    ping tests from 192.168.5.2

    root@SRX210> ping 192.168.5.1 interface ge-0/0/0.0
    PING 192.168.5.1 (192.168.5.1): 56 data bytes
    ^C
    --- 192.168.5.1 ping statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss
    
    root@SRX210>


    Pinging from SRX210 192.168.5.2 to 192.168.5.1, monitor tab:

    21:14:27.351298 Out arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:27.358090  In arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:28.166988 Out arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:28.168738  In arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:28.880548 Out arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:28.882031  In arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:29.492103 Out arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:29.499571  In arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:30.624273 Out arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:30.627929  In arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:31.337092 Out arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:31.344546  In arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:31.948446 Out arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:31.950240  In arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:32.560322 Out arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:32.562181  In arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:33.477602 Out arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:33.479088  In arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:34.709502 Out arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:34.713490  In arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:35.320387 Out arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:35.322174  In arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:36.237998 Out arp who-has 192.168.5.1 tell 192.168.5.2
    21:14:36.246818  In arp who-has 192.168.5.1 tell 192.168.5.2


    From my understanding, if both interfaces are up and they are on the same range and physically connected together, then there must be a routing bit I am missing, or I have not fully done something with the zones; however, all services are enabled and ping itself is enabled for each interface and for the zone itself.

    Any help is much appreciated



    ------------------------------
    William Roullier
    ------------------------------


  • 2.  RE: Routing with 2 SRX devices

    Posted 10-22-2021 09:26
    Hi William,

    This is normal: you are blocking the traffic with the firewall filter under the interface, so even if you have a security policy allowing the service, the interface filter will still block it:

    firewall {
        filter XBOX {
            term XBOX-ALLOW {
                from {
                    protocol [ udp tcp ];
                    source-port [ 88 3074 53 80 500 3544 4500 ];
                }
                then accept;
            }
        }
    }


    Remember there is an implicit deny as the "last term"; if you want to allow the pings, create a second term and that should do the trick.

    Thanks,
    Gabriel FV



    ------------------------------
    GABRIEL FLORES
    ------------------------------
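    The reply above explains the implicit discard at the end of a Junos firewall filter. As an added example (editor's code, not Gabriel's or William's), here is what the `XBOX` filter on the SRX210's ge-0/0/0.0 would look like with the extra terms the link actually needs: ICMP for the ping test and OSPF, which the posted `protocols ospf` stanza runs on that same interface and which the single-term filter also drops. The final explicit `discard` with `log` is optional; it makes anything the filter drops visible with `show firewall log` instead of silently disappearing. Term names other than `XBOX-ALLOW` are my own.

```junos
## Added example, not from the thread. Apply on SRX210 in configuration mode.
## Terms are evaluated top to bottom; the first match wins, and a packet that
## matches no accepting term hits the implicit discard at the end.
firewall {
    filter XBOX {
        term ALLOW-ICMP {
            from {
                protocol icmp;
            }
            then accept;
        }
        term ALLOW-OSPF {
            from {
                protocol ospf;
            }
            then accept;
        }
        term XBOX-ALLOW {
            from {
                protocol [ udp tcp ];
                source-port [ 88 3074 53 80 500 3544 4500 ];
            }
            then accept;
        }
        term DENY-LOG {
            then {
                log;
                discard;
            }
        }
    }
}

## Terms added with "set" land at the end of the filter; move them ahead of the
## existing term and the implicit deny if needed:
##   insert firewall filter XBOX term ALLOW-ICMP before term XBOX-ALLOW
##   insert firewall filter XBOX term ALLOW-OSPF before term XBOX-ALLOW
## Verify after commit:
##   show firewall filter XBOX        (per-term hits, once counters are added)
##   show firewall log                (what DENY-LOG discarded)
```

    Two checks worth doing before re-running the ping. First, a `family inet` filter acts on IP packets only, not on ARP, yet the capture in the first post shows no `arp reply` from 192.168.5.1 at all; instead each outgoing request reappears as `In` with the same sender a few milliseconds later. That pattern is what `gigether-options { loopback; }`, which the posted SRX210 config sets on ge-0/0/0, produces, so `delete interfaces ge-0/0/0 gigether-options loopback` is worth applying alongside the filter change, and `show interfaces ge-0/0/0 extensive` confirms the link state afterwards. Second, matching on source ports alone (53, 80, 500 and so on) accepts any TCP or UDP packet whose sender happened to use one of those ports, so this filter is a convenience for the console traffic rather than a security boundary; the SRX security policies remain the place to decide what is permitted between zones.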



  • 3.  RE: Routing with 2 SRX devices

    Posted 10-22-2021 12:58
    Oh, of course! I am so stupid, aha!

    Thank you, I knew I missed something.
    I haven't tested yet, but you are right; will do it tonight.
    Thank you so much.

    ------------------------------
    William Roullier
    ------------------------------



  • 4.  RE: Routing with 2 SRX devices

    Posted 10-22-2021 15:14
    It happens to the best engineers, jaja.

    Happy to help.
    Thanks 
    Gabriel FV

    ------------------------------
    GABRIEL FLORES
    ------------------------------