Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Route available but cannot ping the loopback IP

    This message was posted by a user wishing to remain anonymous
    Posted 10-22-2022 06:30


    Topology: EVE-NG 2*vSRX (running 22.3R1.11)      r1----------r2

    ISIS is up and the route is available, but I cannot ping each other's loopback IP. What missing security config is causing this problem? Can someone please help?

    r1 config:
    set security forwarding-options family iso mode packet-based
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
    set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces lo0.0 host-inbound-traffic protocols all
    set interfaces ge-0/0/0 unit 0 description to-R2
    set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.12/27
    set interfaces ge-0/0/0 unit 0 family iso
    set interfaces fxp0 unit 0
    set interfaces lo0 unit 0 family inet address 192.168.0.1/32
    set interfaces lo0 unit 0 family iso address 49.0100.0192.0168.0000.0001.00
    set protocols isis interface ge-0/0/0.0 point-to-point
    set protocols isis interface lo0.0
    set protocols isis level 1 disable

    r2 config:
    set security forwarding-options family iso mode packet-based
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
    set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces lo0.0 host-inbound-traffic protocols all
    set interfaces ge-0/0/0 unit 0 description to-R1
    set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.21/27
    set interfaces ge-0/0/0 unit 0 family iso
    set interfaces fxp0 unit 0
    set interfaces lo0 unit 0 family inet address 192.168.0.2/32
    set interfaces lo0 unit 0 family iso address 49.0100.0192.0168.0000.0002.00
    set protocols isis interface ge-0/0/0.0 point-to-point
    set protocols isis interface lo0.0
    set protocols isis level 1 disable

    root@r1# run show route

    inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.0.0.0/27 *[Direct/0] 02:32:25
    > via ge-0/0/0.0
    10.0.0.12/32 *[Local/0] 02:32:25
    Local via ge-0/0/0.0
    192.168.0.1/32 *[Direct/0] 02:30:26
    > via lo0.0
    192.168.0.2/32 *[IS-IS/18] 00:56:50, metric 10
    > to 10.0.0.21 via ge-0/0/0.0

    root@r2# run show route

    inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.0.0.0/27 *[Direct/0] 02:32:40
    > via ge-0/0/0.0
    10.0.0.21/32 *[Local/0] 02:32:40
    Local via ge-0/0/0.0
    192.168.0.1/32 *[IS-IS/18] 00:56:36, metric 10
    > to 10.0.0.12 via ge-0/0/0.0
    192.168.0.2/32 *[Direct/0] 02:29:47
    > via lo0.0


  • 2.  RE: Route available but cannot ping the loopback IP

    Posted 10-22-2022 06:33
    What security zone are the loopback and connecting interfaces assigned to?
    And is ping allowed for that zone for host inbound traffic?

    Or the SRX needs to be put into packet mode to turn off security features.
    https://www.juniper.net/documentation/us/en/software/junos/flow-packet-processing/topics/topic-map/security-packet-based-forwarding.html

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Route available but cannot ping the loopback IP

    Posted 10-23-2022 08:32
    Hi,

    You are missing an intrazone policy.


    Thanks
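
A check for the gap reply 3 points to, as an added example that is not part of the thread: it scans set-format configuration for zones that hold lo0 together with another interface but have no same-zone permit policy. The function name and the policy name `permit-intrazone` are assumptions; global policies and a changed default policy are not considered.

```python
import re

# Security-zone lines taken from r1's posted config (interface and IS-IS lines omitted).
R1_CONFIG = """\
set security forwarding-options family iso mode packet-based
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic protocols all
"""

# Constructed fix: the policy name "permit-intrazone" is hypothetical.
INTRAZONE_FIX = """\
set security policies from-zone trust to-zone trust policy permit-intrazone match source-address any
set security policies from-zone trust to-zone trust policy permit-intrazone match destination-address any
set security policies from-zone trust to-zone trust policy permit-intrazone match application any
set security policies from-zone trust to-zone trust policy permit-intrazone then permit
"""

ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
POLICY_PERMIT = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy \S+ then permit")


def missing_intrazone_policy(config):
    """Return zones that contain lo0 plus another interface but have
    no from-zone Z to-zone Z policy with a permit action."""
    zones = {}          # zone name -> set of member interfaces
    permitted = set()   # (from-zone, to-zone) pairs that have a permit
    for line in config.splitlines():
        line = line.strip()
        if m := ZONE_IF.match(line):
            zones.setdefault(m.group(1), set()).add(m.group(2))
        elif m := POLICY_PERMIT.match(line):
            permitted.add((m.group(1), m.group(2)))
    findings = []
    for zone, ifaces in sorted(zones.items()):
        has_lo = any(i.startswith("lo0") for i in ifaces)
        has_other = any(not i.startswith("lo0") for i in ifaces)
        if has_lo and has_other and (zone, zone) not in permitted:
            findings.append(zone)
    return findings


if __name__ == "__main__":
    print("as posted:  ", missing_intrazone_policy(R1_CONFIG))
    print("with policy:", missing_intrazone_policy(R1_CONFIG + INTRAZONE_FIX))
```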