Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Frustration using loopback address and unable to access (easy and obvious but I'm missing it)

    Posted 05-09-2012 21:27

    So I'm new to Juniper, coming from a Brocade/Marconi/Alcatel background (ten years ago), and having immense frustration trying to use loopback for in-band network management.  Been scouring the board (and the KB and Google) for a couple of days now, along with the Day One JunOS, SRX, and EX documents, and the problem is they either don't answer the obvious (to me) or are using configurations way more advanced than my setup, which is frustrating as this seems like a two-minute fix.  

     

    Anyway, the configuration is the standard: ISP<--DHCP-->SRX-220H<-->EX-3200, with the 3200 being way underutilized as basically a big dumb switch (which is fine, it's supporting 25 workstations/printers).  Everything is working fine, short of I can't figure out how to configure a management IP on the EX-3200 (in-band, not me0), loopback or otherwise, and can only get to the SRX management interface via the LAN GW.  Do I really need to create VLANs, etc. just to do this?  Can I just simply assign the EX lo0 (for example) a LAN IP? (Ditto with the SRX.)

     

    Configs are attached. What am I missing (the obvious?), and thanks for humoring a rusty network guy (been in security for nearly ten years now). 

     

    Thanks,

     

    -Peter 

     

    PS: Yes, I could have the EX do the routing and configure a /30 between the SRX and EX, but I'm not sure if that gains me anything.  No, I can't remove the SRX from the picture as it's doing UTM and IDP for the local office.   


    #EX
    #SRX
    #basic

    Attachment(s)

    txt
    srx.conf.txt   5 KB 1 version
    txt
    ex3200.conf.txt   1 KB 1 version


  • 2.  RE: Frustration using loopback address and unable to access (easy and obvious but I'm missing it)

    Posted 05-10-2012 04:39
    Well, you already have a VLAN. It should be called "default." Say "show ether int" to confirm. So, you need a Routed VLAN Interface to use for management:

    set interfaces vlan unit 0 family inet address <address>
    set vlans default l3-interface vlan.0

    And if you want to manage the switch from a different subnet, then also configure a default route, with something like this ...
    (I don't remember the exact syntax. Use question marks.)

    set routing-options static route 0.0.0.0/0 next-hop <gateway address>


  • 3.  RE: Frustration using loopback address and unable to access (easy and obvious but I'm missing it)

    Posted 05-10-2012 15:07

    OK, no disrespect meant, but you obviously didn't look at the configs or read the question.

     

    I already have exactly what you said configured on the SRX with vlan.0 acting as the GW for the EX (and I can get to it via the GW address just fine).

     

    What I want, though, is a separate IP (loopback would be best, but any would work) on that same LAN (192.168.2.0/24) that I can use for management only, i.e. the SRX (let's say) .254 and the EX (let's say) .253.

     

    What I don't understand is how to make that happen (I assume it has to be loopback, as VLANs need a physical interface to be up) and why it doesn't work looking at my existing configs (which have the IP assigned to loopback). 



  • 4.  RE: Frustration using loopback address and unable to access (easy and obvious but I'm missing it)
    Best Answer

    Posted 05-10-2012 15:32

    No problem, I will clarify.

     

    You wrote: "Everything is working fine short of I can't figure out how to configure a management IP on EX-3200 (inband, not me0) [...]" 

     

    From that sentence I infer that you can indeed manage the SRX and are having trouble reaching the EX switch. Therefore, I ignored the SRX config you've attached, and instead only focused on the EX configuration.

     

    You wrote "PS: Yes I could have the EX to the routing and configure a /30 between the SRX and EX but not sure if that gains me anything."

     

    From that sentence I infer that you are willing to work with a /30 option, but you'd rather have an address on the same LAN.

     

    Looking at the EX configuration you attached, I see that you are, in fact, missing the L3 interface for the default VLAN.

     

    What I am getting at is that on a Juniper EX switch you use a Routed VLAN Interface (RVI) associated with the VLAN to reach the switch itself on a particular VLAN, rather than a loopback interface. That's all. Hence, the commands I included in my previous post are for the EX switch, not for the SRX firewall. Sorry for the mix-up.



  • 5.  RE: Frustration using loopback address and unable to access (easy and obvious but I'm missing it)

    Posted 05-10-2012 17:32

    Good call, Nikolay, and my failure was in properly understanding the l3-interface and its role in all this.  I was wrong in thinking the l3-interface was a pointer to the VLAN gateway.

     

    So the second part of the initial post then is "Why doesn't this work with lo0.0?", i.e. if I assign lo0.0 an IP on the same local LAN (on both the SRX and EX) I am unable to get to it (or even an arbitrary IP like 1.2.3.4/32).  I guess I'm trying to understand how the lo0 is routed locally (as it shows up in the routing table as a direct connect), so I'm not sure why I can't find a route to it from, let's say, a workstation. 



  • 6.  RE: Frustration using loopback address and unable to access (easy and obvious but I'm missing it)

    Posted 05-10-2012 17:49

    Let's say your workstation is at 192.168.2.100/24. When you try to reach IP address 192.168.2.2, your PC assumes (rightly so) the address is in the same subnet, and thus sends out an ARP request: Who has 192.168.2.2?

     

    Being that the loopback interface (on both SRX and EX) is in a different subnet (albeit with an overlapping address space), it will not see the ARP request directly, and thus won't respond to it. So your computer never knows how to talk to that IP address. If you're using Windows, you can observe this by doing a continuous ping in one window, and in another type "arp -a" -- you'll see 192.168.2.2 with a MAC entry of 00-00-00-00-00-00 (ARP lookup in progress).

     

    In some circumstances a different interface (in your case vlan.0) can act as a proxy and answer those ARP requests, thereby having your PC send traffic for 192.168.2.2 to the MAC address of the vlan.0 interface, from where traffic gets routed to wherever it needs to go. This feature is called Proxy ARP.

     

    Because you need an IP address on the EX switch solely for management, I would recommend that you forgo the loopback interface altogether over there. If you do want to find out more about proxy ARP and experiment, here's a starting point: http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/port-security-ex-series-proxy-arp-understanding.html.

     

    As for the SRX firewall, I can see your point about not wanting to manage the firewall on the same address that's used as the default gateway for your LAN, but I'm not sure how exactly to go about it. As a matter of fact, I'm not quite certain how JUNOS will handle Proxy ARP for overlapping subnets.
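The ARP behaviour described in the post above, as an added simulation that is not part of the thread and is not Junos code: a workstation on 192.168.2.0/24 tries to reach the EX RVI address, a /32 on the EX lo0 with and without proxy ARP on vlan.0, and an off-subnet /32 such as 1.2.3.4. The topology (SRX vlan.0 at .1 as gateway, EX RVI at .2, EX lo0 at .253 and 1.2.3.4, SRX lo0 at .254), the MAC addresses, and the restricted/unrestricted proxy-ARP rules are assumptions of this model, following Juniper's description of the two modes; the model covers layer-2 resolution and the first routing hop only.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Optional

INCOMPLETE = "00-00-00-00-00-00"   # what `arp -a` shows while a lookup is pending


@dataclass
class Interface:
    name: str
    addr: IPv4Interface
    mac: Optional[str] = None        # lo0 has no MAC: it is never on a wire
    proxy_arp: Optional[str] = None  # None, "restricted" or "unrestricted" (assumed modes)


@dataclass
class Device:
    name: str
    interfaces: list
    default_via: Optional[str] = None  # label for an upstream next hop, e.g. "isp"

    def owns(self, ip: IPv4Address) -> bool:
        return any(i.addr.ip == ip for i in self.interfaces)

    def has_route(self, ip: IPv4Address) -> bool:
        # Each interface network is a direct route, lo0 /32s included; a default covers the rest.
        return self.default_via is not None or any(ip in i.addr.network for i in self.interfaces)

    def answer_arp(self, rx: Interface, target: IPv4Address) -> Optional[str]:
        """MAC to put in the ARP reply sent from rx, or None to stay silent."""
        if target == rx.addr.ip:      # ordinary ARP: only rx's own address answers
            return rx.mac
        if rx.proxy_arp is None or not self.has_route(target):
            return None
        # Assumed restricted-mode rule: never proxy for a target inside the
        # requester's own subnet, which is exactly the overlapping-/32 case.
        if rx.proxy_arp == "restricted" and target in rx.addr.network:
            return None
        return rx.mac                 # proxy reply: frames come to us, we route them


@dataclass
class Lan:
    ports: list  # (Device, Interface) pairs for interfaces on this wire

    def resolve(self, target: IPv4Address) -> Optional[str]:
        """Broadcast 'who has target?' and return the first reply, if any."""
        for dev, itf in self.ports:
            mac = dev.answer_arp(itf, target)
            if mac is not None:
                return mac
        return None

    def owner_of(self, mac: str) -> Device:
        return next(d for d, i in self.ports if i.mac == mac)


@dataclass
class Host:
    addr: IPv4Interface
    gateway: IPv4Address

    def reach(self, lan: Lan, dst: IPv4Address) -> str:
        # On-link targets are ARPed for directly; anything else goes to the gateway.
        nh = dst if dst in self.addr.network else self.gateway
        mac = lan.resolve(nh)
        if mac is None:
            return f"unreachable: ARP entry for {nh} stays {INCOMPLETE}"
        dev = lan.owner_of(mac)
        if dev.owns(dst):
            return f"delivered to {dev.name} via {mac}"
        if dev.default_via is not None:
            return f"forwarded by {dev.name} toward {dev.default_via}"
        return f"dropped by {dev.name}: no route to {dst}"


def build(ex_proxy: Optional[str] = None):
    """Constructed topology: SRX is the LAN gateway, EX has an RVI plus lo0 addresses."""
    srx = Device("SRX-220H", [
        Interface("vlan.0", IPv4Interface("192.168.2.1/24"), mac="00-aa-00-00-00-01"),
        Interface("lo0.0", IPv4Interface("192.168.2.254/32")),
    ], default_via="isp")
    ex = Device("EX-3200", [
        Interface("vlan.0", IPv4Interface("192.168.2.2/24"), mac="00-bb-00-00-00-02",
                  proxy_arp=ex_proxy),
        Interface("lo0.0", IPv4Interface("192.168.2.253/32")),
        Interface("lo0.0", IPv4Interface("1.2.3.4/32")),   # second address on lo0.0
    ])
    lan = Lan([(srx, srx.interfaces[0]), (ex, ex.interfaces[0])])  # only vlan.0 is on the wire
    pc = Host(IPv4Interface("192.168.2.100/24"), IPv4Address("192.168.2.1"))
    return pc, lan


def scenarios() -> dict:
    out = {}
    for mode in (None, "restricted", "unrestricted"):
        pc, lan = build(mode)
        for dst in ("192.168.2.2", "192.168.2.253", "1.2.3.4"):
            out[(mode or "no proxy", dst)] = pc.reach(lan, IPv4Address(dst))
    return out


if __name__ == "__main__":
    for (mode, dst), result in scenarios().items():
        print(f"{mode:12} {dst:14} {result}")
```

Running it shows the three outcomes the post describes: the RVI address is delivered directly, the lo0 /32 in the LAN range stays at an incomplete ARP entry unless the EX proxies for it in unrestricted mode (restricted mode refuses because the target overlaps the requester's subnet), and 1.2.3.4 is never ARPed for at all: the PC hands it to the SRX, which follows its default route toward the ISP, so enabling proxy ARP on the EX changes nothing for that case. Two caveats the model leaves out: unrestricted proxy ARP on a device that also holds a default route answers for every address it can route, so it should be confined to the management use case; and on the SRX, reachability of a management address additionally depends on the zone and host-inbound-traffic settings, which this layer-2 model does not check.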



  • 7.  RE: Frustration using loopback address and unable to access (easy and obvious but I'm missing it)

    Posted 05-11-2012 14:42

    For my OSPF speakers I used a loopback for admin, since any path to that router will get me to the loopback.

     

    For a basic layer 2 switch, I just create an RVI, associate it with a vlan and I am good to go.

     

    In a data center with Top of Rack access switches, you would typically have a management vlan that all your switches would be part of, and each would have an RVI in that vlan. Default route would point to the gateway for that management vlan.