Junos OS

We just configured our J2320 router, but we can't even ping ip addresses on the same network.

version (factory installed): 10.0R3.10

config file snippit (all the rest is basic system settings, no specifics)

however, if we connect the router to the network, we cannot ping another server on the network from the router, and vice versa. However, the mac addresses do show up in the arp listing (both on the router, as on the server).

No firewall or acls are configured. Very basic config.

We are probably going to downgrade to 9.6, and hopefully this will resolve the problem.

Do you have any security zones and policies defined? You should have a single security zone with all your interfaces in it  and a default policy for that zone of permit.

If you are planning on using it as a router, you may want to delete the security section of the config, and put the box into packet-only mode with the follwing commands:

delete security
set security forwarding-options family mpls mode packet-based

If you are planning on using the flow-based services (NAT, firewall, etc.), then I would keep the security stuff in there, and make sure your interfaces are in the correct zone(s), and that you have the correct host-inbound-traffic settings to allow the necessary communications.

Ron

Hi,

Thanks for your messsage, I had the same problem and taking security off worked. If we wanted to use it as a firewall as well, how can we do this?  do you know why if only works when you delete the secuity???

We tried to add a default policy to permit all but that didn't work either. any help appreciated.

thanks

DP

When the router in enabled in flow mode you must create security zones, assign interfaces to them and then create policies for traffic flow. When you put the router into packet mode none of that applies.

If you want to get a quick understanding of how security works in Junos I would recommend the following two guides:

http://www.juniper.net/us/en/community/junos/training-certification/day-one/dynamic-services-series/deploying-srx-series/

http://www.juniper.net/us/en/community/junos/training-certification/day-one/dynamic-services-series/configuring-srx-series/

The first is a "Day One" Guide for the SRX and the second is pretty much the same thing except it covers the use of theJ-Web interface. While there are of course differences between an SRX and a J-series router - the whole zones, policies, NAT concepts all apply - oh yeah and don't forget to read up on "host-inbound-services" so you can manage it while in flow mode...... Have fun!

We have a similar issue with our J2320. We simply want to route from one network to another (segmenting our network). And also have the router forward DHCP requests. We have the router configured as shown below. We can ping the interfaces from the corresponding network, but no traffic is being routed. Do we have to create static routes?

Thanks,

Chris

## Last commit: 2011-10-04 23:42:12 UTC by root
version 10.0R3.10;
system {
    host-name WestDiv;
    root-authentication {
        encrypted-password "";
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.155.1/24;
            }
        }
    }
}
forwarding-options {
    helpers {
        bootp {
            relay-agent-option;
            description Townhallpdc;
            server 192.168.1.11;
            maximum-hop-count 10;
            minimum-wait-time 300;
            client-response-ttl 20;
            interface {
                ge-0/0/1.0;
            }
        }
    }
}
security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
}

Well with the config that you have the only traffic that will move will be traffic from / to the attached local subnets - IE if you have a PC on ge-0/0/0 it will be able to ping a PC on ge-0/0/1 and vice versa but that is it. If you have any other routes "outside" of those two locally attached segments you will need a route to them.

IE - if your Internet is reachable via the 4.0/24 segment than you would want a default route out to the next hop on that segment -

user@host# set routing-options static route 0/0 next-hop 192.168.4.254 (or whatever)

Thanks for the reply. The behavior you descibed is what we are looking for (i.e. the only traffic that will move will be traffic from / to the attached local subnets) since we currently have no connection to the internet and this is the only router on the network. However, it is not working. I'm not sure if there is a problem with the syntax of my config, but nothing is getting through. Any ideas?

Thanks,

Chris.

Chris - I just threw your config onto a J series box. Put a PC on the 4.1 and one on the 155.1 - had no problem pinging from 155.100 (PC) to 4.100 (PC).

If you do > show route 192.168.4.0 do you see it pointing to the ge-0/0/0 IF? and vice versa and can you ping from / to the router to the directly attached PC's?

Again, that config should allow you to ping from any directly connected device on the one segment to any other directly connected device on the other segment. Assuming you also specified the default GW on the connected device.

Hi Kevin,

Here is the output of show route:

Netmin@WaterDiv> show route 192.168.1.0

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[Direct/0] 1d 06:08:00
                    > via ge-0/0/0.0

Netmin@WaterDiv> show route 192.168.155.0

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.155.0/24   *[Direct/0] 1d 06:08:41
                    > via ge-0/0/1.0

That looks OK, and I was also able to ping devices on both networks from the router. I'm new to Juniper, so I'm not familiar with all the syntax, but I was wondering about the interface being ge-0/0/0 versus ge-0/0/0.0?

Thanks,

Chris

Chris - Juniper divides interface properties into physical and logical. so when you refer to ge-0/0/0 you are dealing with the physcial - mtu, speed, duplex, encapsulation.......

ge-0/0/0.X refers to the logical properties - family (ethernet, inet, inet6) ip addressing, vlan tags, firewall filters.

So you can look at and manipulate I/F's at either level depending on what you are doing. Routing obviously operates at the logical.

Your config looks fine and your routes are up. I am clueless as to why you can't get from a PC on the 1.x network to a PC on the 155.x network. Makes no sense - and as I said I dumped the config onto one of my boxes and tested across with no issues. This is basic stuff.

Hi Kevin,

What version are you running on your J series? We are running version 10.0R3.10. Could that make a difference? I'm going to run some more tests today with just the router and two PCs like you did and see what the results are.

Thanks,

Chris

Funnily enough I happen to be running the same code version on that box.

Hi Kevin,

         When I hooked up a PC directly to each port on the J2320 it worked like a champ, just like you had reported with your router. I should have tried that first! D'oh! Anyway, it must be an issue with my 3Com/HP switch. Thanks for all your help.

Chris.

Hi Kevin,

          I had one more question. We are routing between two VLANS (using separate untagged ports). As an experiment, I'd like to try routing tagged traffic. Can that be easily configured? It would be vlan1 on ge-0/0/0 and vlan2 on ge-0/0/1.

         The problem does appear to be with our 3Com switches, but I thought I'd try the tagged vlan as a test.

Thanks,

Chris.

user@host# show interfaces ge-1/0/1 | display set
set interfaces ge-1/0/1 vlan-tagging
set interfaces ge-1/0/1 unit 101 vlan-id 101
set interfaces ge-1/0/1 unit 101 family inet address 1.1.1.1/24

Thanks again, Kevin. Once again the 2320 router is doing what it should. It looks like the 3Com switch is behaving badly.

Chris.

All the more reason to convert 100% to the world of JUNOS -

Just think about a shiny new EX2200 or whatever - all your problems would be solved:)

(Well at least the network related ones)

Thanks!

Although both of you were correct (one solution for packet-mode, the other for flow-mode), I can only select one solution.