Below I have several updates, things I have tried. I have spent about three days on this. I am at a point in my studying where I need to be able to ping loopback interfaces on different routers. I need to get back to my studying and this is taking a very long time. Does anyone out there have experience setting up loopback addresses on routers and being able to ping from other devices in the configured scenario? These are all physical devices that I have.
WHERE I STAND NOW:
I have found that I CAN ping from each router to the loopback of the switch (without even a static route in either router pointing to the loopback's next hop from the router to the switch), but I CAN'T ping from the switch to the loopback of either router, or from either router to the loopback of the other router.
MY CONCLUSION, something (aside from opening up complete TRUST zone of all services and all protocols on both routers) is keeping both routers from responding to PINGs to their LOOPBACK interface.
MAYBE it has something to do with what unit (logical subinterface) I am putting the loopback's address ON? I am using unit 0. AT THE VERY BOTTOM OF THIS POST I PUT THE OUTPUT OF THE LOOPBACK ON R8.
btw: came up with a nice command: show interfaces | match "[gl][eo]0*|address" :: just shows ge and lo interface names and associated addresses.
ORIGINAL:
I am trying to set up a J2350 router with a lo0 interface address 7.7.7.7. So I put
robmin@Junip2350-R7# show | compare
[edit interfaces]
+ lo0 {
+ unit 0 {
+ family inet {
+ address 7.7.7.7/32;
+ }
+ }
+ }
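Review bot: the only stanza touched is [edit interfaces]; nothing under [edit security zones] changes, so lo0.0 receives 7.7.7.7/32 without being listed in any security zone on this router. Review in the same commit whether lo0.0 should be added to the interfaces of a zone whose host-inbound-traffic system-services includes ping, and check the "Security: Zone" field of show interfaces lo0 after committing.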
I am able to ping this address from the router itself #run ping 7.7.7.7 successful
On an EX2200-C switch that is connected to this router the following way:
Switch                                        Router
ge-0/0/0                                      ge-0/0/0
10.20.1.4/24 <------direct cable------------> 10.20.1.3/24
I am able to ping from switch to router using the directly connected address
I am able to ping from router to switch using the directly connected address
I set up a static route on my switch to point to next-hop of 10.20.1.3 so the switch would know to go to that address to get to 7.7.7.7. Here is that config:
robmin@JunipEX22cSW1# show routing-options
static {
    route 0.0.0.0/0 next-hop 10.0.0.1;
    route 240.0.0.8/32 discard;
    route 240.0.0.9/32 reject;
    route 1.1.1.1/32 {
        next-hop 10.40.1.1;
        qualified-next-hop 2.2.2.2 {
            preference 7;
        }
    }
    route 7.7.7.7/32 next-hop 10.20.1.3;
}
My routing table on switch:
0.0.0.0/0          *[Static/5] 6d 19:08:33
                    > to 10.0.0.1 via vlan.50
1.1.1.1/32         *[Static/5] 03:51:58
                    > to 10.40.1.1 via ge-0/0/3.0
7.7.7.7/32         *[Static/5] 00:03:45
                    > to 10.20.1.3 via ge-0/0/0.0
9.9.9.9/32         *[Direct/0] 21:46:38
                    > via lo0.0
10.0.0.0/24        *[Direct/0] 6d 19:08:33
                    > via vlan.50
10.0.0.26/32       *[Local/0] 1w5d 17:11:51
                      Local via vlan.50
10.0.0.144/32      *[Local/0] 2w4d 13:24:14
                      Reject
10.0.0.155/32      *[Local/0] 2w4d 13:23:57
                      Reject
10.10.100.0/23     *[Direct/0] 1d 03:56:58
                    > via vlan.100
10.10.100.246/32   *[Local/0] 2w4d 13:24:07
                      Local via vlan.100
10.20.0.16/32      *[Local/0] 1w3d 20:02:51
                      Reject
10.20.1.0/24       *[Direct/0] 00:03:45
                    > via ge-0/0/0.0
10.20.1.2/32       *[Local/0] 6d 13:33:10
                      Reject
10.20.1.4/32       *[Local/0] 3d 21:52:27
                      Local via ge-0/0/0.0
10.30.0.2/32       *[Local/0] 1w0d 16:46:21
                      Reject
10.40.1.0/24       *[Direct/0] 03:51:58
                    > via ge-0/0/3.0
10.40.1.2/32       *[Local/0] 18:44:43
                      Local via ge-0/0/3.0
224.0.0.5/32       *[OSPF/10] 2w4d 13:24:17, metric 1
                      MultiRecv
But I am not able to ping from the switch to the router's lo0 of 7.7.7.7
I have had no problem setting up multiple Cisco routers with a lo0 address and pinging from my Juniper switch.
If you notice in my static config above, I have a route to 1.1.1.1 via 10.40.1.1. Just like between my switch and my juniper router these two are connected directly from the switch to the router on a direct link. When I ping the Cisco lo0 address of 1.1.1.1 I have success.
Why is this so mysterious on Juniper? I did searches on the internet and found articles on Group Global loopback configurations, and found people instructing to use a Proxy Arp. I did try to configure the Group Global loopback and it still did not work:
robmin@Junip2350-R7# show groups
global {
    interfaces {
        lo0 {
            unit 0 {
                family inet {
                    address 7.7.7.7/32 {
                        preferred;
                    }
                    address 127.0.0.1/32;
                }
            }
        }
    }
}
THIS still resulted in not being able to ping this loopback address from the Juniper switch.
Why would this be so hard to make work?
Does anyone know what is required to set up a Juniper Router with a simple loopback address that matches the physical router in my lab (i.e. This Juniper router is my 7th router so I want the loopback address to be 7.7.7.7)?
Any light shed on this subject is much appreciated!
robin hood
Switch config: (after this is the router config)
robmin@JunipEX22cSW1# run show configuration | no-more
## Last commit: 2015-05-22 10:24:30 PDT by robmin
version 12.3R9.4;
groups {
MYGROUP {
interfaces {
<ge-*> {
traps;
}
}
}
ACCESS-PORT {
interfaces {
<ge-*> {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
}
}
JUMBO {
interfaces {
"<[gx]e-*>" {
mtu 9000;
}
}
}
}
/* I am watching the system uptime to see how accuarate the internal clock is. I reset the time on 5-2-2015, 7:10pm */
system {
host-name JunipEX22cSW1;
domain-name rhcrco.int;
time-zone America/Los_Angeles;
root-authentication {
encrypted-password "$1$.Kwy3nB8$IHVTgcWgqqjRo97tjOorj1"; ## SECRET-DATA
}
name-server {
8.8.8.8;
75.75.75.75;
8.8.4.4;
10.0.0.1;
}
login {
class MyCustomClass {
permissions view-configuration;
allow-commands "show configuration";
}
user MyCustomUser {
uid 2002;
class MyCustomClass;
authentication {
encrypted-password "$1$cFcLmPXI$nZC3NQZtv0WztFUTwreaa1"; ## SECRET-DATA
}
}
user robin {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$l0Uh4pQW$3VadaIK6OMZ6.eWSN4p6/."; ## SECRET-DATA
}
}
user robmin {
full-name "Robin Hood";
uid 2001;
class super-user;
authentication {
encrypted-password "$1$zES4Qia2$cw0t/MQzx.7nJu2zcnQcF0"; ## SECRET-DATA
}
}
}
static-host-mapping {
bumpkin1 inet 10.0.0.155;
host inet 10.0.0.155;
bumpkin1.rhcrco.int inet 10.0.0.155;
}
services {
ssh;
telnet;
web-management {
https {
system-generated-certificate;
interface vlan.100;
}
}
dhcp {
traceoptions {
file dhcp_logfile;
level all;
flag all;
}
}
}
/* user keyword sends syslog info to ssh or telnet session */
syslog {
user * {
any emergency;
}
user robmin {
conflict-log any;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
file AUTH-INFO {
authorization info;
}
file INTERACTIVE-COMMANDS {
interactive-commands any;
}
file CONFIG-CHANGES {
change-log info;
}
console {
any emergency;
}
}
ntp {
boot-server 216.218.254.202;
server 129.6.15.30;
}
}
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
auto-image-upgrade;
}
interfaces {
traceoptions {
file INT-TRACE size 128k files 10;
}
interface-range MYRANGE {
member-range ge-0/0/1 to ge-0/0/5;
}
ge-0/0/0 {
traps;
unit 0 {
description "Hi Robin, Is anyone going to need your skills?";
family inet {
address 10.20.1.4/24;
}
}
}
ge-0/0/1 {
unit 0 {
description "Connection to Cisco 3620 fa0/1 10.20.1.1";
family inet {
address 10.20.1.2/24;
}
}
}
ge-0/0/2 {
unit 0 {
description "Connection to user/device 10.0.0.13/24";
family ethernet-switching {
port-mode access;
vlan {
members v50end-devices;
}
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 10.40.1.2/24;
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members v100;
}
}
}
}
ge-0/0/6 {
traceoptions {
flag event;
flag media;
}
unit 0 {
description "Connection to user/device 10.0.0.x/24 via VLAN 50";
family ethernet-switching {
port-mode access;
vlan {
members v50end-devices;
}
}
}
}
ge-0/0/7 {
apply-groups [ ACCESS-PORT JUMBO ];
unit 0 {
family ethernet-switching;
}
}
ge-0/0/8 {
unit 0 {
description "Connecton to Future Juniper Switch";
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/0/9 {
unit 0 {
description "Connection to Future Cisco Switch";
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/0/10 {
unit 0 {
family inet {
address 10.0.0.155/24;
}
}
}
ge-0/0/11 {
unit 0 {
description "Connection to USB-Ethernet then to MacBookAir 10.10.100.246/23";
family ethernet-switching {
port-mode access;
vlan {
members v100;
}
}
}
}
ge-0/1/0 {
unit 0 {
description "Connection to Comcast Modem 10.0.0.26/24";
family ethernet-switching {
port-mode access;
vlan {
members v50end-devices;
}
}
}
}
ge-0/1/1 {
unit 0 {
description "Connection to Cisco 3620 fa0/0 10.30.0.1";
family inet {
address 10.30.0.2/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 9.9.9.9/32;
}
}
}
me0 {
unit 0 {
family inet {
address 10.0.0.144/24;
}
}
}
vlan {
unit 0 {
family inet {
dhcp {
vendor-id Juniper-ex2200-c-12p-2g;
}
}
}
unit 2 {
family inet {
address 10.20.0.16/24 {
broadcast 10.20.0.255;
}
}
}
unit 50 {
family inet {
address 10.0.0.26/24;
}
}
unit 100 {
family inet {
address 10.10.100.246/23;
}
}
}
}
snmp {
name "snmp MyMatrix";
description "MyMatrix switch";
location "Marci's House or My House";
contact "rhcrco@hotmail.com";
community public {
authorization read-only;
clients {
10.0.0.0/24;
10.10.100.0/23;
192.168.14.0/24;
}
}
community RHCRCO {
authorization read-only;
clients {
10.0.0.0/24;
10.10.100.0/23;
192.168.14.0/24;
}
}
trap-group MM-traps {
version v2;
destination-port 155;
categories {
chassis;
link;
routing;
}
targets {
10.0.0.2;
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.0.0.1;
route 240.0.0.8/32 discard;
route 240.0.0.9/32 reject;
route 1.1.1.1/32 {
next-hop 10.40.1.1;
qualified-next-hop 2.2.2.2 {
preference 7;
}
}
route 7.7.7.7/32 next-hop 10.20.1.3;
}
}
protocols {
##
## Warning: requires 'ospf2' license
##
ospf {
export MYDEFAULT;
/* See if I could add this without the license upgrade */
area 0.0.0.0 {
interface ge-0/0/11.0;
interface ge-0/1/1.0;
interface ge-0/0/1.0;
interface ge-0/0/2.0 {
passive;
}
}
}
igmp-snooping {
vlan all;
}
rstp;
lldp {
interface all;
}
lldp-med {
interface all;
}
}
policy-options {
prefix-list MyNets {
10.0.0.0/24;
10.10.100.0/23;
10.20.0.0/24;
10.30.1.0/24;
}
policy-statement MYDEFAULT {
term ZEROZERO {
from {
protocol static;
route-filter 0.0.0.0/0 exact;
}
then accept;
}
}
policy-statement MYPOLICY1 {
term fromR1 {
from {
protocol rip;
neighbor 10.30.1.1;
}
then {
preference subtract 1;
accept;
}
}
term FROMR2 {
from {
neighbor 1;
area 0.0.0.0;
}
then reject;
}
term MY_ROUTE_FILTER1 {
from {
family inet;
interface ge-0/0/4.0;
route-filter 10.20.1.1/32 address-mask 255.255.255.0;
}
then {
tag add 5;
origin igp;
}
}
term MY_PREFIX-LIST {
then {
load-balance per-packet;
}
}
}
}
firewall {
family inet {
filter MedImgGuest {
term 1 {
from {
protocol udp;
destination-port [ bootpc bootps ];
}
then accept;
}
term 2 {
from {
destination-address {
8.8.8.8/32;
}
protocol udp;
destination-port domain;
}
then accept;
}
term 3 {
from {
destination-address {
8.8.4.4/32;
}
protocol udp;
destination-port domain;
}
then accept;
}
term 4 {
from {
destination-address {
192.168.0.0/16;
}
}
then {
reject;
}
}
term 5 {
from {
destination-address {
172.16.0.0/12;
}
}
then {
reject;
}
}
term 6 {
from {
destination-address {
10.0.0.0/8;
}
}
then accept;
}
term 7 {
from {
protocol tcp;
destination-port [ http https ];
}
then accept;
}
term FINAL {
then {
count accept_good_trafic_1;
log;
reject;
}
}
}
filter MedImgVendor {
term 1 {
from {
protocol udp;
destination-port [ bootpc bootps ];
}
then accept;
}
term 2 {
from {
destination-address {
10.10.100.245/32;
}
protocol udp;
destination-port domain;
}
then accept;
}
term 3 {
from {
destination-address {
192.168.0.0/16;
}
}
then {
reject;
}
}
term 4 {
from {
destination-address {
172.16.0.0/12;
}
}
then {
reject;
}
}
term 5 {
from {
destination-address {
10.0.0.0/8;
}
}
then accept;
}
term 6 {
from {
protocol tcp;
destination-port [ http https ];
}
then accept;
}
term FINAL {
then {
count Vendor_stuff_in_2;
log;
reject;
}
}
}
filter limit-ssh-access {
term ssh-accept {
from {
source-prefix-list {
MyNets;
}
protocol tcp;
destination-port ssh;
}
then accept;
}
term ssh-reject {
from {
protocol tcp;
destination-port ssh;
}
then {
discard;
}
}
term else-accept {
then accept;
}
}
filter rate-limit-subnet {
term Match-Subnet {
from {
source-address {
7.7.7.7/32;
}
}
then {
policer Pol1;
count LoopPings;
log;
accept;
}
}
term else-accept {
then accept;
}
}
}
policer Pol1 {
if-exceeding {
bandwidth-limit 100k;
burst-size-limit 1500;
}
then discard;
}
}
ethernet-switching-options {
storm-control {
interface all;
}
}
vlans {
default {
l3-interface vlan.0;
}
v100 {
vlan-id 100;
l3-interface vlan.100;
}
v2 {
vlan-id 2;
l3-interface vlan.2;
}
v50end-devices {
vlan-id 50;
l3-interface vlan.50;
}
}
poe {
interface all;
}
{master:0}[edit]
robmin@JunipEX22cSW1#
ROUTER CONFIG:
robmin@Junip2350-R7# run show configuration | no-more
## Last commit: 2004-05-03 23:28:34 UTC by robmin
version 9.6R2.11;
groups {
    global {
        interfaces {
            lo0 {
                unit 0 {
                    family inet {
                        address 7.7.7.7/32 {
                            preferred;
                        }
                        address 127.0.0.1/32;
                    }
                }
            }
        }
    }
}
system {
    host-name Junip3520-R7;
    domain-name rhcrco.ini;
    root-authentication {
        encrypted-password "$1$32F5yw2X$Qm1RFT2isv2j5Zeteu0Ax."; ## SECRET-DATA
    }
    name-server {
        10.0.0.1;
        8.8.8.8;
    }
    login {
        user robmin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$ZMWfXsf1$1Ox1Uv9Va8Wx4gELPFiz0/"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.20.1.3/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 7.7.7.7/32;
            }
        }
    }
}
snmp {
    community MYCOMMUNITY {
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.20.1.4;
        route 1.1.1.1/32 next-hop 10.20.1.4;
    }
}
security {
    zones {
        security-zone PUBLIC {
            host-inbound-traffic {
                system-services {
                    telnet;
                    ssh;
                    http;
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
[edit]
robmin@Junip2350-R7#
UPDATE UPDATE UPDATE
Decided to try pinging from J2350 to J2350 instead of going through my EX2200-C Switch and a console session. This required me to configure a link between the two routers directly. Before I just had each router connected to my switch and was doing one telnet to one switch (or ssh at times) and console port to other router and this was how I was trying to test the pinging to loopback addresses of routers from the switch.
So now that I have the two routers connected directly I CAN'T EVEN PING THE OPPOSITE INTERFACE ON THE DIRECT LINK.
ON R7 I have
security-zone TRUST {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
        ge-0/0/3.0;
        lo0.0;
    }
}
UPDATE UPDATE UPDATE UPDATE
Added same security zone information of TRUST zone on other router and now I can ping directly from router to router both ways, BUT STILL CAN'T PING THE lo0 on either. What am I missing about security on a router or anything else?
THANKS,
robin hood
R8 LOOPBACK
run show interfaces lo0
Physical interface: lo0, Enabled, Physical link is Up
Interface index: 6, SNMP ifIndex: 6
Type: Loopback, MTU: Unlimited
Device flags : Present Running Loopback
Interface flags: SNMP-Traps
Link flags : None
Last flapped : Never
Input packets : 3263
Output packets: 3263
Logical interface lo0.0 (Index 66) (SNMP ifIndex 16)
Flags: SNMP-Traps Encapsulation: Unspecified
Input packets : 0
Output packets: 0
Security: Zone: TRUST
Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
ntp sip r2cp
Protocol inet, MTU: Unlimited
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Primary Preferred Is-Default Is-Primary
Local: 18.18.18.18
Logical interface lo0.16384 (Index 65) (SNMP ifIndex 21)
Flags: SNMP-Traps Encapsulation: Unspecified
Input packets : 0
Output packets: 0
Security: Zone: Null
Protocol inet, MTU: Unlimited
Flags: None
Addresses
Local: 127.0.0.1
Logical interface lo0.16385 (Index 67) (SNMP ifIndex 22)
Flags: SNMP-Traps Encapsulation: Unspecified
Input packets : 3263
Output packets: 3263
Security: Zone: Null
Protocol inet, MTU: Unlimited
Flags: None
Addresses, Flags: Is-Default Is-Primary
Local: 10.0.0.1
Addresses
Local: 10.0.0.16
Addresses
Local: 128.0.0.1
Addresses
Local: 128.0.0.4
Addresses
Local: 128.0.1.16
Logical interface lo0.32768 (Index 64) (SNMP ifIndex 248)
Flags: Encapsulation: Unspecified
Input packets : 0
Output packets: 0
Security: Zone: Null
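
Added example, not part of the original post: a small Python audit that parses a saved brace-style Junos configuration and reports, for each logical interface with family inet, which security zone lists it and whether ping is in that zone's host-inbound system-services. The sample input is constructed by trimming the R7 configuration quoted above; the function names are assumptions, and apply-groups inheritance is not resolved.

```python
import re
# Constructed sample, trimmed from the R7 configuration quoted in the post.
SAMPLE = """
interfaces {
    ge-0/0/0 { unit 0 { family inet { address 10.20.1.3/24; } } }
    lo0 { unit 0 { family inet { address 7.7.7.7/32; } } }
}
security { zones { security-zone PUBLIC {
    host-inbound-traffic { system-services { telnet; ssh; http; ping; } }
    interfaces { ge-0/0/0.0; }
} } }
"""

def parse(text):
    """Brace-style Junos config -> nested dicts (leaf statements map to None)."""
    text = re.sub(r'##[^\n]*|/\*.*?\*/', '', text, flags=re.S)  # strip comments
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok not in ('{', '}', ';'):
            words.append(tok)
            continue
        key, words = ' '.join(words), []
        if tok == '{':
            stack.append(stack[-1].get(key) or {})
            stack[-2][key] = stack[-1]
        elif tok == ';':
            stack[-1][key] = None
        elif len(stack) > 1:
            stack.pop()
    return stack[0]

def allows_ping(node):  # True/False, or None when node has no system-services list
    svc = ((node or {}).get('host-inbound-traffic') or {}).get('system-services')
    return None if svc is None else any(s in svc for s in ('ping', 'all', 'any-service'))

def zone_report(cfg):
    """Map each family-inet logical interface to (zone or None, ping allowed)."""
    bound, report = {}, {}
    for key, zone in ((cfg.get('security') or {}).get('zones') or {}).items():
        for ifl, own in ((zone or {}).get('interfaces') or {}).items():
            ping = allows_ping(own)  # a per-interface stanza overrides the zone's
            ping = allows_ping(zone) if ping is None else ping
            bound[ifl] = (key.split()[-1], bool(ping))
    for ifd, body in (cfg.get('interfaces') or {}).items():
        for key, unit in (body or {}).items():
            if key.startswith('unit ') and 'family inet' in (unit or {}):
                ifl = f"{ifd}.{key.split()[1]}"
                report[ifl] = bound.get(ifl, (None, False))
    return report
```

On the sample, `zone_report(parse(SAMPLE))` shows ge-0/0/0.0 in PUBLIC with ping allowed and lo0.0 listed in no zone.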