Routing

  • 1.  routing-instances ospf

    Posted 03-11-2011 02:51

    Hi all,

    I want to have totally separated virtual routers on SRX (packet mode) and an EX4200 virtual chassis: instances inet.0 and mgmt.inet.0. See the picture. I have OSPF running on inet.0 with no problem. The problem is that I don't see any OSPF neighbor in mgmt.inet.0, not even in Init or 2Way state. No Hello packets are received.

    On sw-dcd-vc, ge-0/0/13 and ge-1/0/13 go to another router that is not mentioned here.

    Question: Is it possible to have virtual routers all across the network with 2 routing instances and OSPF running on them separately, without any rib-groups or export between routing tables/instances?


    # inet.0 - OK:

    {master:2}[edit]
    admin@sw-dcd-vc# run show ospf neighbor 
    Address          Interface              State     ID               Pri  Dead
    x.x.x.x   vlan.40                Full      y.y.y.y   128    32
    x.x.x.x   vlan.46                Full      y.y.y.y   128    38
    x.x.x.x   vlan.47                Full      y.y.y.y   128    34
    x.x.x.x   vlan.54                Full      y.y.y.y   128    35

     

    # mgmt.inet.0 - :(

    {master:2}[edit]
    admin@sw-dcd-vc# run show ospf neighbor instance mgmt 
    
    {master:2}[edit]
    admin@sw-dcd-vc# 

     

     

    {master:2}[edit]
    admin@sw-dcd-vc# run show ospf statistics instance mgmt 
    
    Packet type             Total                  Last 5 seconds
                       Sent      Received        Sent      Received
       Hello          31808             0           0             0
         DbD              0             0           0             0
       LSReq              0             0           0             0
    LSUpdate              0             0           0             0
       LSAck              0             0           0             0
    
    DBDs retransmitted     :                    0, last 5 seconds :          0
    LSAs flooded           :                    0, last 5 seconds :          0
    LSAs flooded high-prio :                    0, last 5 seconds :          0
    LSAs retransmitted     :                    0, last 5 seconds :          0
    LSAs transmitted to nbr:                    0, last 5 seconds :          0
    LSAs requested         :                    0, last 5 seconds :          0
    LSAs acknowledged      :                    0, last 5 seconds :          0
    
    Flood queue depth      :               0
    Total rexmit entries   :               0
    db summaries           :               0
    lsreq entries          :               0
    
    Receive errors:
      None              
    
    

     

    admin@sw-dcd-vc# run show route instance mgmt                                 
    Instance             Type
             Primary RIB                                     Active/holddown/hidden
    mgmt                 virtual-router 
             mgmt.inet.0                                     11/0/0
    
    

     

     

     

    {master:2}[edit]
    admin@sw-dcd-vc# show routing-instances 
    mgmt {
        instance-type virtual-router;
        interface ge-0/0/12.0;
        interface ge-0/0/13.0;
        interface ge-1/0/12.0;
        interface ge-1/0/13.0;
        interface vlan.1300;
        routing-options {
            router-id 192.168.12.1;
        }
        protocols {
            ospf {
                # export all-local;
                area 0.0.0.0 {
                    interface vlan.1300 {
                        passive;
                    }
                    interface ge-0/0/12.0;
                    interface ge-1/0/12.0;
                    interface ge-0/0/13.0;
                    interface ge-1/0/13.0;
                }
            }
        }               
    }

     

     

     

     

    {master:2}[edit]
    admin@sw-dcd-vc# run show route table mgmt   
    
    mgmt.inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.13.0/30    *[Direct/0] 20:14:27
                        > via vlan.1300
    192.168.13.1/32    *[Local/0] 20:14:27
                          Local via vlan.1300
    192.168.13.4/30    *[Direct/0] 18:54:22
                        > via ge-0/0/13.0
    192.168.13.5/32    *[Local/0] 18:54:22
                          Local via ge-0/0/13.0
    192.168.13.8/30    *[Direct/0] 18:50:56
                        > via ge-1/0/13.0
    192.168.13.9/32    *[Local/0] 19:01:16
                          Local via ge-1/0/13.0
    192.168.13.12/30   *[Direct/0] 19:39:43
                        > via ge-0/0/12.0
    192.168.13.13/32   *[Local/0] 19:39:43
                          Local via ge-0/0/12.0
    192.168.13.16/30   *[Direct/0] 19:39:43
                        > via ge-1/0/12.0
    192.168.13.17/32   *[Local/0] 19:39:43
                          Local via ge-1/0/12.0
    224.0.0.5/32       *[OSPF/10] 20:14:29, metric 1
                          MultiRecv

     

     

     

     

    {master:2}[edit]
    admin@sw-dcd-vc# show interfaces ge-0/0/12 |display inheritance    
    description "to core-dcd-srx0 ge-0/0/0";
    unit 0 {
        family inet {
            address 192.168.13.13/30;
        }
    }
    
    {master:2}[edit]
    admin@sw-dcd-vc# show interfaces ge-1/0/12 |display inheritance    
    description "to core-dcd-srx1 ge-0/0/1";
    unit 0 {
        family inet {
            address 192.168.13.17/30;
        }
    }

     

     

    {master:2}[edit]
    admin@sw-dcd-vc# run show interfaces ge-0/0/12    
    Physical interface: ge-0/0/12, Enabled, Physical link is Up
      Interface index: 179, SNMP ifIndex: 526
      Description: to core-dcd-srx0 ge-0/0/0
      Link-level type: Ethernet, MTU: 1514, Speed: Auto, Duplex: Auto,
      BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
      Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
      Remote fault: Online
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Link flags     : None
      CoS queues     : 8 supported, 8 maximum usable queues
      Current address: 2c:6b:f5:cc:ab:0c, Hardware address: 2c:6b:f5:cc:ab:0c
      Last flapped   : 2011-03-10 15:25:41 CET (20:10:38 ago)
      Input rate     : 0 bps (0 pps)
      Output rate    : 0 bps (0 pps)
      Active alarms  : None
      Active defects : None
    
      Logical interface ge-0/0/12.0 (Index 140) (SNMP ifIndex 172) 
        Flags: SNMP-Traps 0x0 Encapsulation: ENET2
        Input packets : 8241 
        Output packets: 32913
        Protocol inet
          Flags: Is-Primary
          Addresses, Flags: Is-Default Is-Preferred Is-Primary
            Destination: 192.168.13.12/30, Local: 192.168.13.13,
            Broadcast: 192.168.13.15

     

     

     

    ############

     

     

    kxadm@core-dcd-srx0# run show ospf neighbor instance mgmt 
    
    [edit]
    kxadm@core-dcd-srx0# 
    
    

     

    kxadm@core-dcd-srx0# run show ospf neighbor 
    Address   Interface              State    ID        Pri  Dead
    x.x.x.x   ae1.42                 Full     x.x.x.x   128    35
    x.x.x.x   ae1.43                 Full     x.x.x.x   128    36
    x.x.x.x   ae1.46                 Full     x.x.x.x   128    36
    x.x.x.x   ae1.48                 Full     x.x.x.x   128    38
    x.x.x.x   ae1.49                 Full     x.x.x.x   128    39
    
    

     

    [edit]
    kxadm@core-dcd-srx0# run show ospf statistics instance mgmt 
    
    Packet type             Total                  Last 5 seconds
                       Sent      Received        Sent      Received
       Hello          16668             0           1             0
         DbD              0             0           0             0
       LSReq              0             0           0             0
    LSUpdate              0             0           0             0
       LSAck              0             0           0             0
    
    DBDs retransmitted     :                    0, last 5 seconds :          0
    LSAs flooded           :                    0, last 5 seconds :          0
    LSAs flooded high-prio :                    0, last 5 seconds :          0
    LSAs retransmitted     :                    0, last 5 seconds :          0
    LSAs transmitted to nbr:                    0, last 5 seconds :          0
    LSAs requested         :                    0, last 5 seconds :          0
    LSAs acknowledged      :                    0, last 5 seconds :          0
    
    Flood queue depth      :               0
    Total rexmit entries   :               0
    db summaries           :               0
    lsreq entries          :               0
    
    Receive errors:
      None

     

     

     

    [edit]
    kxadm@core-dcd-srx0# run show route instance mgmt 
    Instance             Type
             Primary RIB                                     Active/holddown/hidden
    mgmt                 virtual-router 
             mgmt.inet.0                                     7/0/0
    
    [edit]
    kxadm@core-dcd-srx0# run show route table mgmt       
    
    mgmt.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.13.12/30   *[Direct/0] 20:02:03
                        > via ge-0/0/0.0
    192.168.13.14/32   *[Local/0] 20:02:03
                          Local via ge-0/0/0.0
    192.168.13.16/30   *[Direct/0] 20:02:03
                        > via ge-0/0/1.0
    192.168.13.18/32   *[Local/0] 20:02:03
                          Local via ge-0/0/1.0
    192.168.32.0/24    *[Direct/0] 02:53:37
                        > via ae1.1332
    192.168.32.1/32    *[Local/0] 02:53:38
                          Local via ae1.1332
    224.0.0.5/32       *[OSPF/10] 20:20:44, metric 1
                          MultiRecv
    
    

     

     

     

     

    kxadm@core-dcd-srx0# show routing-instances mgmt 
    instance-type virtual-router;
    interface ge-0/0/0.0;
    interface ge-0/0/1.0;
    interface ae1.1332;
    routing-options {
        router-id 192.168.12.2;
    }
    protocols {
        ospf {
            export all-local;
            area 0.0.0.0 {
                interface ge-0/0/0.0;
                interface ge-0/0/1.0;
                interface ae1.1332 {
                    passive;
                }
            }
        }
    }

     

    kxadm@core-dcd-srx0# show interfaces ae1 
    per-unit-scheduler;
    vlan-tagging;
    mtu 1600;
    aggregated-ether-options {
        minimum-links 1;
        link-speed 1g;
        lacp {
            active;
        }
    }
    unit 1332 {
        vlan-id 1332;
        family inet {
            address 192.168.32.1/24;
        }
    }
    
    [edit]
    kxadm@core-dcd-srx0# show interfaces ge-0/0/0  
    description "to sw-dcd-vc ge-0/0/12";
    unit 0 {
        family inet {
            address 192.168.13.14/30;
        }
    }
    
    [edit]
    kxadm@core-dcd-srx0# show interfaces ge-0/0/1    
    description "to sw-dcd-vc ge-1/0/12";
    unit 0 {
        family inet {
            address 192.168.13.18/30;
        }
    }
    
    

     

     

     

    [edit]
    kxadm@core-dcd-srx0# run show interfaces ge-0/0/0          
    Physical interface: ge-0/0/0, Enabled, Physical link is Up
      Interface index: 138, SNMP ifIndex: 511
      Description: to sw-dcd-vc ge-0/0/12
      Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
      Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Link flags     : None
      CoS queues     : 8 supported, 8 maximum usable queues
      Current address: 80:71:1f:b0:61:00, Hardware address: 80:71:1f:b0:61:00
      Last flapped   : 2011-03-10 15:25:44 CET (20:09:53 ago)
      Input rate     : 248 bps (0 pps)
      Output rate    : 0 bps (0 pps)
      Active alarms  : None
      Active defects : None
    
      Logical interface ge-0/0/0.0 (Index 75) (SNMP ifIndex 606) 
        Flags: SNMP-Traps Encapsulation: ENET2
        Input packets : 8239 
        Output packets: 8322
        Security: Zone: trust
        Protocol inet, MTU: 1500
          Flags: Sendbcast-pkt-to-re, Is-Primary
          Addresses, Flags: Is-Default Is-Preferred Is-Primary
            Destination: 192.168.13.12/30, Local: 192.168.13.14, Broadcast: 192.168.13.15

    #############

     

     

     

    [edit]
    kxadm@core-dcd-srx0# run ping 192.168.13.13 routing-instance mgmt    
    PING 192.168.13.13 (192.168.13.13): 56 data bytes
    64 bytes from 192.168.13.13: icmp_seq=0 ttl=64 time=9.323 ms
    64 bytes from 192.168.13.13: icmp_seq=1 ttl=64 time=1.270 ms
    64 bytes from 192.168.13.13: icmp_seq=2 ttl=64 time=3.295 ms
    ^C
    --- 192.168.13.13 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.270/4.629/9.323/3.420 ms

     

     

     

    Awaiting any comments :)

     

     



  • 2.  RE: routing-instances ospf
    Best Answer

    Posted 03-11-2011 11:01

     Hello there,

    Do you have a filter applied on lo0.0?

    http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-vpns/vpns-configuring-logical-units-on-the-loopback-interface-for-routing-instances-in-layer-3-vpns.html#id-10956637

     

     

    If you configure Filter A on the default loopback interface but do not even configure a VRF loopback interface, the VRF routing instance uses Filter A.

     

     

    This is also true for virtual-routers.

    HTH

    Rgds

    Alex

     



  • 3.  RE: routing-instances ospf

    Posted 03-14-2011 00:10

    Looks like you solved my problem.

    I hadn't configured lo0.1 for the new routing instance, but I have lo0.0 from inet.0 with a firewall filter on it - allow OSPF only from certain IPs.

    I committed it on core-dcd-srx0, and now I see a neighbor.

     

     

    kxadm@core-dcd-srx0> show ospf neighbor instance mgmt             
    Address          Interface              State     ID               Pri  Dead
    192.168.13.13    ge-0/0/0.0             Init      x.x.x.x # still public ip... 128    36
    192.168.13.17    ge-0/0/1.0             Init      x.x.x.x # ...another side not commited   128    36

    Unfortunately the commit caused a little outage, so I will commit the other side(s) at another time.

     



  • 4.  RE: routing-instances ospf

    Posted 03-14-2011 09:18

    Glad to help.

    Please accept my solution for the benefit of others.

    <=== Also, there is a little star to the left for kudos, BTW



  • 5.  RE: routing-instances ospf

    Posted 03-15-2011 02:08

    Sorry for not understanding the problem completely. I still have one issue with this.

    I already committed the other side(s) and have lo0.1 in instance mgmt.inet.0, and have lo0.0 in inet.0 with a firewall filter allowing OSPF, and the last term is allow. On lo0.1 there is no firewall filter. But I don't see OSPF packets going to the routing instance and also don't see any neighbor. The other side is in Init state. (last four "Insert Code" paragraphs)

    As you mentioned the URL, I have this scenario:

    • If you configure Filter A on the default loopback interface but do not configure a filter on the VRF loopback interface, the VRF routing instance does not use a filter.

    So I tried to replace the last term on lo0.0 from deny to accept all, and it works well. The same goes for adding to prefix-list pref-my-neighbor.

    Am I missing something? What is the behavior if I don't have lo0.0 configured in the default routing instance, but only lo0.1 in the mgmt instance?

     

     

    admin@sw-dcd-vc# show firewall family inet filter f-fw-re-protection
    term allow-icmp {
        from {
            protocol icmp;
            icmp-type [ echo-request echo-reply unreachable time-exceeded ];
        }
        then accept;
    }
    term allow-ntp {
        from {
            source-prefix-list {
                pref-kxnet-domino-list;
            }
            protocol udp;
            source-port 123;
        }
        then accept;
    }
    term allow-traceroute {
        from {
            protocol udp;
            destination-port 33434-33534;
        }
        then accept;
    }
    term allow-ssh-access {
        from {
            source-prefix-list {
                pref-kxnet-management;
            }
            protocol tcp;
            destination-port ssh;
        }
        then accept;
    }
    term allow-web-access {
        from {
            source-prefix-list {
                pref-kxnet-management;
            }
            protocol tcp;
            destination-port [ http https ];
        }
        then accept;
    }
    term allow-snmp-access {
        from {
            source-prefix-list {
                pref-kxnet-management;
            }
            protocol udp;
            destination-port snmp;
        }
        then accept;
    }
    term allow-bfd-communication {
        from {
            source-prefix-list {
                pref-my-neighbours;
            }
            protocol udp;
            destination-port 3784;
        }
        then accept;
    }
    term system-protocols {
        from {
            source-prefix-list {
                pref-my-neighbours;
            }
            protocol ospf;
        }
        then accept;
    }
    term tcp-established {
        from {
            protocol tcp;
            destination-port 1025-65535;
        }
        then accept;
    }
    term udp-established {
        from {
            protocol udp;
            destination-port 1025-65535;
        }
        then accept;
    }
    term default-discard {
        then {
            count c-re-DIN;
            discard; # ... this to accept;
        }
    }

    ... after changing discard to accept, it works. I also tried adding addresses to prefix-list pref-my-neighbours ... again, it works.

     

    admin@sw-dcd-vc# show interfaces lo0 
    unit 0 {
        family inet {
            filter {
                input f-fw-re-protection;
            }
            address x.x.x.x/32 {
                primary;
            }
            address 127.0.0.1/32;
        }
        family inet6 {
            ##
            ## Warning: configuration block ignored: unsupported platform (ex4200-24f)
            ##
            filter {
                input f-fw-deny-ipv6; ## reference 'f-fw-deny-ipv6' not found
            }
        }
    }
    unit 1 {
        family inet {
            address 192.168.12.1/32;
        }
    }

     

     

     

    admin@sw-dcd-vc# show routing-instances 
    mgmt {
        instance-type virtual-router;
        interface ge-0/0/13.0;
        interface ge-1/0/13.0;
        interface lo0.1;
        interface vlan.1300;
        interface vlan.3204;
        interface vlan.3212;
        interface vlan.3213;
        interface vlan.3220;
        interface vlan.3303;
        routing-options {
            router-id 192.168.12.1;
            inactive: instance-import accept-from-inet.0;
        }
        protocols {
            ospf {
                inactive: rib-group mgmt-to-inet;
                export all-local;
                area 0.0.0.0 {
                    interface vlan.1300 {
                        passive;
                    }
                    interface ge-0/0/13.0;
                    interface ge-1/0/13.0;
                    interface lo0.1 {
                        passive;
                    }
                    interface vlan.3204;
                    interface vlan.3220 {
                        passive;
                    }
                    interface vlan.3303;
                    interface vlan.3212;
                    interface vlan.3213;
                }
            }
        }
    }

     

    I also tried to create a new input filter on lo0.1 with only 1 term ... then accept; but it didn't work.

     

     

     

    Another side:

     

     

    admin@sw-sol-jas# show interfaces lo0 
    unit 1 {
        family inet {
            address 192.168.12.5/32;
        }
    }

     

    admin@sw-sol-jas# show routing-instances 
    mgmt {
        instance-type virtual-router;
        interface lo0.1;
        interface vlan.3303;
        routing-options {
            router-id 192.168.12.5;
        }
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface vlan.3303;
                    interface lo0.1 {
                        passive;
                    }
                }
            }
        }
    }

     

     

     

     

    ... bad:

     

    admin@sw-sol-jas# run show ospf neighbor instance mgmt    
    Address          Interface              State     ID               Pri  Dead
    10.33.3.1        vlan.3303              Init      192.168.12.1     128    34
    
    

     

    {master:2}[edit]
    admin@sw-dcd-vc# run show ospf neighbor instance mgmt    
    
    {master:2}[edit]
    admin@sw-dcd-vc# 

     

     

     

    ... good:

     

    admin@sw-sol-jas# run show ospf neighbor instance mgmt    
    Address          Interface              State     ID               Pri  Dead
    10.33.3.1        vlan.3303              Full      192.168.12.1     128    38

     

     

     

    {master:2}[edit]
    admin@sw-dcd-vc# run show ospf neighbor instance mgmt    
    Address          Interface              State     ID               Pri  Dead
    10.32.1.2        ge-0/0/13.0            Full      192.168.12.3     128    36
    10.32.1.6        ge-1/0/13.0            Full      192.168.12.3     128    33
    10.32.1.10       vlan.3204              Init      192.168.12.6     128    34
    10.32.1.42       vlan.3212              Full      192.168.12.2     128    32
    10.32.1.46       vlan.3213              Full      192.168.12.2     128    30
    10.33.3.2        vlan.3303              Full      192.168.12.5     128    33

     

     

    I have this problem only on the two EX4200s, with the lo0.0 interface with firewall filter configured first (lo0.0 and lo0.1).

    I don't have this on the SRX650 - packet or flow mode (lo0.0 and lo0.1):

     

     

    kxadm@core-dcd-srx0> show configuration interfaces lo0 
    unit 0 {
        family inet {
            filter {
                input f-fw-re-protection;
            }
            address x.x.x.x/32 {
                primary;
            }
            address 127.0.0.1/32;
        }
        family inet6 {
            filter {
                input f-fw-deny-ipv6;
            }
        }
    }
    unit 1 {
        family inet {
            address 192.168.12.2/32;
        }
    }

     

     



  • 6.  RE: routing-instances ospf

    Posted 03-15-2011 03:24

    Hello,

    If I understand you correctly, having a lo0.1 inside VR without any FW filter assigned still results in no OSPF neighbor seen in this VR. Only way to bring OSPF up in this VR is to change lo0.0 filter whereas lo0.0 resides in inet.0.

    I think this behaviour runs contrary to documentation link I provided earlier, please raise a JTAC case to investigate.

    HTH

    Regards

    Alex
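
Added example, not part of any post in this thread and not Juniper code: a small Python model of the two documented loopback-filter rules quoted above and of first-match term evaluation over the posted f-fw-re-protection filter, showing why an OSPF Hello from 192.168.13.14 ends in default-discard. The contents of pref-my-neighbours are masked in the thread, so the prefix used here is a constructed placeholder, and the function names are hypothetical; the model follows the documentation only, not the EX4200 behaviour reported in post 5.

```python
import ipaddress

ACCEPT, DISCARD = "accept", "discard"

# f-fw-re-protection as posted: terms in order; a term without "action" accepts.
TERMS = [
    {"name": "allow-icmp", "proto": "icmp",
     "icmp_type": {"echo-request", "echo-reply", "unreachable", "time-exceeded"}},
    {"name": "allow-ntp", "proto": "udp", "src_list": "pref-kxnet-domino-list", "sport": [(123, 123)]},
    {"name": "allow-traceroute", "proto": "udp", "dport": [(33434, 33534)]},
    {"name": "allow-ssh-access", "proto": "tcp", "src_list": "pref-kxnet-management", "dport": [(22, 22)]},
    {"name": "allow-web-access", "proto": "tcp", "src_list": "pref-kxnet-management",
     "dport": [(80, 80), (443, 443)]},
    {"name": "allow-snmp-access", "proto": "udp", "src_list": "pref-kxnet-management", "dport": [(161, 161)]},
    {"name": "allow-bfd-communication", "proto": "udp", "src_list": "pref-my-neighbours",
     "dport": [(3784, 3784)]},
    {"name": "system-protocols", "proto": "ospf", "src_list": "pref-my-neighbours"},
    {"name": "tcp-established", "proto": "tcp", "dport": [(1025, 65535)]},
    {"name": "udp-established", "proto": "udp", "dport": [(1025, 65535)]},
    {"name": "default-discard", "action": DISCARD},
]
FILTERS = {"f-fw-re-protection": TERMS}

def in_ranges(port, ranges):
    return port is not None and any(lo <= port <= hi for lo, hi in ranges)

def term_matches(term, pkt, prefix_lists):
    """Every match condition present in the term must hold for the packet."""
    if "proto" in term and pkt["proto"] != term["proto"]:
        return False
    if "icmp_type" in term and pkt.get("icmp_type") not in term["icmp_type"]:
        return False
    if "src_list" in term:
        src = ipaddress.ip_address(pkt["src"])
        nets = prefix_lists.get(term["src_list"], [])
        if not any(src in ipaddress.ip_network(n) for n in nets):
            return False
    if "sport" in term and not in_ranges(pkt.get("sport"), term["sport"]):
        return False
    if "dport" in term and not in_ranges(pkt.get("dport"), term["dport"]):
        return False
    return True

def evaluate(pkt, prefix_lists, terms):
    """First matching term wins; returns (term name, action)."""
    for term in terms:
        if term_matches(term, pkt, prefix_lists):
            return term["name"], term.get("action", ACCEPT)
    return "(implicit)", DISCARD  # filters end with an implicit discard

def loopback_filter(instance_lo_unit, lo0_input_filters):
    """Documented rule: an instance with no loopback unit of its own is covered
    by the lo0.0 filter; an instance with its own unit uses only that unit's filter."""
    unit = "lo0.0" if instance_lo_unit is None else instance_lo_unit
    return lo0_input_filters.get(unit)

def re_verdict(pkt, instance_lo_unit, lo0_input_filters, prefix_lists):
    name = loopback_filter(instance_lo_unit, lo0_input_filters)
    if name is None:
        return "(no filter)", ACCEPT
    return evaluate(pkt, prefix_lists, FILTERS[name])

LO0_FILTERS = {"lo0.0": "f-fw-re-protection"}            # lo0.1 has no filter, as posted
PREFIX_LISTS = {"pref-my-neighbours": ["198.51.100.0/24"]}  # constructed: real contents are masked
HELLO = {"proto": "ospf", "src": "192.168.13.14"}         # Hello from core-dcd-srx0 ge-0/0/0

if __name__ == "__main__":
    print(re_verdict(HELLO, None, LO0_FILTERS, PREFIX_LISTS))     # mgmt without lo0.1
    print(re_verdict(HELLO, "lo0.1", LO0_FILTERS, PREFIX_LISTS))  # mgmt with unfiltered lo0.1
```

Adding the mgmt link prefix (192.168.13.12/30) to the list passed for pref-my-neighbours moves the match from default-discard to system-protocols, which is the narrower of the two changes the poster reports as working.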