Hi All,
Hope everyone's doing good.
I'm currently playing around with RIB groups for the JNCIP-SEC exam and have noticed an odd behaviour which I am not sure if it's expected or not.
My topology is as follows:
Client (VR1)---SRX1----SRX2----Loopback
SRX1 has two routing tables, inet.0 and VR1.inet.0. The client machine is connected to VR1 and the link between SRX1 and SRX2 is in inet.0 with OSPF enabled.
inet.0 can see the loopback address of SRX2 via OSPF.
I created a rib group to share inet.0's routes to VR1 and from the client I can ping across to the loopback. So all is working as intended. However, what I noticed is if I try to ping the loopback address from the VR1 routing instance locally it times out. This doesn't make any sense because the routes are there and it works from the client, it should be able to ping. The only conclusion I can think of is the SRX does not allow it for whatever reason, maybe loop prevention of some sort? It's no big deal but would be interesting to know if anyone else has come across this.
Config:
root# run show route | no-more

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.2.2.2/32         *[OSPF/10] 00:00:38, metric 1
                    > to 10.0.2.1 via fe-0/0/0.0
10.0.2.0/30        *[Direct/0] 01:50:15
                    > via fe-0/0/0.0
10.0.2.2/32        *[Local/0] 01:50:15
                      Local via fe-0/0/0.0
224.0.0.5/32       *[OSPF/10] 01:16:08, metric 1
                      MultiRecv

VR1.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[Direct/0] 01:37:53
                    > via lo0.1
2.2.2.2/32         *[OSPF/10] 00:00:38, metric 1
                    > to 10.0.2.1 via fe-0/0/0.0
192.168.10.0/24    *[Direct/0] 01:35:32
                    > via fe-0/0/1.0
192.168.10.1/32    *[Local/0] 01:35:32
                      Local via fe-0/0/1.0

[edit]
root# run ping rapid 2.2.2.2 routing-instance VR1 source 192.168.10.1
PING 2.2.2.2 (2.2.2.2): 56 data bytes
.....
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
root# show | display set | no-more
set version 12.1X45
set system root-authentication encrypted-password "$1$tEeFObR6$adMM.r/wwG57baDwADCF4."
set interfaces fe-0/0/0 unit 0 family inet address 10.0.2.2/30
set interfaces fe-0/0/1 unit 0 family inet address 192.168.10.1/24
set interfaces lo0 unit 1 family inet address 1.1.1.1/32
set routing-options rib-groups Inet-VR import-rib inet.0
set routing-options rib-groups Inet-VR import-rib VR1.inet.0
set protocols ospf rib-group Inet-VR
set protocols ospf area 0.0.0.0 interface fe-0/0/0.0
set security policies default-policy permit-all
set security zones security-zone rib host-inbound-traffic system-services all
set security zones security-zone rib host-inbound-traffic protocols all
set security zones security-zone rib interfaces fe-0/0/0.0
set security zones security-zone VR1 host-inbound-traffic system-services all
set security zones security-zone VR1 host-inbound-traffic protocols all
set security zones security-zone VR1 interfaces lo0.1
set security zones security-zone VR1 interfaces fe-0/0/1.0
set routing-instances VR1 instance-type virtual-router
set routing-instances VR1 interface fe-0/0/1.0
set routing-instances VR1 interface lo0.1
Laptop output:
C:\Users\root>tracert 2.2.2.2
Tracing route to 2.2.2.2 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.10.1
2 2 ms 2 ms 2 ms 2.2.2.2
Trace complete.
Thanks!
Mas