SRX

hi all,

there is a situation where ibgp does not form between 2 SRX intra-zone, and require policies defined in order to form neighbor with set security policies from-zone to-zone.
this is not required when forming ebgp with Cisco in a separate zone, protocols defined in host-inbound-traffic is enough to form ebgp neighbor.
the difference is ibgp session is formed over lo0.0 interfaces and ebgp session is form over real reth interface.

Is there an explanation to this symptom?



here is a sample for the zone forming ibgp
        security-zone zone {
            address-book {
                address R1-lo0 1.1.1.5/32;
                address R2-lo0 1.1.1.6/32;
            }
            host-inbound-traffic {
                protocols {
                    ospf;
                    bgp;
                }
            }
            interfaces {
                reth1.10;
                reth2.20;
                lo0.0;
            }

Yes this is correct behaviour.  In the case of EBGP as you have mentioned, the connection is sourced from the address of the egress interface, so it triggers the self-traffic policy.

In the case of IBGP, the traffic is sourced from the IP address of the lo0.0 interface, but egresses via your reth interface - whenever traffic crosses two interfaces you need a policy.

If it helps, consider the case whereby the loopback interface is in a different zone - you would need a policy. 

thank you for response. 

I thought intra zone traffic does not need policy, but not the case for traffic crossing interfaces.