Routing

  • 1.  OSPF Lab on SRX-100 with 2 routing-instances problem.

    Posted 10-16-2014 16:53

    I'm having a problem trying to get a simple three-router OSPF setup to work.  It's probably something really simple, but I'm at a dead end.  The routing tables look fine and all neighbor relationships are full, but a ping from any router to an address that is not locally connected will fail.  I am using an SRX-100 with two routing instances for this.

     

    For example, all of the following fail.

     

    ping 10.0.0.9

    ping routing-instance R2 10.0.0.6

    ping routing-instance R3 10.0.0.2

     

    I have attached my full config, the patch version of the config that has only my changes for this lab, and a simple diagram in paint.  The device named SRX is the local device and the two routing instances are named R2 and R3.

     

    Thank you for your time.

     

    Below is the output from 'show route'

     

    inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.0.0.0/30        *[Direct/0] 00:18:10
                        > via fe-0/0/0.0
    10.0.0.1/32        *[Local/0] 00:18:10
                          Local via fe-0/0/0.0
    10.0.0.4/30        *[Direct/0] 00:18:10
                        > via fe-0/0/2.0
    10.0.0.5/32        *[Local/0] 00:18:10
                          Local via fe-0/0/2.0
    10.0.0.8/30        *[OSPF/10] 00:17:15, metric 2
                        > to 10.0.0.2 via fe-0/0/0.0
                          to 10.0.0.6 via fe-0/0/2.0
    192.168.1.1/32     *[Local/0] 01:13:58
                          Reject
    224.0.0.5/32       *[OSPF/10] 00:18:12, metric 1
                          MultiRecv

    R2.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.0.0.0/30        *[Direct/0] 00:18:10
                        > via fe-0/0/1.0
    10.0.0.2/32        *[Local/0] 00:18:10
                          Local via fe-0/0/1.0
    10.0.0.4/30        *[OSPF/10] 00:17:10, metric 2
                          to 10.0.0.1 via fe-0/0/1.0
                        > to 10.0.0.10 via fe-0/0/4.0
    10.0.0.8/30        *[Direct/0] 00:18:09
                        > via fe-0/0/4.0
    10.0.0.9/32        *[Local/0] 00:18:09
                          Local via fe-0/0/4.0
    224.0.0.5/32       *[OSPF/10] 00:18:12, metric 1
                          MultiRecv

    R3.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.0.0.0/30        *[OSPF/10] 00:17:10, metric 2
                        > to 10.0.0.5 via fe-0/0/3.0
                          to 10.0.0.9 via fe-0/0/5.0
    10.0.0.4/30        *[Direct/0] 00:18:10
                        > via fe-0/0/3.0
    10.0.0.6/32        *[Local/0] 00:18:10
                          Local via fe-0/0/3.0
    10.0.0.8/30        *[Direct/0] 00:18:09
                        > via fe-0/0/5.0
    10.0.0.10/32       *[Local/0] 00:18:09
                          Local via fe-0/0/5.0
    224.0.0.5/32       *[OSPF/10] 00:18:12, metric 1
                          MultiRecv

    Attachment(s)

    Full config.txt (5 KB)
    Simple OSPF Lab.txt (1 KB)


  • 2.  RE: OSPF Lab on SRX-100 with 2 routing-instances problem.
    Best Answer

     
    Posted 10-16-2014 23:35

    It is something simple: your pings that are failing are traversing two security zones that don't have any policies that allow the traffic to traverse through the two zones.  You need to write a policy to permit this traffic, as the default on the SRX is "deny all."

     

    If you're not really interested in the security portion in your lab, you can change the default policy to permit-all instead of writing a global policy or zone based policies that permit the traffic with "set security policies default-policy permit-all"
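
    A narrower alternative to permit-all, as an added example that is not part of the original thread: zone-to-zone policies that permit only ping between the lab link addresses and leave the default at deny. The zone names (lab-srx, lab-r2, lab-r3), the address-book entry lab-links and the policy name lab-ping are assumptions, because the attached config is not shown on the page.

```junos
# Added example. Zone names, the address-book entry and the policy name are
# assumptions; substitute the zones your lab interfaces actually belong to.

# One address-book entry covering the three /30 lab links (10.0.0.0 - 10.0.0.15).
set security address-book global address lab-links 10.0.0.0/28

# Keep the default explicit: anything not matched by a policy below is dropped.
set security policies default-policy deny-all

# Let the device answer pings addressed to its own interfaces in each zone.
set security zones security-zone lab-srx host-inbound-traffic system-services ping
set security zones security-zone lab-r2 host-inbound-traffic system-services ping
set security zones security-zone lab-r3 host-inbound-traffic system-services ping

# Permit only ICMP echo between lab-link addresses, per zone pair and direction.
set security policies from-zone lab-srx to-zone lab-r2 policy lab-ping match source-address lab-links destination-address lab-links application junos-icmp-ping
set security policies from-zone lab-srx to-zone lab-r2 policy lab-ping then permit
set security policies from-zone lab-r2 to-zone lab-srx policy lab-ping match source-address lab-links destination-address lab-links application junos-icmp-ping
set security policies from-zone lab-r2 to-zone lab-srx policy lab-ping then permit
set security policies from-zone lab-srx to-zone lab-r3 policy lab-ping match source-address lab-links destination-address lab-links application junos-icmp-ping
set security policies from-zone lab-srx to-zone lab-r3 policy lab-ping then permit
set security policies from-zone lab-r3 to-zone lab-srx policy lab-ping match source-address lab-links destination-address lab-links application junos-icmp-ping
set security policies from-zone lab-r3 to-zone lab-srx policy lab-ping then permit
set security policies from-zone lab-r2 to-zone lab-r3 policy lab-ping match source-address lab-links destination-address lab-links application junos-icmp-ping
set security policies from-zone lab-r2 to-zone lab-r3 policy lab-ping then permit
set security policies from-zone lab-r3 to-zone lab-r2 policy lab-ping match source-address lab-links destination-address lab-links application junos-icmp-ping
set security policies from-zone lab-r3 to-zone lab-r2 policy lab-ping then permit

# After commit, check from operational mode which policy the pings hit:
#   show security policies hit-count
#   show security flow session protocol icmp
```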

     



  • 3.  RE: OSPF Lab on SRX-100 with 2 routing-instances problem.

    Posted 10-17-2014 01:23

    Wow, thank you very much!  Just started learning how to do things in Juniper a couple weeks ago, so I'm new to the idea of setting security zones just to pass traffic.  I've read, though, that this is an SRX-specific thing and not a JunOS-wide thing.



  • 4.  RE: OSPF Lab on SRX-100 with 2 routing-instances problem.

     
    Posted 10-17-2014 01:46

    You are correct, the SRX is a flow-based router (security device), so any traffic that is permitted to or through any SRX needs to be specifically allowed by a policy in the [security] portion of the Junos hierarchy.  

     

    The rest of the Junos platforms are packet-based; they lack a security section and allow all traffic to pass by default.  

     

    You can put any of the branch SRXs in packet mode with the command "set security forwarding-options family mpls mode packet-based" and rebooting.  However, you won't be able to use anything that depends on the flow module, like NAT and IPsec.