SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?

  • 1.  I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?

    Posted 11-07-2019 11:28

    Hello everyone, after many failed attempts, I think I am very close to pinging two virtual routers connected through a virtual switch. I would greatly appreciate your help, thank you very much.
    My configuration is:

    root@NewJuniper# show routing-instances
    VR1 {
        instance-type virtual-router;
        interface ge-0/0/4.0;
    }
    VR2 {
        instance-type virtual-router;
        interface ge-0/0/5.0;
    }
    MyVirtualSwitch {
        instance-type virtual-switch;
        interface ge-0/0/3.0;
        bridge-domains {
            TestBridgeVS {
                domain-type bridge;
                vlan-id none;
            }
        }
    }

    [edit]
    root@NewJuniper# show interfaces

    ge-0/0/4 {
        unit 0 {
            family inet {
                address 192.168.2.2/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }

    This should work, right? Have I missed something? Thanks again.



  • 2.  RE: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?

    Posted 11-07-2019 11:32

    Hello,

    How does your topology (interface connection) look?

    Thanks

    Vishal



  • 3.  RE: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?

    Posted 11-07-2019 23:24

    Do you mean physically? I have a cable connected from port ge-0/0/4 to port ge-0/0/5, I don't know if I have it correctly installed. Now that I think about it, if I have the switch on ge-0/0/3, how would the option be? Could you please guide me, thank you.



  • 4.  RE: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?

    Posted 11-08-2019 07:13

    You need two connections:

    VS <> VR1

    VX <> VR2

    Very basic topology like this

    VR1 <> VS <> VR2

    Currently you don't have any connection to the VS; it won't be able to talk to anywhere else.



  • 5.  RE: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?

    Posted 11-11-2019 00:40

    First of all I wanted to thank you for your help, I would have liked to answer you before but this weekend I had no way to.

    1. Responding to , when you say "You need two connections:

      VS <> VR1

      VX <> VR2 ", do you mean that I have to create another virtual switch in order to connect VR2?

    2. "Very basic topology like this

      VR1 <> VS <> VR2" --------> This is what I need

    3. Responding to : "Since you have direct link between VR1 and VR2 you don't need any switch. Ping should work from one VR to other.
      VR1 (ge-0/0/4) -------------- (ge-0/0/5) VR2 would work" ----------> It doesn't work, I put the answer you give me to the pings later.
    4. "If you want switch in the middle, It should be like below

      VR1 (ge-0/0/4) -------------- (ge-0/0/3) VS (ge-0/0/x) -----------(ge-0/0/5) VR2" ---------> I ask you the same as me, could it be (VR1) ge-0/0/4 to (VS) ge-0/0/3 and (VR2) ge-0/0/5 to (VS) ge-0/0/3? Do I have the cables incorrectly connected or should I create another virtual switch?

    5. Responding 
      1. show route table VR1.inet.0
        error: No routing tables matching specification.
        show route table VR2.inet.0
        error: No routing tables matching specification.
        run ping 192.168.2.2 routing-instance VR2
        PING 192.168.2.2 (192.168.2.2): 56 data bytes
        run ping 192.168.2.1 routing-instance VR2
        PING 192.168.2.1 (192.168.2.1): 56 data bytes
        64 bytes from 192.168.2.1: icmp_seq=0 ttl=64 time=0.375 ms
        64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.101 ms
        64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.093 ms
        ^C
        --- 192.168.2.1 ping statistics ---
        3 packets transmitted, 3 packets received, 0% packet loss
        round-trip min/avg/max/stddev = 0.093/0.190/0.375/0.131 ms
        run ping 192.168.2.2 routing-instance VR1
        PING 192.168.2.2 (192.168.2.2): 56 data bytes
        64 bytes from 192.168.2.2: icmp_seq=0 ttl=64 time=0.103 ms
        64 bytes from 192.168.2.2: icmp_seq=1 ttl=64 time=0.104 ms
        64 bytes from 192.168.2.2: icmp_seq=2 ttl=64 time=0.093 ms
        ^C
        --- 192.168.2.2 ping statistics ---
        3 packets transmitted, 3 packets received, 0% packet loss
        round-trip min/avg/max/stddev = 0.093/0.100/0.104/0.005 ms
        run ping 192.168.2.1 routing-instance VR1
        PING 192.168.2.1 (192.168.2.1): 56 data bytes

        show arp interface ge-0/0/4 no-resolve
        MAC Address        Address       Interface    Flags
        f1:1c:3d:68:f3:c1  192.168.2.1   ge-0/0/4.0   none
        show arp interface ge-0/0/5 no-resolve
        MAC Address        Address       Interface    Flags
        f1:1c:3d:68:fa:c2  192.168.2.2   ge-0/0/5.0   none

        show interfaces extensive ge-0/0/4 | find security
        Security: Zone: VR1Zone
        Flow Statistics :
        Flow Input statistics :
        Self packets : 0
        ICMP packets : 40
        VPN packets : 0
        Multicast packets : 0
        Bytes permitted by policy : 0
        Connections established : 0
        Flow Output statistics:
        Multicast packets : 0
        Bytes permitted by policy : 2184
        Flow error statistics (Packets dropped due to):
        Address spoofing: 0
        Authentication failed: 0
        Incoming NAT errors: 0
        Invalid zone received packet: 0
        Multiple user authentications: 0
        Multiple incoming NAT: 0
        No parent for a gate: 0
        No one interested in self packets: 0
        No minor session: 0
        No more sessions: 0
        No NAT gate: 0
        No route present: 0
        No SA for incoming SPI: 0
        No tunnel found: 0
        No session for a gate: 0
        No zone or NULL zone binding 0
        Policy denied: 0
        Security association not active: 0
        TCP sequence number out of window: 0
        Syn-attack protection: 0
        User authentication errors: 0
        Protocol inet, MTU: 1500, Generation: 157, Route table: 4
        Flags: Sendbcast-pkt-to-re, Is-Primary
        Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 192.168.2/24, Local: 192.168.2.2, Broadcast: 192.168.2.255,
        Generation: 148
        show interfaces extensive ge-0/0/5 | find security
        Security: Zone: VR2Zone
        Flow Statistics :
        Flow Input statistics :
        Self packets : 0
        ICMP packets : 26
        VPN packets : 0
        Multicast packets : 0
        Bytes permitted by policy : 0
        Connections established : 0
        Flow Output statistics:
        Multicast packets : 0
        Bytes permitted by policy : 3444
        Flow error statistics (Packets dropped due to):
        Address spoofing: 0
        Authentication failed: 0
        Incoming NAT errors: 0
        Invalid zone received packet: 0
        Multiple user authentications: 0
        Multiple incoming NAT: 0
        No parent for a gate: 0
        No one interested in self packets: 0
        No minor session: 0
        No more sessions: 0
        No NAT gate: 0
        No route present: 0
        No SA for incoming SPI: 0
        No tunnel found: 0
        No session for a gate: 0
        No zone or NULL zone binding 0
        Policy denied: 0
        Security association not active: 0
        TCP sequence number out of window: 0
        Syn-attack protection: 0
        User authentication errors: 0
        Protocol inet, MTU: 1500, Generation: 158, Route table: 5
        Flags: Sendbcast-pkt-to-re, Is-Primary
        Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 192.168.2/24, Local: 192.168.2.1, Broadcast: 192.168.2.255,
        Generation: 150


        PS: If you need more information do not hesitate to ask me, thank you very much for your attention and your help. I am new to the Juniper world, excuse my ignorance, greetings.


  • 6.  RE: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?

    Posted 11-11-2019 13:34

    C0d3,

    Thanks for the information. I was able to confirm that ARP is not a problem because I can see the ARP entries populated properly:

    show arp interface ge-0/0/4 no-resolve
    MAC Address        Address       Interface    Flags
    f1:1c:3d:68:f3:c1  192.168.2.1   ge-0/0/4.0   none
    show arp interface ge-0/0/5 no-resolve
    MAC Address        Address       Interface    Flags
    f1:1c:3d:68:fa:c2  192.168.2.2   ge-0/0/5.0   none

    Please confirm if your topology currently looks like the following one (a cable connected from ge-0/0/4 directly to ge-0/0/5) or if you have modified it:

                  .2     192.168.2/24     .1
     VR1-(ge-0/0/4)----------------------(ge-0/0/5)-VR2
               VR1Zone                 VR2Zone

    Please also share:

    show route
    show security zones security-zone VR1Zone | display set
    show security zones security-zone VR2Zone | display set

    I'm looking to make sure both routing-instances are aware of the 192.168.2.0/24 subnet and that ping is enabled as host-inbound-traffic on those zones.

    Please also apply the following counters on both interfaces to confirm if the ping packets are being received/sent.

    Configuration for counter in ge-0/0/4:

    set firewall filter GE4-COUNTER term GE4-OUT from source-address 192.168.2.2
    set firewall filter GE4-COUNTER term GE4-OUT from destination-address 192.168.2.1
    set firewall filter GE4-COUNTER term GE4-OUT from protocol icmp
    set firewall filter GE4-COUNTER term GE4-OUT then count GE4-OUT
    set firewall filter GE4-COUNTER term GE4-OUT then accept
    set firewall filter GE4-COUNTER term GE4-IN from source-address 192.168.2.1
    set firewall filter GE4-COUNTER term GE4-IN from destination-address 192.168.2.2
    set firewall filter GE4-COUNTER term GE4-IN from protocol icmp
    set firewall filter GE4-COUNTER term GE4-IN then count GE4-IN
    set firewall filter GE4-COUNTER term GE4-IN then accept
    set firewall filter GE4-COUNTER term ALLOW-ELSE then accept
    
    set interfaces ge-0/0/4.0 family inet filter input GE4-COUNTER
    set interfaces ge-0/0/4.0 family inet filter output GE4-COUNTER

    Configuration for counter in ge-0/0/5:

    set firewall filter GE5-COUNTER term GE5-OUT from source-address 192.168.2.1
    set firewall filter GE5-COUNTER term GE5-OUT from destination-address 192.168.2.2
    set firewall filter GE5-COUNTER term GE5-OUT from protocol icmp
    set firewall filter GE5-COUNTER term GE5-OUT then count GE5-OUT
    set firewall filter GE5-COUNTER term GE5-OUT then accept
    set firewall filter GE5-COUNTER term GE5-IN from source-address 192.168.2.2
    set firewall filter GE5-COUNTER term GE5-IN from destination-address 192.168.2.1
    set firewall filter GE5-COUNTER term GE5-IN from protocol icmp
    set firewall filter GE5-COUNTER term GE5-IN then count GE5-IN
    set firewall filter GE5-COUNTER term GE5-IN then accept
    set firewall filter GE5-COUNTER term ALLOW-ELSE then accept
    
    set interfaces ge-0/0/5.0 family inet filter input GE5-COUNTER
    set interfaces ge-0/0/5.0 family inet filter output GE5-COUNTER

    After committing the above configuration try the following ping:

    run ping 192.168.2.1 routing-instance VR1 count 5

    And after that, gather the following command:

    > show firewall



  • 7.  RE: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?

    Posted 11-12-2019 06:55

    Good afternoon lpaniagua!

    1. Please confirm if your topology currently looks like the following one (a cable connected from ge-0/0/4 directly to ge-0/0/5) or if you have modified it:

                  .2     192.168.2/24     .1
     VR1-(ge-0/0/4)----------------------(ge-0/0/5)-VR2
               VR1Zone                 VR2Zone

    Answer: Yes, I have a cable connected from port ge-0/0/4 to port ge-0/0/5

    2. Please also share:

    root@NewJuniper> show route

    inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.1.1/32     *[Local/0] 00:04:45
                          Reject
    192.168.4.1/32     *[Local/0] 00:04:45
                          Reject
    192.168.7.1/32     *[Local/0] 00:04:16
                          Reject

    VRBOXExample.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.2.0/24     *[Direct/0] 00:04:10
                        > via ge-0/0/4.0
    192.168.2.2/32     *[Local/0] 00:04:16
                          Local via ge-0/0/4.0

    VRPrincipal.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.2.0/24     *[Direct/0] 00:04:10
                        > via ge-0/0/5.0
    192.168.2.1/32     *[Local/0] 00:04:16
                          Local via ge-0/0/5.0

    root@NewJuniper# show security zones security zones security-zone VR1Zone | display set
    set security zones security-zone VRPrincipalZone interfaces ge-0/0/5.0
    [edit]

    root@NewJuniper# show security zones security-zone VR2Zone | display set
    set security zones security-zone VRBOXExampleZone interfaces ge-0/0/4.0
    [edit]

    3. Please also apply the following counters on both interfaces to confirm if the ping packets are being received/sent.

    Answer: I put the commands you wrote.

    4. After committing the above configuration try the following ping:

    root@NewJuniper# run ping 192.168.2.1 routing-instance VR1 count 5
    PING 192.168.2.1 (192.168.2.1): 56 data bytes
    64 bytes from 192.168.2.1: icmp_seq=0 ttl=64 time=0.328 ms
    64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.106 ms
    64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.239 ms
    64 bytes from 192.168.2.1: icmp_seq=3 ttl=64 time=0.094 ms
    64 bytes from 192.168.2.1: icmp_seq=4 ttl=64 time=0.113 ms

    --- 192.168.2.1 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.094/0.176/0.328/0.092 ms
    [edit]


    5. And after that, gather the following command:

    root@NewJuniper# show firewall
    filter GE4-COUNTER {
        term GE4-OUT {
            from {
                source-address {
                    192.168.2.2/32;
                }
                destination-address {
                    192.168.2.1/32;
                }
                protocol icmp;
            }
            then {
                count GE4-OUT;
                accept;
            }
        }
        term GE4-IN {
            from {
                source-address {
                    192.168.2.1/32;
                }
                destination-address {
                    192.168.2.2/32;
                }
                protocol icmp;
            }
            then {
                count GE4-IN;
                accept;
            }
        }
        term ALLOW-ELSE {
            then accept;
        }
    }
    filter GE5-COUNTER {
        term GE5-OUT {
            from {
                source-address {
                    192.168.2.1/32;
                }
                destination-address {
                    192.168.2.2/32;
                }
                protocol icmp;
            }
            then {
                count GE5-OUT;
                accept;
            }
        }
        term GE5-IN {
            from {
                source-address {
                    192.168.2.2/32;
                }
                destination-address {
                    192.168.2.1/32;
                }
                protocol icmp;
            }
            then {
                count GE5-IN;
                accept;
            }
        }
        term ALLOW-ELSE {
            then accept;
        }
    }
    
    [edit]




    Thank you very much for your involvement helping other people, the truth is that it is nice to see that there are still people like this in this world. Thank you again, and if you need anything else, do not hesitate to ask me, greetings.



  • 8.  RE: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?
    Best Answer

    Posted 11-18-2019 23:57

    Hi C0d3,

    I can see that there is no host-inbound-traffic configured on the interfaces, please include:

    # set security zones security-zone VRPrincipalZone interfaces ge-0/0/5.0 host-inbound-traffic system-services all
    # set security zones security-zone VRBOXExampleZone interfaces ge-0/0/4.0 host-inbound-traffic system-services all
    # commit

    After that try the pings again. Note that for the ping to work we need to include the routing-instance we are sourcing the ping from:

    > run ping 192.168.2.1 routing-instance VRBOXExample
    > run ping 192.168.2.2 routing-instance VRPrincipal

    Please mark my comment as "Solution" if it applies.
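The point of the answer above is easy to miss in a long `display set` dump: an SRX interface whose zone has no host-inbound-traffic permitting ping will silently drop ICMP echo sent to the interface's own address, even though the route and ARP entries look fine. The script below is an added example, not from this thread or from Juniper's tooling. It parses `display set` zone lines and reports which interfaces will answer ping. The two inputs are constructed: `BEFORE` is the pair of zone lines the original poster shared, and `AFTER` is the same pair after remediation, with VRPrincipalZone opened for ping only at the interface level and VRBOXExampleZone opened with `all` at the zone level, so that both the interface-level and the inherited zone-level forms are exercised. The function names `parse_zones`, `audit_ping` and `remediation` are my own.

```python
import re
from collections import defaultdict

# Constructed input: the two zone lines shared in the thread, which carry
# no host-inbound-traffic at all (the SRX will drop ICMP addressed to itself).
BEFORE = """\
set security zones security-zone VRPrincipalZone interfaces ge-0/0/5.0
set security zones security-zone VRBOXExampleZone interfaces ge-0/0/4.0
"""

# Constructed input: the same zones after remediation. VRPrincipalZone gets the
# least-privilege form (ping only, interface level); VRBOXExampleZone gets
# 'all' at the zone level, which every interface in that zone inherits.
AFTER = """\
set security zones security-zone VRPrincipalZone interfaces ge-0/0/5.0
set security zones security-zone VRPrincipalZone interfaces ge-0/0/5.0 host-inbound-traffic system-services ping
set security zones security-zone VRBOXExampleZone interfaces ge-0/0/4.0
set security zones security-zone VRBOXExampleZone host-inbound-traffic system-services all
"""

# Matches the three 'display set' shapes audited here:
#   ... security-zone Z interfaces I
#   ... security-zone Z interfaces I host-inbound-traffic system-services S
#   ... security-zone Z host-inbound-traffic system-services S   (zone-wide)
ZONE_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifl>\S+))?"
    r"(?: host-inbound-traffic system-services (?P<svc>\S+))?$"
)


def parse_zones(config_text):
    """Return {zone: {"interfaces": {ifl: set(services)}, "zone_services": set()}}."""
    zones = defaultdict(lambda: {"interfaces": defaultdict(set), "zone_services": set()})
    for raw in config_text.splitlines():
        m = ZONE_RE.match(raw.strip())
        if not m:
            continue  # not a zone line, or a shape this audit ignores (e.g. protocols)
        zone = zones[m["zone"]]
        if m["ifl"]:
            services = zone["interfaces"][m["ifl"]]  # creates the entry if new
            if m["svc"]:
                services.add(m["svc"])
        elif m["svc"]:
            zone["zone_services"].add(m["svc"])
    return zones


def audit_ping(config_text):
    """Return (answers, drops): interfaces that will reply to ICMP echo sent to
    their own address, and interfaces that will silently drop it.
    'all' at either level also permits ping; zone-level services are inherited."""
    answers, drops = [], []
    for zone_name, zone in parse_zones(config_text).items():
        for ifl, services in zone["interfaces"].items():
            effective = services | zone["zone_services"]
            if "all" in effective:
                answers.append((zone_name, ifl, "all"))
            elif "ping" in effective:
                answers.append((zone_name, ifl, "ping"))
            else:
                drops.append((zone_name, ifl))
    return sorted(answers), sorted(drops)


def remediation(config_text):
    """Set commands that open only ICMP echo on the interfaces that drop it."""
    _, drops = audit_ping(config_text)
    return [
        f"set security zones security-zone {zone} interfaces {ifl} "
        f"host-inbound-traffic system-services ping"
        for zone, ifl in drops
    ]


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        answers, drops = audit_ping(cfg)
        print(f"[{label}] answers ping: {answers}")
        print(f"[{label}] drops ping:   {drops}")
    for cmd in remediation(BEFORE):
        print(cmd)
```

Feed it the output of `show security zones | display set` from a real box instead of the constructed strings to get the same report. The remediation deliberately emits `system-services ping` rather than `all`: `all` also exposes SSH, HTTP, NETCONF and the other management services on that interface, which is more than a connectivity test needs.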

     



  • 9.  RE: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?

    Posted 11-20-2019 10:08

    Thanks lpaniagua, but I had overlooked that information; I had not put that there, only ping, but even after putting it there it does not work for me. Thank you anyway, and in thanks I give it as a valid solution. Greetings.



  • 10.  RE: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?

    Posted 11-08-2019 11:12

    Hello c0d3,

    Since you have a direct link between VR1 and VR2 you don't need any switch. Ping should work from one VR to the other.

    VR1 (ge-0/0/4) -------------- (ge-0/0/5) VR2 would work

    If you want a switch in the middle, it should be like below

    VR1 (ge-0/0/4) -------------- (ge-0/0/3) VS (ge-0/0/x) -----------(ge-0/0/5) VR2


    PS: If my response solves your query please accept it as solution, kudos are appreciated too!

    Thanks

    Vishal



  • 11.  RE: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?

    Posted 11-08-2019 14:44

    C0d3,

    I understand your topology like this, please let me know if this is correct:

                  .2     192.168.2/24     .1
     VR1-(ge-0/0/4)----------------------(ge-0/0/5)-VR2

    Can you share the following outputs:

    >show route table VR1.inet.0
    >show route table VR2.inet.0

    > run ping 192.168.2.2 routing-instance VR2
    > run ping 192.168.2.1 routing-instance VR2

    > run ping 192.168.2.2 routing-instance VR1
    > run ping 192.168.2.1 routing-instance VR1

    >show arp interface ge-0/0/4 no-resolve
    >show arp interface ge-0/0/5 no-resolve
    >show interfaces extensive ge-0/0/4 | find security
    >show interfaces extensive ge-0/0/5 | find security

    With the above commands I'm trying to check routing, ARP, security-zones, etc.