Hi,
I'm re-opening this thread because I have a secondary issue regarding isis routing and the VRs created....
On one SRX1500 I have created 2 x VRs.... one is called Customer-VR and the other Test-VR. One VR faces the Data Network and one VR faces a DMZ, where the RADIUS is located. From an L2TP perspective, the PPP requests will be answered via the RADIUS so routing is required all the way through.
The Customer-VR can ping the other SRX1500 Customer-VR with no issue on IPv6 and IPv4, however, even on a directly connected router I have no route to the IPv6 or IPv4 address on the Test-VR. Below is the configuration I have used:
set interfaces ge-0/0/2 unit 0 family inet address xxx.xxx.xxx.xxx/30
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/127
set interfaces lo0 unit 0 family inet address xxx.xxx.xxx.xxx/32
set interfaces lo0 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128
set interfaces lo0 unit 10 family iso address 49.0001.xxxx.xxxx.xxxx.00
set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
set interfaces ae2 unit 0 family inet address xxx.xxx.xxx.xxx/30
set interfaces ae2 unit 0 family iso
set interfaces ae2 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/127
set security zones security-zone NineGroup-DMZ host-inbound-traffic system-services all
set security zones security-zone NineGroup-DMZ host-inbound-traffic protocols all
set security zones security-zone NineGroup-DMZ interfaces ge-0/0/2.0
set security zones security-zone Customer-Network host-inbound-traffic system-services all
set security zones security-zone Customer-Network host-inbound-traffic protocols all
set security zones security-zone Customer-Network interfaces ae2.0
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match source-address any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match destination-address any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match application any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest then permit
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match source-address any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match destination-address any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match application any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 then permit
set routing-instances Customer-VR interface ae2.0
set routing-instances Customer-VR interface lo0.10
set routing-instances Customer-VR protocols isis level 1 authentication-key "$9$29gGiPfz6CuQFu1EyW8VwYgZUik.5z3"
set routing-instances Customer-VR protocols isis level 1 authentication-type md5
set routing-instances Customer-VR protocols isis level 2 authentication-key "$9$lOzeLNsYoGjq4aqfQnpuhSre8XNdb2oJ"
set routing-instances Customer-VR protocols isis level 2 authentication-type md5
set routing-instances Customer-VR protocols isis interface ae2.0
set routing-instances Customer-VR protocols isis interface lo0.10
set routing-instances NineGroup-VR instance-type virtual-router
set routing-instances NineGroup-VR interface ge-0/0/2.0
set routing-instances NineGroup-VR protocols isis level 1 authentication-key "$9$Ac7/t1heK87dsWLs4JDmPn/CtBIhSrv8X"
set routing-instances NineGroup-VR protocols isis level 1 authentication-type md5
set routing-instances NineGroup-VR protocols isis level 2 authentication-key "$9$Woo8-woaUH.5GD5F6A1IlKM8NdwYgJUj"
set routing-instances NineGroup-VR protocols isis level 2 authentication-type md5
set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0
There is one obvious difference in the configuration of the VRs and that is the inclusion of the lo0.10 interface that the NET address is assigned to. This is because the SRX1500 does not allow it because it is assigned already to the Customer-VR. So, my question is, how can I get the Test-VR to also be included in the ISIS routing?
I could get arounf this by configuring a static address, but this will not work once live as more equipment will be connected to different ports on the SRX1500.
Thanks