SRX Services Gateway

Routing-Instance and ISIS Routing

‎12-20-2017 09:01 AM

Hi all,

 

SRX1500

 

I have created two new VRs and also, thanks to Kingsman, enabled ISIS on these VRs with the following command:

 

set routing-instances Customer-VR protocols isis interface ae2.0
set interfaces ae2 unit 0 family iso
set interfaces lo0 unit 0 family iso address 49.0001.xxxx.xxxx.xxxx.00
set protocols isis level 1 authentication-type md5
set protocols isis level 2 authentication-type md5
set protocols isis level 1 authentication-key xxxxxxxx
set protocols isis level 2 authentication-key xxxxxxxx

 

I have also placed ae2 into the routing-instance

 

But yet, I cannot get any ISIS routes to show in the routing tables....

 

I have configured ISIS on the second SRX that has no new defined routing-instance and it works fine.... with dual-stack

Any help would be greatly appreciated.

Thanks

 


Re: Routing-Instance and ISIS Routing

‎12-20-2017 09:08 AM

Hi,

 

Can you paste your full configuration?

 

Did you create a physical loop to create the VRs and run ISIS between the VRs?

 

 


Re: Routing-Instance and ISIS Routing

‎12-20-2017 09:15 AM

No Physical loop

 

Just placed the interfaces into the VRs.

Here is the full config..

 

Clive@THW-SRX-01# run show configuration | display set
set version 15.1X49-D110.4
set system host-name THW-SRX-01
set system root-authentication encrypted-password "$5$z0x/bUE1$7a0.XL.aD8Tj4HrTCLYWvinpjKFmI79nFjbCJF8HXj4"
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system login user Clive uid 2000
set system login user Clive class super-user
set system login user Clive authentication encrypted-password "$5$Qx1BnOI.$haJ9bhIUBcROyvUpibcE4UkYuYSuB8qTIMufMaaA7q9"
set system login user Jim uid 2003
set system login user Jim class super-user
set system login user Jim authentication encrypted-password "$5$2jd10ZcZ$WH.lj5bRlh7P4qV3tEDJnM2hwkAiT3OAADRi3j5Wqb8"
set system login user Lee uid 2002
set system login user Lee class super-user
set system login user Lee authentication encrypted-password "$5$EGzUTmfP$9ySV5xu4jyoPAno2qfRCjjDsAg1r9hreOFSu7luLXE/"
set system login user Oliver uid 2004
set system login user Oliver class super-user
set system login user Oliver authentication encrypted-password "$5$nHRTwAfF$O.7LJxttsI8Rgb8Qd/n0oEszEKk4CsE3GyLpyVcl5y/"
set system login user Stephen uid 2001
set system login user Stephen class super-user
set system login user Stephen authentication encrypted-password "$5$okr6bMjJ$bRThHm0wAqEB6T.QmSlbv.VRx31GvaNPhlC4K.0tHmD"
set system services ssh
set system services xnm-clear-text
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-complaint
set chassis aggregated-devices ethernet device-count 2
set security log mode stream
set security log report
set security forwarding-options family inet6 mode flow-based
set security forwarding-options family iso mode packet-based
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match source-address any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match destination-address any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match application any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest then permit
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match source-address any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match destination-address any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match application any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone NineGroup-DMZ
set security zones security-zone Customer-Network host-inbound-traffic system-services all
set security zones security-zone Customer-Network host-inbound-traffic protocols all
set security zones security-zone Customer-Network interfaces ae2.0
set interfaces ge-0/0/0 unit 0 family inet dhcp-client update-server
set interfaces ge-0/0/1 unit 0 family inet
set interfaces ge-0/0/2 unit 0 family inet address 195.80.0.37/30
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family inet6 address 2a05:d840:0030:ffff:ffff:ffff:0000:0001/127
set interfaces ge-0/0/3 unit 0 family inet
set interfaces ge-0/0/4 unit 0 family inet address 192.168.1.2/24
set interfaces ge-0/0/4 unit 0 family iso
set interfaces xe-0/0/16 description Group-ae2
set interfaces xe-0/0/16 gigether-options 802.3ad ae2
set interfaces xe-0/0/17 unit 0 family inet
set interfaces xe-0/0/18 description Group-ae2
set interfaces xe-0/0/18 gigether-options 802.3ad ae2
set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
set interfaces ae2 unit 0 family inet address 195.80.0.18/30
set interfaces ae2 unit 0 family iso
set interfaces ae2 unit 0 family inet6 address 2a05:d840:002b:ffff:ffff:ffff:0000:0002/127
set interfaces fxp0 unit 0 family inet address 185.89.120.8/24
set interfaces lo0 unit 0 family inet address 195.80.0.3/32
set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0004.00
set interfaces lo0 unit 0 family inet6 address 2a05:d840:000e:ffff:ffff:ffff:0000:0001/128
set routing-options static route 172.16.16.0/24 next-hop 172.16.16.39
set protocols isis export export_statics
set protocols isis level 1 authentication-key "$9$zyOuFCuREyKWxSrxdwgUDP5QF9AuO1hyl"
set protocols isis level 1 authentication-type md5
set protocols isis level 2 authentication-key "$9$Xqsxb2ZGi.fzjHz6CuEhvWLxVw24aUik"
set protocols isis level 2 authentication-type md5
set protocols isis interface lo0.0
set policy-options policy-statement export_statics term 1 from protocol static
set policy-options policy-statement export_statics term 1 then accept
set access address-assignment pool junosDHCPPool family inet network 192.168.2.0/24
set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.2.2
set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.2.254
set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.2.1
set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
set routing-instances Customer-VR instance-type virtual-router
set routing-instances Customer-VR interface ae2.0
set routing-instances Customer-VR protocols isis level 1 authentication-key "$9$29gGiPfz6CuQFu1EyW8VwYgZUik.5z3"
set routing-instances Customer-VR protocols isis level 1 authentication-type md5
set routing-instances Customer-VR protocols isis level 2 authentication-key "$9$lOzeLNsYoGjq4aqfQnpuhSre8XNdb2oJ"
set routing-instances Customer-VR protocols isis level 2 authentication-type md5
set routing-instances Customer-VR protocols isis interface ae2.0
set routing-instances NineGroup-VR instance-type virtual-router
set routing-instances NineGroup-VR interface ge-0/0/2.0
set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0

 

Thank you


Re: Routing-Instance and ISIS Routing

‎12-20-2017 09:25 AM
Hi,

Do you see isis adjacency up in the VR? I don’t see any iso address configured in VR.

Create one loopback, assign ISO address to it and add in Customer-VR

set interfaces lo0 unit 10 family iso address 49.xxxx.xxxx.xxxx.xxxx.00

set routing-instances Customer-VR interface lo0.10


Let us know if it still doesn’t work.
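
An added example, not part of any poster's reply and not Juniper code: a Python check over `display set` output for the condition diagnosed in the reply above, a routing instance that runs IS-IS while none of its own interfaces carries an ISO NET address. The sample lines are taken from the configuration posted in this thread; the function name and the lo0.10 NET value are constructed for illustration.

```python
import re
from collections import defaultdict

# Only the three statement shapes relevant to the check are parsed.
IFL = re.compile(r"set interfaces (\S+) unit (\d+) family iso(?: address (\S+))?$")
BIND = re.compile(r"set routing-instances (\S+) interface (\S+)$")
ISIS = re.compile(r"set routing-instances (\S+) protocols isis interface (\S+)$")

def lint_isis_instances(config_text):
    """Return {instance: [findings]} for each routing instance running IS-IS."""
    iso_family, iso_net = set(), set()          # logical interfaces, e.g. "ae2.0"
    bound, isis = defaultdict(set), defaultdict(set)
    for line in map(str.strip, config_text.splitlines()):
        if m := IFL.match(line):
            ifl = f"{m.group(1)}.{m.group(2)}"
            iso_family.add(ifl)
            if m.group(3):                      # an address means a NET is present
                iso_net.add(ifl)
        elif m := ISIS.match(line):
            isis[m.group(1)].add(m.group(2))
        elif m := BIND.match(line):
            bound[m.group(1)].add(m.group(2))
    findings = {}
    for inst, ifls in isis.items():
        out = [f"{i} runs IS-IS but is not bound to the instance"
               for i in sorted(ifls - bound[inst])]
        out += [f"{i} runs IS-IS but has no family iso"
                for i in sorted(ifls - iso_family)]
        # A NET on lo0.0 in the global table does not count for the instance.
        if not bound[inst] & iso_net:
            out.append("no interface in the instance carries an ISO NET address")
        findings[inst] = out
    return findings

# Subset of the configuration posted in the thread.
BEFORE = """\
set interfaces ae2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family iso
set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0004.00
set protocols isis interface lo0.0
set routing-instances Customer-VR instance-type virtual-router
set routing-instances Customer-VR interface ae2.0
set routing-instances Customer-VR protocols isis interface ae2.0
set routing-instances NineGroup-VR instance-type virtual-router
set routing-instances NineGroup-VR interface ge-0/0/2.0
set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0
"""
# Suggested change applied to Customer-VR only; the NET value is constructed.
AFTER = BEFORE + """\
set interfaces lo0 unit 10 family iso address 49.0001.0000.0000.0010.00
set routing-instances Customer-VR interface lo0.10
set routing-instances Customer-VR protocols isis interface lo0.10
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for inst, out in lint_isis_instances(cfg).items():
            print(label, inst, out or "ok")
```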

Re: Routing-Instance and ISIS Routing

‎12-20-2017 12:20 PM

Hi,

 

You can also configure the ISO address in ae2 interface at both end. Below is the sample config:

 

set routing-instances VR2 instance-type virtual-router
set routing-instances VR2 interface ge-0/0/0.0
set routing-instances VR2 protocols isis interface ge-0/0/0.0

set interfaces ge-0/0/0 unit 0 family iso address 49.0001.1950.0080.0004.00

 

set routing-instances VR1 instance-type virtual-router
set routing-instances VR1 interface ge-0/0/0.0
set routing-instances VR1 protocols isis interface ge-0/0/0.0

set interfaces ge-0/0/0 unit 0 family iso address 49.0001.1950.0080.0005.00

 

show isis adjacency instance VR2
Interface System L State Hold (secs) SNPA
ge-0/0/0.0 R1_re0-VR1 1 Up 8 56:68:a3:17:57:32
ge-0/0/0.0 R1_re0-VR1 2 Up 7 56:68:a3:17:57:32

 


 

 


Re: Routing-Instance and ISIS Routing

‎12-20-2017 12:26 PM
Yeah,

Well we can assign it to any interface but loopback is the best practice.

Re: Routing-Instance and ISIS Routing

‎12-20-2017 12:37 PM

Hi Kingsman,

 

I agree with you.


Re: Routing-Instance and ISIS Routing

‎12-21-2017 02:00 AM

Hi,

 

Thank you guys for the responses.... awesome..... I have not yet had a chance to configure this, but will be completing this morning. As another quick question regarding this configuration.....

 

If I create a new Loopback sub-int....i.e lo0.10  .... would I also assign the IPv4 and IPv6 addresses to this loopback subint rather than the main lo0?

So I should end up with

 

set interfaces lo0 unit 10 family inet address 192.168.1.10/32
set interfaces lo0 unit 10 family inet6 address 4a06:334a:0049:ffff:ffff:ffff:0000:0001/128
set interfaces lo0 unit 10 family iso address 49.0001.xxxx.xxxx.xxxx.00

 

and then assign that subint to the VR with:

 

set routing-instance Customer-VR interface lo0.10

 

Thanks in advance


Re: Routing-Instance and ISIS Routing

‎12-21-2017 03:04 AM

Hi,

 

You can assign an address to all the units of the loopback (including 0). Junos only allows one loopback in the global table, so any new unit interface you create must be in a routing-instance.

You can keep lo0 in global table and lo0.10 in routing-instance and assign both of them an IP address.

 

HTH


Re: Routing-Instance and ISIS Routing

‎12-21-2017 08:38 AM

Hi,

 

Thank you for the response. Okay, I have a strange issue occurring.... I have configured as suggested:

 

set interfaces lo0.10 family inet address xxx.xxx.xxx.xxx

set interfaces lo0.10 family inet6 address xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx

set interfaces lo0.10 family iso address 49.0001.xxxx.xxxx.xxxx.00

 

set routing-instance Customer-VR interface ae2

set routing-instance Customer-VR protocols isis interface ae2

 

Now, I get ISIS routes being advertised now, which is awesome work from you guys, but now I have an extremely frustrating, but I am sure easily solved, problem....

 

SRX-A --> MX240 --> MX240 --> SRX-B

 

SRX-A has the Customer-VR but SRX-B has no new VRs associated with it....

 

If I ping from the ae2 interface from SRX-B to the ae2 interface of SRX-A, I get a response, which is brilliant.

If I ping from the ae2 interface on SRX-A to the ae2 interface on SRX-B I get a "No route to host" response..... On SRX-B there is a route via the correct interface to SRX-A and on SRX-A there is a correct route to SRX-B.... How is this possible.....

 

In fact, from SRX-A I cannot even ping the directly connected neighbor as I get the "no route to host" response.... this is very obviously related to the VR, but I am unsure how?

 

Thanks

Solution
Accepted by topic author adgwytc
‎12-22-2017 04:34 AM

Re: Routing-Instance and ISIS Routing

‎12-21-2017 08:49 AM
Hi,

On SRX-A ae2 is in routing-instance. Are you using “ping x.x.x.x routing-instance Customer-VR” while pinging from SRX-A?

Re: Routing-Instance and ISIS Routing

‎12-21-2017 09:30 AM

I am a bloody idiot sometimes..... I have been telling another colleague that when a VR is being used EVERYTHING must be done via that VR and then I make that mistake..... Sorry for wasting your time....

 

 


Re: Routing-Instance and ISIS Routing

‎12-21-2017 09:38 AM
No worries! ☺ It happens sometimes.

Please help close the thread so that others can benefit from it.

Re: Routing-Instance and ISIS Routing

‎01-02-2018 04:04 AM

Hi,

 

I'm re-opening this thread because I have a secondary issue regarding isis routing and the VRs created....

 

On one SRX1500 I have created 2 x VRs.... one is called Customer-VR and the other Test-VR. One VR faces the Data Network and one VR faces a DMZ, where the RADIUS is located. From an L2TP perspective, the PPP requests will be answered via the RADIUS so routing is required all the way through.

 

The Customer-VR can ping the other SRX1500 Customer-VR with no issue on IPv6 and IPv4, however, even on a directly connected router I have no route to the IPv6 or IPv4 address on the Test-VR. Below is the configuration I have used:

 

set interfaces ge-0/0/2 unit 0 family inet address xxx.xxx.xxx.xxx/30
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/127

set interfaces lo0 unit 0 family inet address xxx.xxx.xxx.xxx/32
set interfaces lo0 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128
set interfaces lo0 unit 10 family iso address 49.0001.xxxx.xxxx.xxxx.00

set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
set interfaces ae2 unit 0 family inet address xxx.xxx.xxx.xxx/30
set interfaces ae2 unit 0 family iso
set interfaces ae2 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/127

set security zones security-zone NineGroup-DMZ host-inbound-traffic system-services all
set security zones security-zone NineGroup-DMZ host-inbound-traffic protocols all
set security zones security-zone NineGroup-DMZ interfaces ge-0/0/2.0
set security zones security-zone Customer-Network host-inbound-traffic system-services all
set security zones security-zone Customer-Network host-inbound-traffic protocols all
set security zones security-zone Customer-Network interfaces ae2.0

set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match source-address any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match destination-address any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match application any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest then permit
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match source-address any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match destination-address any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match application any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 then permit

set routing-instances Customer-VR interface ae2.0
set routing-instances Customer-VR interface lo0.10
set routing-instances Customer-VR protocols isis level 1 authentication-key "$9$29gGiPfz6CuQFu1EyW8VwYgZUik.5z3"
set routing-instances Customer-VR protocols isis level 1 authentication-type md5
set routing-instances Customer-VR protocols isis level 2 authentication-key "$9$lOzeLNsYoGjq4aqfQnpuhSre8XNdb2oJ"
set routing-instances Customer-VR protocols isis level 2 authentication-type md5
set routing-instances Customer-VR protocols isis interface ae2.0
set routing-instances Customer-VR protocols isis interface lo0.10
set routing-instances NineGroup-VR instance-type virtual-router
set routing-instances NineGroup-VR interface ge-0/0/2.0
set routing-instances NineGroup-VR protocols isis level 1 authentication-key "$9$Ac7/t1heK87dsWLs4JDmPn/CtBIhSrv8X"
set routing-instances NineGroup-VR protocols isis level 1 authentication-type md5
set routing-instances NineGroup-VR protocols isis level 2 authentication-key "$9$Woo8-woaUH.5GD5F6A1IlKM8NdwYgJUj"
set routing-instances NineGroup-VR protocols isis level 2 authentication-type md5
set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0

 

There is one obvious difference in the configuration of the VRs and that is the inclusion of the lo0.10 interface that the NET address is assigned to. This is because the SRX1500 does not allow it because it is assigned already to the Customer-VR. So, my question is, how can I get the Test-VR to also be included in the ISIS routing?

 

I could get around this by configuring a static address, but this will not work once live as more equipment will be connected to different ports on the SRX1500.

 

Thanks