Junos 11.4 - SRX flow mode - traffic destined for loopback lo0 interface
Junos - SRX - communicating with the loopback lo0 interface of a remote deviceThe structure of Junos on the SRX platforms is a little more complicated from all other platforms due to security zones and policies.
Communication flow path with the IP address of an SRX (running in flow mode) loopback lo0.0 interface starting with Junos 11 iirc, is changed due to the fact that loopback needs to be assigned to a security zone.
Below are the walls that a packet will hit before it reaches the destination IP on the lo0.0 interface.
Configuration before I begin:
Code:
root@daniel# show interfaces fe-0/0/7
unit 0 {
family inet {
address 10.0.0.1/24;
}
}
[edit]
root@daniel# show interfaces lo0.0
family inet {
address 192.168.27.1/32;
}
[edit]
root@daniel# top show security zones
security-zone trust {
interfaces {
fe-0/0/7.0;
}
}
Assuming we have a random host (preferably UNIX) with a static or dynamic route in place having IP 10.0.0.2 directly connected to an SRX 100 on interface fe-0/0/7 (zone "trust") with IP 10.0.0.1 and a loopback lo0.0 IP 192.168.27.1. A ping from <UNIX HOST> to 192.168.27.1 starting with Junos 11 will:
1. Check outgoing interface zone, as the security framework is based on zone-to-zone policies.
Since loopback is not assigned by default to any zone, packet is dropped.
Logs outputing what happens if lo0 interface is not assigned to any zone:
Code:
May 30 12:47:16 12:47:16.647867:CID-0:RT: chose interface fe-0/0/7.0 as incoming nat if.
...
May 30 12:47:16 12:47:16.647867:CID-0:RT:Changing out-ifp from .local..0 to lo0.0 for dst: 192.168.27.1 in vr_id:0
May 30 12:47:16 12:47:16.647867:CID-0:RT: routed (x_dst_ip 192.168.27.1) from trust (fe-0/0/7.0 in 0) to lo0.0, Next-hop: 192.168.27.1
May 30 12:47:16 12:47:16.647867:CID-0:RT: packet dropped, out_ifp is null or in null-zone
May 30 12:47:16 12:47:16.647867:CID-0:RT:Out-ifp lo0.0 is null or in null zone
May 30 12:47:16 12:47:16.647867:CID-0:RT: flow find session returns error.
Assinging lo0 to a security zone:
Code:
set security zones security-zone re interfaces lo0.0
2. If loopback interface is assigned to a zone (let's say "re" in my example), next Junos will check security policies from security zone of incoming physical interface ("trust") to the security zone that loopback belongs to ("re"):
Code:
May 30 12:48:57 12:48:57.548449:CID-0:RT: chose interface fe-0/0/7.0 as incoming nat if.
May 30 12:48:57 12:48:57.548449:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone re (0x0,0x122f,0x122f)
May 30 12:48:57 12:48:57.548449:CID-0:RT: app 0, timeout 60s, curr ageout 60s
May 30 12:48:57 12:48:57.548449:CID-0:RT: packet dropped, denied by policy
May 30 12:48:57 12:48:57.548449:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
May 30 12:48:57 12:48:57.548449:CID-0:RT: packet dropped, policy deny.
May 30 12:48:57 12:48:57.548449:CID-0:RT: flow find session returns error.
Since no policy is in place, default policy (drop) will take action on the packet.
Let's create a policy from "trust" to "re" to permit everything (for convenience):
Code:
# set security policies from-zone trust to-zone re policy any match source-address any
# set security policies from-zone trust to-zone re policy any match destination-address any
# set security policies from-zone trust to-zone re policy any match application any
# set security policies from-zone trust to-zone re policy any then permit
# set security policies default-policy permit-all
3. Now that the loopback is assigned to a security zone and a security policy to permit traffic from trust to re is in place, there is one more impediment:
Code:
May 30 12:54:59 12:54:59.143260:CID-0:RT: chose interface fe-0/0/7.0 as incoming nat if.
May 30 12:54:59 12:54:59.143260:CID-0:RT: routed (x_dst_ip 192.168.27.1) from trust (fe-0/0/7.0 in 0) to lo0.0, Next-hop: 192.168.27.1
May 30 12:54:59 12:54:59.143260:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone re (0x0,0x1238,0x1238)
May 30 12:54:59 12:54:59.143260:CID-0:RT: app 0, timeout 60s, curr ageout 60s
May 30 12:54:59 12:54:59.143260:CID-0:RT: permitted by policy any(4)
May 30 12:54:59 12:54:59.143260:CID-0:RT: post addr xlation: 10.0.0.2->192.168.27.1.
May 30 12:54:59 12:54:59.143260:CID-0:RT: flow_first_create_session
May 30 12:54:59 12:54:59.143260:CID-0:RT: chose interface lo0.0 as incoming nat if.
May 30 12:54:59 12:54:59.143260:CID-0:RT: packet dropped: for self but not interested
May 30 12:54:59 12:54:59.143260:CID-0:RT: packet dropped, packet dropped: for self but not interested.
May 30 12:54:59 12:54:59.143260:CID-0:RT: flow find session returns error.
The above means that PFE is not interested in the packet destined for loopback, which is a routing engine interface.
The final step is to tell the forwarding engine which services and/or protocols it needs to pass to routing engine using host-inbound-traffic:
Code:
# set security zones security-zone re interfaces lo0.0 host-inbound-traffic system-services ping
Now, icmp packets only will traverse the forwarding engine of the SRX security device and will reach IP address of the device's loopback interface.
Note: on the "trust" security zone there is no need for "host-inbound-traffic" directive unless the destination of the packets is the IP address of the interface belonging to the zone.
Hope this helps.
News 
Site map 
SitemapIndex 
RSS Feed 