Junos - How to use loopback IP address as source for local originated packets (ssh/telnet)
This article mainly applies to branch and MX devices.
Configuring in Junos the Source Address for Locally Generated TCP/IP Packets
Code:
> show configuration system default-address-selection | display set
set system default-address-selection
Junos doc quote:
Quote:
Configuring the Source Address for Locally Generated TCP/IP Packets
By default, the source address included in locally generated Transmission
Control Protocol/IP (TCP/IP) packets, such as FTP traffic, and in User
Datagram Protocol (UDP) and IP packets, such as Network Time Protocol
(NTP) requests, is chosen as the local address for the interface on which
the traffic is transmitted. This means that the local address chosen for
packets to a particular destination might change from connection to
connection based on the interface that the routing protocol has chosen to
reach the destination when the connection is established. If multiple
equal-cost next hops are present for a destination, locally generated
packets use the lo0 address as a source.
To configure the software to select a fixed address to use as the source
for locally generated IP packets, include the default-address-selection
statement at the [edit system] hierarchy level:
[edit system]
default-address-selection;
If you include the default-address-selection statement in the
configuration, the software chooses the system default address as the
source for most locally generated IP packets. The default address is
usually an address configured on the lo0 loopback interface. For example,
if you specified that SSH and telnet use a particular address, but you
also have default-address-selection configured, the system default address
is used. For more information about how the default address is chosen, see
the JUNOS Network Interfaces Configuration Guide.
For IP packets sent by IP routing protocols--including Open Shortest Path
First (OSPF), Routing Information Protocol (RIP), Resource Reservation
Protocol (RSVP), and the multicast protocols, but not including
Intermediate System-to-Intermediate System (IS-IS)--the local address
selection is often constrained by the protocol specification so that the
protocol operates correctly. When this constraint exists in the routing
protocol, the packet's source address is unaffected by the presence of the
default-address-selection statement in the configuration. For protocols in
which the local address is unconstrained by the protocol specification,
for example, internal Border Gateway Protocol (IBGP) and multihop external
BGP (EBGP), if you do not configure a specific local address when
configuring the protocol, the local address is chosen using the same
method as other locally generated IP packets.
On SRX devices this also requires a source NAT rule-set for traffic originating in the junos-host zone (the implicit zone for packets the device generates itself) if the device will send packets to the Internet, or to any part of the network where the loopback address is not routed:
Code:
> show configuration security nat source rule-set self-internet
from zone junos-host;
to zone untrust;
rule RE-untrust {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
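The full picture in set format, as an added example (not part of the original post): the loopback address, default-address-selection, the zone holding lo0.0 with only the needed host-inbound services (which is what the "Allowed host-inbound traffic : ping ssh" line in the test output below reflects), and the junos-host source NAT rule-set towards untrust. 172.17.1.1/32 reuses the loopback from the post's test output; the zone names and the rule-set name are assumptions, and the `##` comment lines are explanatory and should be dropped if your paste method rejects them.

```junos
## Added example, not the original post's configuration. Addresses, zone
## names and the rule-set name are assumptions for illustration.

## 1. Loopback address that becomes the system default address
set interfaces lo0 unit 0 family inet address 172.17.1.1/32

## 2. Make locally originated traffic (ssh, telnet, NTP, syslog, ...) use
##    the default (lo0) address instead of the address of the egress interface
set system default-address-selection

## 3. Put lo0.0 in a zone and allow only the management services you
##    actually need inbound on the loopback
set security zones security-zone routing_engine interfaces lo0.0
set security zones security-zone routing_engine host-inbound-traffic system-services ping
set security zones security-zone routing_engine host-inbound-traffic system-services ssh

## 4. Source NAT for self-originated traffic leaving towards the Internet,
##    where 172.17.1.1 is not routable. Only packets generated by the device
##    itself come from the junos-host zone, so 0.0.0.0/0 here never matches
##    transit traffic.
set security nat source rule-set self-internet from zone junos-host
set security nat source rule-set self-internet to zone untrust
set security nat source rule-set self-internet rule RE-untrust match source-address 0.0.0.0/0
set security nat source rule-set self-internet rule RE-untrust then source-nat interface

## 5. Deliberately no rule-set from junos-host towards the internal/management
##    zone: a syslog, TACACS+ or NTP server there keeps seeing 172.17.1.1 and
##    its access list can stay keyed on the loopback address.
```

To check the result, open an outbound `ssh user@host` from operational mode and, in a second session, run `show security flow session destination-port 22`: the session's In wing should show 172.17.1.1 as the source for any destination, and only for sessions towards untrust should the Out wing show the egress interface address. Two caveats worth keeping in mind: with the NAT rule-set in place, hosts on the untrust side see the interface address, not the loopback, so their filters must allow that address; and, as the quoted documentation says, protocols whose source address is constrained by their specification (OSPF, RIP, RSVP, multicast) ignore default-address-selection, while IBGP and multihop EBGP should get an explicit local address in the protocol configuration rather than relying on it.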
Testing:
Code:
> show interfaces lo0.0
Logical interface lo0.0 (Index 67) (SNMP ifIndex 16)
Flags: SNMP-Traps Encapsulation: Unspecified
Input packets : 0
Output packets: 0
Security: Zone: routing_engine
Allowed host-inbound traffic : ping ssh
Protocol inet, MTU: Unlimited
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Default Is-Primary
Local: 172.17.1.1
All SSH/telnet sessions initiated from Junos will now use 172.17.1.1 as their source IP (unless a source NAT rule such as the one above rewrites it).