
I have been thrown into this project because of a coworker's termination.

I have a set of Juniper SRX 550 Routers. I need to create an OSPF network that passes all traffic (All subnets) as if it were a straight patch cable between switches.

The routers have to be plugged in unmanaged to switches at each location.

Each location is geographically different.

I have an origination point, where the DHCP process occurs.

What I have so far is this:

load factory-default
set system host-name #######
set routing-options router-id #.#.#.#
set interfaces ge-0/0/0 unit 0 family inet address 172.23.23.#/24
set interfaces ge-0/0/5 unit 0 family inet address 172.23.23.#/24
set interfaces lo0 unit 0 family inet address #.#.#.#/24
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/5.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive 
set system root-authentication plain-text-password
set system login user username class super-user authentication plain-text-password

To assign port ge-0/0/5 to OSPF I have to delete it first.

To address security I am using packet-based mode (it's essentially a LAN):

delete security
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based

On this router I cannot ping interface ge-0/0/5. I get "No route to host"

I am not versed on this hardware at all, and the extent of my knowledge is routing (no IP routing) between two Cisco 2000 series routers with HWIC DSU T1 cards.

Thus far on two routers I have neighbor relationships. But I think I'm missing something, as I cannot ping anything in either direction.

I'm thinking that doing a VLAN for each subnet used in the network and assigning the connectors to it would be somewhat in the right direction. But I'm not getting anywhere.

All hardware is the same, and think of this as a network where each location is on a LAN.

I have to pass traffic from the open (Free) ports of the router. In the configuration above I'm using ports 0 and 5 for OSPF communication and I'll need ports 1, 2, 3 and 4 to permit access onto the network.

If I need to obtain a list of all subnets I can.

Any help would be greatly appreciated.


Configuration ideas from 9.25.2014

This is without deleting security or enabling MPLS.

set security zones security-zone trust interfaces ge-0/0/0 host-inbound-traffic system-services all 
set security zones security-zone untrust interfaces ge-0/0/5 host-inbound-traffic system-services all 
set security policies from-zone trust to-zone untrust policy permit-all match source-address any 
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any 
set security policies from-zone trust to-zone untrust policy permit-all match application any 
set security policies from-zone trust to-zone untrust policy permit-all then permit 
set security policies from-zone untrust to-zone trust policy deny-all match source-address any 
set security policies from-zone untrust to-zone trust policy deny-all match destination-address any 
set security policies from-zone untrust to-zone trust policy deny-all match application any 
set security policies from-zone untrust to-zone trust policy deny-all then deny
  • This is an SRX, you nuked the entire security section. You need to permit "host-inbound-traffic" meaning traffic meant for the routing engine for OSPF packets to exchange between other peers. Further, you need a security zone assigned to these and rules to permit traffic to flow. What version of JunOS? – SpacemanSpiff Sep 25 '14 at 13:24
  • That's the thing. I don't need security. The Juniper Engineer I spoke with told me that I want to delete security and change it to packet based. But if there is an easier way to do it utilizing some type of permit all security policy I'd be open to trying. My Junos version is: 12.1x44-D30.4 using the 'show version' command. – Russell G. Sep 25 '14 at 14:55
  • I am fairly certain to get back to a packet based mode where you can use an SRX as a router requires a bunch of downgrades to 9.X code which might be a big headache at this point. I would set the default policy to permit, and then put all interfaces in the same zone. You would still need to set host-inbound-traffic for the zone to permit all as well. – SpacemanSpiff Sep 25 '14 at 16:31
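The following is an added example, not part of the original question or comments, of what the approach in the last comment (keep the SRX in flow mode, put every interface in one zone, set the default policy to permit, allow host-inbound traffic) looks like as Junos set commands for one site. Hostname, router-id and addresses are hypothetical; it assumes each OSPF link gets its own /30 and the loopback a /32, so that the two OSPF interfaces are not in the same subnet, and it assumes ge-0/0/1 is one of the LAN-facing ports. Host-inbound traffic is limited to OSPF, ping and SSH rather than "system-services all", since the zone-level setting applies to every interface in the zone.

```junos
## Assumed addressing (hypothetical): ge-0/0/0 and ge-0/0/5 are the two OSPF links,
## each on its own /30; ge-0/0/1 faces the site LAN; lo0 carries a /32 router-id.
set system host-name srx-site-A
set routing-options router-id 10.255.0.1
set interfaces lo0 unit 0 family inet address 10.255.0.1/32
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/30
set interfaces ge-0/0/5 unit 0 family inet address 10.0.0.5/30
set interfaces ge-0/0/1 unit 0 family inet address 172.23.23.1/24

## OSPF runs on the two inter-site links; the LAN interface and loopback are
## advertised into area 0 but passive, so no adjacency is attempted toward the LAN
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/5.0
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
set protocols ospf area 0.0.0.0 interface lo0.0 passive

## One zone for every interface: the SRX stays flow-based, no code downgrade needed
set security zones security-zone lan interfaces ge-0/0/0.0
set security zones security-zone lan interfaces ge-0/0/5.0
set security zones security-zone lan interfaces ge-0/0/1.0
set security zones security-zone lan interfaces lo0.0

## Traffic destined to the routing engine itself: OSPF hellos/LSAs plus ping and
## SSH for troubleshooting and management, instead of "system-services all"
set security zones security-zone lan host-inbound-traffic protocols ospf
set security zones security-zone lan host-inbound-traffic system-services ping
set security zones security-zone lan host-inbound-traffic system-services ssh

## Transit traffic between any two interfaces (intra-zone included) is allowed
## by the default policy, so no per-pair from-zone/to-zone policies are needed
set security policies default-policy permit-all
```

Run `commit check` before `commit`, then verify with `show ospf neighbor` (state should be Full on both links), `show route protocol ospf` (the other sites' LAN subnets should appear), and `show security flow session` while pinging across sites. Because the box remains flow-based, a session must see both directions on the same SRX: if OSPF ever chooses different paths for the two directions between two sites, the flow engine will drop the return traffic, so keep the topology symmetric or adjust OSPF metrics so each pair of sites has one preferred path.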

0 Answers