Junos interface initial configuration includes both physical properties and logical properties. IP address configuration is part of the logical interface configuration.
When you configure multiple IP addresses on a Juniper device, unlike on Cisco devices, they are not replaced: all of the addresses are added to the interface.
The question is then which address is used as the source address when packets originate from that interface. The Junos primary and preferred address settings answer this question.
Junos Primary and Preferred address
Junos Interface Configuration
In Juniper devices, physical properties such as speed and duplex are configured in a different context from logical properties such as the IP address.
On Cisco devices, when you configure multiple IP addresses on one interface, only the latest IP address remains, since it replaces the earlier ones, unless you append the keyword “secondary” to the non-primary IP addresses.
On Juniper devices, by default all IP addresses are added to the interface unless you delete the old IP address.
When multiple IP addresses are configured, you have the option to select one of them as primary and one as preferred.
What is the difference between Junos Primary and Preferred address?
Preferred address is used as the source address for packets originated from the interface.
Primary address is used as the source address for broadcast and multicast packets originated from this interface.
Junos Primary and Preferred address configuration
As previously explained, configuring physical interface properties such as speed and duplex requires you to enter the physical interface context.
As an example, we enter “interfaces ge-0/0/0” to configure speed and duplex.
rayka@vSRX# set interfaces ge-0/0/0 link-mode ?
Possible completions:
automatic Automatically negotiate duplex
full-duplex Full-duplex operation
half-duplex Half-duplex operation
[edit]
rayka@vSRX# set interfaces ge-0/0/0 link-mode full-duplex
[edit]
rayka@vSRX# set interfaces ge-0/0/0 speed ?
Possible completions:
100m
10g
10m
1g
[edit]
rayka@vSRX# set interfaces ge-0/0/0 speed 1g
[edit]
rayka@vSRX# set interfaces ge-0/0/0 mtu ?
Possible completions:
<mtu> Maximum transmit packet size (256..9192)
We configure duplex with the “link-mode” option and speed with the “speed” option.
To configure an IP address, you have to enter the logical context, which is called a “unit” in Juniper devices.
In this context, it is possible to configure both IPv4 and IPv6 addresses. For an IPv4 address we use “unit 0 family inet”, and for an IPv6 address we use “unit 0 family inet6”.
As an example, I will assign three IP addresses to interface ge-0/0/0: “192.168.1.101/24”, “192.168.1.102/24” as the preferred address, and “192.168.1.103/24” as the primary address.
rayka@vSRX# set interfaces ge-0/0/0 unit 0 family ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> ccc Circuit cross-connect parameters
> ethernet-switching Ethernet switching parameters
> inet IPv4 parameters
> inet6 IPv6 protocol parameters
> iso OSI ISO protocol parameters
> mpls MPLS protocol parameters
> tcc Translational cross-connect parameters
> vpls Virtual private LAN service parameters
[edit]
rayka@vSRX# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.101/24 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> arp Static Address Resolution Protocol entries
broadcast Broadcast address
preferred Preferred address on interface
primary Candidate for primary address in system
> vrrp-group VRRP group
> web-authentication Parameters for web-based firewall-user authentication
| Pipe through a command
[edit]
rayka@vSRX# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.101/24
[edit]
rayka@vSRX# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.102/24 preferred
[edit]
rayka@vSRX# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.103/24 primary
[edit]
rayka@vSRX#
[edit]
rayka@vSRX# show | compare
[edit interfaces]
+ ge-0/0/0 {
+ unit 0 {
+ family inet {
+ address 192.168.1.101/24;
+ address 192.168.1.102/24 {
+ preferred;
+ }
+ address 192.168.1.103/24 {
+ primary;
+ }
+ }
+ }
+ }
[edit]
rayka@vSRX#
You can see that all three IP addresses are kept in the configuration and none of them is replaced.
To be able to test which IP address is used as the source address, I have to configure security zone options on the SRX so it can generate traffic. We have not yet covered these concepts, so you can ignore them at this step.
If your device is a router rather than an SRX firewall, you do not need to configure security zones; in fact, the security zone options do not exist in its configuration.
[edit]
rayka@vSRX# set security zones security-zone untrust interfaces ge-0/0/0.0
[edit]
rayka@vSRX# set security zones security-zone untrust host-inbound-traffic protocols all
[edit]
rayka@vSRX# set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
After configuring the security zones and the gateway address, we can ping both the local subnet and an external subnet from the device itself to see which of these addresses is used as the source address.
rayka@vSRX# run ping 192.168.1.111
PING 192.168.1.111 (192.168.1.111): 56 data bytes
64 bytes from 192.168.1.111: icmp_seq=0 ttl=64 time=1.559 ms
64 bytes from 192.168.1.111: icmp_seq=1 ttl=64 time=1.456 ms
64 bytes from 192.168.1.111: icmp_seq=2 ttl=64 time=1.410 ms
^C
--- 192.168.1.111 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.410/1.475/1.559/0.062 ms
[edit]
rayka@vSRX#
root@192-168-1-111:~# tcpdump -i ens32 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
00:58:27.751925 IP 192.168.1.102 > 192-168-1-111.rayka-co.local: ICMP echo request, id 3650, seq 0, length 64
00:58:27.751956 IP 192-168-1-111.rayka-co.local > 192.168.1.102: ICMP echo reply, id 3650, seq 0, length 64
00:58:28.752563 IP 192.168.1.102 > 192-168-1-111.rayka-co.local: ICMP echo request, id 3650, seq 1, length 64
00:58:28.752595 IP 192-168-1-111.rayka-co.local > 192.168.1.102: ICMP echo reply, id 3650, seq 1, length 64
00:58:29.756771 IP 192.168.1.102 > 192-168-1-111.rayka-co.local: ICMP echo request, id 3650, seq 2, length 64
00:58:29.756799 IP 192-168-1-111.rayka-co.local > 192.168.1.102: ICMP echo reply, id 3650, seq 2, length 64
^C
6 packets captured
7 packets received by filter
0 packets dropped by kernel
root@192-168-1-111:~#
rayka@vSRX# run ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=109 time=57.725 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=109 time=62.486 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=109 time=58.223 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 57.725/59.478/62.486/2.137 ms
[edit]
rayka@vSRX#
root@192-168-1-111:~# tcpdump -i ens32 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
02:02:40.394269 IP 192.168.1.102 > dns.google: ICMP echo request, id 61772, seq 0, length 64
02:02:40.451172 IP dns.google > 192.168.1.102: ICMP echo reply, id 61772, seq 0, length 64
02:02:41.401135 IP 192.168.1.102 > dns.google: ICMP echo request, id 61772, seq 1, length 64
02:02:41.462302 IP dns.google > 192.168.1.102: ICMP echo reply, id 61772, seq 1, length 64
02:02:42.405115 IP 192.168.1.102 > dns.google: ICMP echo request, id 61772, seq 2, length 64
02:02:42.462357 IP dns.google > 192.168.1.102: ICMP echo reply, id 61772, seq 2, length 64
^C
6 packets captured
8 packets received by filter
0 packets dropped by kernel
root@192-168-1-111:~#
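As an added example (my own code, not part of the original lesson or any Juniper tooling), the following Python script ties the two halves of the test together: it parses the “family inet” block that “show | compare” displayed above, applies the two rules from the lesson to work out which address is preferred and which is primary, and then checks that the source address tcpdump recorded on the ping target is the preferred one. The sample configuration and tcpdump lines are constructed from the output shown above; the fallback used when no flag is set (the numerically lowest address) is an assumption taken from Junos documentation, not something this lesson states.

```python
import ipaddress
import re

# Constructed sample: the "family inet" block committed in the lesson, as it
# would appear in "show interfaces ge-0/0/0" (the "+" diff markers removed).
SAMPLE_CONFIG = """\
unit 0 {
    family inet {
        address 192.168.1.101/24;
        address 192.168.1.102/24 {
            preferred;
        }
        address 192.168.1.103/24 {
            primary;
        }
    }
}
"""

# Constructed sample: tcpdump lines of the kind captured on the ping target.
SAMPLE_TCPDUMP = """\
00:58:27.751925 IP 192.168.1.102 > 192-168-1-111.rayka-co.local: ICMP echo request, id 3650, seq 0, length 64
00:58:27.751956 IP 192-168-1-111.rayka-co.local > 192.168.1.102: ICMP echo reply, id 3650, seq 0, length 64
02:02:40.394269 IP 192.168.1.102 > dns.google: ICMP echo request, id 61772, seq 0, length 64
02:02:40.451172 IP dns.google > 192.168.1.102: ICMP echo reply, id 61772, seq 0, length 64
"""

# "address A.B.C.D/len;" or "address A.B.C.D/len {" (flags follow on later lines)
ADDR_RE = re.compile(r"\baddress\s+(\S+?)\s*([;{])")
# Only echo requests matter: their source is the address the device picked
ECHO_REQ_RE = re.compile(r"^\S+ IP (\S+) > \S+: ICMP echo request")


def parse_inet_addresses(config_text):
    """Return [(ip_interface, flags)] for every 'address' statement.
    flags is a set that may contain 'preferred' and/or 'primary'."""
    entries = []
    lines = config_text.splitlines()
    i = 0
    while i < len(lines):
        m = ADDR_RE.search(lines[i])
        if m:
            iface = ipaddress.ip_interface(m.group(1))
            flags = set()
            if m.group(2) == "{":
                # Walk the brace block of this address and collect flag keywords.
                i += 1
                while i < len(lines) and lines[i].strip() != "}":
                    keyword = lines[i].strip().rstrip(";")
                    if keyword in ("preferred", "primary"):
                        flags.add(keyword)
                    i += 1
            entries.append((iface, flags))
        i += 1
    return entries


def select_addresses(entries):
    """Apply the lesson's rules: the 'preferred' address is the source for packets
    to its subnet, the 'primary' address is the source for broadcast/multicast.
    Assumption (Junos default, not stated in the lesson): with no flag set, the
    numerically lowest address wins. Returns ({subnet: preferred_ip}, primary_ip)."""
    if not entries:
        return {}, None
    ordered = sorted(entries, key=lambda e: (e[0].version, e[0].ip))
    preferred = {}
    for iface, flags in ordered:
        net = str(iface.network)
        # Lowest address seeds the subnet; an explicit 'preferred' flag overrides it.
        if "preferred" in flags or net not in preferred:
            preferred[net] = str(iface.ip)
    primary = next((str(i.ip) for i, f in ordered if "primary" in f), str(ordered[0][0].ip))
    return preferred, primary


def observed_sources(tcpdump_text):
    """Source addresses of the ICMP echo requests seen by tcpdump."""
    sources = set()
    for line in tcpdump_text.splitlines():
        m = ECHO_REQ_RE.match(line)
        if m:
            sources.add(m.group(1))
    return sources


def check_source_selection(config_text, tcpdump_text):
    """Compare the expected preferred address(es) with what the capture shows."""
    preferred, primary = select_addresses(parse_inet_addresses(config_text))
    seen = observed_sources(tcpdump_text)
    expected = set(preferred.values())
    return {
        "preferred": preferred,
        "primary": primary,
        "observed": sorted(seen),
        # Non-empty here means the device did not source from the preferred address.
        "unexpected": sorted(seen - expected),
    }


if __name__ == "__main__":
    for key, value in check_source_selection(SAMPLE_CONFIG, SAMPLE_TCPDUMP).items():
        print(f"{key}: {value}")
```

Run against the lesson's own output the script reports 192.168.1.102 as preferred for 192.168.1.0/24, 192.168.1.103 as primary, and no unexpected sources, which is exactly what the two tcpdump captures above show. Feed it a capture from a host where pings unexpectedly arrive from 192.168.1.101 or .103 and the “unexpected” list will flag the mismatch.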
Hi Rayka, thanks so much for posting this Junos / SRX FW lesson. I have a few immediate questions for you:
1) Is there a limitation to the number of secondary IP addresses that can be added to an interface?
2) Is it mandatory to declare a Primary or can they just co-exist?
3) If no Primary is required, can I source traffic from a secondary by using some type of “source interface” command string?