Junos Interface Initial Configuration includes configuring both physical properties and logical properties. IP address configuration is part of the interface logical configuration.

When you configure multiple IP addresses on a Juniper device, unlike on Cisco devices, a new address does not replace the existing one; all addresses are added to the device.

Now the question is which address is used as the source address when packets originate from that interface. The Junos primary and preferred addresses are the answer to this question.

Junos Primary and Preferred address

Junos Interface Configuration

In Juniper devices, physical properties such as speed and duplex are configured in a different context than logical configurations such as IP address.

Junos Primary and Preferred Address

On Cisco devices, when you configure multiple IP addresses on one interface, you only see the latest IP address, since it replaces the other IP addresses, unless you use the keyword “secondary” at the end of non-primary IP addresses.

On Juniper devices, by default, all IP addresses are added to the interface unless you delete the old IP address.

When multiple IP addresses are configured, you have the option to select one of the IP addresses as primary and one IP address as preferred.

What is the difference between Junos Primary and Preferred address?

Preferred address is used as the source address for packets originated from the interface.

Primary address is used as the source address for broadcast and multicast packets originated from this interface.

Junos Primary and Preferred address configuration

As previously explained, configuring physical interface properties such as speed and duplex requires you to enter the physical context.

As an example, we enter “interfaces ge-0/0/0” to configure speed and duplex.

rayka@vSRX# set interfaces ge-0/0/0 link-mode ?
Possible completions:
  automatic            Automatically negotiate duplex
  full-duplex          Full-duplex operation
  half-duplex          Half-duplex operation
[edit]
rayka@vSRX# set interfaces ge-0/0/0 link-mode full-duplex 

[edit]
rayka@vSRX# set interfaces ge-0/0/0 speed ?                  
Possible completions:
  100m                 
  10g                  
  10m                  
  1g                   
[edit]
rayka@vSRX# set interfaces ge-0/0/0 speed 1g                      

[edit]
rayka@vSRX# set interfaces ge-0/0/0 mtu ?
Possible completions:
  <mtu>                Maximum transmit packet size (256..9192)

We configure duplex with the “link-mode” option and speed with the “speed” option.

To configure an IP address, you have to enter the logical context, which is called a “unit” on Juniper devices.

In this context, it is possible to configure both IPv4 and IPv6 addresses. For an IPv4 address, we choose “unit 0 family inet”, and for IPv6 address configuration, we choose the option “unit 0 family inet6”.

As an example, I will give three IP addresses to the interface ge-0/0/0: “192.168.1.101/24”, “192.168.1.102/24” as the preferred address and “192.168.1.103/24” as the primary address.

rayka@vSRX# set interfaces ge-0/0/0 unit 0 family ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> ccc                  Circuit cross-connect parameters
> ethernet-switching   Ethernet switching parameters
> inet                 IPv4 parameters
> inet6                IPv6 protocol parameters
> iso                  OSI ISO protocol parameters
> mpls                 MPLS protocol parameters
> tcc                  Translational cross-connect parameters
> vpls                 Virtual private LAN service parameters
[edit]
rayka@vSRX# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.101/24 ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> arp                  Static Address Resolution Protocol entries
  broadcast            Broadcast address
  preferred            Preferred address on interface
  primary              Candidate for primary address in system
> vrrp-group           VRRP group
> web-authentication   Parameters for web-based firewall-user authentication
  |                    Pipe through a command
[edit]
rayka@vSRX# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.101/24    

[edit]
rayka@vSRX# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.102/24 preferred 

[edit]
rayka@vSRX# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.103/24 primary      

[edit]
rayka@vSRX# 

[edit]
rayka@vSRX# show | compare    
[edit interfaces]
+   ge-0/0/0 {
+       unit 0 {
+           family inet {
+               address 192.168.1.101/24;
+               address 192.168.1.102/24 {
+                   preferred;
+               }
+               address 192.168.1.103/24 {
+                   primary;
+               }
+           }
+       }
+   }

[edit]
rayka@vSRX# 

You can see that all three IP addresses are kept in the configuration and none of them has been replaced.

To be able to test which IP address is used as the source address, I have to configure security zone options on the SRX to generate traffic. We have not yet learned these concepts, and you can ignore them at this step.

If your device is not an SRX firewall and is just a router, then you do not need to configure security zone options; there is no security zone option in the configuration at all. Note that “host-inbound-traffic protocols all” on the untrust zone is a lab convenience; on a production SRX, list only the protocols the zone actually needs.

[edit]
rayka@vSRX# set security zones security-zone untrust interfaces ge-0/0/0.0                 

[edit]
rayka@vSRX# set security zones security-zone untrust host-inbound-traffic protocols all    

[edit]
rayka@vSRX# set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1 

After configuring the security zone and the gateway address, we can now ping a host on the local subnet and a host on an external subnet from the device itself to see which of these addresses is used as the source address.

rayka@vSRX# run ping 192.168.1.111                                                         
PING 192.168.1.111 (192.168.1.111): 56 data bytes
64 bytes from 192.168.1.111: icmp_seq=0 ttl=64 time=1.559 ms
64 bytes from 192.168.1.111: icmp_seq=1 ttl=64 time=1.456 ms
64 bytes from 192.168.1.111: icmp_seq=2 ttl=64 time=1.410 ms
^C
--- 192.168.1.111 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.410/1.475/1.559/0.062 ms

[edit]
rayka@vSRX# 


root@192-168-1-111:~# tcpdump -i ens32 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
00:58:27.751925 IP 192.168.1.102 > 192-168-1-111.rayka-co.local: ICMP echo request, id 3650, seq 0, length 64
00:58:27.751956 IP 192-168-1-111.rayka-co.local > 192.168.1.102: ICMP echo reply, id 3650, seq 0, length 64
00:58:28.752563 IP 192.168.1.102 > 192-168-1-111.rayka-co.local: ICMP echo request, id 3650, seq 1, length 64
00:58:28.752595 IP 192-168-1-111.rayka-co.local > 192.168.1.102: ICMP echo reply, id 3650, seq 1, length 64
00:58:29.756771 IP 192.168.1.102 > 192-168-1-111.rayka-co.local: ICMP echo request, id 3650, seq 2, length 64
00:58:29.756799 IP 192-168-1-111.rayka-co.local > 192.168.1.102: ICMP echo reply, id 3650, seq 2, length 64
^C
6 packets captured
7 packets received by filter
0 packets dropped by kernel
root@192-168-1-111:~# 


rayka@vSRX# run ping 8.8.8.8    
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=109 time=57.725 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=109 time=62.486 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=109 time=58.223 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 57.725/59.478/62.486/2.137 ms

[edit]
rayka@vSRX# 

root@192-168-1-111:~# tcpdump -i ens32 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
02:02:40.394269 IP 192.168.1.102 > dns.google: ICMP echo request, id 61772, seq 0, length 64
02:02:40.451172 IP dns.google > 192.168.1.102: ICMP echo reply, id 61772, seq 0, length 64
02:02:41.401135 IP 192.168.1.102 > dns.google: ICMP echo request, id 61772, seq 1, length 64
02:02:41.462302 IP dns.google > 192.168.1.102: ICMP echo reply, id 61772, seq 1, length 64
02:02:42.405115 IP 192.168.1.102 > dns.google: ICMP echo request, id 61772, seq 2, length 64
02:02:42.462357 IP dns.google > 192.168.1.102: ICMP echo reply, id 61772, seq 2, length 64
^C
6 packets captured
8 packets received by filter
0 packets dropped by kernel
root@192-168-1-111:~# 
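
Both captures above show 192.168.1.102, the preferred address, as the source. The same check automated, as an added example that is not part of the original lesson: it parses the address statements from the “show | compare” output, finds the preferred address and compares it with the echo-request sources in the tcpdump text. The function names are illustrative assumptions; the sample data is copied from the outputs above.

```python
import ipaddress
import re

# Sample data copied from the page: the address statements of the
# "show | compare" output (diff "+" markers kept) and three tcpdump lines.
CONFIG = """\
+               address 192.168.1.101/24;
+               address 192.168.1.102/24 {
+                   preferred;
+               }
+               address 192.168.1.103/24 {
+                   primary;
+               }
"""
CAPTURE = """\
00:58:27.751925 IP 192.168.1.102 > 192-168-1-111.rayka-co.local: ICMP echo request, id 3650, seq 0, length 64
00:58:27.751956 IP 192-168-1-111.rayka-co.local > 192.168.1.102: ICMP echo reply, id 3650, seq 0, length 64
02:02:40.394269 IP 192.168.1.102 > dns.google: ICMP echo request, id 61772, seq 0, length 64
"""

def parse_addresses(config):
    """Map each configured address to its flags ('preferred', 'primary')."""
    flags, current = {}, None
    for raw in config.splitlines():
        line = raw.lstrip("+ \t").rstrip()
        m = re.fullmatch(r"address (\S+?)(;| \{)", line)
        if m:
            addr = ipaddress.ip_interface(m.group(1))
            flags[addr] = set()
            current = addr if m.group(2) == " {" else None  # option block follows?
        elif current is not None and line in ("preferred;", "primary;"):
            flags[current].add(line[:-1])
        elif line == "}":
            current = None
    return flags

def preferred_address(flags):
    """IP of the single address marked preferred, or None if zero or several are."""
    hits = [a.ip for a, f in flags.items() if "preferred" in f]
    return hits[0] if len(hits) == 1 else None

def echo_request_sources(capture):
    """Source IPs of ICMP echo requests in tcpdump text (numeric sources only)."""
    pat = r"IP (\d+(?:\.\d+){3}) > \S+ ICMP echo request"
    return {ipaddress.ip_address(s) for s in re.findall(pat, capture)}

def unexpected_sources(config, capture):
    """Echo-request sources that differ from the configured preferred address."""
    return echo_request_sources(capture) - {preferred_address(parse_addresses(config))}
```

An empty result from unexpected_sources(CONFIG, CAPTURE) means every echo request left with the preferred address. Capturing with tcpdump -n keeps source addresses numeric so the pattern matches them.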

1 Comment

  1. Hi Rayka- thanks so much for posting this Junos / SRX FW lesson. I have a few immediate questions for you:

    1) is there a limitation to the number of secondary IP addresses that can be added to an interface?

    2) Is it mandatory to declare a Primary or can they just co-exist?

    3) If no Primary is required, can I source traffic from a secondary by using some type of “source interface” command string?
