[SRX] How to configure unnumbered IP address against WAN interface (PPPoE)

Article ID: KB30723    KB Last Updated: 08 Feb 2016    Version: 1.0
Summary:

This article describes how to configure an unnumbered IP address against a WAN interface (PPPoE).

Symptoms:

Scenario:

  • The SRX works as a PPPoE client.
  • Eight IP addresses (100.1.0.0/29 in this case) are assigned by the ISP.
  • The SRX needs to conserve IP addresses: only one IP address is assigned to the SRX, and the others are reserved for hosts in the trust zone.


Solution:

Configuration:

In this scenario, pp0 unit 0 must be unnumbered: configure it with set interfaces pp0 unit 0 family inet and do not assign an address under family inet.

set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces ge-0/0/1 unit 0 family inet address 100.1.0.1/29
set interfaces pp0 unit 0 ppp-options chap default-chap-secret abcd
set interfaces pp0 unit 0 ppp-options chap local-name "abcd@juniper.net"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet

set routing-options static route 0.0.0.0/0 next-hop pp0.0
set security policies from-zone trust to-zone untrust policy tr-un match source-address any
set security policies from-zone trust to-zone untrust policy tr-un match destination-address any
set security policies from-zone trust to-zone untrust policy tr-un match application any
set security policies from-zone trust to-zone untrust policy tr-un then permit
set security policies from-zone untrust to-zone trust policy un-tr match source-address any
set security policies from-zone untrust to-zone trust policy un-tr match destination-address any
set security policies from-zone untrust to-zone trust policy un-tr match application any
set security policies from-zone untrust to-zone trust policy un-tr then permit
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
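
The policy and zone lines above permit any traffic from untrust to trust and accept all system services on pp0.0, which matters here because the trust hosts hold ISP-assigned 100.1.0.0/29 addresses. The following check is an added example, not part of the Juniper article, that flags both conditions in set-format configuration; the audit function, its external_zones parameter and the embedded sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the policy and zone lines from the configuration above.
CONFIG = """
set security policies from-zone trust to-zone untrust policy tr-un match source-address any
set security policies from-zone trust to-zone untrust policy tr-un match destination-address any
set security policies from-zone trust to-zone untrust policy tr-un match application any
set security policies from-zone trust to-zone untrust policy tr-un then permit
set security policies from-zone untrust to-zone trust policy un-tr match source-address any
set security policies from-zone untrust to-zone trust policy un-tr match destination-address any
set security policies from-zone untrust to-zone trust policy un-tr match application any
set security policies from-zone untrust to-zone trust policy un-tr then permit
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
"""

POLICY = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                    r"(?:match (\S+) (\S+)|then (\S+))")
ZONE = re.compile(r"set security zones security-zone (\S+) interfaces (\S+) "
                  r"host-inbound-traffic system-services (\S+)")
MATCH_KEYS = ("source-address", "destination-address", "application")

def audit(config, external_zones=("untrust",)):
    """Return sorted findings for traffic arriving from the zones in external_zones."""
    policies = defaultdict(dict)
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if m := POLICY.match(line):
            src, dst, name, key, value, action = m.groups()
            entry = policies[(src, dst, name)]
            if key:                      # a "match <criterion> <value>" line
                entry.setdefault(key, set()).add(value)
            elif action in ("permit", "deny", "reject"):
                entry["action"] = action
        elif m := ZONE.match(line):
            zone, ifname, service = m.groups()
            if zone in external_zones and service == "all":
                findings.append(f"zone {zone}: {ifname} accepts all system-services")
    for (src, dst, name), entry in policies.items():
        wide_open = all(entry.get(k) == {"any"} for k in MATCH_KEYS)
        if src in external_zones and entry.get("action") == "permit" and wide_open:
            findings.append(f"policy {name}: {src} -> {dst} permits any/any/any")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```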

Verification:

root@SRX> show interfaces pp0 terse
interface                  Admin  Link   Proto   Local                Remote
pp0                        up     up
pp0.0                      up     up     inet                     <<< pp0.0 link is up and no IP address is displayed.


root@SRX> show route
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:08:47
> via pp0.0

100.1.0.0/29 *[Direct/0] 00:11:29
> via ge-0/0/1.0
100.1.0.1/32 *[Local/0] 00:17:41
Local via ge-0/0/1.0

root@SRX> show ppp interface pp0 extensive
Sessions for interface pp0
Session pp0.0, Type: PPP, Phase: Network
LCP
State: Opened
Last started: 2016-02-05 10:09:57 UTC
Last completed: 2016-02-05 10:09:57 UTC
Negotiated options:
Authentication protocol: CHAP, Authentication algorithm: MD5,
Magic number: 1454334805, Local MRU: 1492
Authentication: CHAP
State: Success
Last completed: 2016-02-05 10:09:57 UTC
IPCP
State: Opened
Last started: 2016-02-05 10:12:25 UTC
Last completed: 2016-02-05 10:12:28 UTC
Negotiated options:
Primary DNS: 0.0.0.0, Secondary DNS: 0.0.0.0

Note:

The source address of self-originated packets sent from the pp0 interface (such as license updates and signature updates) will be 100.1.0.1 in the above scenario. However, if the SRX has more than two interfaces in the same routing instance, self-originated packets might not use the expected source address. The following NAT configuration resolves the source address issue.

set security nat source pool selfpacket address 100.1.0.1/32  <<< The address should be the same as the trust interface address.
set security nat source rule-set selfnat from zone junos-host  <<< Predefined zone for self-originated packets.
set security nat source rule-set selfnat to zone untrust
set security nat source rule-set selfnat rule 1 match source-address 0.0.0.0/0
set security nat source rule-set selfnat rule 1 then source-nat pool selfpacket
set security nat proxy-arp interface pp0.0 address 100.1.0.1/32