Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Configuring a Loopback Interface

0

0

Article ID: KB4167 KB Last Updated: 29 Dec 2020Version: 7.0
Summary:

This article provides information on how to configure a loopback interface.

 

Solution:

Note: This article is applicable to ScreenOS 5.4, 6.0 or later.

A loopback interface is a logical interface that emulates a physical interface on the NetScreen device. The loopback interface must be placed in a security zone and assigned a unique IP address. This interface's IP address allows you to manage the device, as though it were a manage-IP. However, unlike a physical interface, a loopback interface is always in the up state, as long as the device on which it resides is up. Loopback interfaces are named as loopback.id_num, where id_num is a number from 1 to 10 and denotes a unique loopback interface on the device. Similar to a physical interface, you must assign an IP address to a loopback interface and bind it to a security zone.

A loopback interface is often used with a Mapped IP (MIP) address. For more information on MIPs, refer to KB4739 - How to configure 1-to-1 mapping of a public address to a private address in the WebUI?

Defining an MIP on the loopback interface allows an MIP to be accessed by a group of interfaces. The primary application for this is to allow a node to reach an MIP host through one of several VPN tunnels by using a single MIP address. The MIP host can also reach a node via the appropriate tunnel. A loopback group is often used with a Mapped IP (MIP) address.

The maximum number of members in a loopback interface group is 10. The loopback interface and its member interfaces must be in different IP subnets in the same zone. Any type of interface can be a member of a loopback interface group, as long as the interface has an IP address. If you configure an MIP on both a loopback interface and on one of its member interfaces, the loopback interface configuration takes precedence.

For more information on loopback groups, refer to KB4189 - Configuring a Loopback Group.

Loopback interfaces can be used for device management, sourcing self-generated traffic, MIPs, VPN termination, or with the BGP dynamic routing protocol as source interface for SNMP, syslog, DNS, and NTP as an outgoing interface in a VPN.

When a loopback interface is used as the outgoing Interface in a VPN configuration, the loopback interface must be in the same zone as the outgoing physical interface.

It can be configured as Virtual Security Interfaces (VSIs) for NSRP on a loopback interface. The physical state of the VSI on the loopback interface is always up. The interface can be active or not, depending on the state of the VSD group to which the interface belongs.

Note: In this example, the "loopback.1" loopback interface is created, bound to the Untrust zone, and assigned the IP address of "1.1.1.2/24".

To configure a loopback interface, perform the following procedure:

  1. Open the WebUI.

  2. From the NetScreen options menu, click Network, and then Interfaces.

  1. From the Interfaces drop-down menu, select Loopback IF:

  1. Click New.

  2. In Interface Name, type a loopback number:

Note: For this example, 1 has been typed.

  1. From the Zone drop-down menu, select Untrust (trust-vr).

  2. In the Address/Netmask text box, type an Address/Netmask:

Note: For this example, 1.1.1.2/24 has been typed.

  1. Click OK.

Note: The loopback interface is not directly accessible via the networks or hosts that reside in other zones. You must define a policy to permit traffic to and from the interface.

You can manage the ScreenOS device by using the loopback interface's IP address. You can enable the available management services. For more information about managing a loopback interface, refer to KB4168 - Managing a Loopback Interface.

Via the CLI:
set interface loopback.1 ip 1.1.1.2/24 zone untrust

SSG520-> set interface loopback.1 manage ?
mtrace turn mtrace manageability of interface on/off
ping turn interface ping on/off
snmp turn snmp manageability of interface on/off
ssh turn SSH manageability of interface on/off
ssl turn SSL manageability of interface on/off
telnet turn telnet manageability of interface on/off
web turn web manageability of interface on/off

SSG520-> get int loopback.1
Interface loopback.1:
description loopback.1
number 126, if_info 4127768, if_index 1, mode nat
link up, admin status up
Loopback interface has 3 members:
ethernet 0/1 ; tunnel.1 ; tunnel.2
vsys Root, zone Trust, vr trust-vr
admin mtu 1500, operating mtu 1500, default mtu 1500
*ip 1.1.1.2/24
*manage ip 1.1.1.2
pmtu-v4 disabled
ping enabled, telnet enabled, SSH enabled, SNMP enabled
web enabled, ident-reset disabled, SSL enabled

OSPF disabled OSPFv3 disabled BGP disabled RIP disabled RIPng disabled
mtrace disabled
PIM: not configured IGMP not configured
MLD not configured
NHRP disabled

 

Modification History:

2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.

2020-12-29- Article reviewed and old WebUI snapshots replaced with new WebUI snapshots

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search