Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Configuring a loopback group

0

0
Article ID: KB4189 KB Last Updated: 28 Mar 2013Version: 5.0 Summary:
This article provides information on how to configure a loopback group.
Symptoms:
How to configure a loopback group.
Cause:

Solution:
A loopback interface is a resource holder that contains the MIP address mapping. To allow other interfaces to use the MIP on the loopback interface, add the interfaces as members of the loopback group. The loopback interface and its member interfaces must be in different IP subnets in the same zone. Any type of interface can be a member of a loopback group, as long as the interface has an IP address. If you configure a MIP on both a loopback interface and one of its member interfaces, the loopback interface configuration takes precedence. A loopback interface cannot be a member of another loopback group.

In this example, a loopback interface(loopback.3) is configured in the Trust zone, with the 3.3.3.3 IP address. Members of the loopback interface group are tunnel.1 and tunnel.2. The loopback interface holds the 3.3.3.5 MIP, which maps to the 5.5.5.5 host.

When a packet that is destined for 3.3.3.5 arrives at tunnel.1, ScreenOS first searches for the MIP at tunnel.1 and then at the loopback.3 loopback interface. When it finds a match in loopback.3, it translates the original destination IP address (3.3.3.5) to the host IP address (5.5.5.5) and the packet is routed to the MIP host.

The traffic that is destined for 3.3.3.5 can also arrive at tunnel.2. ScreenOS searches for the MIP at tunnel.2 and then at the loopback.3 loopback interface. Again, ScreenOS finds a match in loopback.3 and translates the original destination IP (3.3.3.5) to the host IP address (5.5.5.5) and the packet is routed to the MIP host.

Image of diagram

 

To configure a loopback group, perform the following steps:

 

Step one: Open the WebUI. For more information on accessing the WebUI, refer to KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.


Step two: From the NetScreen options menu, click Network, and then click to select Interfaces.

Image of step two

Step three: From the Interfaces drop-down menu, click to select Loopback IF.

Image of step three and four

Step four: Click New.

Step five: From Interface Name, enter a loopback number.

Note: For this example, we have entered 3 to create an Interface Name of loopback.3.

Image of step five and six

Step six: From the Zone drop-down menu, click to select Trust (trust-vr).

Step seven: From IP Address/Netmask, enter an IP Address/Netmask.

Note: For this example, we have entered 3.3.3.3/24.

Image of step seven and eight

Step eight: Click Apply.

Step nine: Click MIP.

Image of step nine

Step ten: Click New.

Image of step ten

Step eleven: From Mapped IP, enter a Mapped IP. From Netmask, enter a Netmask.

Note: For this example, we have entered 3.3.3.5 and 255.255.255.255.

Image of step eleven and twelve

Step twelve: From Host IP Address, enter a Host IP Address, and then from the Host Virtual Router Name drop-down menu, click to select trust-vr.

Note: For this example, we have entered 5.5.5.5.

Step thirteen: Click OK.

Image of step thirteen

Step fourteen: From the NetScreen options menu, click Network, and then click to select Interfaces.

Image of step fourteen

Step fifteen: From the Interfaces drop-down menu, click to select Tunnel IF, and then click New.

Image of step fifteen

Step sixteen: From Interface Name, enter a tunnel number.

Note: For this example, we have entered 1.

Image of step sixteen and seventeen

Step seventeen: From the Zone drop-down menu, click to select Trust (trust-vr).

Step eighteen: In the IP Address/Netmask textbox, enter an IP Address/Netmask.

Note: For this example, we have entered 1.1.1.1/24.

Image of step eighteen and nineteen

Step nineteen: From the Interface drop-down menu, click to select loopback.3 (trust-vr).

Step twenty: Click OK.

Image of step twenty

Step twenty-one: From the NetScreen options menu, click Network, and then click to select Interfaces.

Image of step twenty-one

Step twenty-two: From the Interfaces drop-down menu, click to select Tunnel IF. Click New.

Image of step twenty-two

Step twenty-three: From Interface Name, enter a tunnel number.

Note: For this example, we have entered 2.

Image of step twenty-three and twenty-four

Step twenty-four: From the Zone drop-down menu, click to select Trust (trust-vr).

Step twenty-five: In the IP Address/Netmask textbox, enter an IP Address/Netmask.

Note: For this example, we have entered 2.2.2.2/24.

Image of step twenty-five and twenty-six

Step twenty-six: From the Interface drop-down menu, click to select loopback.3 (trust-vr).

Step twenty-seven: Click OK.

Image of step twenty-seven


CLI:

set interface "loopback.3" zone "Trust"
set interface "loopback.3" ip 3.3.3.3/24
set interface loopback.3 mip 3.3.3.5 host 5.5.5.5 netmask 255.255.255.255 vrouter trust-vr
set interface "tunnel.1" zone "Trust"
set interface "tunnel.1" ip 1.1.1.1/24
set interface "tunnel.1" loopback-group "loopback.3"
set interface "tunnel.2" zone "Trust"
set interface "tunnel.2" ip 2.2.2.2/24
set interface "tunnel.2" loopback-group "loopback.3"

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search