Routing

I've got a stack of EX4200s with 2 VLANs, each containing half of the ports. Each vlan needs its own default gateway and thus has its own routing instance with a 0/0 route. This works as expected.

 

I need the VLANs to be able to communicate directly with each other. I created policy statements and used instance-import to get the connected routes for each vlan into the routing instances, and everything looks right according to show route, but traffic isn't forwarded between vlans. Ping and traceroute just time out. What am I missing?

 

The stack is running 10.4R5.5.

 

Here's a section of the config:

 

policy-statement from_nat_to_public {
    term 1 {
        from {
            instance NAT;
            route-filter 10.0.0.0/23 exact;
        }
        then accept;
    }
    term 2 {
        then reject;
    }
}
policy-statement from_public_to_nat {
    term 1 {
        from {
            instance Public;
            route-filter 1.1.1.0/25 exact;
        }
        then accept;
    }
    term 2 {
        then reject;
    }
}

NAT {
    instance-type virtual-router;
    interface vlan.10;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.0.0.1;
        }
        instance-import from_public_to_nat;
    }
}
Public {
    instance-type virtual-router;
    interface vlan.8;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.1.1.1;
        }
        instance-import from_nat_to_public;
    }
}

 

And here's the output of show route:

 

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

redacted/32        *[Local/0] 3d 05:35:30
                      Reject
224.0.0.2/32       *[PIM/0] 3d 05:35:32
                      MultiRecv
224.0.0.13/32      *[PIM/0] 3d 05:35:32
                      MultiRecv

Public.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3d 03:30:27
                    > to 1.1.1.1 via vlan.8
1.1.1.0/25         *[Direct/0] 3d 03:30:27
                    > via vlan.8
1.1.1.3/32         *[Local/0] 3d 03:30:27
                      Local via vlan.8
10.0.0.0/23        *[Direct/0] 00:24:09
                    > via vlan.10

NAT.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:24:09
                    > to 10.0.0.1 via vlan.10
1.1.1.0/25         *[Direct/0] 00:28:15
                    > via vlan.8
10.0.0.0/23        *[Direct/0] 00:24:09
                    > via vlan.10
10.0.0.3/32        *[Local/0] 3d 03:24:55
                      Local via vlan.10

inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[PIM/0] 3d 05:35:32
                      MultiRecv
ff02::d/128        *[PIM/0] 3d 05:35:32
                      MultiRecv

Update! I involved JTAC and we ended up re-writing the config to use firewall rules to specify the routing-instances based on source address instead of tying the interfaces to the routing-instance directly.

Another update! After further testing the above didn't actually work, I ended up updating the switches to Junos 11 and things magically began to work with the same configs.