Routing

Regarding the below line taken from rib group configuration :

import-rib [ inet.0 TRUST-VR.inet.0 INSIDE.inet.0 ]

i know that this will import routes from inet.0 to  trust-vr & inside  Virtual routers  , but will that import all routes ( dynamic , static , direct connected ) or only direct connected ?

Also how can i check that the importing is working , will  show commands for  one  of the routers show the imported routes ?

Hi 

Hello Telent

Not all of the routes will be imported into these tables.

To import routes you will have to apply the rib-group under the specific level to share those routes.

Like for example under the routing-options static routes hierarchy you will have to apply the rib-group to import all static

routes from that table similary to import direct routes from inet.0 you will have to apply the rib-group that you have created under the routing options interface routes hierarchy .

http://www.juniper.net/techpubs/software/junos/junos60/swconfig60-routing/html/routing-generic-config7

The imported routes will appear as as local in the respective instance tables

Regards

Thanks , i'm sorry but i'm new to junos , it is a little hard for me

that is what i need :

i have  2 virtual routers + inet.0 default virtual router  , i need any static route ( or directly connected ) at one of them to be seen at the other 2

how to do that ?

OK

Let me try to make you understand.

Assume that you have one vrf named vpna.inet.0 and you want its interface & static routes to be imported in main inet.0 routing table.

To do this all you have to do is

1- Creat a Rib group in main routing instance like the one below

 routing-options {
    rib-groups {
        group1 {
            import-rib [ vpna.inet.0 inet.0 ];
        }
    }

2-Apply this rib group group1 to the VRF vpna interface routes(direct) and static routes as below

routing-instances {
   vpna {
        routing-options {
            interface-routes {
                rib-group inet group1;
            }
            static {
                rib-group group1;
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }

3- verify the routes present in vpna table by using show route table vpna.inet.0

4-All the static and direct routes in vpna.inet.0 should be in inet.0 routing table you can verify this

    by using the show route table inet.0 command.

5- For further refrence you may like to see the JNCIS-M book centeralized and distributed vpn access section.

6- I have also attached my configuration for rib groups which i configured on olive.

feel free to ask any other questions

Regards

Malik

Attachment(s)

Rib-Groups Final.txt   5 KB 1 version

Rib-Group.txt   10 KB 1 version

Hi malik1,

Thank you very much , now i began to understand , but i have some more questions :

You mentioned :

1- Creat a Rib group in main routing instance like the one below

 routing-options {
    rib-groups {
        group1 {
            import-rib [ vpna.inet.0 inet.0 ];
        }
    }

 i got the concept  of  all other steps except this one , if i want direct& static routes to be imported from inet.0 to vpna virtual router , will i put the same line from step 1 above , or it will be :

routing-options {
    rib-groups {
        group1 {
            import-rib [ inet.0 vpna.inet.0 ];
        }
    }

Also what does the import line do , import-rib [ vpna.inet.0 inet.0 ]  : will import routes from vpna virtual router to inet.0 & import-rib [ inet.0 vpna.inet.0 ] will import routes from inet.0 to vpna , is that right ?

Hello Telnet

 All that you are doing is asking about the same thing i.e.

 i got the concept  of  all other steps except this one , if i want direct& static routes to be imported from inet.0 to vpna virtual router , will i put the same line from step 1 above , or it will be :

routing-options {
    rib-groups {
        group1 {
            import-rib [ inet.0 vpna.inet.0 ];
        }
    }

 Ans: Yes you are right you will use import-rib [inet.0 vpna.inet.0]

Also what does the import line do , import-rib [ vpna.inet.0 inet.0 ]  : will import routes from vpna virtual router to inet.0 & import-rib [ inet.0 vpna.inet.0 ] will import routes from inet.0 to vpna , is that right ?

Ans: Yes you are right in genral it is import-rib[source table target table]

Regards

Malik

Thanks Alot 

Actually the above is almost correct.  In the import-rib configuration statement, it does not matter in what order the routing tables are listed.  If you do no include inet.0, you will just override the default behaviour, which is to include the interface routes in inet.0, so the following two configurations are exactly the same:

routing-options {
    rib-groups {
        group1 {
            import-rib [ inet.0 vpna.inet.0 ];
        }
    }

routing-options {
    rib-groups {
        group1 {
            import-rib [ vpna.inet.0 inet.0 ];
        }
    }

Please see below for more info:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB2062&actp=search&viewlocale=en_US&searchid=1287366296865

If you want direct and static routes to be imported from inet.0 to vpna, you need to put the interface-routes and static statements in the main instance instead of in the vpna instance.

    routing-instances {
        vpna {
            instance-type virtual-router;
        }
    }
    routing-options {
        interface-routes {
            rib-group inet group1;
        }
        static {
            rib-group group1;
            route 1.1.1.0/24 discard;
        }
        rib-groups {
            group1 {
                import-rib [ inet.0 vpna.inet.0 ];
            }
        }
    }

betsy@host# run show route table vpna.inet.0

vpna.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.0/24         *[Static/5] 00:02:50
                      Discard
1.1.1.1/32         *[Direct/0] 00:02:50
                    > via lo0.1
10.0.2.0/30        *[Direct/0] 00:02:50
                    > via lt-1/2/0.4
10.0.2.2/32        *[Local/0] 00:02:50
                      Local via lt-1/2/0.4

[edit]
betsy@host# run show route table inet.0         

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.0/24         *[Static/5] 00:02:57
                      Discard
1.1.1.1/32         *[Direct/0] 00:18:49
                    > via lo0.1
10.0.2.0/30        *[Direct/0] 00:46:31
                    > via lt-1/2/0.4
10.0.2.2/32        *[Local/0] 00:46:32
                      Local via lt-1/2/0.4

Need help as I added the following I get the error below:

set routing-instances srx210_untrust routing-options interface-routes rib-group inet myshare

set routing-instances srx210_untrust routing-options static rib-group myshare

root@srx100# commit
[edit routing-instances srx210_untrust routing-options]
'static'
rib group myshare not legal for rib srx210_untrust,first rib in ribgroup has to be same as current rib
error: configuration check-out failed

Hello there,

---

@kennethgoh wrote:

Need help as I added the following I get the error below:

set routing-instances srx210_untrust routing-options interface-routes rib-group inet myshare

set routing-instances srx210_untrust routing-options static rib-group myshare

 

root@srx100# commit
[edit routing-instances srx210_untrust routing-options]
'static'
rib group myshare not legal for rib srx210_untrust,first rib in ribgroup has to be same as current rib
error: configuration check-out failed

---

Your cirrent RIB is srx210_untrust, as error message says - You attempt to configure static stanza in this instance.

And I am willing to bet that Your rib-group "myshare" is configured as 

import-rib [inet.0 srx210_untrust.inet.0 ]

If You swap the order 

import-rib [srx210_untrust.inet.0 inet.0]

- then Your error messages should go away.

BUT

I won't guarantee that Your solution works since You did not tell us what You are trying to achieve.

HTH

thx
Alex

I am trying to reach internet via routing instance srx201_untrust but so far not working. I have attached my config too. Thanks in advanced

root@srx100> ping 192.168.2.1 routing-instance srx210_untrust
PING 192.168.2.1 (192.168.2.1): 56 data bytes
^C
--- 192.168.2.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

root@srx100> ping 8.8.8.8 routing-instance srx210_untrust
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

root@srx100> show route

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 01:10:46
> to 192.168.2.1 via fe-0/0/0.0
1.1.1.1/32 *[Local/0] 01:10:50
Reject
192.168.1.1/32 *[Local/0] 01:10:59
Reject
192.168.2.0/24 *[Direct/0] 01:10:46
> via fe-0/0/0.0
192.168.2.200/32 *[Static/1] 01:10:49
Receive
192.168.2.254/32 *[Local/0] 01:10:50
Local via fe-0/0/0.0
192.168.4.1/32 *[Local/0] 01:10:50
Reject
192.168.10.0/24 *[Direct/0] 01:10:59
> via st0.0
192.168.10.1/32 *[Local/0] 01:10:59
Local via st0.0
192.168.100.0/24 *[Static/5] 01:10:59
> via st0.0
192.168.239.1/32 *[Local/0] 01:10:50
Reject

srx210_untrust.inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:44:47
to table inet.0
1.1.1.1/32 *[Local/0] 01:10:50
Reject
172.16.10.0/24 *[Direct/0] 01:09:09
> via vlan.10
172.16.10.2/32 *[Local/0] 01:10:59
Local via vlan.10
172.16.20.0/24 *[Static/5] 00:44:47
> to 172.16.10.1 via vlan.10
192.168.1.1/32 *[Local/0] 01:10:59
Reject
192.168.2.0/24 *[Direct/0] 01:10:46
> via fe-0/0/0.0
192.168.2.254/32 *[Local/0] 01:10:46
Local via fe-0/0/0.0
192.168.4.1/32 *[Local/0] 01:10:50
Reject
192.168.10.0/24 *[Direct/0] 01:10:59
> via st0.0
192.168.10.1/32 *[Local/0] 01:10:59
Local via st0.0
192.168.239.1/32 *[Local/0] 01:10:50
Reject

Attachment(s)

srx100.txt   13 KB 1 version

Hello,

---

@kennethgoh wrote:

I am trying to reach internet via routing instance srx201_untrust but so far not working.

 

---

Quick an dirty solution to Your woes would be "include ALL interfaces into that routing instance and it will work automagically"

On more serious note, if You want to be helped, please include ALL available information including topology.

So far You included a half-finished conffig but You did not include Your topology and traffic flows.

Please add more data.

HTH

Thx

Alex

As shown in the topo traffic will go from host 172.16.20.10/24 to internet eg ping to 8,8,8,8. via SRX100. At the moment I can only ping to 192.168.2.1 & 254.

Attachment(s)

srx100.txt   13 KB 1 version

SRXA.txt   5 KB 1 version