Routing

Hi Experts

I have two VR on SRX. One is default  inet.0 and other is custom VR like VR1.inet.0. My question is that If the traffic comes from VR-1 to inet.0 then reverse traffic route lookup will be done in inet.0 OR VR-1.

As per this kb KB21256, what I understand the reverse route lookup will happen in VR-1.

Please confirm

Thanks

Hi

It depends on how you connect virtual routers. But as KB states, always
"during the reverse route lookup stage, the lookup will be done in the routing-instance
(either default instance inet.0 or custom routing-instance) in which the
incoming interface is part of".

Fow example, if you connect VRs with lt interface, i.e.,

interface A ---- [ (vr1.inet.0) ---- lt-interface ---- (inet.0)  ] ---- interface B

and traffic flows from interface A to interface B, there will be two (!) sessions,
one for each VR. And for 1st session, reverse lookup will be done in vr1.inet.0
while for second session - in inet.0

On the other hand, if you are using a "next-table" option in vr1 then AKAIK there
will be a single session and reverse lookup will be done once in vr1.inet.0.

Thanks Peter for your expert reply as usual. Actually two things:

1- So reverse lookup always happen in the first VR regardless of the method between inter-VR communication. Lets say in your example, VR-1 has route for interface B, nexthop lt interface but inet.0 does not have reverse route for interface A through lt interface. In this case if interface A ping from VR-1 to interface B in inet.0 then it would be succussful bcs reverse route lookup happens in VR-1 for interface A. Am I correct in understanding?

2- What do you mean by two sessions?

Thanks

Hi

1) Basically yes, for the case when you connect VRs with "next-table" route lookup, or with

RIB groups. But note that if you are using lt (or physical) interface to connect VRs, then

reverse route lookup is done in each of them. If you are not doing NAT then the reverse route

to source is needed in both VRs (just imagine those VRs are separate boxes - you will

need route to the source in each router).

2) If connecting VRs with physical loop or lt interface, SRX creates 2 sessions for any 

session going into one router and exiting the other one. E.g.

Session ID: 57866, Policy name: intrazone-Juniper-SV/4, Timeout: 3394, Valid
 In: 172.20.107.10/56290 --> 172.20.207.10/23;tcp, If: vlan.107, Pkts: 27, Bytes: 1568
 Out: 172.20.207.10/23 --> 172.20.107.10/56290;tcp, If: lt-0/0/0.1, Pkts: 21, Bytes: 1543

Session ID: 57867, Policy name: intrazone-ACME-SV/5, Timeout: 3394, Valid
 In: 172.20.107.10/56290 --> 172.20.207.10/23;tcp, If: lt-0/0/0.2, Pkts: 27, Bytes: 1568
 Out: 172.20.207.10/23 --> 172.20.107.10/56290;tcp, If: vlan.207, Pkts: 21, Bytes: 1543

 Here, vlan.107 is the actual incoming interface while vlan.207 is the outgoing one.

Great Explaination !!! I did not find this info written in any document and I believe it is very important.. Just last thing I am concluding:

1- If I use firewall filters OR rib-groups OR instance-import/export OR next-table for Inter-VR communication in one direction then only one session would be created and reverse rotue lookup always happen in first VR?

2- If I use physical Interface OR lt interface for Inter-VR communciation then two sessions would be created for each VR and reverse route lookup will happen in second VR?

Thanks

Hi

1 - correct;

2 - I would state "will happen in both VRs" or "will ALSO happen in second VR".

Yes this is very important and I also haven't seen much details in the doc.

So if anyone has a good reference please post here.

Thanks