Contributor
hermesX
Posts: 20
Registered: ‎08-10-2009

routing instance how to...

So, I'm a newbie when it comes to Juniper... I've been switching everything I've been touching from that other company... but I've run into a bit of trouble... I set up a ScreenOS SSG550M in this manner, but now I want to be able to do it with a Junos box...

But I essentially have this:

    1.1.1.1/30 (ISP ROUTER)
          |
  |---------------------------|
  | 1.1.1.2/30                |  J6350
  | (VIP 4.4.4.1-128)         |
  |          |                |
  |         NAT               |
  |___________________________|
         172.16.1.1/30
               |
               |
   __172.16.1.2/30___________
  |                           |
  |   Vlan 201,202,203        |  EX4200 routing VLANs
  |___________________________|

 

 

Not sure if it complicates it much or if it's possible, I'd like to do it as a chassis configuration, but if I can just get it working like this for now.

I've been researching this off and on for the last 4 or 5 days. I've taken the previously mentioned ScreenOS config and run it through the ScreenOS to Junos conversion, but when I look online everything starts talking about rib groups and such... so I guess I'd like an answer targeted at exactly what I wanted to do...

Thanks for any help or direction you can provide.

Trusted Contributor
Posts: 54
Registered: ‎08-03-2009

Re: routing instance how to...

I read your question in the manner that you want to divide your J6350 into several virtual systems (routing instances). Let me know if it actually was a "normal" ES firewall config for J6350 you needed.

So here goes...

Routing instances are simply configured under edit routing-instances. You set a name. The type should be virtual-router if you are trying to do a JUNOS box being a firewall with several "virtual systems". Then you divide the interfaces or VLANs on the interfaces to different routing instances with interface statements under each routing-instance. Also, if using Enhanced Services in JUNOS, you create security zones for each virtual system and assign interfaces to them accordingly. Then you just write firewall rules to and from zones as normal in ES for JUNOS. Does this give you a good pointer how to attack this?

Cheers

Message Edited by darkiesan on 08-11-2009 09:43 PM
//Patrik
JNCIS-M, JNCIS-ES
System Engineer
Juniper Networks
Contributor
hermesX
Posts: 20
Registered: ‎08-10-2009

Re: routing instance how to...

Yes, that makes sense to me... it's just taking the concept and applying it... all the examples I see look like

http://forums.juniper.net/jnet/board/message?board.id=switch&thread.id=470

I keep seeing references to lo0.x and most have a 32 bit mask and they don't seem to relate to each other....

From the example in that post, I'm not sure how 1.1.1.1/32 relates to 2.2.2.2/32 to be able to apply the route-filter (or really what the route filter does and how it limits views) later on and that makes it route between the two instances?

 

interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 1.1.1.1/32;
            }
        }
        unit 1 {
            family inet {
                address 2.2.2.2/32;
            }
        }
    }
}
routing-options {
    rib-groups {
        ROUT1_ROUT2 {
            import-rib [ ROUT1.inet.0 ROUT2.inet.0 ];
            import-policy POL_IMP;
        }
        ROUT2_ROUT1 {
            import-rib [ ROUT2.inet.0 ROUT1.inet.0 ];
            import-policy POL_IMP;
        }
    }
}
policy-options {
    policy-statement POL_IMP {
        term 1 {
            from {
                route-filter 1.1.1.1/32 exact;
                route-filter 2.2.2.2/32 exact;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
}

Message Edited by hermesX on 08-11-2009 02:37 PM
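
An added example (not from this thread or the linked post) that fills in the part the quoted snippet leaves out, and at the same time shows Patrik's description above in config form: two virtual-router instances, each owning one lo0 unit and one interface, with an Enhanced Services zone per instance. Interface names and the 10.x addresses are assumed. The thing to see is that a lo0 /32 is just an interface route that is born in the table of whichever instance owns that lo0 unit; nothing about 1.1.1.1 and 2.2.2.2 "relates" them. The rib-group copies interface routes from the first table in import-rib into the second, the import-policy decides which copies survive (only the two /32s here, so each VR still cannot reach the other's LAN), and the rib-group does nothing until it is applied with interface-routes under the instance.

```junos
/* Added example, not the thread's config: two VRs leaking only their loopbacks.
   ge-0/0/0, ge-0/0/1 and the 10.x addresses are assumed. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.2.2.1/24;
            }
        }
    }
    lo0 {
        /* the unit, not the address, decides which table the /32 is born in */
        unit 1 {
            family inet {
                address 1.1.1.1/32;
            }
        }
        unit 2 {
            family inet {
                address 2.2.2.2/32;
            }
        }
    }
}
routing-options {
    rib-groups {
        /* first import-rib is the primary table; later ones receive filtered copies */
        ROUT1_TO_ROUT2 {
            import-rib [ ROUT1.inet.0 ROUT2.inet.0 ];
            import-policy LEAK_LOOPBACKS;
        }
        ROUT2_TO_ROUT1 {
            import-rib [ ROUT2.inet.0 ROUT1.inet.0 ];
            import-policy LEAK_LOOPBACKS;
        }
    }
}
policy-options {
    policy-statement LEAK_LOOPBACKS {
        term loopbacks {
            from {
                route-filter 1.1.1.1/32 exact;
                route-filter 2.2.2.2/32 exact;
            }
            then accept;
        }
        /* the /24 interface routes stay private to their own VR */
        term drop-the-rest {
            then reject;
        }
    }
}
routing-instances {
    ROUT1 {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface lo0.1;
        routing-options {
            /* this statement is what actually applies the rib-group */
            interface-routes {
                rib-group inet ROUT1_TO_ROUT2;
            }
        }
    }
    ROUT2 {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        interface lo0.2;
        routing-options {
            interface-routes {
                rib-group inet ROUT2_TO_ROUT1;
            }
        }
    }
}
security {
    zones {
        /* one zone per virtual system; zone-to-zone traffic still needs a policy (not shown) */
        security-zone ROUT1-zone {
            interfaces {
                ge-0/0/0.0;
                lo0.1;
            }
        }
        security-zone ROUT2-zone {
            interfaces {
                ge-0/0/1.0;
                lo0.2;
            }
        }
    }
}
```

After commit, "show route table ROUT2.inet.0" should list 1.1.1.1/32 as a Direct route learned through the rib-group and nothing from 10.1.1.0/24; if the /32 is missing, the usual cause is the rib-group being defined but never applied under interface-routes. On an ES box the leaked route only makes the packet routable; a from-zone ROUT1-zone to-zone ROUT2-zone policy is still required before any session is allowed.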
Contributor
hermesX
Posts: 20
Registered: ‎08-10-2009

Re: routing instance how to...

Here's what I have in the config currently... any pointers would be greatly appreciated...

interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet;
        }
    }
    ge-2/0/0 {
        description "DMZ Trunk";
        gigether-options {
            802.3ad ae1;
        }
    }
    ge-2/0/1 {
        description "DMZ Trunk";
        gigether-options {
            802.3ad ae1;
        }
    }
    ge-2/0/3 {
        description "WAN Interface";
        unit 0 {
            family inet {
                address 1.2.3.6/30;
            }
        }
    }
    ge-2/0/7 {
        description "CORE Interface";
        unit 0 {
            family inet {
                address 10.2.90.6/24;
            }
        }
    }
    ae1 {
        aggregated-ether-options {
            lacp {
                passive;
            }      
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 172.16.8.1/32;
            }
        }
    }
    vlan {
        unit 1 {
            family inet {
                address 172.16.9.2/30;
            }
        }
        unit 121 {
            family inet {
                address 172.16.21.1/24;
            }
        }
        unit 122 {
            family inet {
                address 172.16.22.1/24;
            }
        }
    }
}
policy-options {
    prefix-list prefixes_from_dmz {
        172.16.10.0/24;
        172.16.11.0/24;
        172.16.13.0/24;
        172.16.21.0/24;
        172.16.22.0/24;
        172.16.250.0/24;
    }
    prefix-list prefixes_from_core {
        10.2.0.0/16;
        10.6.0.0/16;
        10.8.0.0/16;
        10.10.0.0/16;
    }
    policy-statement accept_from_core {
        from {
            instance core-vr;
            prefix-list prefixes_from_core;
        }
        then accept;
    }
    policy-statement accept_from_dmz {
        term t1 {
            from {
                instance dmz-vr;
                prefix-list prefixes_from_dmz;
            }
            then accept;
        }
        term t2 {
            then reject;
        }
    }
    policy-statement accept_from_wan {
        term t1 {
            from instance wan-vr;
            then accept;
        }
    }
}
routing-instances {
    core-vr {
        instance-type virtual-router;
        interface ge-2/0/7.0;
        routing-options {
            static {
                route 10.2.0.0/16 next-hop 10.2.90.1;
            }
        }
    }
    dmz-vr {
        instance-type virtual-router;
        interface ae1.0;
        interface lo0.0;
        routing-options {
            instance-import accept_from_wan;
        }
    }
    wan-vr {       
        instance-type virtual-router;
        interface ge-2/0/3.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.2.3.5;
            }
            instance-import [ accept_from_dmz accept_from_core ];
        }
    }
}
vlans {
    dmz-test1 {
        vlan-id 121;
        interface {
            ae1.0;
        }
        l3-interface vlan.121;
    }
    dmz-test2 {
        vlan-id 122;
        l3-interface vlan.122;
    }
}

Message Edited by hermesX on 08-11-2009 03:57 PM
Trusted Contributor
Posts: 54
Registered: ‎08-03-2009

Re: routing instance how to...

From your example you don't seem to have any use of routing instances. You should run everything in the global instance. I.e. just set IP on the interfaces and they will route in between them, and then apply the filters you are using on the interfaces just as you are doing in your config. The static route goes into routing-options in the global instance.

Also the loopback should have a /32, i.e. a network with only one IP and one member, the router itself. It is the router's interface that is always online and is used for sourcing routes in BGP, ISIS, OSPF etc. Also for SNMP. Since if there is a path to it, no matter what interface, it will answer if possible.

So as I said, routing instances are of other use in JUNOS. If you would like to use them anyway, you need to have routes under routing-options under each instance pointing traffic to the correct instance, i.e. instead of next-hop, you have next-instance. But this clearly complicates stuff. Better to stay in the global instance. Or are there any particular reasons you do want to divide them in several instances?

//Patrik
JNCIS-M, JNCIS-ES
System Engineer
Juniper Networks
Contributor
hermesX
Posts: 20
Registered: ‎08-10-2009

Re: routing instance how to...

I was told I needed to use routing-instances, because I have a separate /24 block of public IPs that are NAT'd to the DMZ interface/VLANs, and one of them is used as the NAT'd IP for the core network.

As an example... I have the 1.2.3.4/30 network on the public WAN interface, but I have another block, 1.20.30.0/24, that's routed to my 1.2.3.6 external interface. I need the 1.20.30.10/32 IP to be the public IP NAT'd for my CORE network, and 1.20.30.20/32 to be the public IP for my DMZ networks except when they have a specific 1 to 1 NAT.

Currently this is how the Cisco ASA is working in the environment (NAT/firewall wise; I have a separate router translating the 1.2.3.4/30 network to the 1.20.30.0/24 network, but I was able to accomplish a similar scenario from a ScreenOS box), and I have clients looking specifically at those IPs in their firewall rules for applications run on both sides.

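An added example, not from the thread: the requirement hermesX describes (core hides behind 1.20.30.10, the DMZ behind 1.20.30.20, individual DMZ hosts with their own 1:1 public address) is a plain security NAT job on a Junos ES box and needs no routing instance at all. It assumes the Junos ES 9.5 or later NAT syntax, zone names wan, core and dmz on the interfaces from hermesX's posted config, and a hypothetical 1:1 mapping of 1.20.30.50 to a DMZ host 172.16.21.10 to show the "specific 1 to 1 NAT" exception.

```junos
/* Added example, not hermesX's config. Zone names, the 10.0.0.0/8 and
   172.16.0.0/16 match prefixes and the 1.20.30.50 <-> 172.16.21.10 static
   mapping are assumptions for illustration. */
security {
    zones {
        security-zone wan {
            interfaces {
                ge-2/0/3.0;
            }
        }
        security-zone core {
            interfaces {
                ge-2/0/7.0;
            }
        }
        security-zone dmz {
            interfaces {
                vlan.121;
                vlan.122;
            }
        }
    }
    nat {
        source {
            /* one hide address per zone; the pools sit in the /24 the ISP
               already routes to 1.2.3.6, so no proxy-arp entry is required */
            pool core-hide {
                address {
                    1.20.30.10/32;
                }
            }
            pool dmz-hide {
                address {
                    1.20.30.20/32;
                }
            }
            rule-set core-to-wan {
                from zone core;
                to zone wan;
                rule core-src {
                    match {
                        source-address 10.0.0.0/8;
                    }
                    then {
                        source-nat {
                            pool {
                                core-hide;
                            }
                        }
                    }
                }
            }
            rule-set dmz-to-wan {
                from zone dmz;
                to zone wan;
                rule dmz-src {
                    match {
                        source-address 172.16.0.0/16;
                    }
                    then {
                        source-nat {
                            pool {
                                dmz-hide;
                            }
                        }
                    }
                }
            }
        }
        static {
            /* static NAT is bidirectional and is evaluated before the source
               rules, so this host leaves as 1.20.30.50, not 1.20.30.20 */
            rule-set from-wan {
                from zone wan;
                rule dmz-host {
                    match {
                        destination-address 1.20.30.50/32;
                    }
                    then {
                        static-nat prefix 172.16.21.10/32;
                    }
                }
            }
        }
    }
}
```

Two things worth checking after commit. Security policies are matched after static and destination NAT, so the wan-to-dmz policy that admits the 1:1 host must name the private address 172.16.21.10, not 1.20.30.50; a policy written against the public address silently matches nothing. And "show security nat source rule all" plus "show security flow session" will show which pool each session actually picked, which is the quickest way to confirm that the core network really is seen as 1.20.30.10 by the clients who filter on it.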
Trusted Contributor
Posts: 54
Registered: ‎08-03-2009

Re: routing instance how to...

Ok, you have 2 private networks that should NAT to different public IP networks. Let me check into this, whether this requires routing-instances or not. I will be back ASAP!
//Patrik
JNCIS-M, JNCIS-ES
System Engineer
Juniper Networks
Trusted Contributor
Posts: 54
Registered: ‎08-03-2009

Re: routing instance how to...

This is an idea to solve the problem and not use routing-instances. Base problem is that you have two "external" VLANs and will have two default routes depending on source IP. NATs will not be a problem, they can be controlled without routing-instances.

On incoming interfaces, besides accepting the traffic, a firewall filter can also set the next hop to override the route table, aka filter-based forwarding. Try that. Then you can direct the two different networks out on the correct external VLANs without complicating things with routing instances. Worth a try :-) Let me know how it works out.

//Patrik
JNCIS-M, JNCIS-ES
System Engineer
Juniper Networks
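
An added example of the filter-based forwarding Patrik suggests (this is not his lab config). One caveat up front: FBF in Junos does use routing instances, but of type forwarding, which hold only a route table, own no interfaces and are fed inet.0's interface routes through a rib-group, so nothing has to be moved out of the global instance. A second upstream next hop 1.2.4.5 is assumed purely so there are two default routes to choose between; as hermesX notes, the thread's topology has a single WAN next hop, in which case FBF has nothing to select and the source NAT pool alone decides which public address each network uses.

```junos
/* Added example, not from the thread. wan-a/wan-b, the FBF-CORE filter name
   and the second next hop 1.2.4.5 are assumptions. */
interfaces {
    ge-2/0/7 {
        unit 0 {
            family inet {
                /* the filter is applied on the ingress (core-facing) interface */
                filter {
                    input FBF-CORE;
                }
                address 10.2.90.6/24;
            }
        }
    }
}
firewall {
    family inet {
        filter FBF-CORE {
            term core-via-wan-a {
                from {
                    source-address {
                        10.2.0.0/16;
                    }
                }
                then {
                    routing-instance wan-a;
                }
            }
            term dmz-via-wan-b {
                from {
                    source-address {
                        172.16.0.0/16;
                    }
                }
                then {
                    routing-instance wan-b;
                }
            }
            /* without this term the filter's implicit discard drops all other traffic */
            term default {
                then accept;
            }
        }
    }
}
routing-options {
    /* copy inet.0's interface routes into both forwarding tables so the
       static next hops below can resolve */
    interface-routes {
        rib-group inet FBF-RIB;
    }
    rib-groups {
        FBF-RIB {
            import-rib [ inet.0 wan-a.inet.0 wan-b.inet.0 ];
        }
    }
}
routing-instances {
    wan-a {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.2.3.5;
            }
        }
    }
    wan-b {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.2.4.5;
            }
        }
    }
}
```

"show route table wan-a.inet.0" should show the Direct route for 1.2.3.4/30 alongside the static default; if only the default is there, the rib-group is not applied and the next hop will show as unresolved. FBF only picks the egress table: on an ES box the packet is still subject to the core-to-wan zone policy and to whichever source NAT rule matches, so the filter changes where traffic leaves, never what address it leaves with.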
Contributor
hermesX
Posts: 20
Registered: ‎08-10-2009

Re: routing instance how to...

How do I have two? 10.20.30.0/24 is a network routed to my 1.2.3.4/30 network... 1.2.3.5 won't route 10.20.30.0/24 except as saying it's over at 1.2.3.6.... so I can really only have the WAN interface on the 1.2.3.4/30 network and somehow get the router to translate 10.20.30.0/24 to private IP ranges in my DMZ.

I was able to get ahold of the old ScreenOS config I had done 9 months or so ago that was similar and ran the conversion on it... however I'm still unable to get it working with that config...

The ScreenOS to Junos conversion created what I've attached, mostly... removed some of the extra stuff...

which... mostly makes sense to me, however, the BGP lines between the virtual instances don't seem to work... nor does putting in a static route to the untrust instance.

routing-instances {
    trust-vr {
        instance-type virtual-router;
        interface ge-2/0/7.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-table untrust-vr.inet.0;
            }
            auto-export {
                disable;
            }
        }
    }
    untrust-vr {
        instance-type virtual-router;
        interface ge-2/0/3.0;
        interface ae1.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.2.3.5;
            }
        }
    }
}

 

If you could provide some examples of how the filter-based forwarding would work it would be appreciated... as the O'Reilly enterprise routing book appears to only talk about it with routing-instances.

 

Message Edited by hermesX on 08-12-2009 08:59 AM
Trusted Contributor
Posts: 54
Registered: ‎08-03-2009

Re: routing instance how to...

Routing instances should get it to work as well. But filter-based forwarding should as well. Allow me to go back to my lab and try this! I will post configs leading it to work with both methods!

 

Patrik

//Patrik
JNCIS-M, JNCIS-ES
System Engineer
Juniper Networks