SRX

Hi All,

i have a routing-instance type virtual-router with 6 interfaces:

 

reth0.10

reth0.20

reth0.30

reth0.40

reth0.50

reth0.60

 

I have a lot of static routes using the reth0.60 as egress interface, but the ip next-hop is different.

 

I need that all traffic from 172.16.16.0/24 with destination 10.0.0.0/8 be routed to 10.43.7.4, instead use the next-hop 10.43.7.3. But only when the source address be 172.16.16.0/24 and destination traffic be 10.0.0.0/8.

 

The traffic shouldn´t be routed to the default-route table (inet.0).

 

Someone, know how i can deploy a FBF into a routing-instance (not the default inet.0)?

 

Follow the configuration that i tried, but didn´t worked:

 

edit policy-options policy-statement source-based-forwarding

set term 1 from source-address-filter 172.16.16.0/24 exact

set term 1 then next-hop 10.43.7.4

set term 1 then accept

 

set routing-instances MY-INSTANCE routing-options instance-import source-based-forwarding.

 

Tks,

João victor

 

 

 

 

 

 

 

A topology diagram and the current route table for these destination/source address would help to find the possible config changes

Hi Suraj,

follow attached. I did a simple diagram using only two interfaces. I think that the others interfaces don´t matter.

 

Basically, we have a routing-instance, where the traffic from 172.16.16.0/24 arrive through interface reth0.10, and go out through reth0.11. But in the reth0.11 we have two next-hops available. My requirement is:

 

* All traffic from 172.16.16.0/24 and need reach the 10.0.0.0/8, the traffic need be routed to 10.43.7.4. 

* All other traffic from any other sources, need be routed following the routing-instance decision.

 

Tks for attention. 🙂

João Victor

I think you have to use forwarding instances to achieve this.


Create forwarding instances to have different next hop for same destination.

root@srx> show configuration routing-instances
GROUP1 {
instance-type forwarding;
routing-options {
static {
route 10.0.0.0/8 next-hop 10.43.7.4;
}
}
}
GROUP2 {
instance-type forwarding;
routing-options {
static {
route 10.0.0.0/8 next-hop 10.43.7.2;
}
}
}


Apply firewall filter to route traffic to these forwarding instances based on Source IP.

root@srx> show configuration firewall
filter PBR {
term 1 {
from {
source-address {
172.16.16.0/24;
}
destination-address {
10.0.0.0/8;
}
}
then {
routing-instance GROUP1;
}
}
term 2 {
from {
source-address {
10.1.1.0/24;
}
destination-address {
10.0.0.0/8;
}
}
then {
routing-instance GROUP2;
}
}
term 3 {
then accept;
}
}


Import interface routes to forwarding instances.

root@srx> show configuration routing-options
interface-routes {
rib-group inet Interface-routes-to-VRs;
}
rib-groups {
Interface-routes-to-VRs {
import-rib [ inet.0 GROUP1.inet.0 GROUP2.inet.0 ];
}
}


Please use the correct address as in your network.

Hi Suraj,

tks for your repply and time.

 

The solution provided by you, make sense if the ingress traffic interface and the egress traffic interface belong to inet.0 (default routing table). 

 

But, this scenario is like that:

 

* I have one security zone, example, SRX-ZONE;

* Traffic source (172.16.16.0/24) arrive in the interface reth0.10;

* The egress interface is reth0.20;

* Interface reth0.10 and interface reth0.20 belong to a custom virtual instance type virtual-router. 

* The static route applied in the custom virtual instance to reach the network 10.0.0.0/8 point to 10.43.7.3;

* But when the traffic source is the 172.16.16.0/24 the next hop to reach the network 10.0.0.0/8 should be 10.43.7.4;

 

Summary: i need a FBF to be applied in a custom virtual instance, not to be applied in the inet.0. 

 

Note: i tried your configuration, but didn´t woked because no there "rib-group inet <rib-name>" option in the "routing-instance custom-instance routing-options" stanza. 

 

 

Do you know some another solution?

 

Tks for attention.

 

João Victor

To import interface routes from VR, you need to call the rib-group we specified under "interface-routes" on the VR.

 

Lets say your VR is VR1, then you need to apply below command additional to what I shared earlier.

 

set routing-instance VR1 routing-options interface-routes rib-group inet Interface-routes-to-VRs

 

 

 

Ref: https://kb.juniper.net/InfoCenter/index?page=content&id=KB19787&actp=search

Hi Suraj,

tks for your suggestion, but the options available to [ edit routing-options ]  instance are different for the [ edit routing-instance <custom-instance> routing-options ]. We don´t have a option to import instance routes to routing-instance. 

Please, if you can, look the screenshot attached.

Tks for attention,

João Victor

you dont need import command on vr, you have to specify inport command on inet0 routing-options only

https://kb.juniper.net/KB19787 - interface route import on this kb can be helpful reference

Hi Suraj,

tks a lot for your useful help.

 

 

Now, i can do the Source Based Routing in a custom virtual-instance.

 

 

Follow the configuration applied:
set routing-instances SRX instance-type virtual-router
# Inbound interface
set routing-instances SRX interface reth0.10

# Outbound interface
set routing-instances SRX interface reth0.20

#Routes to source ip address
set routing-instances SRX routing-options static route 172.16.16.0/24 next-hop 10.10.10.2

#Routes to destination ip address allowing any source address reach through 10.20.20.3 next-hop.
set routing-instances SRX routing-options static route 0.0.0.0/0 next-hop 10.20.20.3

#Routing instance type forwarding used to PBR:
set routing-instances PBR-SRX instance-type forwarding
set routing-instances PBR-SRX routing-options static route 172.16.16.0/24 next-hop 10.10.10.2
set routing-instances PBR-SRX routing-options static route 0.0.0.0/0 next-hop 10.20.20.4

#Firewall filter:
set firewall family inet filter PBR-OI term 10 from source-address 172.16.16.0/24
set firewall family inet filter PBR-OI term 10 from destination-address 0.0.0.0/0
set firewall family inet filter PBR-OI term 10 then log
set firewall family inet filter PBR-OI term 10 then routing-instance PBR-SRX
set firewall family inet filter PBR-OI term 20 then accept

#Apply the firewall filter in the "inbound" interface:
set interfaces reth0 unit 10 family inet filter input PBR-OI

#Import the routing tables required:
set routing-options rib-groups PBF import-rib SRX.inet.0
set routing-options rib-groups PBF import-rib PBR-SRX.inet.0

#Rib Groups:
set routing-instances SRX routing-options interface-routes rib-group inet PBF

Again Suraj,

tks a lot for your big help. 🙂

Glad to hear that it worked for you☺