SRX Services Gateway
Contributor
Posts: 15
Registered: ‎03-10-2016
0 Kudos
Accepted Solution

SRX firewall routing configuration

Hi,

I have a question about Juniper SRX firewall configuration, running 11.4R7.

My Q is about the routing table used while processing traffic passing through the firewall.

 

I have a routing configuration as part of the routing-instances definition, and it looks like
set routing-instances Main-VR instance-type virtual-router
set routing-instances Main-VR interface reth0.0
set routing-instances Main-VR routing-options static route 10.80.90.0/27 next-hop 10.80.90.40

 

Then I could find another routing definition as
routing-options static route 10.62.170.190/32 next-hop 10.80.93.1
routing-options static route 10.62.170.0/24 next-hop 10.80.93.1
routing-options static route 10.61.105.0/26 next-hop 10.80.93.1
routing-options static route 10.66.65.103/32 next-hop 10.80.93.1

 

What's the difference between the two definitions?
Are both active, I mean checked while traffic processing takes place?
Or could I remove one of them?

Recognized Expert
Posts: 175
Registered: ‎12-07-2014

Re: SRX firewall routing configuration

Hi Arouba,

 

In the following configuration:

Then I could find another routing definition as
routing-options static route 10.62.170.190/32 next-hop 10.80.93.1  >> 1
routing-options static route 10.62.170.0/24 next-hop 10.80.93.1      >> 2
routing-options static route 10.61.105.0/26 next-hop 10.80.93.1      >> 3
routing-options static route 10.66.65.103/32 next-hop 10.80.93.1    >> 4

 

2 should take care of 1 as well and hence 1 can be deleted, unless you only want the /32 address to pass through, in which case you should check and delete 2.

For 3 and 4 it is different, as 10.66.65.103 is not included in 10.61.105.0/26, so both will be required as per your network requirements.

 

set routing-instances Main-VR routing-options static route 10.80.90.0/27 next-hop 10.80.90.40

>> This takes care of traffic present in the routing instances and so is crucial for traffic that has to be routed from the routing instance.

 

 

Shailesh
[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Contributor
Posts: 36
Registered: ‎08-22-2015

Re: SRX firewall routing configuration

Hi Arouba

 

Routing lookup will be performed based on the source interface. If the source interface is bound to a user-defined routing instance, the definitions in that routing instance will be used.

 

set routing-instances Main-VR instance-type virtual-router
set routing-instances Main-VR interface reth0.0
set routing-instances Main-VR routing-options static route 10.80.90.0/27 next-hop 10.80.90.40

 

All traffic that arrives on an SRX interface other than reth0.0 uses the global definition.

 


routing-options static route 10.62.170.190/32 next-hop 10.80.93.1
routing-options static route 10.62.170.0/24 next-hop 10.80.93.1
routing-options static route 10.61.105.0/26 next-hop 10.80.93.1
routing-options static route 10.66.65.103/32 next-hop 10.80.93.1

Distinguished Expert
Posts: 4,873
Registered: ‎03-30-2009

Re: SRX firewall routing configuration

To see which routes are actually active you need to run the operational command:

 

show route

or the more specific

show route protocol static

 

This will show you the active routes indicated by the * symbol and organize them by the routing instance in which they are active.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor
Posts: 15
Registered: ‎03-10-2016
0 Kudos

Re: SRX firewall routing configuration

Hi SSN,

 

I thought routing-options 1 to 4 below would not function at all, as the next hop is not part of 10.80.90.0/27, which is defined at the routing-instances as

set routing-instances Main-VR routing-options static route 10.80.90.0/27 next-hop 10.80.90.40

 

routing-options static route 10.62.170.190/32 next-hop 10.80.93.1  >> 1
routing-options static route 10.62.170.0/24 next-hop 10.80.93.1      >> 2
routing-options static route 10.61.105.0/26 next-hop 10.80.93.1      >> 3
routing-options static route 10.66.65.103/32 next-hop 10.80.93.1    >> 4

 

Is this right? Or could you help me to understand the different functionality of the 2 definitions:

1- set routing-instances Main-VR routing-options static route

2- routing-options static route

Contributor
Posts: 15
Registered: ‎03-10-2016
0 Kudos

Re: SRX firewall routing configuration

Hi vMicroMe,

 

In your reply,

“All those traffic that will arrive to srx interface other then reth0.0 use global defination.”

 

Where to find this global definition

Distinguished Expert
Posts: 4,873
Registered: ‎03-30-2009

Re: SRX firewall routing configuration

could you help me to understand the different functionality of the 2 definitions
1- set routing-instances Main-VR routing-options static route
2- routing-options static route

When you create a routing instance this creates an independent routing table within the device.  

 

1 - adds a static route to the Main-VR routing instance route table

2- adds a static route to the root routing instance route table

 

Using the operational command will show both route tables. This is an example of an SRX with 2 routing instances configured, Trust-vr and Untrust-vr, and inet.0 is the root routing instance.

 

root@none> show route 

inet.0: 3 destinations, 4 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 16w5d 14:04:33
                    > to 192.168.0.1 via fe-0/0/7.0
                    [Access-internal/12] 18w6d 20:44:27
                    > to 192.168.128.1 via fe-0/0/0.0
192.168.0.0/24     *[Direct/0] 24w5d 17:49:39
                    > via fe-0/0/7.0
192.168.0.20/32    *[Local/0] 24w5d 18:02:06
                      Local via fe-0/0/7.0

Trust-vr.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.27.64/28   *[Direct/0] 17w5d 17:29:41
                    > via fe-0/0/1.0
192.168.27.65/32   *[Local/0] 18w6d 20:46:02
                      Local via fe-0/0/1.0

Untrust-vr.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.27.64/28   *[Direct/0] 16w5d 14:04:33
                    > via fe-0/0/1.0
192.168.128.0/24   *[Direct/0] 18w6d 20:44:27
                    > via fe-0/0/0.0
192.168.128.14/32  *[Local/0] 18w6d 20:44:27
                      Local via fe-0/0/0.0

 

 

“All those traffic that will arrive to srx interface other then reth0.0 use global defination.”
Where to find this global definition

Your original configuration shows that reth0.0 is assigned to the Main-VR. Thus any traffic that arrives on this sub interface will be processed by the Main-VR routing table. Traffic that arrives on any other interface will be processed by the root routing instance.

Steve Puluka
Contributor
Posts: 15
Registered: ‎03-10-2016
0 Kudos

Re: SRX firewall routing configuration

Thanks Spuluka,

 

Much appreciating your reply and clarification,

 

I got the show route results, and am reviewing one by one,

 

Q, do those definitions in global configuration, defined as routing-options static route, interact with Zones or Security Policies?

Or is it only for the basic functionality related to the firewall as a device (I mean, for the syslog/NTP/… accessibility)?

 

Distinguished Expert
Posts: 4,873
Registered: ‎03-30-2009

Re: SRX firewall routing configuration

Q, do those definitions in global configuration, defined as routing-options static route, interact with Zones or Security Policies?

Or is it only for the basic functionality related to the firewall as a device (I mean, for the syslog/NTP/… accessibility)?

 

The routing helps to determine which zone is involved with a flow which then determines which security policy will apply.

 

When a packet arrives, the ingress interface belongs to a zone, this is the from-zone for the policy check.

A route lookup occurs for the destination address; this then determines the egress interface for the traffic, and the zone assigned to this interface is the to-zone in the policy check.

Steve Puluka
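The two answers above (the route lookup being done in the routing instance of the ingress interface, and the from-zone/to-zone pair being derived from the ingress interface and the route lookup) and Shailesh's point that route 2 covers route 1, as an added Python model. This is example code written for this thread, not Junos code or anything from the posters: the Direct routes for reth0.0 and the extra root-instance interface reth1.0, and the zone names, are constructed assumptions so that the thread's static next-hops (10.80.90.40 and 10.80.93.1) resolve to an interface; the static routes themselves are the ones quoted in the thread.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    protocol: str                                  # "Direct" or "Static"
    next_hop: Optional[ipaddress.IPv4Address]      # Static routes only
    interface: Optional[str]                       # Direct routes only


def direct(prefix, iface):
    return Route(ipaddress.ip_network(prefix), "Direct", None, iface)


def static(prefix, nh):
    return Route(ipaddress.ip_network(prefix), "Static", ipaddress.ip_address(nh), None)


# Interface -> routing instance, as in the thread: reth0.0 is bound to Main-VR and
# everything else falls into the root instance (inet.0). reth1.0 is a hypothetical
# root-instance interface added so the root table has an egress interface.
INTERFACE_INSTANCE = {"reth0.0": "Main-VR", "reth1.0": "inet.0"}
# Interface -> security zone (constructed: the thread does not name its zones).
INTERFACE_ZONE = {"reth0.0": "servers", "reth1.0": "core"}


def build_tables():
    """One independent route table per routing instance."""
    return {
        "Main-VR": [
            direct("10.80.90.32/27", "reth0.0"),       # assumed subnet on reth0.0 (contains .40)
            static("10.80.90.0/27", "10.80.90.40"),     # static route from the thread
        ],
        "inet.0": [
            direct("10.80.93.0/24", "reth1.0"),        # assumed subnet on reth1.0 (contains 10.80.93.1)
            static("10.62.170.190/32", "10.80.93.1"),  # route 1 in the thread
            static("10.62.170.0/24", "10.80.93.1"),    # route 2
            static("10.61.105.0/26", "10.80.93.1"),    # route 3
            static("10.66.65.103/32", "10.80.93.1"),   # route 4
        ],
    }


def delete_route(table, prefix):
    """Return a copy of the table without the given prefix (models deleting route 1)."""
    net = ipaddress.ip_network(prefix)
    return [r for r in table if r.prefix != net]


def longest_match(table, dst):
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def resolve(table, dst, depth=0):
    """Return (matched prefix, egress interface), or None when the table has no route.
    A static next-hop is itself looked up until a Direct route supplies the interface;
    the depth guard stops a next-hop that can only be resolved through itself."""
    route = longest_match(table, dst)
    if route is None or depth > 4:
        return None
    if route.protocol == "Direct":
        return str(route.prefix), route.interface
    via = resolve(table, route.next_hop, depth + 1)
    return None if via is None else (str(route.prefix), via[1])


def flow_zones(tables, ingress_iface, dst):
    """Policy-lookup order from the thread: the ingress interface selects the routing
    instance and the from-zone; the route lookup selects the egress interface, whose
    zone is the to-zone. None means the instance has no route for the destination."""
    instance = INTERFACE_INSTANCE.get(ingress_iface, "inet.0")
    hit = resolve(tables[instance], dst)
    if hit is None:
        return None
    prefix, egress = hit
    return {"instance": instance, "route": prefix, "egress": egress,
            "from_zone": INTERFACE_ZONE[ingress_iface], "to_zone": INTERFACE_ZONE[egress]}


if __name__ == "__main__":
    tables = build_tables()
    for iface, dst in [("reth0.0", "10.80.90.5"), ("reth0.0", "10.62.170.190"),
                       ("reth1.0", "10.62.170.190"), ("reth1.0", "10.66.65.104")]:
        print(iface, "->", dst, ":", flow_zones(tables, iface, dst))
    # Route 2 takes over once route 1 is deleted, with the same next-hop
    print(resolve(delete_route(tables["inet.0"], "10.62.170.190/32"), "10.62.170.190"))
```

The second lookup is the answer to the original question: a packet arriving on reth0.0 is looked up only in Main-VR, so the root-instance static routes are never consulted for it and 10.62.170.190 has no route there. The last line shows the overlap Shailesh describes: with the /32 removed, 10.62.170.190 still resolves through the /24 to the same next-hop.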
Contributor
Posts: 15
Registered: ‎03-10-2016
0 Kudos

Re: SRX firewall routing configuration

thanks

 

I am reviewing and matching one by one to understand.

For sure I will come back,

 

much appreciated

Contributor
Posts: 15
Registered: ‎03-10-2016
0 Kudos

Re: SRX firewall routing configuration

[ Edited ]

Hi,

 

While reviewing the output of

the show route command, one output line I started to dig into shows as

681    10.14.224.193/32   *[Local/0] 24w6d 22:05:53
682                          Reject

 

I tried to find a reason, but could find nothing, except one, where there is no

routing-instances Other-VR routing-options static route

directed to this interface,

but is it really the reason?

 

here is the VR definition

 

 

Contributor
Posts: 15
Registered: ‎03-10-2016
0 Kudos

Re: SRX firewall routing configuration

[ Edited ]

Hi,

 

I need your help please,

to know the reason for getting

reject

on one of the interfaces!

 

Is it because no route is defined to use it?

 

Is it because the related zone is not used in any security policy as from-zone (but it does exist in other security policies as to-zone)?

 

Is it something not related to the firewall configuration, I mean related to any of the devices further on, routers, or the subnet is not defined properly?

 

Or is it something in the configuration for sure, but I need to go through it to identify it?

Distinguished Expert
Posts: 4,873
Registered: ‎03-30-2009

Re: SRX firewall routing configuration

show route command, one output line I started to dig into shows as
681    10.14.224.193/32   *[Local/0] 24w6d 22:05:53
682                          Reject

You get a reject local route when you have an ip address configured on an interface and the interface is currently link down.

 

 

Steve Puluka
Contributor
Posts: 15
Registered: ‎03-10-2016
0 Kudos

Re: SRX firewall routing configuration

thanks,

 

When you describe the interface as down, do you mean it's down from the firewall configuration?

Or an outside device, like a connected router, where the interface on the router side is down?

 

Are there any commands you would recommend running in order to diagnose the issue?

Distinguished Expert
Posts: 4,873
Registered: ‎03-30-2009

Re: SRX firewall routing configuration

The local routes are ones assigned in the configuration to interfaces.

 

Reject means the interface with that ip address is admin up and link down.  You need to check the cabling attached to that interface and the neighbor device to which it is connected.

 

This command will show you the ip address and current status of the interfaces.

show interfaces terse

Steve Puluka
Contributor
Posts: 15
Registered: ‎03-10-2016
0 Kudos

Re: SRX firewall routing configuration

[ Edited ]

Hi again,

 

The result related to the issue interface, of the command

show interfaces terse

 

is as follows

 

Interface               Admin Link Proto    Local                 Remote
reth4                   up    down
reth4.1549              up    down inet     10.14.224.193/26
                                   multiservice
reth4.32767             up    down multiservice

 

Does this confirm your finding, that it's the neighbor device which is down, and not the firewall configuration?

Second Q: where does this interface reth4.32767 come from? It's not at all in the configuration; is it a system default?

 

Distinguished Expert
Posts: 4,873
Registered: ‎03-30-2009

Re: SRX firewall routing configuration

Yes, this is showing that your link from this interface is down.

 

Interface               Admin Link Proto    Local                 Remote
reth4                   up    down

Admin = the interface configuration is active

Link = the physical layer link is down, meaning the cable is not good or disconnected, or the partner interface is not up.

 

Since this is a reth interface you may also want to confirm the status of the underlying physical ethernet port.  Look at the interface stanza and see which physical port is assigned to reth4 and also run the show interface terse for this physical interface to confirm it is admin up.  

 

If no interface is assigned to reth4 then one will need to be assigned and connected to the desired partner device.

Steve Puluka
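The check Steve describes (admin up, link down, with an address configured, which is what produces the rejected Local route) is easy to automate over `show interfaces terse` output when reviewing a larger SRX. The parser below is an added example written for this thread, not Junos or PyEZ code; the sample output is constructed from the reth4 lines quoted above plus a healthy ge-0/0/3 interface so the filter has something to leave alone. Which physical port backs reth4 is not visible in terse output (it comes from the interface configuration), so the script only flags the reth itself.

```python
# Constructed sample modelled on the `show interfaces terse` excerpt in the thread,
# with a healthy ge-0/0/3 added for contrast (not from the original post).
SAMPLE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     192.0.2.1/30
reth4                   up    down
reth4.1549              up    down inet     10.14.224.193/26
                                   multiservice
reth4.32767             up    down multiservice
"""


def parse_terse(text):
    """Parse `show interfaces terse` into a list of dicts.
    Indented lines carry only an additional protocol family for the interface on
    the previous line (as 'multiservice' does under reth4.1549) and are folded in."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue                      # blank line or column header
        if line[0].isspace():             # continuation line: extra family only
            if entries:
                entries[-1]["families"].append(line.split()[0])
            continue
        fields = line.split()
        entries.append({
            "name": fields[0],
            "admin": fields[1],
            "link": fields[2],
            "families": fields[3:4],                          # [] when no family shown
            "local": fields[4] if len(fields) > 4 else None,  # address, if any
        })
    return entries


def reject_candidates(text):
    """Logical interfaces whose address would appear as a rejected Local route:
    admin up, link down, and an inet address configured."""
    return [(e["name"], e["local"]) for e in parse_terse(text)
            if e["admin"] == "up" and e["link"] == "down"
            and "inet" in e["families"] and e["local"]]


def down_physicals(text):
    """Physical (undotted) interfaces that are admin up but link down; these are the
    ones whose cabling and partner device need checking."""
    return [e["name"] for e in parse_terse(text)
            if "." not in e["name"] and e["admin"] == "up" and e["link"] == "down"]


if __name__ == "__main__":
    print("addresses on link-down interfaces:", reject_candidates(SAMPLE))
    print("physical interfaces to check:", down_physicals(SAMPLE))
```

Feeding the real output in (for example via `show interfaces terse | no-more` captured to a file) gives the list of addresses that will show as Reject in `show route`, without scanning the table by hand.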