SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX220 Filter Based Forwarding Issue

    Posted 12-30-2013 22:14

    I'm testing a configuration that will eventually be used on a pair of SRX240s in a cluster.  I have been following several examples and I had thought that I had it right, but what I've noticed is that there is no <instance>.inet.0 table.  What have I missed?

    interfaces {
        ge-0/0/0 {
            description Comcast;
            unit 0 {
                family inet {
                    address 10.1.10.5/24;
                }
            }
        }
        ge-0/0/1 {
            description Centurlink;
            vlan-tagging;
            unit 170 {
                vlan-id 170;
                family inet {
                    address 4.2.2.174/24;
                }
            }
            unit 901 {
                vlan-id 901;
                family inet {
                    filter {
                        input pbr-out;
                    }
                    address 10.0.0.1/30;
                }
            }
        }
        ge-0/0/7 {
            description blue;
            unit 0 {
                family inet {
                    address 172.20.0.203/24;
                }
            }
        }
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface ge-0/0/1.901;
            }
        }
    }
    firewall {
        filter pbr-out {
            term TESTVPN20 {
                from {
                    source-address {
                        172.31.130.10/32;
                    }
                }
                then {
                    routing-instance comcast;
                }
            }
            term servers {
                from {
                    source-address {
                        172.31.121.0/24;
                    }
                }
                then {
                    routing-instance Centurlink;
                }
            }
            term users {
                from {
                    source-address {
                        172.31.122.0/24;
                    }
                }
                then {
                    routing-instance comcast;
                }
            }
            term VPN-users {
                from {
                    source-address {
                        172.31.130.0/24;
                    }
                }
                then {
                    routing-instance comcast;
                }
            }
        }
    }
    routing-instances {
        comcast {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.1.10.1;
                }
            }
        }
        management {
            instance-type virtual-router;
            interface ge-0/0/7.0;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 172.20.0.1;
                }
            }
        }
        Centurlink {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 4.2.2.1;
                }
            }
        }
    }
    services {
        rpm {
            probe comcast-probe {
                test comcast-router {
                    target address 10.1.10.1;
                    probe-count 10;
                    probe-interval 5;
                    test-interval 10;
                    thresholds {
                        successive-loss 8;
                        total-loss 4;
                    }
                    destination-interface ge-0/0/0.0;
                    next-hop 10.1.10.1;
                }
            }
            probe Centurlink-probe {
                test Centurlink-mib {
                    target address 4.2.2.97;
                    probe-count 10;
                    probe-interval 5;
                    test-interval 10;
                    thresholds {
                        successive-loss 8;
                        total-loss 4;
                    }
                    destination-interface ge-0/0/1.170;
                    next-hop 4.2.2.1;
                }
            }
        }
        ip-monitoring {
            policy comcast-tracking {
                match {
                    rpm-probe comcast-probe;
                }
                then {
                    preferred-route {
                        routing-instances Centurlink {
                            route 0.0.0.0/0 {
                                next-hop 10.1.10.1;
                            }
                        }
                    }
                }
            }
            policy Centurlink-tracking {
                match {
                    rpm-probe Centurlink-probe;
                }
                then {
                    preferred-route {
                        routing-instances comcast {
                            route 0.0.0.0/0 {
                                next-hop 4.2.2.1;
                            }
                        }
                    }
                }
            }
        }
    }



  • 2.  RE: SRX220 Filter Based Forwarding Issue

    Posted 12-31-2013 03:25

    Hello Thomas,

    A filter-based forwarding instance will *NOT* have a different routing table, as there is no one-to-one mapping between interface and routing instance.

    All instances belong to the same default instance, inet.0.

    Hope this helps!

    Instance types reference:

    http://www.juniper.net/techpubs/en_US/junos11.4/topics/concept/routing-instance-security-type-understanding.html

    Regards,

    Raveen

    Note: If I have answered your question correctly, you could mark this post as the accepted solution; that way, it helps others as well. Kudos will be cool if I earned it!



  • 3.  RE: SRX220 Filter Based Forwarding Issue

    Posted 12-31-2013 18:21

    Raveen,

    I've read about the different instance types as well, and I completely agreed with you until I read the KB below.  It indicates in the verification that there would be route tables for forwarding instances.  I also noticed that there are comcast.inet and Centurylink.inet tables, but no inet.0 tables.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB22052

    The config in its current state black-holes traffic, even though it appears traffic is matching the filter, which would indicate that I don't have something right.  Any thoughts on what I may have missed?



  • 4.  RE: SRX220 Filter Based Forwarding Issue
    Best Answer

    Posted 12-31-2013 03:57

    Hi there,

    You did not inject connected routes into Your forwarding instances, hence You won't be able to see any of the tables You are referring to.

    You will need to use the following construct:

    set routing-options rib-groups if-rib import-rib [ inet.0 comcast.inet.0 Centurlink.inet.0 ]
    set routing-options interface-routes rib-group inet if-rib

    After committing this config, You will be able to see Your forwarding-instance tables populated with connected AND static routes (provided the static next hops are reachable via a connected Up/Up interface).

    HTH

    Thanks

    Alex

     



  • 5.  RE: SRX220 Filter Based Forwarding Issue

    Posted 12-31-2013 18:23

    Alex, 

    I tried to add the rib-group, but it would error out on commit, pointing to no comcast.inet.0 and Centurylink.inet.0 tables.  Any other thoughts?



  • 6.  RE: SRX220 Filter Based Forwarding Issue

    Posted 01-01-2014 01:05

    You should just copy this, use "load set terminal", paste it in the window, and then try to commit.

    If this does not work, then try using instance-import.

    You should run this command, > "show security flow status", to see if the box needs to be rebooted. What OS version?

    If you get an error, post the complete error.

    set policy-options policy-statement FBF-import from instance master
    set policy-options policy-statement FBF-import then accept
    set routing-instances comcast routing-options instance-import FBF-import
    set routing-instances Centurlink routing-options instance-import FBF-import


    set routing-options rib-groups if-rib import-rib [ inet.0 comcast.inet.0 Centurlink.inet.0 ]
    set routing-options interface-routes rib-group inet if-rib


  • 7.  RE: SRX220 Filter Based Forwarding Issue

    Posted 02-03-2014 12:22

    After staring at my config, I realized that my rib-group had an error in it.  Instead of typing Centurlink.inet.0, I had typed Centurlink.inet.o and kept missing it.

    Problem solved.
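    The two failure modes this thread walks through (a rib-group import-rib entry naming a table that does not exist, and a forwarding-type instance used as a filter target without any route injection, which black-holes the steered traffic) are both things a static check on the candidate config can catch before commit. The script below is an added example, not code from any post in this thread and not Juniper code. It parses set-style lines (the SAMPLE_CONFIG is constructed from the original poster's configuration plus the rib-group lines from the accepted answer, with the ".inet.o" typo reintroduced), and the function names parse, check and check_config are my own. It assumes the standard "<instance>.inet.0" table naming and that either membership of <instance>.inet.0 in the interface-routes rib-group or an instance-import statement counts as route injection for that instance.

```python
"""Static check for filter-based forwarding (FBF) route injection in a Junos set-style config.

Added example (not from this thread, not Juniper code). Flags:
  * rib-group import-rib entries naming a table no routing-instance provides
    (catches the 'Centurlink.inet.o' vs 'Centurlink.inet.0' typo)
  * forwarding-type instances used as a filter 'routing-instance' target that
    receive no routes via the interface-routes rib-group or instance-import
"""
import re

# Constructed sample, modelled on the poster's configuration with the accepted
# answer's rib-group lines added and the typo from the final post reintroduced.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/1 unit 901 family inet filter input pbr-out
set firewall filter pbr-out term servers then routing-instance Centurlink
set firewall filter pbr-out term users then routing-instance comcast
set routing-instances comcast instance-type forwarding
set routing-instances comcast routing-options static route 0.0.0.0/0 next-hop 10.1.10.1
set routing-instances Centurlink instance-type forwarding
set routing-instances Centurlink routing-options static route 0.0.0.0/0 next-hop 4.2.2.1
set routing-instances management instance-type virtual-router
set routing-options rib-groups if-rib import-rib [ inet.0 comcast.inet.0 Centurlink.inet.o ]
set routing-options interface-routes rib-group inet if-rib
"""

# Assumed table naming: inet.0 for the master instance, <instance>.inet.0 otherwise.
TABLE_RE = re.compile(r"^(?:[A-Za-z0-9_-]+\.)?inet\.0$")


def parse(config_text):
    """Collect the parts of a set-style config that matter for FBF route injection."""
    model = {"instances": {}, "rib_groups": {}, "interface_rib_group": None,
             "instance_import": set(), "fbf_targets": set()}
    for raw in config_text.splitlines():
        toks = raw.strip().split()
        if len(toks) < 2 or toks[0] != "set":
            continue
        t = toks[1:]
        if t[0] == "routing-instances" and len(t) >= 4:
            name = t[1]
            model["instances"].setdefault(name, None)  # type filled in when seen
            if t[2] == "instance-type":
                model["instances"][name] = t[3]
            elif t[2:4] == ["routing-options", "instance-import"]:
                model["instance_import"].add(name)
        elif t[:2] == ["routing-options", "rib-groups"] and len(t) >= 5 and t[3] == "import-rib":
            # import-rib may be a single table or a bracketed list
            tables = [x.strip("[]") for x in t[4:] if x.strip("[]")]
            model["rib_groups"].setdefault(t[2], []).extend(tables)
        elif t[:4] == ["routing-options", "interface-routes", "rib-group", "inet"] and len(t) >= 5:
            model["interface_rib_group"] = t[4]
        elif t[:2] == ["firewall", "filter"] and "then" in t:
            i = t.index("then")
            if t[i + 1:i + 2] == ["routing-instance"] and len(t) > i + 2:
                model["fbf_targets"].add(t[i + 2])
    return model


def check(model):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    findings = []
    known_tables = {"inet.0"} | {f"{n}.inet.0" for n in model["instances"]}
    fed = set()  # instances that will receive connected/static routes from the master
    for grp, tables in model["rib_groups"].items():
        for tbl in tables:
            if not TABLE_RE.match(tbl) or tbl not in known_tables:
                findings.append(f"rib-group {grp}: import-rib '{tbl}' is not a defined routing table")
    grp = model["interface_rib_group"]
    if grp is not None:
        if grp not in model["rib_groups"]:
            findings.append(f"interface-routes references undefined rib-group {grp}")
        else:
            for tbl in model["rib_groups"][grp]:
                if tbl in known_tables and tbl != "inet.0":
                    fed.add(tbl[: -len(".inet.0")])
    fed |= model["instance_import"]
    for inst in sorted(model["fbf_targets"]):
        if inst not in model["instances"]:
            findings.append(f"filter action routing-instance {inst}: instance is not defined")
        elif model["instances"][inst] == "forwarding" and inst not in fed:
            findings.append(f"forwarding instance {inst}: no routes injected (add {inst}.inet.0 to the "
                            "interface-routes rib-group or configure instance-import); "
                            "traffic steered into it will be black-holed")
    return findings


def check_config(config_text):
    return check(parse(config_text))


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
    fixed = SAMPLE_CONFIG.replace("Centurlink.inet.o", "Centurlink.inet.0")
    print("after fixing the typo:", check_config(fixed) or "no findings")
```

    On the constructed sample the check reports the bad import-rib entry and, because Centurlink.inet.0 is therefore never fed by the rib-group, also reports the Centurlink forwarding instance as black-holed; correcting the single character clears both. Feed it the output of "show configuration | display set" from the candidate config rather than the delta to get the same view the commit check has.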



  • 8.  RE: SRX220 Filter Based Forwarding Issue

    Posted 02-03-2014 14:46
    Awesome! Next time, copy the exact error message; we would have spotted it immediately. Also, the commands had it exactly as you needed it. 0 and o are a very common mistake. 🙂


  • 9.  RE: SRX220 Filter Based Forwarding Issue

    Posted 01-01-2014 02:25

    Hello,

    Please post the complete sanitized candidate config (the exact config You are trying to commit, not the delta config) and complete console|ssh|telnet terminal output from Your commit attempt.

    HTH

    Thanks
    Alex