SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Source routing on SR3400

    Posted 01-31-2012 04:58

    Hi Community,

    I am converting a firewall config from Netscreen to SRX3400. Two VRs are used: Gi-vr and untrust-vr.

    On Gi-vr a default route is defined pointing to untrust-vr, and source routing is defined for some subnets.

    The command line in Netscreen:

    set vrouter "Gi-vr"

    set source-routing enable
    set route 172.25.47.83/32 interface ethernet1/1.50 gateway 172.25.51.34
    set route 172.25.51.48/32 interface ethernet1/1.50 gateway 172.25.51.34
    set route source 172.19.16.0/21 interface ethernet1/1.430 gateway 172.25.51.66 preference 20

    set route source 172.19.40.0/21 interface ethernet1/1.430 gateway 172.25.51.66 preference 20
    set route 0.0.0.0/0 vrouter "untrust-vr" preference 20

    In red is the command line for source routing in Netscreen. The route is pointing to 172.25.51.66 on interface eth1/1.430 in the same VR.

    I need help finding the command line on SRX3400 for doing the source routing.

    BR

     

     



  • 2.  RE: Source routing on SR3400
    Best Answer

    Posted 02-01-2012 00:03

    Hi

     

    The feature you need to implement source routing is "filter based forwarding".

    You can search this forum for many examples, e.g.

    http://forums.juniper.net/t5/SRX-Services-Gateway/Source-based-roting-with-Filter-based-Forwarding/m-p/94068/highlight/true#M11478

     

    Tell us if you will have a problem implementing this.



  • 3.  RE: Source routing on SR3400

    Posted 02-27-2012 17:22

    Hi pk

    I have seen the solution, but the problem I have is that the interfaces for the incoming traffic and the outgoing traffic are in the same virtual router Gi-vr, not in the inet.0. The default route in this VR is untrust-vr.

    I want to do a source route for traffic from 172.19.16.0/21 only to go to reth1.430 interface and the other to the default route.

    Here is the config I have right now:

    set interfaces reth1 unit 50 family inet address 172.25.51.33/29

    set interfaces reth1 unit 430 family inet address 172.25.51.78/28

    set routing-instances Gi-vr instance-type virtual-router

    set routing-instances Gi-vr interface reth1.50
    set routing-instances Gi-vr interface reth1.430

    set routing-instances Gi-vr routing-options static route 0.0.0.0/0 next-table untrust-vr.inet.0

     

     

     

    BR



  • 4.  RE: Source routing on SR3400

    Posted 02-27-2012 23:46

    Hi

     

    There shouldn't be a problem to implement FBF from a VR. Here is an example.

    Virtual router routing instance name is "vr".

     

    routing-instances {
        FBF {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.20.20.254;
                }
            }
        }
        vr {
            instance-type virtual-router;
            interface ge-0/0/3.0;
            interface ge-0/0/4.0;
            interface ge-0/0/5.0;
            routing-options {
                interface-routes {
                    rib-group inet RouteClub;
                }
            }
        }
    }

     

    RIB groups should be configured as follows:

     

    routing-options {
        rib-groups {
            RouteClub {
                import-rib [ vr.inet.0  FBF.inet.0 ];
            }
        }
    }

     

    Firewall filter is applied to the interface in VR as usual (it should match on the source of traffic you want to source-route directing it to the FBF instance, and accept all other traffic).
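
The FBF approach from the last reply, written out with the addresses from the original question, as an added example that is not part of the original posts. The names FBF-430, Gi-FBF and SRC-ROUTE are made up for illustration, and reth1.50 as the interface where traffic from 172.19.16.0/21 enters Gi-vr is an assumption; apply the filter to whichever Gi-vr interface actually receives that traffic.

```junos
# Added example, set-format. Names FBF-430, Gi-FBF and SRC-ROUTE are hypothetical.

# 1. Forwarding instance whose only job is to hold the "source route":
#    everything sent here leaves via 172.25.51.66 (on the reth1.430 subnet).
set routing-instances FBF-430 instance-type forwarding
set routing-instances FBF-430 routing-options static route 0.0.0.0/0 next-hop 172.25.51.66

# 2. Copy Gi-vr's interface (direct) routes into FBF-430.inet.0 so the
#    next-hop 172.25.51.66 resolves there. The first table listed must be
#    the one the interfaces natively belong to (Gi-vr.inet.0).
set routing-options rib-groups Gi-FBF import-rib [ Gi-vr.inet.0 FBF-430.inet.0 ]
set routing-instances Gi-vr routing-options interface-routes rib-group inet Gi-FBF

# 3. Filter: matching sources are looked up in FBF-430, all other traffic
#    is accepted and follows Gi-vr's own table, including the existing
#    0.0.0.0/0 next-table untrust-vr.inet.0 default route.
#    Further source prefixes can be added as extra source-address lines.
set firewall family inet filter SRC-ROUTE term src-172-19-16 from source-address 172.19.16.0/21
set firewall family inet filter SRC-ROUTE term src-172-19-16 then routing-instance FBF-430
set firewall family inet filter SRC-ROUTE term everything-else then accept

# 4. Apply the filter inbound on the ingress interface inside Gi-vr.
#    ASSUMPTION: reth1.50 is where 172.19.16.0/21 traffic arrives.
set interfaces reth1 unit 50 family inet filter input SRC-ROUTE
```

After commit, `show route table FBF-430.inet.0` should list the static default plus the direct routes imported from Gi-vr; if the direct route for the reth1.430 subnet is missing, the static next-hop will not resolve. Security policy between the ingress and egress zones still has to permit the flow.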