SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Virtual Router / Route Import / Groups

    Posted 04-27-2014 05:22

     

    Hi guys!

     

    I have done this before but it seems I have forgotten!

     

    Basically I have 4 Virtual Routers. I want to import the routes from the "untrust-vr" to the "trust-vr" so I can get to the interweb.

     

    I can vaguely remember that I might have had to set up a "rib-group" and import instances, but I have tried this and can't seem to get it to work!

     

    Can someone please remind me of the best way!

     

    [edit]
    root@GATEWAY# run show route

    inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)

    dmz-vr.inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.0.0.1/32        *[Local/0] 01:10:32
                          Reject

    train-vr.inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.10.1/32    *[Local/0] 01:10:32
                          Reject

    trust-vr.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.1.0/24     *[Direct/0] 01:10:27
                        > via ge-0/0/3.0
    192.168.1.50/32    *[Local/0] 01:10:32
                          Local via ge-0/0/3.0

    untrust-vr.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:14:27
                        > via pp0.0
    62.27.136.164/32   *[Direct/0] 00:16:09
                        > via pp0.0
    95.1.32.69/32   *[Local/0] 00:16:09
                          Local via pp0.0

    The other VRs need access as well but I only want to get one working.

     

    root@GATEWAY# run show route instance
    Instance             Type
             Primary RIB                                     Active/holddown/hidden
    master               forwarding
             inet.0                                          0/0/1

    __juniper_private1__ forwarding
             __juniper_private1__.inet.0                     3/0/4

    __juniper_private2__ forwarding
             __juniper_private2__.inet.0                     0/0/1

    __master.anon__      forwarding

    dmz-vr               virtual-router
             dmz-vr.inet.0                                   1/0/0

    train-vr             virtual-router
             train-vr.inet.0                                 1/0/0

    trust-vr             virtual-router
             trust-vr.inet.0                                 5/0/0

    untrust-vr           virtual-router
             untrust-vr.inet.0                               3/0/0

    Should I be importing the master?

     

    Thanks

     



  • 2.  RE: Virtual Router / Route Import / Groups

    Posted 04-27-2014 10:24

    I think that KB21241 shows the configuration you are looking for to route between virtual routing instances.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21241



  • 3.  RE: Virtual Router / Route Import / Groups

    Posted 04-27-2014 11:31

    Hi,

     

    Please see attachment - maybe you will understand what I am trying to do.

     

    I have already tried to do

     

    set routing-instances trust-vr instance-type virtual-router
    set routing-instances trust-vr routing-options static route 0.0.0.0/0 next-hop x.x.x.x

    but it doesn't seem to be working.

     

    I have set up individual VRs to manage traffic - clearly not working at this time lol

     



  • 4.  RE: Virtual Router / Route Import / Groups
    Best Answer

    Posted 04-28-2014 00:45

    I am somehow unable to view the article at this time, however there are a few options.

    1 - Use instance-import to import the routes from the untrust-vr into the other VRs.

    2 - Use rib-groups and share interface routes; or just import the interface routes from the pp0 interface.

    3 - Set the default route in the VRs to use the untrust-vr route table. This one can be problematic though.

     

    set routing-instances trust-vr instance-type virtual-router
    set routing-instances trust-vr routing-options static route 0.0.0.0/0 next-table untrust-vr.inet.0
    (or whatever the correct name of that routing table is)

    Create a routing policy in the untrust-vr with one term to import direct routes from the pp0 interface with action accept, and add a second term with action reject.

    set routing-instances trust-vr instance-type virtual-router
    set routing-instances trust-vr routing-options instance-import <policy_name>

    The other is to create rib-groups, and there are numerous examples in the forum and on the Juniper website - just way too complicated when instance-import achieves the same thing in just a few steps.
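
Added example, not part of the original answer: option 1 (instance-import) written out as Junos set commands, extended to import the static default route as well as the pp0.0 direct route. The policy name leak-untrust-to-trust and its term names are hypothetical; the instance names, pp0.0 and the routes come from the show route output in the first post. Return routing from untrust-vr towards 192.168.1.0/24 and source NAT are not covered.

```junos
# Policy evaluated by trust-vr when it imports routes from other instances.
# Accept only what trust-vr needs from untrust-vr and reject the rest,
# so routes from dmz-vr or train-vr never leak into trust-vr.
set policy-options policy-statement leak-untrust-to-trust term default-route from instance untrust-vr
set policy-options policy-statement leak-untrust-to-trust term default-route from protocol static
set policy-options policy-statement leak-untrust-to-trust term default-route from route-filter 0.0.0.0/0 exact
set policy-options policy-statement leak-untrust-to-trust term default-route then accept

set policy-options policy-statement leak-untrust-to-trust term pp0-direct from instance untrust-vr
set policy-options policy-statement leak-untrust-to-trust term pp0-direct from protocol direct
set policy-options policy-statement leak-untrust-to-trust term pp0-direct from interface pp0.0
set policy-options policy-statement leak-untrust-to-trust term pp0-direct then accept

set policy-options policy-statement leak-untrust-to-trust term everything-else then reject

# Attach the policy to the instance that should receive the routes.
set routing-instances trust-vr routing-options instance-import leak-untrust-to-trust

# After commit, confirm from operational mode that 0.0.0.0/0 and the
# pp0.0 direct route now appear in the trust-vr table:
#   show route table trust-vr.inet.0
```

The same policy can be referenced from dmz-vr and train-vr with their own instance-import statements.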



  • 5.  RE: Virtual Router / Route Import / Groups

    Posted 04-28-2014 12:02
    After digging around and being unable to pass traffic, I decided to delete the untrust-vr.

    I didn't really need a separate VR for untrust since the rest of the zones are separate.

    After that I ran static route default table into the virtual router. I can now pass traffic.

    However, I have got a question... If I want to be able to connect from the trust zone to the dmz zone, e.g. a resource, but only one way so the dmz VR cannot see back into the trust zone, how would one configure this?
    Is it a security policy?

    Thanks


  • 6.  RE: Virtual Router / Route Import / Groups

    Posted 04-28-2014 12:11

    Create a security policy to match traffic from zone trust to destination zone DMZ, match applications any or the specified applications, then permit. That will allow host to access resources in DMZ but the other way around.
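
Added example, not part of the original reply: the trust-to-DMZ policy as Junos set commands, narrowed to one resource and one application, with an explicit logged deny for the reverse direction. The zone names trust and dmz, the policy names and the address-book entry dmz-web (10.0.0.10/32, a constructed address) are assumptions, as is the use of the global address book; routing between trust-vr and dmz-vr is assumed to be in place already.

```junos
# Constructed DMZ host; replace with the real resource.
set security address-book global address dmz-web 10.0.0.10/32

# trust -> dmz: permit new sessions to the one resource on the one application.
# Replies to these sessions are matched by the session table, so no
# dmz -> trust permit is needed for return traffic.
set security policies from-zone trust to-zone dmz policy trust-to-dmz-web match source-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-web match destination-address dmz-web
set security policies from-zone trust to-zone dmz policy trust-to-dmz-web match application junos-https
set security policies from-zone trust to-zone dmz policy trust-to-dmz-web then permit

# dmz -> trust: deny new sessions explicitly and log each attempt,
# so the one-way intent is visible in the configuration and in the logs.
set security policies from-zone dmz to-zone trust policy dmz-to-trust-deny match source-address any
set security policies from-zone dmz to-zone trust policy dmz-to-trust-deny match destination-address any
set security policies from-zone dmz to-zone trust policy dmz-to-trust-deny match application any
set security policies from-zone dmz to-zone trust policy dmz-to-trust-deny then deny
set security policies from-zone dmz to-zone trust policy dmz-to-trust-deny then log session-init

# After commit, review both directions from operational mode:
#   show security policies from-zone trust to-zone dmz
#   show security policies from-zone dmz to-zone trust
```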



  • 7.  RE: Virtual Router / Route Import / Groups

    Posted 04-28-2014 13:19

    Top trumps!

     

    😄

    Thanks!