Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  Static Routes

    Posted 10-16-2010 09:44

    Hello Dears,

    Can anybody tell me what these 3 statements below mean?

    set route 10.30.8.13/32 vrouter "trust-vr" preference 20 metric 1

    Answer:???

    set route 0.0.0.0/0 vrouter "trust-vr" preference 20 metric 1

    Answer:???

    set route 10.25.8.10/32 vrouter "untrust-vr" preference 20 metric 1

    Answer???

    Thanks



  • 2.  RE: Static Routes

    Posted 10-16-2010 10:34

    Hi Jenifer,

    set route 10.2.1.0/24 interface ethernet0/2 gateway 2.2.2.2

    If you want to reach the 10.2.1.0 subnet, your next hop is 2.2.2.2 through outgoing interface e0/2.

    set route 10.30.8.13/32 vrouter "trust-vr" preference 20 metric 1

    If you want to reach the 10.30.8.13/32 address, your next hop is the trust virtual router.

    set route 0.0.0.0/0 vrouter "trust-vr" preference 20 metric 1

    Your default route is the trust virtual router.

    set route 10.25.8.10/32 vrouter "untrust-vr" preference 20 metric 1

    If you want to reach the 10.25.8.10/32 address, your next hop is the untrust virtual router.

    Regarding metric: it is a value used at static routes to decide which static route to choose (sometimes called the cost).

    Example:

    set route 10.30.8.13/32  e0/2  preference 20 metric 1

    set route 10.30.8.13/32  e0/2 preference 20 metric 2

    Here you have 2 static routes to the same destination address but with different next hops, so the firewall will choose the route with the lowest metric (the first route here).

    Regarding preference:

    A route with higher preference is preferred.

    Directly connected routes have higher preference, then static routes, then routes learned from dynamic routing protocols.

    Regarding virtual routers:

    At your firewall, by default all interfaces belong to trust-vr, but you can assign interfaces to another virtual router (untrust-vr).

    *******************  Mark My Post as Accepted if it solved your problem*******************



  • 3.  RE: Static Routes

    Posted 10-16-2010 11:14

    Hello Dear,

    I am very much new to Juniper, so these questions are very funny. I know the concepts of Cisco but they are not matching here very little.

    set route 10.30.8.13/32 vrouter "trust-vr" preference 20 metric 1

    If you want to reach the 10.30.8.13/32 address, your next hop is the trust virtual router.

    Question: It is a directly connected interface on my Juniper, then why do I need to specify a route? See below for the interface config.

    set interface ethernet1/1 ip 10.30.8.1/27
    set interface ethernet1/1 nat

    Answer?????

    set route 0.0.0.0/0 vrouter "trust-vr" preference 20 metric 1

    Your default route is the trust virtual router.

    Question: I have a default route on the untrust interface, then why do I need a default route on the trust virtual router? See below the configs for the default route on the untrust virtual router.

    set route 0.0.0.0/0 interface ethernet2/3 gateway 10.30.250.1 preference 20 metric 2

    Answer???

    Question:

    Does Juniper think of trust and untrust as 2 different routers? If so, then why do I need the route in the trust virtual router for my directly connected interface?

    Answer:???



  • 4.  RE: Static Routes

    Posted 10-16-2010 11:30

    Q1: Most probably this interface is at the trust-vr, so the untrust-vr does not know about its existence (it is directly connected, but to the trust-vr).

    Q2: Most probably your default route pointing to e2/3 is at the trust-vr (not at the untrust-vr).

    Q3: Yes, 2 different routers.

    You can paste your complete configuration if things are still not clear for you.

    Below is an example that may help you:

    subnetX######### trust-vr......untrust-vr  ######## subnetY

    Now if you need subnet 1 to ping subnet 2 and vice versa, you need to put 2 routes:

    at trust-vr:

    (FW)~set vrouter  trust-vr

    (FW-trustvr)~set route subnetY/24 vrouter "untrust-vr" preference 20 metric 1

    at untrust-vr:

    (FW)~set vrouter untrust-vr

    (FW-untrustvr )~set route subnetX/32 vrouter "trust-vr" preference 20 metric 1

    *******************  Mark My Post as Accepted if it solved your problem*******************



  • 5.  RE: Static Routes

    Posted 10-16-2010 11:49

    Very good explanation. I have got what you want to explain. Where can I rate you? Please guide; I hope right hand corner in quote.

    Here are the configs, please correct me if I am wrong:

    Below are the routes from the untrust to trust

    set vrouter "untrust-vr"
    set route 10.25.8.10/32 interface ethernet2/4 gateway 10.28.50.49 preference 20
    set route 10.30.8.13/32 vrouter "trust-vr" preference 20 metric 1
    set route 10.30.4.14/32 vrouter "trust-vr" preference 20 metric 1
    set route 0.0.0.0/0 vrouter "trust-vr" preference 20 metric 1
    set route 10.30.6.11/32 vrouter "trust-vr" preference 20 metric 1
    set route 10.30.7.11/32 vrouter "trust-vr" preference 20 metric 1
    set route 10.30.6.10/32 vrouter "trust-vr" preference 20 metric 1
    set route 10.30.1.0/27 vrouter "trust-vr" preference 20 metric 1
    exit

     

    Below are the routes from trust to untrust

    set vrouter "trust-vr"
    unset add-default-route
    set route 10.30.1.0/27 interface ethernet2/3 gateway 10.30.250.1 preference 20 permanent
    set route 0.0.0.0/0 interface ethernet2/3 gateway 10.30.250.1 preference 20 metric 2
    set route 10.30.3.0/27 vrouter "untrust-vr" preference 20 metric 1
    set route 10.25.8.10/32 vrouter "untrust-vr" preference 20 metric 1
    exit

     

    Interface IP address:


    set interface ethernet1/1 ip 10.30.8.1/27
    set interface ethernet1/1 nat
    set interface ethernet1/2 ip 10.30.4.1/27
    set interface ethernet1/2 nat
    set interface ethernet1/3 ip 10.30.6.1/27
    set interface ethernet1/3 nat
    set interface ethernet2/1 ip 10.30.7.1/27
    set interface ethernet2/1 nat
    set interface ethernet2/2 ip 10.30.3.1/27
    set interface ethernet2/2 nat
    set interface ethernet2/3 ip 10.30.250.3/27
    set interface ethernet2/3 route
    set interface ethernet2/4 ip 10.28.50.50/28
    set interface ethernet2/4 route
    set interface ethernet3/1 ip 10.30.35.1/26
    set interface ethernet3/1 route

     



  • 6.  RE: Static Routes
    Best Answer

    Posted 10-16-2010 11:59

    To rate, just click "mark post as accepted" at the bottom right corner.

    Below are the routes from the untrust to trust

    Yes, but the route below is at the untrust itself (i.e. not pointing to trust-vr, so you will find this subnet is not directly connected to untrust-vr):

    set route 10.25.8.10/32 interface ethernet2/4 gateway 10.28.50.49 preference 20

    Below are the routes from trust to untrust

    Yes, but the route below is at the trust itself (i.e. not pointing to untrust-vr, so you will find that this subnet is not directly connected to trust-vr):

    set route 10.30.1.0/27 interface ethernet2/3 gateway 10.30.250.1 preference 20 permanent


     ************  Mark My Post as Accepted if it solved your problem By clicking on the button saying " Accept  as Solution " ************
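
The hand-off between virtual routers discussed in this thread can be checked offline. The script below is an added example, not part of any post and not Juniper code: it parses a subset of the static routes posted above and follows a destination from one vrouter to the next until it reaches a gateway, runs out of routes, or loops. Assumptions: only static routes are modelled (connected routes are left out because the thread does not show which vrouter each interface belongs to), selection is longest prefix then lowest metric, and `parse` and `trace` are names made up for this example.

```python
import ipaddress
import re

# Subset of the static routes posted in the thread; a missing metric defaults to 1.
CONFIG = '''
set vrouter "untrust-vr"
set route 10.25.8.10/32 interface ethernet2/4 gateway 10.28.50.49 preference 20
set route 0.0.0.0/0 vrouter "trust-vr" preference 20 metric 1
exit
set vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet2/3 gateway 10.30.250.1 preference 20 metric 2
set route 10.30.3.0/27 vrouter "untrust-vr" preference 20 metric 1
set route 10.25.8.10/32 vrouter "untrust-vr" preference 20 metric 1
exit
'''

ROUTE = re.compile(
    r'set route (?P<net>\S+) (?:vrouter "(?P<vr>[^"]+)"'
    r'|interface (?P<ifc>\S+) gateway (?P<gw>\S+))'
    r'(?: preference \d+)?(?: metric (?P<metric>\d+))?')

def parse(config):
    """Return {vrouter: [(network, metric, next_hop), ...]}."""
    tables, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r'set vrouter "([^"]+)"$', line)
        if m:
            current = m.group(1)
        elif line == "exit":
            current = None
        elif current and (r := ROUTE.match(line)):
            hop = ("vrouter", r["vr"]) if r["vr"] else ("gateway", f'{r["ifc"]} {r["gw"]}')
            tables.setdefault(current, []).append(
                (ipaddress.ip_network(r["net"]), int(r["metric"] or 1), hop))
    return tables

def trace(tables, start_vr, dest):
    """Follow dest through the vrouters; return the vrouters visited and the outcome."""
    addr, vr, path = ipaddress.ip_address(dest), start_vr, []
    while vr not in path:
        path.append(vr)
        hits = [r for r in tables.get(vr, []) if addr in r[0]]
        if not hits:
            return path, "no route"
        # Longest prefix wins; among equal prefixes the lowest metric wins.
        _, _, (kind, target) = max(hits, key=lambda r: (r[0].prefixlen, -r[1]))
        if kind == "gateway":
            return path, target
        vr = target
    return path + [vr], "loop"
```

With only these static routes, tracing 10.30.3.5 from trust-vr reports a loop, which is what the firewall would face if 10.30.3.0/27 were not directly connected to untrust-vr.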

     



  • 7.  RE: Static Routes

    Posted 01-07-2014 18:40

    Hello,

    Please, help me, the documentation says:

    --

    Metric The metric is a preference number, with the lowest number having the
    highest priority. All directly connected networks have a metric of zero. All static
    routes have a default metric of one. There may be cases in which you need to add
    the same route twice, the preferred route with the lower metric and the less preferred
    route with the higher metric. If the first route is unavailable, the firewall will
    use the next route.

    --

    "If the first route is unavailable...", how does Juniper know this? Just if the interface is down?

    I want it to use the next route (metric 1 to metric 2) if the gateway is unavailable.

    (In my case, when the gateway is unavailable, the interface is not down)

    I already read about track IP, but it's for HW failover, and not route. So I can't use it to ping the gateway, and disable the route when it's not responding.

    I don't believe that the only way to do this is configuring a tunnel interface.



  • 8.  RE: Static Routes

     
    Posted 01-08-2014 01:15

    Hi,

    You are right. There is no gateway tracking mechanism that I am aware of, which can help in route failover. The route will stay up as long as the interface is up.

    Eventually, packet forwarding will fail as the gateway is down and will not respond to ARP requests.