Screen OS

Hi,

can you explain what will be this configuration behaviour:

set route 0.0.0.0/0 interface ethernet0/0 gateway 92.141.32.53 preference 20
set route 0.0.0.0/0 gateway 10.2.31.1 preference 20

 thanx 🙂

Hi,

You have either an active dynamic routing protocol on the firewall or active ip tracking on eth0/0 plus a static route to 10.2.31.1 which is configured with a preference lesser than 20 and mapped to an interface other than eth0/0.

If DPR on eth0/0 or IP tracking fails and eth0/0 goes down the first default GW goes also down. The FW looks up the routing table for the route to 10.2.31.1 and uses it's interface and gateway for routing all destination IPs (0.0.0.0/0).

You can read more on gateway tracking in KB9017. The explanation may be confusing because there is no real tracking with the packets. The feature is fully based on the routing table lookup.

As both routes have the same preference I would rather suppose that you use a DPR or an inter-VR route export/import.

Hi Edouards,

we don't have any DPR or tracking ip enabled in the configuration.

Ecmp routing is disabled.

#get route 

vrouter (untrust-vr)
-------------------------------------------
Routing Table
--------------------------------------------------------------------------------------

Total 0/max entries


Interfaces
--------------------------------------------------------------------------------------
ethernet1/0, ethernet1/1, ethernet1/2, ethernet1/3, ethernet1/4, ethernet1/5
ethernet1/6, ethernet1/7, hidden, loopback, null, tunnel

Default-vrouter:No
Shared-vrouter:Yes
nsrp-config-sync:Yes
Advertise-Inactive-Interface:Disabled
Source-Based-Routing:Disabled
SIBR-Routing:Disabled
Ignore-Subnet-Conflict:Disabled
ECMP-Routing:Disabled
vrouter (trust-vr)
-------------------------------------------
Routing Table
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2 trailing B: backup route

Total 9/max entries

         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        19          0.0.0.0/0         eth0/1      10.2.31.1   S   20      1     Root
*        18          0.0.0.0/0         eth0/0    92.141.32.53    S   20      1     Root

Interfaces
--------------------------------------------------------------------------------------
ethernet0/0, ethernet0/1, ethernet0/2, ethernet0/3, hidden.1, l2v
self, v1-dmz, v1-trust, v1-untrust, vlan1

Auto-exporting:Disabled
Default-vrouter:Yes
Shared-vrouter:Yes
nsrp-config-sync:Yes
System-Default-route:Not present 
Advertise-Inactive-Interface:Disabled
Source-Based-Routing:Disabled
SIBR-Routing:Disabled
SNMP Trap:Public
Ignore-Subnet-Conflict:Disabled
ECMP-Routing:Disabled

I have to write recommendation about this configuration, as I understand, both route are active, but as ECMP is not enabled, which one will be choose?

regards,

ludovic

Only the first learned route will be used.

See the chapter 33 in the routing volume of the Concepts and Examples guide.

http://www.juniper.net/techpubs/en_US/screenos6.3.0/information-products/pathway-pages/screenos/inde...

ECMP assists with load-balancing among two to four routes to the same destination or increases the effective bandwidth usage among two or more destinations. When ECMP is enabled, security devices use the statically defined routes or dynamically learn multiple routes to the same destination through a routing protocol. The security device assigns routes of equal cost in rotating (round-robin) fashion.

Without ECMP, the security device only uses the first learned or defined route. Other routes that are of equal cost remain unused until the currently active route is no longer active.

Web interface:
Network > Routing > Virtual Routers > Edit (for trust-vr): Enter the following, then click OK:
0 20

Maximum ECMP Routes: Set Limit at: (select), 2

CLI:
set vrouter trust-vr max-ecmp-routes 2

Hi,

If no DRP nor IP tracking is used the route with ID 18 will be selected as configured first.

I always use a higher metric for the backup/secondary routes for better predictabilty and readability. If the route ID 19 will be assigned a higher metric to, it will be marked as inactive under the normal conditions. It will take over if eth0/0 goes down. 

Hi Steve,

thanx for your answer, but I don't understand why when I issue the "get route" command, I have one * in front of each route.

*        19          0.0.0.0/0         eth0/1      10.2.31.1   S   20      1     Root
*        18          0.0.0.0/0         eth0/0    92.141.32.53    S   20      1     Root

Normally it means that both route are active, isn'it?

As ECMP is disabled, 

ECMP-Routing:Disabled

I should be in that case:

Without ECMP, the security device only uses the first learned or defined route. Other routes that are of equal cost remain unused until the currently active route is no longer active.

So, route to gateway 92.141.32.53 should be the only active, no?

set route 0.0.0.0/0 interface ethernet0/0 gateway 92.141.32.53 preference 20
set route 0.0.0.0/0 gateway 10.2.31.1 preference 20

The route is active and in the table.  But without ECMP the order of learning becomes essentially a third metric used to select which route to use.