Screen OS

  • 1.  routing between vr's

    Posted 02-16-2011 08:02

    Hi all,
    I read some documents but couldn't understand them exactly.
    I have a trust-vr and an untrust-vr on an SSG 20.
    I want to write a default route between these two VRs, so that packets coming to the untrust-vr can pass to the trust-vr and vice versa. How should I do this?



  • 2.  RE: routing between vr's

    Posted 02-16-2011 10:35

    There are a few different ways to do this, and the "proper" way is going to depend a lot on your needs for security, your setup, etc.

    In the Trust-VR, you can set the option to "auto export route to untrust-vr" through the WebUI. In the CLI it would be "set vrouter trust-vr auto-route-export". That will send the routes from the trust-vr into the untrust-vr.

    Then, again in the trust-vr, you can set the "Use default route" option in the WebUI to point the default route to the untrust-vr. In the CLI that would be "set vrouter trust add-default-route vrouter untrust-vr".

    If you want more control over which routes are sent between vrouters, you can use export and import rules to filter how routes are sent between VRs.  The online WebUI help has a decent overview of it, or you can check the ScreenOS Concepts & Examples Guide.  In the 6.3.0 C&E Guide, under Part 7 (Routing) / Chapter 33 (Routing) there's an overview and descriptions of vrouters and how they work, and near the end of that chapter is a section on importing and exporting routes between virtual routers.



  • 3.  RE: routing between vr's

    Posted 02-17-2011 01:21

    Thanks keithr,

    With the "set vrouter trust add-default-route vrouter untrust-vr" command I add the default route trust vr -> untrust vr.

    I should add "set vrouter untrust-vr add-default-route vrouter trust" in the same way, right?



  • 4.  RE: routing between vr's

    Posted 02-17-2011 10:07

    The "add-default-route" isn't valid for the untrust-vr; you'll get an error if you try to run that command.

    For the trust->untrust, you can use the default route method.

    For the untrust->trust, you can use the auto-route-export feature (note that you set this in the trust-vr, not the untrust-vr).

    Again, I recommend you evaluate the need for having full access between VRs.  If you want full connectivity between your VRs with no filtering, perhaps you don't need to be running separate VRs in the first place.  You can just put all your interfaces and security zones into the default trust-vr, then you don't have to worry about routing between VRs.



  • 5.  RE: routing between vr's
    Best Answer

    Posted 02-18-2011 01:17

    Thanks a lot, keithr.