SRX Services Gateway

Interface must be in the same routing instance as other interfaces in the zone

04-10-2018 11:03 PM

Hi,

Please find below the configuration and error message, and suggest an alternate way to achieve the requirement.

The same configuration is working fine in packet mode. We are trying to configure the same in flow mode.

 

set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 100 vlan-id 201
set interfaces reth0 unit 100 family inet address 10.10.14.18/30
set interfaces reth0 unit 105 vlan-id 452
set interfaces reth0 unit 105 family inet address 10.10.20.18/30
set security zones security-zone Untrust interfaces reth0.100
set security zones security-zone Untrust interfaces reth0.105

{primary:node0}[edit routing-instances]
root# show
Untrust {
    instance-type vrf;
    interface reth0.100;
    interface reth1.0;
    interface reth2.0;
}

set routing-instances Untrust route-distinguisher 12345:297
set routing-instances Untrust vrf-target target:12345:130
set routing-instances Untrust protocols bgp group Untrust_Airtel type external
set routing-instances Untrust protocols bgp group Untrust_Airtel export Untrust_EXPORT
set routing-instances Untrust protocols bgp group Untrust_Airtel peer-as 6789
set routing-instances Untrust protocols bgp group Untrust_Airtel local-as 12345
set routing-instances Untrust protocols bgp group Untrust_Airtel neighbor 192.168.160.1
set routing-instances Untrust protocols bgp group Untrust1_ISP2 type external
set routing-instances Untrust protocols bgp group Untrust1_ISP2 peer-as 34567
set routing-instances Untrust protocols bgp group Untrust1_ISP2 local-as 12345
set routing-instances Untrust protocols bgp group Untrust1_ISP2 neighbor 192.168.190.2

 

{primary:node0}[edit]
root# commit check
[edit security zones security-zone Untrust]
  'interfaces reth0.105'
    Interface reth0.105 must be in the same routing instance as other interfaces in the zone
error: configuration check-out failed


Re: Interface must be in the same routing instance as other interfaces in the zone

02-07-2019 01:32 AM

Hi Nik_MH

 

See article: https://kb.juniper.net/InfoCenter/index?page=content&id=KB26775

 

I believe the issue is you have two interfaces in the same routing instance but in different security zones.

 

From your config:

1. you create reth0.100 and reth0.105 which are by default in the 'global' routing instance;

  - both interfaces in the same routing instance: OK

2. next you place both reth0.100 and reth0.105 into the 'Untrust' security zone;

  - both interfaces in the same security zone: OK

3. you then move reth0.100 to the 'Untrust' routing instance (which you obviously created);

  - both interfaces in different routing instances but same security zone: NOT OK

 

JUNOS does not allow an interface to be in more than one security zone, and it does not allow one security zone to be associated (by its member interfaces) with more than one routing instance.

 

I believe this is your problem.

 

You must follow the one-to-many rule of association between interfaces, zones and v-routers:

> 1-to-Many: one routing instance to one or more security zones (1:*)

> 1-to-Many: one security zone to one or more [sub-]interfaces (1:*)

By derivation, we then have:

> 1-to-Many: one routing instance to one or more [sub-]interfaces (1:*)

 

Another way of stating it is:

- an interface may be a member of one and only one security zone, and a security zone may be a member of one and only one routing instance, therefore an interface may be a member of one and only one routing instance.

 

Please let us know if that solves your problem.

 

As a side note, I would recommend having a naming convention that differentiates between routing instances and security zones, which will help reduce confusion when viewing the config.

 

Hope that helps.
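
The zone-to-routing-instance rule described in this reply can be checked offline before running `commit check`. The following is an added example, not part of the original posts and not Juniper code: it reads set-format configuration (the sample is constructed from the thread's config, with the routing-instance membership written as `set` lines) and reports zones whose member interfaces fall in more than one routing instance. The `<default>` label and the function name are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in "set" format, modelled on the configuration in the thread.
SAMPLE = """\
set security zones security-zone Untrust interfaces reth0.100
set security zones security-zone Untrust interfaces reth0.105
set routing-instances Untrust instance-type vrf
set routing-instances Untrust interface reth0.100
set routing-instances Untrust interface reth1.0
set routing-instances Untrust interface reth2.0
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)")
DEFAULT_RI = "<default>"  # label used here for interfaces listed in no routing instance


def zone_instance_conflicts(config: str) -> dict:
    """Return {zone: {routing_instance: [interfaces]}} for zones spanning >1 instance."""
    zone_members = defaultdict(list)
    iface_ri = {}
    for line in config.splitlines():
        line = line.strip()
        if m := ZONE_RE.match(line):
            zone_members[m.group(1)].append(m.group(2))
        elif m := RI_RE.match(line):
            iface_ri[m.group(2)] = m.group(1)
    conflicts = {}
    for zone, ifaces in zone_members.items():
        by_ri = defaultdict(list)
        for iface in ifaces:
            # An interface absent from every routing instance stays in the default one.
            by_ri[iface_ri.get(iface, DEFAULT_RI)].append(iface)
        if len(by_ri) > 1:
            conflicts[zone] = dict(by_ri)
    return conflicts


if __name__ == "__main__":
    for zone, by_ri in zone_instance_conflicts(SAMPLE).items():
        print(f"zone {zone} spans routing instances:")
        for ri, ifaces in by_ri.items():
            print(f"  {ri}: {', '.join(ifaces)}")
```

On the sample it reports zone Untrust with reth0.100 in routing instance Untrust and reth0.105 in the default instance, which is the condition the commit error names.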