SRX Getting Started - Custom Virtual Router Configuration Example

Knowledge Base ID: KB16453
Last Updated: 27 Mar 2014
Version: 8.0

Summary:

This article describes how to configure virtual routers and verify your configuration.

For other topics, go to the SRX Getting Started main page.

Problem or Goal:

Create two virtual routers, assign interfaces to them, and bind those interfaces to security zones.

Solution:

Overview

In Junos OS, a virtual router is a type of routing instance: a collection of routing tables, interfaces, and routing-option settings. To establish a virtual router, you do the following:

  • Create a virtual router (a routing instance of type virtual-router).
  • Assign interfaces to the virtual router (interfaces you leave unassigned stay in the default instance, whose IPv4 table is inet.0).
  • Assign each interface to a security zone.

Note: Binding interfaces to zones is configured separately from binding interfaces to a virtual router (routing instance). The tasks to create a virtual router in Junos OS are slightly different from those in ScreenOS, where you would assign a zone to a virtual router and then assign an interface to a zone.


Keep the following in mind when configuring virtual routers:

  • For self-initiated management traffic (for example, system logs and traps), route lookup starts with inet.0.

  • Interfaces that are not explicitly members of any custom virtual router are members of inet.0.

CLI Configuration

To configure virtual routers, perform the tasks in the following sections in order.

Assigning IP Addresses to Interfaces

Assign interface IP addresses. In the following example, 6.6.6.5/24 and 7.7.7.5/24 are assigned to the fe-0/0/2 and fe-0/0/3 interfaces, respectively. (The hierarchy is interfaces, plural; set interface is not valid Junos OS syntax.)

user@host# set interfaces fe-0/0/2 unit 0 family inet address 6.6.6.5/24
user@host# set interfaces fe-0/0/3 unit 0 family inet address 7.7.7.5/24

Creating Virtual Routers and Assigning Interfaces

To create virtual routers and assign interfaces to the virtual routers:

  1. Create a virtual router (named blue-vr in this example).

    user@host# set routing-instances blue-vr instance-type virtual-router

  2. Assign interfaces to the virtual router. In the following example, the fe-0/0/2.0 interface is assigned to the blue-vr virtual router.

    user@host# set routing-instances blue-vr interface fe-0/0/2.0

  3. Create another virtual router (named red-vr in this example).

    user@host# set routing-instances red-vr instance-type virtual-router

  4. Assign interfaces to the virtual router. In the following example, the fe-0/0/3.0 interface is assigned to the red-vr virtual router.

    user@host# set routing-instances red-vr interface fe-0/0/3.0

Creating Security Zones and Assigning Interfaces

Next, create security zones and assign interfaces to those zones. Assigning interfaces to zones is defined independently from the virtual router, but all interfaces in the same zone must be bound to the same virtual router.

To create security zones and assign interfaces:
  1. Create a security zone for the blue-vr virtual router (in this example, blue-trust).

    user@host# set security zones security-zone blue-trust

  2. Assign an interface to the blue-trust zone (in this example, fe-0/0/2.0).

    user@host# set security zones security-zone blue-trust interfaces fe-0/0/2.0

  3. Create a security zone for the red-vr virtual router (in this example, red-trust).

    user@host# set security zones security-zone red-trust

  4. Assign an interface to the red-trust zone (in this example, fe-0/0/3.0).

    user@host# set security zones security-zone red-trust interfaces fe-0/0/3.0


Importing Routes Between Virtual Routers

Optionally, after creating virtual routers and assigning interfaces to them, you can import routes from one virtual router into another. Without this, each virtual router knows only its own routes, so hosts behind blue-vr have no path to prefixes behind red-vr and vice versa.

To configure the importing of routes between virtual routing instances:

  1. Create a policy statement that defines matching criteria and the action to take for routes that match. In this example, a policy statement named from_blue_to_red matches every route whose source is the blue-vr routing instance and accepts it. Because the term has no route-filter, it imports all of blue-vr's routes; narrow it with a route-filter if only specific prefixes should be reachable across the boundary.

    user@host# set policy-options policy-statement from_blue_to_red term term1 from instance blue-vr
    user@host# set policy-options policy-statement from_blue_to_red term term1 then accept

  2. Apply a policy to routes being imported into a routing instance. In this example, the from_blue_to_red policy is applied to routes imported into the red-vr routing instance.

    user@host# set routing-instances red-vr routing-options instance-import from_blue_to_red
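The following Python script is an added example for this article (it is not Juniper code and not part of the original page). It parses the set commands from the two procedures above (virtual routers and zones; route import) and checks the rule stated earlier, that all interfaces in one zone must belong to the same virtual router, then predicts which Direct and Local routes each virtual router's inet.0 table will hold before and after instance-import. Assumptions: set-format input with one statement per line, only the statement shapes used in this article are recognised (one term per policy-statement, import is single-hop), and a constructed fe-0/0/4 interface with the address 192.0.2.1/24 is added to show that an interface left out of every custom routing instance lands in the default instance's inet.0. The lo0 routes that appear in the verification output later in the article are not part of the configuration shown here and are not modelled.

```python
"""Model the virtual-router, zone and route-import relationships created by
the article's set commands and check that no zone spans two virtual routers.

Added example for KB16453, not Juniper code. Assumptions: Junos set-format
input, one statement per line; only the statement shapes used in the article
are parsed (one term per policy-statement); import is single-hop.
"""
import ipaddress
import re
from collections import defaultdict

MASTER = "master"  # the default instance; its IPv4 table is inet.0

# Constructed sample: the article's commands plus one extra interface
# (fe-0/0/4, an assumption) that is not placed in any routing instance.
ARTICLE_CONFIG = """
set interfaces fe-0/0/2 unit 0 family inet address 6.6.6.5/24
set interfaces fe-0/0/3 unit 0 family inet address 7.7.7.5/24
set interfaces fe-0/0/4 unit 0 family inet address 192.0.2.1/24
set routing-instances blue-vr instance-type virtual-router
set routing-instances blue-vr interface fe-0/0/2.0
set routing-instances red-vr instance-type virtual-router
set routing-instances red-vr interface fe-0/0/3.0
set security zones security-zone blue-trust interfaces fe-0/0/2.0
set security zones security-zone red-trust interfaces fe-0/0/3.0
set policy-options policy-statement from_blue_to_red term term1 from instance blue-vr
set policy-options policy-statement from_blue_to_red term term1 then accept
set routing-instances red-vr routing-options instance-import from_blue_to_red
"""

# Constructed misconfiguration: an interface bound to red-vr is also put in
# the blue-trust zone, which the article says is not allowed.
BAD_CONFIG = ARTICLE_CONFIG + \
    "set security zones security-zone blue-trust interfaces fe-0/0/3.0\n"


def parse_config(text):
    """Extract addresses, interface->VR bindings, zones and import policies."""
    cfg = {"addrs": {}, "vr_of": {}, "zones": defaultdict(list),
           "policy_from": defaultdict(list), "policy_accept": set(),
           "imports": defaultdict(list)}
    for line in text.strip().splitlines():
        if m := re.match(r"set interfaces (\S+) unit (\d+) family inet address (\S+)$", line):
            cfg["addrs"][f"{m[1]}.{m[2]}"] = m[3]          # logical unit -> prefix
        elif m := re.match(r"set routing-instances (\S+) interface (\S+)$", line):
            cfg["vr_of"][m[2]] = m[1]                        # unit -> virtual router
        elif m := re.match(r"set security zones security-zone (\S+) interfaces (\S+)$", line):
            cfg["zones"][m[1]].append(m[2])
        elif m := re.match(r"set policy-options policy-statement (\S+) term \S+ from instance (\S+)$", line):
            cfg["policy_from"][m[1]].append(m[2])
        elif m := re.match(r"set policy-options policy-statement (\S+) term \S+ then accept$", line):
            cfg["policy_accept"].add(m[1])
        elif m := re.match(r"set routing-instances (\S+) routing-options instance-import (\S+)$", line):
            cfg["imports"][m[1]].append(m[2])
    return cfg


def vr_for(cfg, iface):
    """Interfaces not placed in a custom virtual router belong to inet.0."""
    return cfg["vr_of"].get(iface, MASTER)


def check_zone_vr_consistency(cfg):
    """Return (zone, [virtual routers]) for each zone that spans more than one VR."""
    problems = []
    for zone, ifaces in cfg["zones"].items():
        vrs = sorted({vr_for(cfg, i) for i in ifaces})
        if len(vrs) > 1:
            problems.append((zone, vrs))
    return problems


def routing_tables(cfg):
    """Direct/Local routes per VR, then copy routes in via instance-import.

    A VR's own routes win over an imported route for the same prefix.
    """
    tables = defaultdict(dict)  # vr -> {prefix: (protocol, via)}
    for iface, addr in cfg["addrs"].items():
        ip = ipaddress.ip_interface(addr)
        vr = vr_for(cfg, iface)
        tables[vr][str(ip.network)] = ("Direct", iface)   # connected subnet
        tables[vr][f"{ip.ip}/32"] = ("Local", iface)      # the interface address
    for vr, policies in cfg["imports"].items():
        for pol in policies:
            if pol not in cfg["policy_accept"]:
                continue
            for src in cfg["policy_from"][pol]:
                for prefix, route in list(tables[src].items()):
                    tables[vr].setdefault(prefix, route)
    return {vr: dict(sorted(t.items())) for vr, t in tables.items()}


if __name__ == "__main__":
    cfg = parse_config(ARTICLE_CONFIG)
    print("zone/VR problems:", check_zone_vr_consistency(cfg))
    for vr, table in routing_tables(cfg).items():
        print(f"{vr}.inet.0: {len(table)} routes")
        for prefix, (proto, via) in table.items():
            print(f"  {prefix:<18} [{proto}/0] via {via}")
    print("bad config:", check_zone_vr_consistency(parse_config(BAD_CONFIG)))
```

Run it as-is to see red-vr end up with its own two routes plus the two imported from blue-vr, while blue-vr keeps only its own (the import is one-way), and to see the constructed BAD_CONFIG flagged because blue-trust would span blue-vr and red-vr. Feeding it the output of `show configuration | display set` from a real device works for these statement shapes only.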


Creating Security Policies

To allow traffic through the SRX Series device, create a security policy if you have not already done so. Routes imported between virtual routers only make the prefixes reachable; traffic between zones is still dropped until a security policy permits it. For information about creating security policies, see KB16553 and the Security Policies Feature Guide for Security Devices.

The following example creates a security policy named default-permit that allows traffic from the blue-trust zone to the red-trust zone. The any/any/any match is convenient for verifying the lab setup; in production, restrict source-address, destination-address and application to what the zones actually need.

user@host# set security policies from-zone blue-trust to-zone red-trust policy default-permit match source-address any
user@host# set security policies from-zone blue-trust to-zone red-trust policy default-permit match destination-address any
user@host# set security policies from-zone blue-trust to-zone red-trust policy default-permit match application any
user@host# set security policies from-zone blue-trust to-zone red-trust policy default-permit then permit

The following example configures the default-permit security policy that allows traffic from the red-trust zone to the blue-trust zone:

user@host# set security policies from-zone red-trust to-zone blue-trust policy default-permit match source-address any
user@host# set security policies from-zone red-trust to-zone blue-trust policy default-permit match destination-address any
user@host# set security policies from-zone red-trust to-zone blue-trust policy default-permit match application any
user@host# set security policies from-zone red-trust to-zone blue-trust policy default-permit then permit

Technical Documentation: Routing Instances Overview


Verification

The following shows how to verify the configuration, using the configuration example from above:


Basic Virtual Router Configuration

To review entries in the routing tables, use the show route operational mode command. Each virtual router has its own inet.0 table (red-vr.inet.0 and blue-vr.inet.0 below). The 6.6.5.5/32 and 7.7.5.5/32 routes via lo0.1 and lo0.2 come from loopback units on the device used for this output; they are not part of the configuration shown above.

user@host> show route

red-vr.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.7.5.5/32         *[Direct/0] 00:01:56
                    > via lo0.2
7.7.7.0/24         *[Direct/0] 00:01:56
                    > via fe-0/0/3.0
7.7.7.5/32         *[Local/0] 00:01:56
                      Local via fe-0/0/3.0

blue-vr.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

6.6.5.5/32         *[Direct/0] 00:01:56
                    > via lo0.1
6.6.6.0/24         *[Direct/0] 00:01:56
                    > via fe-0/0/2.0
6.6.6.5/32         *[Local/0] 00:01:56
                      Local via fe-0/0/2.0


To review routing instance information, use the show route instance operational mode command.

user@host> show route instance
Instance             Type
         Primary RIB                       Active/holddown/hidden
__juniper_private1__ forwarding
         __juniper_private1__.inet.0       4/0/2
         __juniper_private1__.inet6.0      5/0/0
__juniper_private2__ forwarding
         __juniper_private2__.inet.0       0/0/1
__master.anon__      forwarding
master               forwarding
         inet.0                            8/0/0
blue-vr              virtual-router
red-vr               virtual-router


To review information about a specific virtual router, use the show route instance operational mode command with the virtual router name.

user@host> show route instance red-vr
Instance             Type
         Primary RIB                       Active/holddown/hidden
red-vr               virtual-router


To review only the virtual routing instances, pipe the show route instance output through the find vr filter.

user@host> show route instance | find vr
blue-vr              virtual-router
         blue-vr.inet.0                    3/0/0
red-vr               virtual-router
         red-vr.inet.0                     3/0/0


Importing of Routes Between Virtual Routers

To verify the active entries in the routing tables after the import, use the show route operational mode command piped through the find vr filter. red-vr.inet.0 now carries blue-vr's three routes in addition to its own, while blue-vr.inet.0 is unchanged because the import is configured in one direction only.

user@host> show route | find vr

red-vr.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

6.6.5.5/32         *[Direct/0] 00:00:28
                    > via lo0.1
6.6.6.0/24         *[Direct/0] 00:00:28
                    > via fe-0/0/2.0
6.6.6.5/32         *[Local/0] 00:00:28
                      Local via fe-0/0/2.0
7.7.5.5/32         *[Direct/0] 00:08:36
                    > via lo0.2
7.7.7.0/24         *[Direct/0] 00:08:36
                    > via fe-0/0/3.0
7.7.7.5/32         *[Local/0] 00:08:36
                      Local via fe-0/0/3.0

blue-vr.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

6.6.5.5/32         *[Direct/0] 00:08:36
                    > via lo0.1
6.6.6.0/24         *[Direct/0] 00:08:36
                    > via fe-0/0/2.0
6.6.6.5/32         *[Local/0] 00:08:36
                      Local via fe-0/0/2.0

Purpose: Configuration, Implementation

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.