Sample configuration on SRX with 2 virtual routers using the logical tunnel

Article ID: KB22053 KB Last Updated: 10 Nov 2011Version: 3.0
Summary:
By default, ScreenOS has two virtual routers: trust-vr and untrust-vr. Normally only trust-vr is used; in some scenarios, however, a customer may use both, or even three or more virtual routers.


Symptoms:
A typical use case for both virtual routers is one where:

  • The untrust zone connects to a large network with a large number of routes.

  • The device should perform its own path determination.

  • Route flapping in the untrust zone networks can be filtered so that it does not affect the trust zone networks.

  • The trust zone and untrust zone networks are in different routing domains.

Here is a typical configuration on the ScreenOS device:
ns25-> get vr trust config
set vrouter "trust-vr"
unset auto-route-export
exit
set vrouter "trust-vr"
unset add-default-route
set route 172.0.0.0/8 gateway 172.27.6.1
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20
exit
ns25-> get vr untrust config
set vrouter "untrust-vr"
set protocol ospf
set enable
exit
exit
set vrouter "untrust-vr"
set route 172.0.0.0/8 vrouter "trust-vr" preference 20
exit
set interface ethernet3 protocol ospf area 0.0.0.0
set interface ethernet3 protocol ospf enable


ns25-> get route
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2


IPv4 Dest-Routes for <untrust-vr> (18 entries)
--------------------------------------------------------------------------------
   ID         IP-Prefix       Interface          Gateway   P Pref    Mtr    Vsys
--------------------------------------------------------------------------------
*   4         0.0.0.0/0            eth3   192.168.200.57  E2  200      0    Root
*  21       172.0.0.0/8             n/a         trust-vr   S   20      0    Root
   15       172.0.0.0/8            eth3   192.168.200.57  E2  200      0    Root
*   1  192.168.200.0/24            eth3          0.0.0.0   C    0      0    Root
*  14 192.168.200.58/32            eth3   192.168.200.57  E2  200      0    Root
*   2 192.168.200.25/32            eth3          0.0.0.0   H    0      0    Root
*  16     10.206.0.0/16            eth3   192.168.200.57  E2  200      0    Root
*  17     10.209.0.0/16            eth3   192.168.200.57  E2  200      0    Root
*   3  192.168.122.0/24            eth3   192.168.200.57   O   60      2    Root
*  13      10.10.9.0/24            eth3   192.168.200.57  E2  200      0    Root
*  12      10.10.8.0/24            eth3   192.168.200.57  E2  200      0    Root
*  11      10.10.7.0/24            eth3   192.168.200.57  E2  200      0    Root
*  10      10.10.6.0/24            eth3   192.168.200.57  E2  200      0    Root
*   9      10.10.5.0/24            eth3   192.168.200.57  E2  200      0    Root
*   8      10.10.4.0/24            eth3   192.168.200.57  E2  200      0    Root
*   7      10.10.3.0/24            eth3   192.168.200.57  E2  200      0    Root
*   6      10.10.2.0/24            eth3   192.168.200.57  E2  200      0    Root
*   5      10.10.1.0/24            eth3   192.168.200.57  E2  200      0    Root



IPv4 Dest-Routes for <trust-vr> (4 entries)
--------------------------------------------------------------------------------
   ID          IP-Prefix      Interface          Gateway   P  Pref   Mtr    Vsys
--------------------------------------------------------------------------------
*  14          0.0.0.0/0            n/a       untrust-vr   S    20     0    Root
*   3      172.27.6.0/24           eth1          0.0.0.0   C     0     0    Root
*   9        172.0.0.0/8           eth1       172.27.6.1   S    20     1    Root
*   4     172.27.6.25/32           eth1          0.0.0.0   H     0     0    Root

Untrust-vr learns routes from the untrust zone networks, so the device can use that information for proper path determination. A static route is configured on untrust-vr to direct the corresponding traffic to trust-vr:
* 21 172.0.0.0/8 n/a trust-vr S 20 0 Root

Trust-vr is configured with a default route pointing to untrust-vr, so any destination unknown to trust-vr is handed to untrust-vr:
* 14 0.0.0.0/0 n/a untrust-vr S 20 0 Root
Cause:

Solution:
On SRX, routing instances take the place of the virtual-router configuration used in ScreenOS.


                                        +--------------------+
       1.1.1.0/24 ------------(fe-0/0/2)| trust-vr           |
   (Trust zone network)                 | routing-instance   |
                                        +--------------------+
                                             (lt-0/0/0.0)
                                                  |
                                                  |
                                             (lt-0/0/0.1)
                                        +---------------------+
      192.168.200.0/24--------(ge-0/0/0)| untrust-vr          |
   (Untrust zone network)               | routing-instance    |
                                        +---------------------+


  1. Configure the interface for the untrust zone network:
    set interfaces ge-0/0/0 unit 0 family inet address 192.168.200.53/24
  2. Configure the interface for the trust zone network:
    set interfaces fe-0/0/2 unit 0 family inet address 1.1.1.3/24
  3. Configure the lt-0/0/0 interface that interconnects the routing instances:

    Note: Assign lt-0/0/0 private addresses that are not used anywhere else on this router.
    set interfaces lt-0/0/0 unit 0 encapsulation frame-relay
    set interfaces lt-0/0/0 unit 0 dlci 100
    set interfaces lt-0/0/0 unit 0 peer-unit 1
    set interfaces lt-0/0/0 unit 0 family inet address 10.10.10.1/24
    set interfaces lt-0/0/0 unit 1 encapsulation frame-relay
    set interfaces lt-0/0/0 unit 1 dlci 100
    set interfaces lt-0/0/0 unit 1 peer-unit 0
    set interfaces lt-0/0/0 unit 1 family inet address 10.10.10.2/24
  4. Configure the trust-vr routing instance and place the trust zone interface and lt-0/0/0.0 in it:
    set routing-instances trust-vr instance-type virtual-router
    set routing-instances trust-vr interface lt-0/0/0.0
    set routing-instances trust-vr interface fe-0/0/2.0
  5. Configure the untrust-vr routing instance and place the untrust zone interface and lt-0/0/0.1 in it:
    set routing-instances untrust-vr instance-type virtual-router
    set routing-instances untrust-vr interface ge-0/0/0.0
    set routing-instances untrust-vr interface lt-0/0/0.1
  6. Bind the trust zone interface and lt-0/0/0.0 to the trust zone and define the internal-net address object:
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces fe-0/0/2.0
    set security zones security-zone trust interfaces lt-0/0/0.0
    set security zones security-zone trust address-book address internal-net 1.1.1.0/24

  7. Bind the untrust zone interface and lt-0/0/0.1 to the untrust zone and define the internal-net address object:
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust host-inbound-traffic system-services all
    set security zones security-zone untrust host-inbound-traffic protocols all
    set security zones security-zone untrust interfaces lt-0/0/0.1
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set security zones security-zone untrust address-book address internal-net 1.1.1.0/24

  8. Configure the source NAT (if required):
    set security nat source rule-set src1 from interface lt-0/0/0.1
    set security nat source rule-set src1 to interface ge-0/0/0.0
    set security nat source rule-set src1 rule r1 match destination-address 0.0.0.0/0
    set security nat source rule-set src1 rule r1 then source-nat interface
  9. Configure the appropriate security policies:
    #Permit traffic between fe-0/0/2.0 and lt-0/0/0.0
    set security policies from-zone trust to-zone trust policy t2t match source-address internal-net
    set security policies from-zone trust to-zone trust policy t2t match destination-address any
    set security policies from-zone trust to-zone trust policy t2t match application any
    set security policies from-zone trust to-zone trust policy t2t then permit

    #Permit traffic between lt-0/0/0.1 and ge-0/0/0.0
    set security policies from-zone untrust to-zone untrust policy ut2ut match source-address internal-net
    set security policies from-zone untrust to-zone untrust policy ut2ut match destination-address any
    set security policies from-zone untrust to-zone untrust policy ut2ut match application any
    set security policies from-zone untrust to-zone untrust policy ut2ut then permit

  10. Configure the routing protocol for the untrust network (if required):
    set routing-instances untrust-vr protocols ospf export static
    set routing-instances untrust-vr protocols ospf area 0.0.0.0 interface ge-0/0/0.0
  11. Configure the default route on the trust-vr routing-instance:
    set routing-instances trust-vr routing-options static route 0.0.0.0/0 next-hop lt-0/0/0.0
  12. Configure the static route for return traffic (traffic to trust-vr) on untrust-vr routing-instance:
    set routing-instances untrust-vr routing-options static route 1.1.1.0/24 next-hop lt-0/0/0.1
  13. Configure the export policy "static", which filters out the static route for return traffic so that the trust network is not exposed to the external network:
    set policy-options prefix-list internal-net 1.1.1.0/24
    set policy-options policy-statement static term 1 from protocol static
    set policy-options policy-statement static term 1 from prefix-list-filter internal-net exact
    set policy-options policy-statement static term 1 then reject
    set policy-options policy-statement static term 2 from protocol static
    set policy-options policy-statement static term 2 then accept
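The export policy in step 13 is what keeps the trust network out of the untrust routing domain, so it is worth checking what it actually exports. The following Python model is an added example, not Juniper code and not part of the article: it takes the untrust-vr routes from the "show route" output further down, adds one constructed static route (1.1.1.128/25, not on the page), and walks them through the two terms of the policy. It also goes beyond the article by modelling the other prefix-list-filter match types (longer, orlonger) to show that "exact" only suppresses 1.1.1.0/24 itself, not a more specific static route inside it. The helper names and the "reject" default action (which stands in for OSPF's default of exporting no routes from other protocols) are this example's assumptions.

```python
import ipaddress

# Untrust-vr routes transcribed from the article's "show route" output as
# (protocol, prefix) pairs. The 1.1.1.128/25 static is a constructed
# addition used to show the limits of an "exact" prefix-list match.
UNTRUST_VR_ROUTES = [
    ("static", "1.1.1.0/24"),
    ("static", "1.1.1.128/25"),      # constructed, not in the article
    ("direct", "10.10.10.0/24"),
    ("local", "10.10.10.2/32"),
    ("ospf", "123.30.192.224/27"),
    ("ospf", "172.0.0.0/8"),
    ("direct", "192.168.200.0/24"),
    ("local", "192.168.200.53/32"),
    ("static", "192.168.250.0/24"),
]

# set policy-options prefix-list internal-net 1.1.1.0/24
PREFIX_LISTS = {"internal-net": ["1.1.1.0/24"]}


def prefix_list_match(prefix, entries, match_type):
    """Emulate prefix-list-filter match types: exact, longer, orlonger."""
    net = ipaddress.ip_network(prefix)
    for entry in entries:
        ent = ipaddress.ip_network(entry)
        if match_type == "exact" and net == ent:
            return True
        if match_type == "orlonger" and net.subnet_of(ent):
            return True
        if match_type == "longer" and net != ent and net.subnet_of(ent):
            return True
        if match_type not in ("exact", "longer", "orlonger"):
            raise ValueError("unknown match type: %s" % match_type)
    return False


def export_policy(match_type="exact"):
    """The article's policy-statement 'static' as an ordered list of terms.
    match_type is the prefix-list-filter qualifier on term 1 ("exact" in
    the article)."""
    return [
        {"name": "1", "protocol": "static",
         "prefix_list": ("internal-net", match_type), "action": "reject"},
        {"name": "2", "protocol": "static", "action": "accept"},
    ]


def evaluate(route, terms, default="reject"):
    """First matching term wins, as in Junos. Routes matching no term fall
    to the default action; for OSPF export that means 'not exported'."""
    proto, prefix = route
    for term in terms:
        if term["protocol"] != proto:
            continue
        if "prefix_list" in term:
            name, match_type = term["prefix_list"]
            if not prefix_list_match(prefix, PREFIX_LISTS[name], match_type):
                continue
        return term["action"], term["name"]
    return default, "default"


def exported_prefixes(routes=UNTRUST_VR_ROUTES, match_type="exact"):
    """Prefixes untrust-vr would advertise into OSPF under the policy."""
    terms = export_policy(match_type)
    return [p for r in routes if evaluate(r, terms)[0] == "accept" for p in [r[1]]]


if __name__ == "__main__":
    for mt in ("exact", "orlonger"):
        print(mt, "->", exported_prefixes(match_type=mt))
```

With the article's "exact" qualifier, 1.1.1.0/24 is rejected by term 1 but the constructed 1.1.1.128/25 static slips through term 2 and would be advertised; "orlonger" rejects both. If more specific static routes for the trust network are ever added on untrust-vr, the prefix-list-filter qualifier is the setting to revisit.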


Routing table output:

lab@srx210a.hk# run show route

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.0.0.0/8 *[Static/5] 1w0d 08:28:37
> to 172.27.6.1 via ge-0/0/1.0
172.27.6.0/24 *[Direct/0] 1w0d 08:28:38
> via ge-0/0/1.0
172.27.6.53/32 *[Local/0] 1w0d 08:28:42
Local via ge-0/0/1.0

trust-vr.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 02:58:30
> via lt-0/0/0.0
1.1.1.0/24 *[Direct/0] 03:14:46
> via fe-0/0/2.0
1.1.1.3/32 *[Local/0] 1w0d 08:28:41
Local via fe-0/0/2.0
10.1.22.0/24 *[Direct/0] 03:14:46
> via fe-0/0/2.0
10.1.22.254/32 *[Local/0] 1w0d 08:28:41
Local via fe-0/0/2.0
10.10.10.0/24 *[Direct/0] 02:58:30
> via lt-0/0/0.0
10.10.10.1/32 *[Local/0] 02:58:30
Local via lt-0/0/0.0

untrust-vr.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.0/24 *[Static/5] 01:14:46
> via lt-0/0/0.1
10.10.10.0/24 *[Direct/0] 02:58:30
> via lt-0/0/0.1
10.10.10.2/32 *[Local/0] 02:58:30
Local via lt-0/0/0.1
123.30.192.224/27 *[OSPF/150] 00:48:59, metric 21, tag 0
> to 192.168.200.25 via ge-0/0/0.0
172.0.0.0/8 *[OSPF/150] 00:51:20, metric 21, tag 0
> to 192.168.200.25 via ge-0/0/0.0
192.168.200.0/24 *[Direct/0] 1w0d 08:28:38
> via ge-0/0/0.0
192.168.200.53/32 *[Local/0] 1w0d 08:28:42
Local via ge-0/0/0.0
192.168.250.0/24 *[Static/5] 00:42:04
> via lt-0/0/0.1
224.0.0.5/32 *[OSPF/10] 1w0d 08:29:59, metric 1
MultiRecv


Security flow session output:
lab@srx210a.hk# run show security flow session protocol tcp

Session ID: 31401, Policy name: t2t/8, Timeout: 1798, Valid
In: 1.1.1.122/43373 --> 192.168.200.1/23;tcp, If: fe-0/0/2.0, Pkts: 39, Bytes: 1645
Out: 192.168.200.1/23 --> 1.1.1.122/43373;tcp, If: lt-0/0/0.0, Pkts: 38, Bytes: 1634

Session ID: 32031, Policy name: ut2ut/9, Timeout: 1798, Valid
In: 1.1.1.122/43373 --> 192.168.200.1/23;tcp, If: lt-0/0/0.1, Pkts: 39, Bytes: 1645
Out: 192.168.200.1/23 --> 192.168.200.53/2130;tcp, If: ge-0/0/0.0, Pkts: 38, Bytes: 1634
Total sessions: 2

Traffic from 1.1.1.122 (trust zone network) destined to 192.168.200.1 (untrust zone network) is source NAT'd on the untrust zone interface. The overall traffic behavior on the SRX is very similar to that of an SSG configured with two VRs.
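Because every trust-to-untrust connection crosses the lt-0/0/0 pair, a single flow shows up as two sessions, one per routing instance, and the source NAT is only visible on the second. The following Python script is an added example, not Juniper code and not part of the article: it parses the "show security flow session" output above (embedded here as sample input) and checks that a given client-to-server flow hits both policies, enters and leaves on the expected interfaces, and is translated on the ge-0/0/0.0 egress. The function and field names, and the interface names passed as defaults, are this example's assumptions.

```python
import re

# Session listing copied from the article's "show security flow session
# protocol tcp" output and embedded here as sample input.
SAMPLE = """\
Session ID: 31401, Policy name: t2t/8, Timeout: 1798, Valid
In: 1.1.1.122/43373 --> 192.168.200.1/23;tcp, If: fe-0/0/2.0, Pkts: 39, Bytes: 1645
Out: 192.168.200.1/23 --> 1.1.1.122/43373;tcp, If: lt-0/0/0.0, Pkts: 38, Bytes: 1634

Session ID: 32031, Policy name: ut2ut/9, Timeout: 1798, Valid
In: 1.1.1.122/43373 --> 192.168.200.1/23;tcp, If: lt-0/0/0.1, Pkts: 39, Bytes: 1645
Out: 192.168.200.1/23 --> 192.168.200.53/2130;tcp, If: ge-0/0/0.0, Pkts: 38, Bytes: 1634
Total sessions: 2
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^/]+)/\d+")
WING_RE = re.compile(
    r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: ([^,]+),")


def parse_sessions(text):
    """Return a list of sessions, each with its policy and In/Out wings."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "policy": m.group(2), "wings": {}}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current["wings"][m.group(1)] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "ifc": m.group(7),
            }
    return sessions


def _find(sessions, client, server, in_ifc, out_ifc):
    for s in sessions:
        w_in, w_out = s["wings"].get("In"), s["wings"].get("Out")
        if not w_in or not w_out:
            continue
        if (w_in["src"] == client and w_in["dst"] == server
                and w_in["ifc"] == in_ifc and w_out["ifc"] == out_ifc):
            return s
    return None


def check_hairpin(sessions, client, server, trust_ifc="fe-0/0/2.0",
                  lt_trust="lt-0/0/0.0", lt_untrust="lt-0/0/0.1",
                  untrust_ifc="ge-0/0/0.0"):
    """Verify one client->server flow traverses trust-vr, the lt pair and
    untrust-vr. The reverse wing of the untrust-vr session reveals the
    address the server replies to, i.e. whether source NAT was applied."""
    result = {"trust_policy": None, "untrust_policy": None,
              "nat_applied": False, "translated_src": None, "findings": []}
    trust = _find(sessions, client, server, trust_ifc, lt_trust)
    untrust = _find(sessions, client, server, lt_untrust, untrust_ifc)
    if trust is None:
        result["findings"].append(
            "no trust-vr session %s -> %s via %s/%s" % (client, server, trust_ifc, lt_trust))
    else:
        result["trust_policy"] = trust["policy"]
    if untrust is None:
        result["findings"].append(
            "no untrust-vr session %s -> %s via %s/%s" % (client, server, lt_untrust, untrust_ifc))
    else:
        result["untrust_policy"] = untrust["policy"]
        reply_to = untrust["wings"]["Out"]["dst"]
        result["nat_applied"] = reply_to != client
        result["translated_src"] = reply_to if reply_to != client else None
    return result


if __name__ == "__main__":
    print(check_hairpin(parse_sessions(SAMPLE), "1.1.1.122", "192.168.200.1"))
```

A flow that only appears on the trust side (one finding, no untrust-vr session) usually means the lt-0/0/0.1 interface is missing from the untrust zone or the ut2ut policy does not match; "nat_applied" false with both sessions present means the source NAT rule-set in step 8 did not apply, which is expected if that optional step was skipped.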