
Routing between vlans in an instance type Virtual Router and Master routing instance.


Article ID: KB27723 KB Last Updated: 04 Mar 2017 Version: 2.0
Summary:
This article describes the procedure for routing between VLANs in a routing instance of type virtual router and the master routing instance.



Symptoms:
The goal is to route between VLANs in the master routing instance and VLANs in a routing instance of type virtual router.

Filter-based forwarding cannot be used for this directly, because the filter action cannot be specified as "next-hop Master routing instance".

Configuration Sample:

Routing instance type Virtual Router.

{master:0}[edit routing-instances]
root@usedn-swmdr01# show
DEV-9 {
   description "Policy for Dev Net";
   instance-type virtual-router;
   interface vlan.1;
   interface vlan.4;
   routing-options {
      static {
         route 0.0.0.0/0 next-hop 10.205.72.62;
      }
   }
}

set routing-instances DEV-9 description "Policy for Dev Net"
set routing-instances DEV-9 instance-type virtual-router
set routing-instances DEV-9 interface vlan.1
set routing-instances DEV-9 interface vlan.4
set routing-instances DEV-9 routing-options static route 0.0.0.0/0 next-hop 10.205.72.62

Master instance configuration is given below:

{master:0}[edit routing-options]
root@usedn-swmdr01# show
static {
   route 0.0.0.0/0 next-hop 10.205.10.251;
}

set routing-options static route 0.0.0.0/0 next-hop 10.205.10.251

root@Cust-1# show
family inet {
   filter master2dr-filter {
      term 106 {
         from {
            source-address {
               10.205.9.0/24;
            }
            destination-address {
               10.205.10.0/23;
            }
         }
         then {
            count c2;
            routing-instance Master; ## 'Master' is not defined
         }
      }
      term default {
         then accept;
      }
   }
}


This filter configuration, with the routing-instance action pointing to the master instance, cannot be configured.

Cause:

Solution:
In this example, vlan.1 is added under the virtual-router routing instance and vlan.2 is in the master routing instance.

Routing instance type Virtual Router.

{master:0}[edit routing-instances]
root@usedn-swmdr01# show
DEV-9 {
   description "Policy for Dev Net";
   instance-type virtual-router;
   interface vlan.1;
   routing-options {
      static {
         route 0.0.0.0/0 next-hop 10.205.72.62;
      }
   }
}


set routing-instances DEV-9 description "Policy for Dev Net"
set routing-instances DEV-9 instance-type virtual-router
set routing-instances DEV-9 interface vlan.1
set routing-instances DEV-9 routing-options static route 0.0.0.0/0 next-hop 10.205.72.62

Master instance configuration is given below:

{master:0}[edit routing-options]
root@usedn-swmdr01# show
static {
   route 0.0.0.0/0 next-hop 10.205.10.251;
}

set routing-options static route 0.0.0.0/0 next-hop 10.205.10.251

In order to route between vlan.1 in the virtual router and vlan.2 in the master instance, we need to create another routing instance with instance type forwarding.

{master:0}[edit routing-instances]
dev {
   instance-type forwarding;
   routing-options {
      static {
         route 0.0.0.0/0 next-hop 10.205.10.251;
      }
   }
}


set routing-instances dev instance-type forwarding
set routing-instances dev routing-options static route 0.0.0.0/0 next-hop 10.205.10.251

To merge the routes between two routing-instances we need to configure RIB groups as shown below:

{master:0}[edit routing-options]
root@usedn-swmdr01# show
interface-routes {
   rib-group inet rib1;
}
static {
   route 0.0.0.0/0 next-hop 10.205.10.251;
}
rib-groups {
   rib1 {
      import-rib [ inet.0 dev.inet.0 ];
   }
}


set routing-options interface-routes rib-group inet rib1
set routing-options static route 0.0.0.0/0 next-hop 10.205.10.251
set routing-options rib-groups rib1 import-rib inet.0
set routing-options rib-groups rib1 import-rib dev.inet.0

With the above configuration, all the routes in the master routing instance are now populated in the forwarding-type instance "dev".

Note: The next-hop IP address 10.205.10.251 specified should not be configured on the same switch.

Below is the firewall filter configuration that sends traffic from the virtual router to the master instance.

[edit firewall]
root@Cust-2# show
family inet {
   filter dev2dr-filter {
      term 106 {
         from {
            source-address {
               10.205.9.0/24;
            }
            destination-address {
               10.205.10.0/23;
            }
         }
         then {
            count c2;
            routing-instance dev;
         }
      }
      term default {
         then accept;
      }
   }
}


set firewall family inet filter dev2dr-filter term 106 from source-address 10.205.9.0/24
set firewall family inet filter dev2dr-filter term 106 from destination-address 10.205.10.0/23
set firewall family inet filter dev2dr-filter term 106 then count c2
set firewall family inet filter dev2dr-filter term 106 then routing-instance dev
set firewall family inet filter dev2dr-filter term default then accept

The firewall filter below must be applied for the reverse packet flow.

[edit firewall]
root@Cust-2# show
family inet {
   filter dr2dev-filter {
      term 107 {
         from {
            source-address {
               10.205.10.0/23;
            }
         }
         then {
            count c1;
            routing-instance DEV-9;
         }
      }
      term default {
         then accept;
      }
   }
}

set firewall family inet filter dr2dev-filter term 107 from source-address 10.205.10.0/23
set firewall family inet filter dr2dev-filter term 107 then count c1
set firewall family inet filter dr2dev-filter term 107 then routing-instance DEV-9
set firewall family inet filter dr2dev-filter term default then accept

The filters must be applied to the VLAN interfaces as shown below:

[edit interfaces vlan unit 1]
root@Cust-2# show
family inet {
   filter {
      input dev2dr-filter;
   }
   address 10.205.9.254/24;
}


set interfaces vlan unit 1 family inet filter input dev2dr-filter
set interfaces vlan unit 1 family inet address 10.205.9.254/24

[edit interfaces vlan unit 2]
root@Cust-2# show
family inet {
   filter {
      input dr2dev-filter;
   }
   address 10.205.10.254/23;
}


set interfaces vlan unit 2 family inet filter input dr2dev-filter
set interfaces vlan unit 2 family inet address 10.205.10.254/23

Now a host connected to vlan.2 will be able to reach vlan.1 with help of the above configurations.
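
The lookup path that these filters and the RIB group produce can be traced with a small model. This Python model is an added example, not Juniper code: the host addresses 10.205.9.10, 10.205.10.20 and 198.51.100.7 are constructed, and the table contents are a simplified reading of the configuration above (interface routes plus the static defaults).

```python
import ipaddress

# Route tables as the article's configuration would build them (simplified model).
# dev.inet.0 receives the master's interface route through rib-group rib1.
TABLES = {
    "inet.0":       {"10.205.10.0/23": "vlan.2", "0.0.0.0/0": "10.205.10.251"},
    "dev.inet.0":   {"10.205.10.0/23": "vlan.2", "0.0.0.0/0": "10.205.10.251"},
    "DEV-9.inet.0": {"10.205.9.0/24": "vlan.1", "0.0.0.0/0": "10.205.72.62"},
}

# Input filter terms per interface: (source match, destination match, target table).
# None means the term has no match condition of that kind.
FILTERS = {
    "vlan.1": [("10.205.9.0/24", "10.205.10.0/23", "dev.inet.0")],  # dev2dr-filter term 106
    "vlan.2": [("10.205.10.0/23", None, "DEV-9.inet.0")],           # dr2dev-filter term 107
}

# Table used when only "term default then accept" matches: the interface's own instance.
HOME_TABLE = {"vlan.1": "DEV-9.inet.0", "vlan.2": "inet.0"}


def _in(addr, prefix):
    """True if addr falls inside prefix; a missing match condition matches anything."""
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def select_table(iface, src, dst):
    """Evaluate the input filter terms in order and return the table to look up in."""
    for src_pfx, dst_pfx, table in FILTERS[iface]:
        if _in(src, src_pfx) and _in(dst, dst_pfx):
            return table
    return HOME_TABLE[iface]


def lookup(table, dst):
    """Longest-prefix match of dst in the named table: (prefix, next hop)."""
    matches = [p for p in TABLES[table] if _in(dst, p)]
    best = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return best, TABLES[table][best]


def forward(iface, src, dst):
    """Return (table, matched prefix, next hop) for a packet arriving on iface."""
    table = select_table(iface, src, dst)
    return (table,) + lookup(table, dst)


if __name__ == "__main__":
    for pkt in [("vlan.1", "10.205.9.10", "10.205.10.20"),
                ("vlan.2", "10.205.10.20", "10.205.9.10"),
                ("vlan.2", "10.205.10.20", "198.51.100.7")]:
        print(pkt, "->", forward(*pkt))
```

The third case shows that term 107 matches on source address only, so every packet from 10.205.10.0/23 arriving on vlan.2 is looked up in DEV-9.inet.0, not just traffic bound for 10.205.9.0/24. A destination-address match on that term narrows the steering to inter-VLAN traffic.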
