This article provides information about the use of Virtual Routers in SRX series platforms, including a sample scenario and configuration example.
You are asked to separate several remote branch locations by attaching them to separate SRX devices. You have only one SRX device and must accomplish this objective virtually.
In Junos Software, a Virtual Router is a type of routing instance (a collection of routing tables, interfaces, and routing option settings). For more information about the Virtual Router, see Configuring Virtual Routers.
To establish a Virtual Router, do the following:
- Create a Virtual Router.
- Assign an interface to the Virtual Router (if not inet.0).
- Assign an interface to a zone.
- Import routes between Virtual Routers.
CLI Configuration
The example below shows a CLI configuration that uses routing instances of type virtual-router on SRX devices:
root@SRX# show | no-more
system {
    root-authentication {
        encrypted-password "$1$jSfj5O5H$AmbVKhc3v6jbpb2fpCaOx0"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.20.30.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet myrib;
    }
    static {    <<< These routes are required when the traffic is initiated from HO site, towards any of the remote branches
        route 192.168.1.0/24 next-table B1.inet.0;
        route 192.168.2.0/24 next-table B2.inet.0;
        route 192.168.3.0/24 next-table B3.inet.0;
    }
    rib-groups {
        myrib {    <<< This is required so that local network(10.20.30.0/24) on HO site is advertised to all branch instances
            import-rib [ inet.0 B1.inet.0 B2.inet.0 B3.inet.0 ];
        }
    }
}
security {
    zones {
        security-zone B1 {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone B2 {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone B3 {
            interfaces {
                ge-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone HO {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {    <<< for simplification, used any in the policy match conditions; address-book entries can be configured for specific networks and can be used in policies
        from-zone B1 to-zone HO {
            policy B1-HO {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone B2 to-zone HO {
            policy B2-HO {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone B3 to-zone HO {
            policy B3-HO {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone HO to-zone B1 {
            policy HO-B1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone HO to-zone B2 {
            policy HO-B2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone HO to-zone B3 {
            policy HO-B3 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
routing-instances {
    B1 {
        instance-type virtual-router;
        interface ge-0/0/1.0;
    }
    B2 {
        instance-type virtual-router;
        interface ge-0/0/2.0;
    }
    B3 {
        instance-type virtual-router;
        interface ge-0/0/3.0;
    }
}
Verification
The example below shows how to verify the CLI configuration:
[edit]
root# run show route | no-more

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.20.30.0/24      *[Direct/0] 00:10:37
                    > via ge-0/0/0.0
10.20.30.1/32      *[Local/0] 00:45:15
                      Local via ge-0/0/0.0
192.168.1.0/24     *[Static/5] 00:45:16
                      to table B1.inet.0
192.168.2.0/24     *[Static/5] 00:45:16
                      to table B2.inet.0
192.168.3.0/24     *[Static/5] 00:45:16
                      to table B3.inet.0

B1.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.20.30.0/24      *[Direct/0] 00:10:37
                    > via ge-0/0/0.0
10.20.30.1/32      *[Local/0] 00:10:37
                      Local via ge-0/0/0.0
192.168.1.0/24     *[Direct/0] 00:10:37
                    > via ge-0/0/1.0
192.168.1.1/32     *[Local/0] 00:45:15
                      Local via ge-0/0/1.0

B2.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.20.30.0/24      *[Direct/0] 00:10:37
                    > via ge-0/0/0.0
10.20.30.1/32      *[Local/0] 00:10:37
                      Local via ge-0/0/0.0
192.168.2.0/24     *[Direct/0] 00:09:44
                    > via ge-0/0/2.0
192.168.2.1/32     *[Local/0] 00:45:15
                      Local via ge-0/0/2.0

B3.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.20.30.0/24      *[Direct/0] 00:10:37
                    > via ge-0/0/0.0
10.20.30.1/32      *[Local/0] 00:10:37
                      Local via ge-0/0/0.0
192.168.3.0/24     *[Direct/0] 00:09:44
                    > via ge-0/0/3.0
192.168.3.1/32     *[Local/0] 00:45:15
                      Local via ge-0/0/3.0

[edit]
root# run show interfaces terse routing-instance all
Interface               Admin Link Proto    Local                 Instance
ge-0/0/0.0              up    up   inet     10.20.30.1/24         default
sp-0/0/0.0              up    up   inet                           default
sp-0/0/0.16383          up    up   inet     10.0.0.1
                                            10.0.0.6
                                            128.0.0.1
                                            128.0.0.6             __juniper_private1__
ge-0/0/1.0              up    up   inet     192.168.1.1/24        B1
ge-0/0/2.0              up    up   inet     192.168.2.1/24        B2
ge-0/0/3.0              up    up   inet     192.168.3.1/24        B3
lo0.16384               up    up   inet     127.0.0.1             __juniper_private2__
lo0.16385               up    up   inet     10.0.0.1
                                            10.0.0.16
                                            128.0.0.1
                                            128.0.1.16            __juniper_private1__

[edit]
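In the route tables above, each branch table holds only its own prefix and the HO prefix, which is what keeps the branches apart. The following added example (not part of the original article and not Juniper tooling) parses saved "show route" text and reports any branch table that holds a route covering another branch; the function names and the leaked route in the sample are constructed for illustration, and the branch prefixes are taken from the interface addresses in this article.

```python
import ipaddress
import re

# Branch instance -> LAN prefix, from the interface addresses in this article.
BRANCH_NETS = {name: ipaddress.ip_network(net) for name, net in {
    "B1": "192.168.1.0/24", "B2": "192.168.2.0/24", "B3": "192.168.3.0/24"}.items()}

# Constructed sample: abbreviated "show route" text in the article's format, with
# one leaked route (192.168.2.0/24 inside B1.inet.0) added on purpose.
SAMPLE = """\
inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
10.20.30.0/24      *[Direct/0] 00:10:37
                    > via ge-0/0/0.0
192.168.1.0/24     *[Static/5] 00:45:16
                      to table B1.inet.0
B1.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
10.20.30.0/24      *[Direct/0] 00:10:37
                    > via ge-0/0/0.0
192.168.1.0/24     *[Direct/0] 00:10:37
                    > via ge-0/0/1.0
192.168.2.0/24     *[Static/5] 00:01:02
                      to table B2.inet.0
"""

TABLE_RE = re.compile(r"^((?:\S+\.)?inet\.0): \d+ destinations")
ROUTE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+[*+-]?\[")

def parse_tables(text):
    """Return {table name: [ip_network, ...]} from 'show route' text."""
    tables, current = {}, None
    for line in text.splitlines():
        if m := TABLE_RE.match(line):
            current = tables.setdefault(m.group(1), [])
        elif current is not None and (m := ROUTE_RE.match(line)):
            current.append(ipaddress.ip_network(m.group(1), strict=False))
    return tables

def find_leaks(tables, branch_nets=BRANCH_NETS):
    """Return sorted (table, prefix, other_branch) for routes that reach another branch."""
    leaks = []
    for inst in branch_nets:
        for prefix in tables.get(f"{inst}.inet.0", []):
            # overlaps() also catches covering routes such as 0.0.0.0/0.
            leaks += [(f"{inst}.inet.0", str(prefix), other)
                      for other, net in branch_nets.items()
                      if other != inst and prefix.overlaps(net)]
    return sorted(leaks)

if __name__ == "__main__":
    print(find_leaks(parse_tables(SAMPLE)))
```

An empty list means no branch table can route to another branch's prefix; any entry names the table, the offending prefix and the branch it exposes.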