Virtual Routing Instances – SRX style

I discussed in my previous post that I wanted to add virtual routing instances to the SRX. This would allow me to learn OSPF on a real device and see how it behaves on JUNOS. Kurt Bales (@networkjanitor) dropped some hints and I found some resources over at 3fives. After looking at how it was done, I decided to use what I had seen and learn via the CLI. I contemplated a screencast but I am still quite slow at the CLI. My results are below. Let's journey together into making a one-box lab.

“A virtual SRX appears”
“Pokeball go”

Once you nail your first configuration it gets a bit more manageable. Breaking it down, we are creating a network using the logical tunnel (lt) interfaces. For each unit we assign a peer-unit (the other end of the link), specify ethernet encapsulation, and assign an IP address. We do this for each interface on each device in the topology. It is important to remember that the SRX110 supports three routing instances.

set interfaces lt-0/0/0 unit 0 family inet address 192.168.10.1/30
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 description LINK-TO-R2
set interfaces lt-0/0/0 unit 5 family inet address 192.168.10.10/30
set interfaces lt-0/0/0 unit 5 peer-unit 4
set interfaces lt-0/0/0 unit 5 encapsulation ethernet
set interfaces lt-0/0/0 unit 5 description LINK-TO-R3
set interfaces lo0 unit 1 family inet address 1.1.1.1/32

Now to add these to the routing instance named R1. This creates the virtual router instance that we can use.

set routing-instances R1 description Routing-instance-R1
set routing-instances R1 instance-type virtual-router
set routing-instances R1 interface lt-0/0/0.0
set routing-instances R1 interface lt-0/0/0.5
set routing-instances R1 interface lo0.1

Now the same for R2: its two lt units, a loopback, and the R2 routing instance.

set interfaces lt-0/0/0 unit 1 family inet address 192.168.10.2/30
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 description LINK-TO-R1
set interfaces lt-0/0/0 unit 2 description LINK-TO-R3
set interfaces lt-0/0/0 unit 2 family inet address 192.168.10.5/30
set interfaces lt-0/0/0 unit 2 peer-unit 3
set interfaces lt-0/0/0 unit 2 encapsulation ethernet
set interfaces lo0 unit 2 family inet address 2.2.2.2/32

set routing-instances R2 description Routing-instance-R2
set routing-instances R2 instance-type virtual-router
set routing-instances R2 interface lt-0/0/0.1
set routing-instances R2 interface lt-0/0/0.2
set routing-instances R2 interface lo0.2

Finally, let's do the same as for the R2 instance and create R3.

set interfaces lt-0/0/0 unit 3 description LINK-TO-R2
set interfaces lt-0/0/0 unit 3 family inet address 192.168.10.6/30
set interfaces lt-0/0/0 unit 3 peer-unit 2
set interfaces lt-0/0/0 unit 3 encapsulation ethernet
set interfaces lt-0/0/0 unit 4 description LINK-TO-R1
set interfaces lt-0/0/0 unit 4 family inet address 192.168.10.9/30
set interfaces lt-0/0/0 unit 4 peer-unit 5
set interfaces lt-0/0/0 unit 4 encapsulation ethernet
set interfaces lo0 unit 3 family inet address 3.3.3.3/32

set routing-instances R3 description Routing-instance-R3
set routing-instances R3 instance-type virtual-router
set routing-instances R3 interface lt-0/0/0.3
set routing-instances R3 interface lt-0/0/0.4
set routing-instances R3 interface lo0.3

And let's commit the changes, including a note about what we did.

[email protected]# commit comment "Added Routing instances for blog post" 
commit complete

As you can see, once you break the configuration down, the initially overwhelming part looks easy. Now that we have done that we need to ping.

[email protected]> ping 192.168.10.1 routing-instance R2 rapid 
PING 192.168.10.1 (192.168.10.1): 56 data bytes
.....
--- 192.168.10.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

[email protected]> ping 192.168.10.2 routing-instance R2 rapid    
PING 192.168.10.2 (192.168.10.2): 56 data bytes
!!!!!
--- 192.168.10.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.323/0.745/1.947/0.610 ms

[email protected]> ping 192.168.10.2 routing-instance R1 rapid    
PING 192.168.10.2 (192.168.10.2): 56 data bytes
.....

Why you no ping? Well, we need to apply the correct security zone to each device. Alright. Let's add all the lt-0/0/0 interfaces to the default trust zone.

[email protected]# set security zones security-zone trust interfaces lt-0/0/0

Let's commit this and see how it works out.

[edit]
[email protected]# commit comment "Added lt-0/0/0 and units to trust sec zone" 
[edit security zones security-zone trust]
  'interfaces lt-0/0/0.0'
    Interface lt-0/0/0.0 must be in the same routing instance as other interfaces in the zone
error: configuration check-out failed

Right. So what does this mean? Well, think about it. What we have essentially done is create distinct firewalls. Because the SRX is in flow mode, each routing instance needs its own security zones; a zone cannot contain interfaces from more than one routing instance. In packet mode (router mode) you don't need to care about this. So now let's create trust and untrust zones per routing instance.

set security zones security-zone trust-R1    
set security zones security-zone untrust-R1  
set security zones security-zone trust-R2 
set security zones security-zone untrust-R2    
set security zones security-zone trust-R3      
set security zones security-zone untrust-R3

Okay, these are made. Don't be a dork like I was and forget to apply host-inbound-traffic settings to the zones. For now I am only allowing all system-services and all protocols on trust-R1, trust-R2, and trust-R3. Note that "all" opens every management service and routing protocol towards the SRX itself on those interfaces, which is fine for a one-box lab but should be narrowed to what you actually need (for example ping and ospf) anywhere else.

set security zones security-zone trust-R1 host-inbound-traffic system-services all
set security zones security-zone trust-R1 host-inbound-traffic protocols  all
set security zones security-zone trust-R2 host-inbound-traffic system-services all
set security zones security-zone trust-R2 host-inbound-traffic protocols  all
set security zones security-zone trust-R3 host-inbound-traffic system-services all
set security zones security-zone trust-R3 host-inbound-traffic protocols  all

I am now going to assign all the virtual routing instance interfaces in R1, R2, and R3 to their respective trust zones.

set security zones security-zone trust-R1 interfaces lt-0/0/0.0
set security zones security-zone trust-R1 interfaces lt-0/0/0.5
set security zones security-zone trust-R2 interfaces lt-0/0/0.1
set security zones security-zone trust-R2 interfaces lt-0/0/0.2
set security zones security-zone trust-R3 interfaces lt-0/0/0.3
set security zones security-zone trust-R3 interfaces lt-0/0/0.4

Now to commit with a comment, and then we can test this bad boy setup!

commit comment "RI trust zones, zone policy, interface zone mapping"
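As an added example (not the post's own code), the Python below generates the same lt-0/0/0 lab as set commands from a list of links and reproduces the commit check that rejected one shared trust zone: build_lab hands out peer-unit pairs, /30s and loopbacks, check_zones flags any zone that mixes routing instances, and per_instance_zones builds the trust-R1/R2/R3 mapping. The LINKS topology is constructed to match the post; the function names are assumptions of mine.

```python
"""Added example (not from the post): generate the lt-0/0/0 one-box lab as
Junos set commands and mimic the zone/routing-instance commit check."""
from itertools import count

# Constructed sample topology: the R1-R2-R3 triangle used in the post.
LINKS = [("R1", "R2"), ("R2", "R3"), ("R3", "R1")]


def build_lab(links, lt="lt-0/0/0", base="192.168.10"):
    """Return (set_commands, {instance: [lt ifl, ...]}).

    Each link consumes one /30 and a pair of lt units bound to each other
    with peer-unit; the unit numbering comes out the same as in the post."""
    cmds, members, unit = [], {}, count(0)
    for i, (a, b) in enumerate(links):
        ua, ub = next(unit), next(unit)
        net = i * 4  # /30 blocks: .0, .4, .8, ...
        for me, peer, mu, pu, host in ((a, b, ua, ub, 1), (b, a, ub, ua, 2)):
            cmds += [
                f"set interfaces {lt} unit {mu} description LINK-TO-{peer}",
                f"set interfaces {lt} unit {mu} encapsulation ethernet",
                f"set interfaces {lt} unit {mu} peer-unit {pu}",
                f"set interfaces {lt} unit {mu} family inet address {base}.{net + host}/30",
            ]
            members.setdefault(me, []).append(f"{lt}.{mu}")
    for n, (ri, ifls) in enumerate(members.items(), start=1):
        cmds.append(f"set interfaces lo0 unit {n} family inet address {n}.{n}.{n}.{n}/32")
        cmds.append(f"set routing-instances {ri} instance-type virtual-router")
        cmds += [f"set routing-instances {ri} interface {ifl}" for ifl in ifls + [f"lo0.{n}"]]
    return cmds, members


def check_zones(zones, members):
    """Mimic the commit check that rejected one shared trust zone: every
    interface in a zone must belong to the same routing instance.
    Returns {zone: sorted instances} for each zone that mixes instances."""
    owner = {ifl: ri for ri, ifls in members.items() for ifl in ifls}
    bad = {}
    for zone, ifls in zones.items():
        found = sorted({owner[ifl] for ifl in ifls if ifl in owner})
        if len(found) > 1:
            bad[zone] = found
    return bad


def per_instance_zones(members):
    """The fix from the post: one trust-<RI> zone per routing instance."""
    return {f"trust-{ri}": list(ifls) for ri, ifls in members.items()}
```

Feeding every lt unit into a single "trust" zone makes check_zones report all three instances for that zone, which is the condition behind the "must be in the same routing instance" commit error; the per-instance mapping passes cleanly.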

Remember your fellow co-workers and include change request ticket IDs when commenting commits. It will save them burning effigies of you later. Alright, the pings before didn't work. Time to test direct connectivity.

  • R1 -> R2
  • R1 -> R3
  • R2 -> R3

Alright. Let's give this a go.

[email protected]> ping 192.168.10.2 routing-instance R1 rapid    
PING 192.168.10.2 (192.168.10.2): 56 data bytes
!!!!!
--- 192.168.10.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.691/2.992/3.255/0.216 ms

[email protected]> ping 192.168.10.11 routing-instance R1 rapid   
PING 192.168.10.11 (192.168.10.11): 56 data bytes
!!!!!
--- 192.168.10.11 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.498/6.055/14.276/4.143 ms

[email protected]> ping 192.168.10.6 routing-instance R2 rapid     
PING 192.168.10.6 (192.168.10.6): 56 data bytes
.!!!!
--- 192.168.10.6 ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max/stddev = 2.505/2.628/2.746/0.107 ms

Awesome. Direct connectivity. That means we have our lab in which we can test routing and make the magic happen.
Let's just quickly check the routing table to make sure it is all kosher.

[email protected]> show route 

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 05:00:19
                    > to 192.168.1.254 via fe-0/0/0.0
192.168.1.0/24     *[Direct/0] 05:00:19
                    > via fe-0/0/0.0
192.168.1.200/32   *[Local/0] 05:00:29
                      Local via fe-0/0/0.0
192.168.2.0/24     *[Direct/0] 05:00:19
                    > via vlan.0
192.168.2.1/32     *[Local/0] 05:00:40
                      Local via vlan.0

R1.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[Direct/0] 01:25:48
                    > via lo0.1
192.168.10.0/30    *[Direct/0] 01:25:47
                    > via lt-0/0/0.0
192.168.10.1/32    *[Local/0] 01:25:48
                      Local via lt-0/0/0.0
192.168.10.8/30    *[Direct/0] 01:25:47
                    > via lt-0/0/0.5
192.168.10.10/32   *[Local/0] 01:25:47
                      Local via lt-0/0/0.5

R2.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.2.2.2/32         *[Direct/0] 01:25:48
                    > via lo0.2
192.168.10.0/30    *[Direct/0] 01:25:47
                    > via lt-0/0/0.1
192.168.10.2/32    *[Local/0] 01:25:47
                      Local via lt-0/0/0.1
192.168.10.4/30    *[Direct/0] 01:25:47
                    > via lt-0/0/0.2
192.168.10.5/32    *[Local/0] 01:25:47
                      Local via lt-0/0/0.2

R3.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

3.3.3.3/32         *[Direct/0] 01:25:48 
                    > via lo0.3
192.168.10.4/30    *[Direct/0] 01:25:47
                    > via lt-0/0/0.3
192.168.10.6/32    *[Local/0] 01:25:47
                      Local via lt-0/0/0.3
192.168.10.8/30    *[Direct/0] 01:25:47
                    > via lt-0/0/0.4
192.168.10.9/32    *[Local/0] 01:25:47
                      Local via lt-0/0/0.4

Next blog we will look at establishing a basic OSPF area and explore what JUNOS has to offer network engineers in configuring and deploying OSPF networks. I am still amazed that the machine pictured above can do all this. I am looking at you, ASA 5500 series. I am excited. Thank you for reading and I hope you have gained something from this.

11 thoughts on “Virtual Routing Instances – SRX style”

    1. Much easier than I thought. Thanks for the initial template. I looked at it twice for about 5 minutes then got the ideas behind it and off I went. Can I say converted?

    2. Yeah it is. Thanks for the reference. I had a good look at what you did and understood the concept then sought to reproduce it. It is awesome the fact that you can have one physical box but do so much with it and not get tripped up by licensing at each step.

      1. Notice that the security zone limits are strictly enforced, while the number of virtual routing instances are a recommendation, and are not enforced. If you get carried away and try to use 10 VRs with a SRX110 cluster, you will be punished by extremely long commit times, even with lightweight configurations.

        1. Thanks for that. I hadn’t noticed that it wasn’t hard capped, I just used the datasheet. I did notice the IDP did affect boot and commit times once activated on the default and 2 of the RIs. It didn’t seem to affect runtime performance. SRX110 cluster would be a nice little HA branch deployment.

  1. I was introduced to Junos when the M40 went live in Quest’s backbone, needless to say I was addicted! I know you worked on the ASA platform which isn’t too bad but you’ll notice the ease of use with the SRX and it’s fun. ASA - I personally don’t prefer the use of the “outside, inside, global” naming convention and the flat config when troubleshooting complex cases… just my two cents…!

    1. I don’t mind the ASA – they are my primary $JOB1 device – problem is that they can sometimes be far too expensive to keep the whole notion of end to end Cisco. Comparable SRX + staff training still don’t come close to the price of the SRX.

      Yeah, Inside, Outside, DMZ are default security zones. I think people run with it for familiarity reasons.

  2. Problem I’ve been having is I cannot traceroute between VRs. The above example you did a ping. Are you able to do a traceroute? (I can also ping but not traceroute).

  3. Great writeup! Didn’t know the SRX had such powerful features. Great for creating a virtual lab. I have 2 SRX240b’s and was thinking I could do with another for labbing, but no longer 🙂
