AJSEC Lab2 Virtual Routing / routing-instance




Part 1: virtual-router routing instances
# Addresses of the two interfaces that the routing instances in this part
# bind. "top" runs the show from the root of the configuration while the
# prompt is still at [edit routing-instances].
[edit routing-instances]
lab@vSRX-1# top show interfaces ge-0/0/4 | display set 
set interfaces ge-0/0/4 unit 0 family inet address 172.20.101.1/24

[edit routing-instances]
lab@vSRX-1# top show interfaces ge-0/0/5 | display set    
set interfaces ge-0/0/5 unit 0 family inet address 172.20.201.1/24

# Two virtual-router instances, one interface each: ge-0/0/5.0 in ACME-SV and
# ge-0/0/4.0 in Juniper-SV. Each instance gets its own route table.
# NOTE(review): a virtual-router separates route tables, not traffic. Both
# instances send every destination they do not know to inet.0 (next-table),
# so what ACME-SV and Juniper-SV can reach depends on the contents of inet.0
# and on the security zones and policies, none of which appear in this part.
[edit routing-instances]
lab@vSRX-1# show 
ACME-SV {
    instance-type virtual-router;
    interface ge-0/0/5.0;
    routing-options {
        static {
            # Default route: continue the lookup in the main table.
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
Juniper-SV {
    instance-type virtual-router;
    interface ge-0/0/4.0;
    routing-options {
        static {
            # Same default as ACME-SV: continue the lookup in the main table.
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}

Part 2: connecting the instances over logical tunnel (lt) interfaces
# Logical tunnel pair: unit 1 names unit 2 as its peer and unit 2 names
# unit 1, so the two units are the two ends of one internal Ethernet link.
# They share 172.21.1.0/30 (.1 on unit 1, .2 on unit 2).
lab@vSRX-1> show configuration interfaces lt-0/0/0 | display set 
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 2
set interfaces lt-0/0/0 unit 1 family inet address 172.21.1.1/30
set interfaces lt-0/0/0 unit 2 encapsulation ethernet
set interfaces lt-0/0/0 unit 2 peer-unit 1
set interfaces lt-0/0/0 unit 2 family inet address 172.21.1.2/30

# Each instance now holds one end of the lt link (unit 1 in Juniper-SV,
# unit 2 in ACME-SV) and runs OSPF area 0.0.0.0 across it. The ge interfaces
# are passive: their subnets are advertised but no adjacency is formed on
# those segments.
# NOTE(review): once OSPF is up, each instance learns the other's ge subnet,
# so the separate route tables no longer limit reachability between the two;
# that control has to come from security policy between the zones, which is
# not shown on this page.
# NOTE(review): no OSPF authentication appears in this output. That is a small
# exposure on an internal lt link; add authentication if the same pattern is
# reused on a shared segment.
lab@vSRX-1> show configuration routing-instances Juniper-SV | display set 
set routing-instances Juniper-SV instance-type virtual-router
set routing-instances Juniper-SV interface lt-0/0/0.1
set routing-instances Juniper-SV interface ge-0/0/4.0
set routing-instances Juniper-SV routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances Juniper-SV protocols ospf area 0.0.0.0 interface lt-0/0/0.1
set routing-instances Juniper-SV protocols ospf area 0.0.0.0 interface ge-0/0/4.0 passive


lab@vSRX-1> show configuration routing-instances ACME-SV | display set 
set routing-instances ACME-SV instance-type virtual-router
set routing-instances ACME-SV interface lt-0/0/0.2
set routing-instances ACME-SV interface ge-0/0/5.0
set routing-instances ACME-SV routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances ACME-SV protocols ospf area 0.0.0.0 interface lt-0/0/0.2
set routing-instances ACME-SV protocols ospf area 0.0.0.0 interface ge-0/0/5.0 passive

# One security zone per instance, holding that instance's ge and lt interfaces.
# host-inbound-traffic is set per interface and only on the lt units: ping and
# OSPF, the minimum for the adjacency and a reachability test across the link.
# The ge interfaces list no host-inbound-traffic and this output shows none at
# zone level, so nothing shown here admits traffic addressed to the firewall
# itself on ge-0/0/4.0 or ge-0/0/5.0.
# NOTE(review): policies between zone Juniper-SV and zone ACME-SV are not on
# this page; confirm what transit traffic between them is permitted.
lab@vSRX-1> show configuration security zones security-zone Juniper-SV | display set   
set security zones security-zone Juniper-SV interfaces ge-0/0/4.0
set security zones security-zone Juniper-SV interfaces lt-0/0/0.1 host-inbound-traffic system-services ping
set security zones security-zone Juniper-SV interfaces lt-0/0/0.1 host-inbound-traffic protocols ospf

lab@vSRX-1> show configuration security zones security-zone ACME-SV | display set       
set security zones security-zone ACME-SV interfaces ge-0/0/5.0
set security zones security-zone ACME-SV interfaces lt-0/0/0.2 host-inbound-traffic system-services ping
set security zones security-zone ACME-SV interfaces lt-0/0/0.2 host-inbound-traffic protocols ospf


Part 3: filter-based forwarding (FBF)
# ge-0/0/1 (172.19.1.1/30) is the extra uplink used by the FBF instance; its
# far end, 172.19.1.2, is the next hop configured under FBF-instance.
lab@vSRX-1> show configuration interfaces ge-0/0/1 | display set 
set interfaces ge-0/0/1 unit 0 family inet address 172.19.1.1/30

# Both uplinks sit in zone untrust, so a single ACME-SV -> untrust policy
# covers traffic leaving through either of them. No host-inbound-traffic is
# listed for this zone in the output.
lab@vSRX-1> show configuration security zones security-zone untrust | display set 
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust interfaces ge-0/0/1.0

# Zone ACME-SV is the same as in Part 2.
lab@vSRX-1> show configuration security zones security-zone ACME-SV | display set    
set security zones security-zone ACME-SV interfaces ge-0/0/5.0
set security zones security-zone ACME-SV interfaces lt-0/0/0.2 host-inbound-traffic system-services ping
set security zones security-zone ACME-SV interfaces lt-0/0/0.2 host-inbound-traffic protocols ospf

# Transit policy for traffic from zone ACME-SV to zone untrust: source must
# match the address-book entry ACME-SV (its definition is not shown on this
# page); any destination and any application are permitted.
# NOTE(review): the policy has no "then log" or "then count", so permitted
# sessions leave no record. Outside a lab, add session logging and narrow
# "application any" to what the customer actually needs.
lab@vSRX-1> show configuration security policies from-zone ACME-SV to-zone untrust | display set 
set security policies from-zone ACME-SV to-zone untrust policy FBF-ACME-SV match source-address ACME-SV
set security policies from-zone ACME-SV to-zone untrust policy FBF-ACME-SV match destination-address any
set security policies from-zone ACME-SV to-zone untrust policy FBF-ACME-SV match application any
set security policies from-zone ACME-SV to-zone untrust policy FBF-ACME-SV then permit

# Forwarding-type instance: it owns no interfaces and only supplies an
# alternate route table, whose single static route sends everything to
# 172.19.1.2. That next hop resolves only if the 172.19.1.0/30 interface route
# is present in FBF-instance.inet.0, which is what the Main-to-FBF rib-group
# under routing-options is for.
# NOTE(review): the firewall filter that directs packets into this instance is
# not shown on this page; confirm which interface it is applied to and which
# source prefixes it matches.
lab@vSRX-1> show configuration routing-instances FBF-instance | display set 
set routing-instances FBF-instance instance-type forwarding
set routing-instances FBF-instance routing-options static route 0.0.0.0/0 next-hop 172.19.1.2

# Same instance as in Part 2 with one addition: interface-routes rib-group
# ACME-to-Main. Per the rib-group definition under routing-options
# (ACME-SV.inet.0 listed first, then inet.0), this copies ACME-SV's interface
# routes into the main table.
# NOTE(review): ACME-to-Main has no import-policy in the output, so every
# interface route of ACME-SV, including the lt-0/0/0.2 subnet, is copied to
# inet.0. Confirm that is intended.
lab@vSRX-1> show configuration routing-instances ACME-SV | display set 
set routing-instances ACME-SV instance-type virtual-router
set routing-instances ACME-SV interface lt-0/0/0.2
set routing-instances ACME-SV interface ge-0/0/5.0
set routing-instances ACME-SV routing-options interface-routes rib-group inet ACME-to-Main
set routing-instances ACME-SV routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances ACME-SV protocols ospf area 0.0.0.0 interface lt-0/0/0.2
set routing-instances ACME-SV protocols ospf area 0.0.0.0 interface ge-0/0/5.0 passive

# Main-instance routing options. In each rib-group the first import-rib is the
# source table and the following ones receive the copies:
#   ACME-to-Main: ACME-SV.inet.0 -> inet.0
#   Main-to-FBF:  inet.0 -> FBF-instance.inet.0, limited by an import-policy
# The main default route points to 172.18.1.1; the interface holding that
# subnet is not shown on this page.
# NOTE(review): the import-policy is named only-179.19.1.0/30, but ge-0/0/1 is
# 172.19.1.1/30 and the FBF next hop is 172.19.1.2. The name is only a label
# and the policy-statement body is not shown, so check that its route-filter
# matches 172.19.1.0/30. A wrong prefix there would either leave the FBF
# default route unresolved or copy more of inet.0 into FBF-instance.inet.0
# than intended, depending on how the policy ends.
lab@vSRX-1> show configuration routing-options | display set 
set routing-options interface-routes rib-group inet Main-to-FBF
set routing-options static route 0.0.0.0/0 next-hop 172.18.1.1
set routing-options rib-groups ACME-to-Main import-rib ACME-SV.inet.0
set routing-options rib-groups ACME-to-Main import-rib inet.0
set routing-options rib-groups Main-to-FBF import-rib inet.0
set routing-options rib-groups Main-to-FBF import-rib FBF-instance.inet.0
set routing-options rib-groups Main-to-FBF import-policy only-179.19.1.0/30