10 June 2011

Juniper – Virtual Router

Virtual Router Configuration Example

Assigning IP Addresses to Interfaces

Assign interface IP addresses. In the following example, 192.168.1.1/24 and 172.17.1.1/24 are assigned to the fe-0/0/2 and fe-0/0/3 interfaces, respectively.

user@host# set interfaces fe-0/0/2 unit 0 family inet address 192.168.1.1/24
user@host# set interfaces fe-0/0/3 unit 0 family inet address 172.17.1.1/24

Creating Virtual Routers and Assigning Interfaces

To create virtual routers and assign interfaces to the virtual routers:

  1. Create a virtual router (named blue-vr in this example).
    user@host# set routing-instances blue-vr instance-type virtual-router
    
  2. Assign interfaces to the virtual router. In the following example, the fe-0/0/2.0 interface is assigned to the blue-vr virtual router.
    user@host# set routing-instances blue-vr interface fe-0/0/2.0
    
  3. Create another virtual router (named red-vr in this example).
    user@host# set routing-instances red-vr instance-type virtual-router
    
  4. Assign interfaces to the virtual router. In the following example, the fe-0/0/3.0 interface is assigned to the red-vr virtual router.
    user@host# set routing-instances red-vr interface fe-0/0/3.0
    

Creating Security Zones and Assigning Interfaces

Next, create security zones and assign interfaces to those zones. Assigning interfaces to zones is defined independently from the virtual router, but all interfaces in the same zone must be bound to the same virtual router.

To create security zones and assign interfaces:

  1. Create a security zone for the blue-vr virtual router (in this example, blue-trust).
    user@host# set security zones security-zone blue-trust
    
  2. Assign an interface to the blue-trust zone (in this example, fe-0/0/2.0).
    user@host# set security zones security-zone blue-trust interfaces fe-0/0/2.0
    
  3. Create a security zone for the red-vr virtual router (in this example, red-trust).
    user@host# set security zones security-zone red-trust
    
  4. Assign an interface to the red-trust zone (in this example, fe-0/0/3.0).
    user@host# set security zones security-zone red-trust interfaces fe-0/0/3.0
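
The rule above (every interface in a zone must belong to the same virtual router) can be checked offline against a list of set commands. The following Python script is an added example, not part of the original article or of Junos; the sample input is constructed, with one deliberately misplaced interface, and interfaces that appear in no routing instance are grouped under the default instance, labelled "master" here.

```python
import re
from collections import defaultdict

# Constructed sample: set commands in the style of this page, plus one
# deliberately wrong line (fe-0/0/3.0 is in red-vr but placed in blue-trust).
SAMPLE = """
set routing-instances blue-vr instance-type virtual-router
set routing-instances blue-vr interface fe-0/0/2.0
set routing-instances red-vr instance-type virtual-router
set routing-instances red-vr interface fe-0/0/3.0
set security zones security-zone blue-trust interfaces fe-0/0/2.0
set security zones security-zone blue-trust interfaces fe-0/0/3.0
set security zones security-zone red-trust interfaces fe-0/0/4.0
"""

DEFAULT_INSTANCE = "master"  # label used for interfaces in no routing instance
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")

def zone_instance_map(config_text):
    """Return {zone: {routing_instance: [interfaces]}} from set commands."""
    iface_to_ri, zone_ifaces = {}, defaultdict(list)
    for line in config_text.splitlines():
        line = " ".join(line.split())  # collapse extra whitespace
        if m := RI_RE.match(line):
            iface_to_ri[m.group(2)] = m.group(1)
        elif m := ZONE_RE.match(line):
            zone_ifaces[m.group(1)].append(m.group(2))
    # Resolve after parsing everything, so command order does not matter.
    result = {}
    for zone, ifaces in zone_ifaces.items():
        by_ri = defaultdict(list)
        for iface in ifaces:
            by_ri[iface_to_ri.get(iface, DEFAULT_INSTANCE)].append(iface)
        result[zone] = dict(by_ri)
    return result

def zones_spanning_instances(config_text):
    """Zones whose interfaces sit in more than one routing instance."""
    return {z: r for z, r in zone_instance_map(config_text).items() if len(r) > 1}

if __name__ == "__main__":
    for zone, ris in zones_spanning_instances(SAMPLE).items():
        print(f"zone {zone} spans routing instances: {ris}")
```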
    

Importing Routes Between Virtual Routers

Optionally, after creating the virtual routers and assigning interfaces to them, you can configure routes to be imported between the virtual routers.

To configure the importing of routes between virtual routing instances:

  1. Create a policy statement that defines the match criteria and the action to take for routes that meet them. In this example, a policy statement named from_blue_to_red matches routes from the blue-vr virtual router and accepts them.
    user@host# set policy-options policy-statement from_blue_to_red term term1 from instance blue-vr
    user@host# set policy-options policy-statement from_blue_to_red term term1 then accept
    
  2. Apply a policy to routes being imported into a routing instance. In this example, the from_blue_to_red policy is applied to routes imported into the red-vr routing instance.
    user@host# set routing-instances red-vr routing-options instance-import from_blue_to_red
    

Creating Security Policies

To allow traffic through the SRX Series device, you need to create a security policy if you have not already done so. For information about creating security policies, see KB16553 and Security Policies.

The following example creates a security policy named default-permit that allows traffic from the blue-trust zone to the red-trust zone:

user@host# set security policies from-zone blue-trust to-zone red-trust policy default-permit match source-address any
user@host# set security policies from-zone blue-trust to-zone red-trust policy default-permit match destination-address any
user@host# set security policies from-zone blue-trust to-zone red-trust policy default-permit match application any
user@host# set security policies from-zone blue-trust to-zone red-trust policy default-permit then permit

The following example configures the default-permit security policy that allows traffic from the red-trust zone to the blue-trust zone:

user@host# set security policies from-zone red-trust to-zone blue-trust policy default-permit match source-address any
user@host# set security policies from-zone red-trust to-zone blue-trust policy default-permit match destination-address any
user@host# set security policies from-zone red-trust to-zone blue-trust policy default-permit match application any
user@host# set security policies from-zone red-trust to-zone blue-trust policy default-permit then permit
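
The two default-permit policies above match any source, any destination and any application in both directions, so the zone boundary between blue-trust and red-trust filters nothing. The following Python script is an added example, not part of the original article; it flags such policies in a list of set commands. The sample input is constructed, and the narrower policy web-only with its address-book entry blue-web is hypothetical.

```python
import re

# Constructed sample: the page's blue-to-red default-permit policy plus a
# hypothetical narrower policy "web-only" (address-book entry "blue-web" is assumed).
SAMPLE = """
set security policies from-zone blue-trust to-zone red-trust policy default-permit match source-address any
set security policies from-zone blue-trust to-zone red-trust policy default-permit match destination-address any
set security policies from-zone blue-trust to-zone red-trust policy default-permit match application any
set security policies from-zone blue-trust to-zone red-trust policy default-permit then permit
set security policies from-zone red-trust to-zone blue-trust policy web-only match source-address any
set security policies from-zone red-trust to-zone blue-trust policy web-only match destination-address blue-web
set security policies from-zone red-trust to-zone blue-trust policy web-only match application junos-http
set security policies from-zone red-trust to-zone blue-trust policy web-only then permit
"""

FIELDS = ("source-address", "destination-address", "application")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (\S+))$")

def parse_policies(text):
    """Return {(from_zone, to_zone, name): {field: set(values), 'action': str}}."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(" ".join(line.split()))
        if not m:
            continue
        src, dst, name, field, value, action = m.groups()
        p = policies.setdefault((src, dst, name), {f: set() for f in FIELDS})
        if field:
            p[field].add(value)
        else:
            p["action"] = action
    return policies

def wide_open(text):
    """Policies that permit while matching 'any' in all three fields."""
    return sorted(k for k, p in parse_policies(text).items()
                  if p.get("action") == "permit" and all("any" in p[f] for f in FIELDS))

def open_both_ways(text):
    """Zone pairs that have a wide-open permit policy in each direction."""
    pairs = {(s, d) for s, d, _ in wide_open(text)}
    return sorted({tuple(sorted(p)) for p in pairs if (p[1], p[0]) in pairs})

if __name__ == "__main__":
    for src, dst, name in wide_open(SAMPLE):
        print(f"{src} -> {dst}: policy {name} permits any/any/any")
```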

Multiple IP Addresses on a Single Interface

When using set commands to either set interfaces or refer to interfaces, you can use one of two methods. You can refer to the interface as “<interface> unit <#>” or “<interface>.<#>”.

[edit]
user@host# set interfaces fe-0/0/0 unit 0 family inet address 192.168.1.1/24
[edit]
user@host# set interfaces fe-0/0/0.0 family inet address 192.168.1.2/24
[edit]
user@host# show interfaces
fe-0/0/0 {
    unit 0 {
        family inet {
            address 192.168.1.1/24;
            address 192.168.1.2/24;
        }
    }
}

Use the following commands to pick one address to always be the source address for traffic on the same subnet:

[edit interfaces fe-0/0/0]
user@host# set unit 0 family inet address 182.252.1.14/29
user@host# set unit 0 family inet address 182.252.1.13/29
user@host# set unit 0 family inet address 182.252.1.12/29
user@host# set unit 0 family inet address 182.252.1.11/29
user@host# set unit 0 family inet address 182.252.1.10/29 preferred

Use the following commands to choose one address that is used as the source address in broadcast and unnumbered traffic sent out an interface:

[edit interfaces fe-0/0/1]
user@host# set unit 0 family inet address 202.253.1.14/29
user@host# set unit 0 family inet address 202.253.1.13/29
user@host# set unit 0 family inet address 202.253.1.12/29
user@host# set unit 0 family inet address 202.253.1.11/29
user@host# set unit 0 family inet address 202.253.1.10/29 primary

Published by Winston Sahusilawane in the Juniper category: 10 June, 2011