
routing in Juniper EX4200

I am new to Juniper switches and I am trying to understand the routing for this config. I got the following routing-options and the routing-instances in my config. How does it work?

The usergp2 is vlan200 10.10.200.0/24. I am not sure what usergp1 is as I could not find where it was defined.
10.10.200.2 and 10.10.10.2 are FWs. I am not sure what 10.10.10.3 is at this time.

routing-options {
    interface-routes {
        rib-group inet VRF-group;
    }
    static {
        route 0.0.0.0/0 next-hop 10.10.10.2;
    }
    rib-groups {
        VRF-group {
            import-rib [ inet.0 usergp1.inet.0 usergp2.inet.0 ];...
...
routing-instances {
    usergp2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.200.2;
            }
        }
    }
    usergp1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.10.3;
            }
        }
    }

leblanc
Asked:
3 Solutions
 
dpk_wal Commented:
In Junos, we configure static routes and other settings related to static routing or route leaking using rib groups under the routing-options hierarchy.
http://www.juniper.net/documentation/en_US/junos13.2/information-products/pathway-pages/ex-series/routing-options.html

A routing-instance is used to create a VRF.
https://www.juniper.net/techpubs/en_US/junos14.1/topics/example/bridging-vrf-ex-series.html

It looks to me like usergp1 and usergp2 are two distinct routing tables where the admin wanted to have different default routes.

Something where we want traffic to egress ISP link1 and then other traffic out from ISP link2.

Please let us know if you need more details.

Thank you.
 
pergr Commented:
In Cisco language, this configuration is part of Policy Based Routing.

There is probably a firewall list (ACL) applied to some interface or VLAN, which directs the traffic into these "instance-type forwarding" that will make a routing decision that is different than what the main routing table (inet.0) has.
 
leblanc Accounting Author Commented:
What confused me is that when I did the traceroute 4.2.2.2 source with a usergp2 IP address, I did not go through the 10.10.200.2 FW; rather, I was still going through the 10.10.10.2 FW. Am I missing something? I am not sure how to locate match-internal & match-external. Thanks

firewall {
    family inet {
...
        filter usergp2-internet {
            term match-internal {
                from {
                    destination-address {
                        10.10.28.0/24;
                    }
                }
                then accept;
            }
            term match-external {
                then {
                    routing-instance usergp2;
...

 
pergr Commented:
You need to have a firewall list saying that for the source address of that user you get 'next table usergp2', and that firewall list must be applied to an interface.

Obviously, 10.10.200.2 also needs to be reachable.
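
The pieces described in the answers above, put together as an added example that is not part of the original thread or the asker's switch: the filter steers traffic only once it is applied as an input filter on the interface where usergp2 traffic enters, and the rib-group is what makes 10.10.200.2 resolvable inside usergp2.inet.0. The interface name vlan.200 and the address 10.10.200.1/24 are assumptions; the thread shows neither.

```junos
/* Added example. vlan unit 200 and 10.10.200.1/24 are assumed values. */
firewall {
    family inet {
        filter usergp2-internet {
            /* Traffic to the internal subnet is accepted and routed by inet.0. */
            term match-internal {
                from {
                    destination-address {
                        10.10.28.0/24;
                    }
                }
                then accept;
            }
            /* Everything else is looked up in usergp2.inet.0. */
            term match-external {
                then {
                    routing-instance usergp2;
                }
            }
        }
    }
}
interfaces {
    vlan {
        unit 200 {
            family inet {
                /* Without this input filter, packets are routed by inet.0. */
                filter {
                    input usergp2-internet;
                }
                address 10.10.200.1/24;
            }
        }
    }
}
routing-options {
    /* Copies connected routes into each instance so that
       10.10.200.2 resolves as a next hop in usergp2.inet.0. */
    interface-routes {
        rib-group inet VRF-group;
    }
    rib-groups {
        VRF-group {
            import-rib [ inet.0 usergp1.inet.0 usergp2.inet.0 ];
        }
    }
}
```

The filter acts only on packets arriving on the interface it is applied to. With this in place, `show route table usergp2.inet.0` should list 10.10.200.0/24 as a direct route alongside the static default via 10.10.200.2.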