Reputation: 1
Juniper SRX firewall routing configuration
I have a question about Juniper SRX firewall configuration, Running 11.4R7
My question is about routing table used while processing traffic passing through the firewall, I have routing configuration part of the routing-instances definition, and it looks like this :
set routing-instances Main-VR instance-type virtual-router
set routing-instances Main-VR interface reth0.0
set routing-instances Main-VR routing-options static route 10.80.90.0/27 next-hop 10.80.90.40
Then i could find another routing definition as
routing-options static route 10.62.170.190/32 next-hop 10.80.93.1
routing-options static route 10.62.170.0/24 next-hop 10.80.93.1
routing-options static route 10.61.105.0/26 next-hop 10.80.93.1
routing-options static route 10.66.65.103/32 next-hop 10.80.93.1
What’s the difference between the two definitions? Are both active, i mean checked while traffic processing taking place? Or I could remove one of them
Upvotes: 0
Views: 1385
Answers (3)
Reputation: 11
set routing-instances Main-VR interface reth0.0
set routing-instances Main-VR routing-options static route 10.80.90.0/27 next-hop 10.80.90.40
The routes in the first example are in a separate Routing Instance, which means that the routing table is different from the main one, where I would assume you got these routes from:
routing-options static route 10.62.170.0/24 next-hop 10.80.93.1
routing-options static route 10.61.105.0/26 next-hop 10.80.93.1
routing-options static route 10.66.65.103/32 next-hop 10.80.93.1
If you check each routing tables via:
show route table Main-VR.inet.0
Those would be different from show route table inet.0 as both of them are logically separated and cannot communicate with each other.
You can make them communicate via RIB but thats another topic.
Also if you delete them from the main routing instance, you might have some other problems, so best of all before deleting anything make sure that it is not used.
Upvotes: 0
Reputation: 1
routing-options static route 10.62.170.190/32 next-hop 10.80.93.1 could be removed, as routing-options static route 10.62.170.0/24 next-hop 10.80.93.1 already contains the 10.62.170.190/32 destination.
The rest would need to stay as they are destinations to individual networks or destinations. As a first step suggestion I would deactivate route 10.62.170.190/32 next-hop 10.80.93.1, then test for connectivity to your end point destination before finally removing the item from your configuration.
Upvotes: 0
Reputation: 500
Static routes defined under set routing-options are for Global Routing Table and the ones defined under set routing-instances Main-VR routing-options are for the Virtual Router(Main VR).
Upvotes: 1
Related Questions
- Where does PostgreSQL store configuration/conf files?
- How to define custom configuration variables in Rails?
- Send data through routing paths in Angular
- Cloud Run static outbound IP address does not go through Google App Engine firewall
- Cannot access internet from clients behind Juniper Firewall SRX300
- Juniper firewall configuration file to dictionary
- Multiple VPC static default route & selection criteria