SRX Routing Instances

If you are new to routing instances, ping may not behave the way you expect.

Routing instances can be thought of as containerization. Inside the container you can have interfaces, routes and policies, and those things are not visible outside the routing instance. This means you will have some extra hoops to jump through to accomplish the same things you would do on a device with a single route table.

We have a host on the other end of an IPsec tunnel, and that tunnel terminates inside a routing instance. We'd like to ping the host. Our first attempt, from a workstation on the network, looks like this:

[louisk@test1.example.com louisk 6 ]$ ping 10.10.220.4
PING 10.10.220.4 (10.10.220.4): 56 data bytes
64 bytes from 10.10.220.4: icmp_seq=0 ttl=62 time=86.134 ms
^C
--- 10.10.220.4 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 86.134/86.134/86.134/0.000 ms
[louisk@test1.example.com louisk 7 ]$

If we do the same thing on the SRX that terminates the tunnel, it fails:

{primary:node1}
louisk@srx340-2.example.com> ping count 1 10.10.220.4
PING 10.10.220.4 (10.10.220.4): 56 data bytes
^C
--- 10.10.220.4 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

{primary:node1}
louisk@srx340-2.example.com>

Is the tunnel up?

{primary:node1}
louisk@srx340-2.example.com> show security ipsec sa
node1:
--------------------------------------------------------------------------
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-256/None f98973ee 1460/ unlim U root 4500 192.168.20.84
  >131073 ESP:aes-gcm-256/None 60a9383b 1460/ unlim U root 4500 192.168.20.84

{primary:node1}
louisk@srx340-2.example.com>

Looks reasonable. So why doesn't ping work? Ping itself works fine; the problem is where the packet goes. The default route table has no route to that network: the only thing that matches 10.10.220.4 there is the default route, which points out the management interface fxp0.0, nowhere near the tunnel. I keep saying default route table. Why? A network device can have more than one route table. Yes, complicated. What does the route table look like?

{primary:node1}
louisk@srx340-2.example.com> show route

inet.0: 4 destinations, 5 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 18:34:17
                    > to 10.10.1.254 via fxp0.0
10.10.1.0/24       *[Direct/0] 18:34:17
                    > via fxp0.0
                    [Direct/0] 18:34:17
                    > via fxp0.0
10.10.1.225/32     *[Local/0] 45w4d 02:08:57
                      Local via fxp0.0
10.10.1.232/32     *[Local/0] 45w4d 02:08:57
                      Local via fxp0.0

ThroughTraffic.inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 45w4d 02:08:56
                    > to 172.16.15.126 via reth1.2
10.10.220.0/28     *[Static/5] 20:28:57
                    > via st0.5
10.10.250.248/29   *[Direct/0] 45w4d 02:08:57
                    > via reth0.1250
                    [Static/5] 45w4d 02:08:56
                    > to 10.10.250.254 via reth0.1250
10.10.250.250/32   *[Local/0] 45w4d 02:08:57
                      Local via reth0.1250
192.168.240.176/28 *[Static/5] 41w1d 00:22:23
                    > via st0.0
192.168.255.0/24   *[Direct/0] 20:28:57
                    > via st0.5
192.168.255.2/32   *[Local/0] 41w1d 00:47:43
                      Local via st0.5
172.16.15.0/25     *[Direct/0] 45w4d 02:08:57
                    > via reth1.2
172.16.15.118/32   *[Local/0] 45w4d 02:08:57
                      Local via reth1.2

inet6.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

::/0               *[Static/5] 18:34:06
                    > to 2001:db8:ca7:3:ffff:ffff:ffff:ffff via fxp0.0
2001:db8:ca7:3::/64
                   *[Direct/0] 18:34:06
                    > via fxp0.0
                    [Direct/0] 18:34:06
                    > via fxp0.0
2001:db8:ca7:3::225/128
                   *[Local/0] 28w1d 00:40:41
                      Local via fxp0.0
2001:db8:ca7:3::232/128
                   *[Local/0] 28w1d 00:40:41
                      Local via fxp0.0
fe80::2e21:31ff:fe54:7780/128
                   *[Local/0] 28w1d 00:40:41
                      Local via fxp0.0

ThroughTraffic.inet6.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

::/0               *[Static/5] 45w4d 02:08:56
                    > to 2001:db8:0:119::1 via reth1.2
2001:db8:0:119::/64
                   *[Direct/0] 45w4d 02:08:57
                    > via reth1.2
2001:db8:0:119::118/128
                   *[Local/0] 45w4d 02:08:57
                      Local via reth1.2
2001:db8:ca7::/48   *[Static/5] 28w1d 00:37:21
                    > to 2001:db8:ca7:250:ffff:ffff:ffff:ffff via reth0.1250
2001:db8:ca7:250::/64
                   *[Direct/0] 45w4d 02:08:57
                    > via reth0.1250
2001:db8:ca7:250::250/128
                   *[Local/0] 45w4d 02:08:57
                      Local via reth0.1250
fe80::210:db00:2ff:2001/128
                   *[Local/0] 45w4d 02:08:57
                      Local via reth1.2
fe80::210:db04:e2ff:2000/128
                   *[Local/0] 45w4d 02:08:57
                      Local via reth0.1250

{primary:node1}
louisk@srx340-2.example.com>

That's a lot. The default route table is inet.0 for IPv4 and inet6.0 for IPv6. What are the other route tables? They belong to non-default routing instances; here ThroughTraffic.inet.0 and ThroughTraffic.inet6.0 belong to an instance named ThroughTraffic. It's a kind of virtualization: a routing instance lets you create a container, as it were, and assign interfaces to it. Along with interfaces, you can set up routing in it, both static and dynamic. OK, what does the routing instance look like?

{primary:node1}
louisk@srx340-2.example.com> show configuration routing-instances ThroughTraffic | display set
set routing-instances ThroughTraffic instance-type virtual-router
set routing-instances ThroughTraffic interface reth0.1250
set routing-instances ThroughTraffic interface reth1.2
set routing-instances ThroughTraffic interface st0.0
set routing-instances ThroughTraffic interface st0.5
set routing-instances ThroughTraffic routing-options rib ThroughTraffic.inet6.0 static route 0::0/0 next-hop 2001:db8:0:119::1
set routing-instances ThroughTraffic routing-options rib ThroughTraffic.inet6.0 static route 2001:db8:ca7::/48 next-hop 2001:db8:ca7:250:ffff:ffff:ffff:ffff
set routing-instances ThroughTraffic routing-options static route 0.0.0.0/0 next-hop 172.16.15.126
set routing-instances ThroughTraffic routing-options static route 10.10.250.248/29 next-hop 10.10.250.254
set routing-instances ThroughTraffic routing-options static route 10.10.220.0/28 next-hop st0.5
set routing-instances ThroughTraffic routing-options static route 192.168.240.176/28 next-hop st0.0

{primary:node1}
louisk@srx340-2.example.com>

This one is pretty simple. It is a virtual-router instance with a pair of redundant Ethernet interfaces (reth0.1250 and reth1.2), two secure tunnel interfaces for IPsec (st0.0 and st0.5), and a small handful of static routes. Now we see that the network we're trying to reach, 10.10.220.0/28, is routed via st0.5 inside this routing instance, not in inet.0. If we want to communicate with this network from this device, we have to go through the routing instance. How do we do that? Tell ping to use the routing instance.

{primary:node1}
louisk@srx340-2.example.com> ping count 1 routing-instance ThroughTraffic 10.10.220.4
PING 10.10.220.4 (10.10.220.4): 56 data bytes

--- 10.10.220.4 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

{primary:node1}
louisk@srx340-2.example.com>

Why didn't this work? We used the routing instance. The catch is the source address. When you don't specify one, ping picks it for you, and here it ends up sourced from the "external" interface, reth1.2, whose address is 172.16.15.118. There is no working path between 172.16.15.118 and 10.10.220.4, so the echo reply never comes back and the ping fails. We need to specify the source ourselves. Let's try the address of the internal interface (reth0.1250), 10.10.250.250. If a source inside the instance still failed, the next things to check would be that the address falls within the tunnel's traffic selectors and that the far end has a route back to it.

{primary:node1}
louisk@srx340-2.example.com> ping count 1 routing-instance ThroughTraffic source 10.10.250.250 10.10.220.4
PING 10.10.220.4 (10.10.220.4): 56 data bytes
64 bytes from 10.10.220.4: icmp_seq=0 ttl=63 time=44.804 ms

--- 10.10.220.4 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 44.804/44.804/44.804/0.000 ms

{primary:node1}
louisk@srx340-2.example.com>

Success!
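The whole procedure above (find which table owns the destination, then ping in that instance with a source address the far end can reach) can be worked through mechanically. The following Python script is an added example and not code from the original post: it parses the text of a Junos `show route` into per-table route lists, does a longest-prefix match for the destination in every IPv4 table, and builds the ping command. The embedded sample input is a trimmed copy of the IPv4 tables shown above; the parser assumes Junos's standard `show route` layout (it does not handle the wrapped IPv6 prefix lines), and all function names are mine.

```python
"""Added example, not from the original post: which Junos route table owns a
destination, and what ping command reaches it from the SRX itself.

Assumes the standard `show route` text layout; skips inet6.0 tables.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: trimmed from the `show route` output in the post.
SHOW_ROUTE = """\
inet.0: 4 destinations, 5 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 18:34:17
                    > to 10.10.1.254 via fxp0.0
10.10.1.0/24       *[Direct/0] 18:34:17
                    > via fxp0.0
                    [Direct/0] 18:34:17
                    > via fxp0.0
10.10.1.225/32     *[Local/0] 45w4d 02:08:57
                      Local via fxp0.0

ThroughTraffic.inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 45w4d 02:08:56
                    > to 172.16.15.126 via reth1.2
10.10.220.0/28     *[Static/5] 20:28:57
                    > via st0.5
10.10.250.248/29   *[Direct/0] 45w4d 02:08:57
                    > via reth0.1250
10.10.250.250/32   *[Local/0] 45w4d 02:08:57
                      Local via reth0.1250
192.168.255.2/32   *[Local/0] 41w1d 00:47:43
                      Local via st0.5
172.16.15.118/32   *[Local/0] 45w4d 02:08:57
                      Local via reth1.2
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str    # Static, Direct, Local, ...
    interface: str   # egress interface of the first next hop
    active: bool     # '*' or '+' marker in front of [Proto/pref]


TABLE_RE = re.compile(r"^(\S+): \d+ destinations")
PREFIX_RE = re.compile(r"^(\S+/\d+)\s+([*+-]?)\[(\w+)/\d+\]")
VIA_RE = re.compile(r"via (\S+)")


def parse_show_route(text):
    """Return {table_name: [Route, ...]} parsed from `show route` text."""
    tables, routes, current = {}, None, None
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:                                   # "inet.0: N destinations, ..."
            routes = tables.setdefault(m.group(1), [])
            continue
        m = PREFIX_RE.match(line)
        if m and routes is not None:            # "prefix *[Proto/pref] age"
            current = Route(ipaddress.ip_network(m.group(1), strict=False),
                            m.group(3), "", m.group(2) in ("*", "+"))
            routes.append(current)
            continue
        m = VIA_RE.search(line)                 # "> to X via ifd" / "Local via ifd"
        if m and current is not None and not current.interface:
            current.interface = m.group(1)      # keep the first next hop only
    return tables


def lookup(routes, dest):
    """Longest-prefix match among active routes; None if nothing matches."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in routes if r.active and dest in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def resolve_everywhere(tables, dest):
    """Match dest in every IPv4 table: {table: (prefix, interface) or None}."""
    out = {}
    for name, routes in tables.items():
        if name.endswith("inet.0"):             # skip the inet6.0 tables
            r = lookup(routes, dest)
            out[name] = (str(r.prefix), r.interface) if r else None
    return out


def local_address(routes, interface):
    """The Local/0 (interface) address on `interface` in this table."""
    for r in routes:
        if r.protocol == "Local" and r.interface == interface:
            return str(r.prefix.network_address)
    return None


def ping_command(tables, dest, source_interface, count=1):
    """Ping in the table holding the most specific route to dest, sourced
    from source_interface's address in that same table."""
    best = None
    for name, hit in resolve_everywhere(tables, dest).items():
        if hit and (best is None or
                    ipaddress.ip_network(hit[0]).prefixlen > best[1].prefixlen):
            best = (name, ipaddress.ip_network(hit[0]))
    if best is None:
        raise LookupError(f"no route to {dest} in any table")
    name = best[0]
    cmd = f"ping count {count}"
    if name != "inet.0":                        # non-default routing instance
        cmd += f" routing-instance {name[:-len('.inet.0')]}"
    src = local_address(tables[name], source_interface)
    if src:
        cmd += f" source {src}"
    return f"{cmd} {dest}"


if __name__ == "__main__":
    t = parse_show_route(SHOW_ROUTE)
    for table, hit in resolve_everywhere(t, "10.10.220.4").items():
        print(f"{table:24} {hit}")
    print(ping_command(t, "10.10.220.4", "reth0.1250"))
```

Run against the sample, `resolve_everywhere` shows inet.0 matching only 0.0.0.0/0 via fxp0.0 while ThroughTraffic.inet.0 matches 10.10.220.0/28 via st0.5, and `ping_command` produces exactly the command that finally worked above. Picking the source interface is deliberately left to the caller: the route table alone cannot tell you which of the instance's addresses the far end can route back to.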
