SRX Routing Instances

17.04.2018 - Louis Kowolowski - ~5 Minutes

If you are new to routing instances, pinging may not behave as you expect.

Routing instances can be thought of as containerization. Inside the container you can have interfaces, routes and policies, and these things may not exist outside the routing instance. This means you will have some extra hoops to jump through to accomplish the same things you would do on a device without them.

We have a host on the other end of an IPsec tunnel that exists inside a routing instance that we’d like to ping. Our first attempt looks like this:

[louisk@test1.example.com louisk 6 ]$ ping 10.10.220.4
PING 10.10.220.4 (10.10.220.4): 56 data bytes
64 bytes from 10.10.220.4: icmp_seq=0 ttl=62 time=86.134 ms
^C
--- 10.10.220.4 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 86.134/86.134/86.134/0.000 ms
[louisk@test1.example.com louisk 7 ]$

If we do the same thing on the SRX that has the tunnel:

{primary:node1}
louisk@srx340-2.example.com> ping count 1 10.10.220.4
PING 10.10.220.4 (10.10.220.4): 56 data bytes
^C
--- 10.10.220.4 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
 
{primary:node1}
louisk@srx340-2.example.com>

Is the tunnel up?

{primary:node1}
louisk@srx340-2.example.com> show security ipsec sa
node1:
--------------------------------------------------------------------------
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-256/None f98973ee 1460/ unlim U root 4500 192.168.20.84
  >131073 ESP:aes-gcm-256/None 60a9383b 1460/ unlim U root 4500 192.168.20.84
 
{primary:node1}
louisk@srx340-2.example.com>

Looks reasonable. So why doesn’t ping work? Actually, ping does work: the packet is sent, but it is sent according to the default route table, and if we look there we’ll see that we in fact don’t have a route to that network in the default route table. I keep saying default route table. Why? Because a network device can have more than one route table. Yes, complicated. What do the route tables look like?

{primary:node1}
louisk@srx340-2.example.com> show route
 
inet.0: 4 destinations, 5 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
0.0.0.0/0          *[Static/5] 18:34:17
                    > to 10.10.1.254 via fxp0.0
10.10.1.0/24        *[Direct/0] 18:34:17
                    > via fxp0.0
                    [Direct/0] 18:34:17
                    > via fxp0.0
10.10.1.225/32      *[Local/0] 45w4d 02:08:57
                      Local via fxp0.0
10.10.1.232/32      *[Local/0] 45w4d 02:08:57
                      Local via fxp0.0
 
ThroughTraffic.inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
0.0.0.0/0          *[Static/5] 45w4d 02:08:56
                    > to 172.16.15.126 via reth1.2
10.10.220.0/28      *[Static/5] 20:28:57
                    > via st0.5
10.10.250.248/29    *[Direct/0] 45w4d 02:08:57
                    > via reth0.1250
                    [Static/5] 45w4d 02:08:56
                    > to 10.10.250.254 via reth0.1250
10.10.250.250/32    *[Local/0] 45w4d 02:08:57
                      Local via reth0.1250
192.168.240.176/28 *[Static/5] 41w1d 00:22:23
                    > via st0.0
192.168.255.0/24   *[Direct/0] 20:28:57
                    > via st0.5
192.168.255.2/32   *[Local/0] 41w1d 00:47:43
                      Local via st0.5
172.16.15.0/25   *[Direct/0] 45w4d 02:08:57
                    > via reth1.2
172.16.15.118/32 *[Local/0] 45w4d 02:08:57
                      Local via reth1.2
 
inet6.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
::/0               *[Static/5] 18:34:06
                    > to 2001:db8:ca7:3:ffff:ffff:ffff:ffff via fxp0.0
2001:db8:ca7:3::/64
                   *[Direct/0] 18:34:06
                    > via fxp0.0
                    [Direct/0] 18:34:06
                    > via fxp0.0
2001:db8:ca7:3::225/128
                   *[Local/0] 28w1d 00:40:41
                      Local via fxp0.0
2001:db8:ca7:3::232/128
                   *[Local/0] 28w1d 00:40:41
                      Local via fxp0.0
fe80::2e21:31ff:fe54:7780/128
                   *[Local/0] 28w1d 00:40:41
                      Local via fxp0.0
 
ThroughTraffic.inet6.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
::/0               *[Static/5] 45w4d 02:08:56
                    > to 2001:db8:0:119::1 via reth1.2
2001:db8:0:119::/64
                   *[Direct/0] 45w4d 02:08:57
                    > via reth1.2
2001:db8:0:119::118/128
                   *[Local/0] 45w4d 02:08:57
                      Local via reth1.2
2001:db8:ca7::/48   *[Static/5] 28w1d 00:37:21
                    > to 2001:db8:ca7:250:ffff:ffff:ffff:ffff via reth0.1250
2001:db8:ca7:250::/64
                   *[Direct/0] 45w4d 02:08:57
                    > via reth0.1250
2001:db8:ca7:250::250/128
                   *[Local/0] 45w4d 02:08:57
                      Local via reth0.1250
fe80::210:db00:2ff:2001/128
                   *[Local/0] 45w4d 02:08:57
                      Local via reth1.2
fe80::210:db04:e2ff:2000/128
                   *[Local/0] 45w4d 02:08:57
                      Local via reth0.1250
 
{primary:node1}
louisk@srx340-2.example.com>

That’s a lot. The default route table is inet.0 or inet6.0 (depending on whether you want to look at IPv4 or IPv6). What are the other routing tables? They belong to non-default routing instances. It’s a kind of virtualization: a routing instance allows you to create a container, as it were, and assign interfaces to it. Along with interfaces, you can set up routing (both static and dynamic) inside it. OK, what does the routing instance look like?

{primary:node1}
louisk@srx340-2.example.com> show configuration routing-instances ThroughTraffic | display set
set routing-instances ThroughTraffic instance-type virtual-router
set routing-instances ThroughTraffic interface reth0.1250
set routing-instances ThroughTraffic interface reth1.2
set routing-instances ThroughTraffic interface st0.0
set routing-instances ThroughTraffic interface st0.5
set routing-instances ThroughTraffic routing-options rib ThroughTraffic.inet6.0 static route 0::0/0 next-hop 2001:db8:0:119::1
set routing-instances ThroughTraffic routing-options rib ThroughTraffic.inet6.0 static route 2001:db8:ca7::/48 next-hop 2001:db8:ca7:250:ffff:ffff:ffff:ffff
set routing-instances ThroughTraffic routing-options static route 0.0.0.0/0 next-hop 172.16.15.126
set routing-instances ThroughTraffic routing-options static route 10.10.250.248/29 next-hop 10.10.250.254
set routing-instances ThroughTraffic routing-options static route 10.10.220.0/28 next-hop st0.5
set routing-instances ThroughTraffic routing-options static route 192.168.240.176/28 next-hop st0.0
 
{primary:node1}
louisk@srx340-2.example.com>

This one is pretty simple. It has a pair of redundant interfaces, some secure tunnel interfaces (IPsec), and a small handful of static routes. Now we see that the network we’re trying to reach actually belongs to this routing instance. If we want to communicate with this network from this device, we’ll have to go through the routing instance. How do we do that? Tell ping to use a routing-instance.

{primary:node1}
louisk@srx340-2.example.com> ping count 1 routing-instance ThroughTraffic 10.10.220.4
PING 10.10.220.4 (10.10.220.4): 56 data bytes
 
--- 10.10.220.4 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
 
{primary:node1}
louisk@srx340-2.example.com>

Why didn’t this work? We did use the routing instance. By default, traffic will be sourced from the address of the “external” interface. In this case, the external interface is reth1.2, which has an IP of 172.16.15.118. There is no path that starts at 172.16.15.118 and gets to 10.10.220.4, so the ping fails. We need to specify a source address to ping from. Let’s try the internal interface (reth0.1250) IP of 10.10.250.250.

{primary:node1}
louisk@srx340-2.example.com> ping count 1 routing-instance ThroughTraffic source 10.10.250.250 10.10.220.4
PING 10.10.220.4 (10.10.220.4): 56 data bytes
64 bytes from 10.10.220.4: icmp_seq=0 ttl=63 time=44.804 ms
 
--- 10.10.220.4 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 44.804/44.804/44.804/0.000 ms
 
{primary:node1}
louisk@srx340-2.example.com>

Success!
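The lookup we just did by eye, condensed into a script, as an added example that is not part of the original post: it parses the text form of Junos `show route` output, finds the longest-prefix match for a destination in every table, derives the routing-instance name from the table name, lists that instance's Local addresses as candidate ping sources, and builds the ping command. The embedded sample is a constructed, trimmed copy of the `show route` output above (same prefixes, next hops and interfaces); the function names are my own, and the parser assumes the output layout shown on this page. Note that inet.0 does produce a match, via its default route, which is exactly why the first ping "works" yet gets no reply.

```python
"""Which Junos routing table holds a route to a destination, and which local
addresses in that instance could serve as a ping source (added example)."""
import ipaddress
import re

# Constructed sample: an abbreviated copy of the 'show route' output above.
SAMPLE_SHOW_ROUTE = """\
inet.0: 4 destinations, 5 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 18:34:17
                    > to 10.10.1.254 via fxp0.0
10.10.1.0/24        *[Direct/0] 18:34:17
                    > via fxp0.0

ThroughTraffic.inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 45w4d 02:08:56
                    > to 172.16.15.126 via reth1.2
10.10.220.0/28      *[Static/5] 20:28:57
                    > via st0.5
10.10.250.248/29    *[Direct/0] 45w4d 02:08:57
                    > via reth0.1250
                    [Static/5] 45w4d 02:08:56
                    > to 10.10.250.254 via reth0.1250
10.10.250.250/32    *[Local/0] 45w4d 02:08:57
                      Local via reth0.1250
172.16.15.118/32 *[Local/0] 45w4d 02:08:57
                      Local via reth1.2

ThroughTraffic.inet6.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

::/0               *[Static/5] 45w4d 02:08:56
                    > to 2001:db8:0:119::1 via reth1.2
2001:db8:0:119::/64
                   *[Direct/0] 45w4d 02:08:57
                    > via reth1.2
"""

TABLE_HDR = re.compile(r"^(\S+): \d+ destinations")
ACTIVE_RT = re.compile(r"^(\S+)?\s*[*+]\[(\w+)/\d+\]")  # active routes only
NEXT_HOP = re.compile(r"^\s+(?:>\s+|Local\s+)?(?:to (\S+)\s+)?via (\S+)")


def parse_show_route(text):
    """Return {table: [(network, protocol, next_hop, interface), ...]}
    holding the active route (first next hop) of every prefix."""
    tables, table, pending, current = {}, None, None, None
    for line in text.splitlines():
        m = TABLE_HDR.match(line)
        if m:
            table, current = m.group(1), None
            tables[table] = []
            continue
        if re.fullmatch(r"\S+/\d+", line):  # long IPv6 prefix on its own line
            pending = line
            continue
        m = ACTIVE_RT.match(line)
        if m and table is not None:
            net = ipaddress.ip_network(m.group(1) or pending, strict=False)
            current = [net, m.group(2), None, None]
            tables[table].append(current)
            continue
        m = NEXT_HOP.match(line)
        if m and current is not None and current[3] is None:
            current[2], current[3] = m.group(1), m.group(2)
    return {t: [tuple(r) for r in rs] for t, rs in tables.items()}


def find_route(tables, destination):
    """Longest-prefix match for destination in every table that has one;
    a default route counts, which is what hides the problem in inet.0."""
    dst = ipaddress.ip_address(destination)
    hits = {}
    for table, routes in tables.items():
        cands = [r for r in routes if r[0].version == dst.version and dst in r[0]]
        if cands:
            hits[table] = max(cands, key=lambda r: r[0].prefixlen)
    return hits


def instance_of(table):
    """'ThroughTraffic.inet.0' -> 'ThroughTraffic'; 'inet.0' -> None (default)."""
    return table.split(".inet", 1)[0] if ".inet" in table else None


def local_addresses(tables, table):
    """Addresses of the table's Local routes: the candidate ping sources."""
    return [str(n.network_address) for n, proto, _, _ in tables[table] if proto == "Local"]


def ping_command(tables, destination, source=None):
    """Junos ping using the table with the most specific route, naming the
    routing instance that owns it (and a source address when given)."""
    hits = find_route(tables, destination)
    if not hits:
        raise ValueError(f"no route to {destination} in any table")
    table = max(hits, key=lambda t: hits[t][0].prefixlen)
    parts = ["ping", "count", "1"]
    if instance_of(table):
        parts += ["routing-instance", instance_of(table)]
    if source:
        parts += ["source", source]
    return " ".join(parts + [destination])


if __name__ == "__main__":
    rib = parse_show_route(SAMPLE_SHOW_ROUTE)
    for tbl, (net, proto, nh, ifc) in find_route(rib, "10.10.220.4").items():
        print(f"{tbl}: {net} [{proto}] next hop {nh or '-'} via {ifc}")
    print(ping_command(rib, "10.10.220.4", local_addresses(rib, "ThroughTraffic.inet.0")[0]))
```

The script picks the first Local address of the instance as the source, which here is 10.10.250.250 simply because of route order; it cannot know which of an instance's addresses the far end has a return path for, so treat the candidate list as the set to try, not as a verdict.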
