First, here's my setup:
We have an inter-link between two virtual-router instances known as SOC01 and SOC02.
Since I was lazy and didn't want to tear down my SRX for this post, I built 2 loopback interfaces, one in each virtual-router instance (SOC01 and SOC02).
These will be in our zone known as trust, while the inter-link interfaces are in my outside untrust zone. In reality, these could have been real physical interfaces for the LAN or 802.1q interfaces for LAN access.
I will set a static route in each VR instance for the remote loopback address, and we will test reachability from each VR instance to the opposite VR instance with a simple ping request.
LT-0/0/0 unit 1 18.104.22.168/30 ( VR-instance SOC01 )
LT-0/0/0 unit 1 22.214.171.124/30 ( VR-instance SOC02 )
Lo0.10 10.10.10.10/32 ( VR-instance SOC01 )
Lo0.20 10.10.10.20/32 ( VR-instance SOC02 )
NOTE: The LT interface is known as a logical tunnel and is a virtual interface by all means.
- all interfaces in an SRX must be in a named security-zone, including the logical tunnel interfaces
- you have to define the VR instance and apply the interfaces to that instance
- the logical tunnel interfaces are defined with ethernet encapsulation, so they have all the characteristics of an ethernet interface and use ARP
- all interfaces are in the default instance and route-table ( by default )
Okay, let's look at the cfg:
Finally, we will test from each VR instance to the opposite loopback with ICMP pings. If we had real LAN interfaces, we could have firewall policies to allow traffic to the local network hosts.
The logical tunnel interfaces help us by not requiring an external router or wasting precious real interfaces on our SRX to carry traffic between virtual-router instances. The traffic is carried locally within the SRX fabric.
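The rules in the note above (every interface in a named security-zone, every interface assigned to a VR instance) can be checked mechanically against a candidate configuration. This is an added example, not the post's configuration or Juniper tooling: the `audit` function, the RFC 5737 link addresses and the lt unit numbers 1 and 2 in the constructed sample are assumptions, and only the instance names, zone names and loopback addresses come from the post.

```python
import re

# Constructed sample in Junos "set" form; the link addresses (RFC 5737) and
# the lt unit numbers 1/2 are assumptions, not values taken from the post.
SAMPLE = """\
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 2
set interfaces lt-0/0/0 unit 1 family inet address 192.0.2.1/30
set interfaces lt-0/0/0 unit 2 encapsulation ethernet
set interfaces lt-0/0/0 unit 2 peer-unit 1
set interfaces lt-0/0/0 unit 2 family inet address 192.0.2.2/30
set interfaces lo0 unit 10 family inet address 10.10.10.10/32
set interfaces lo0 unit 20 family inet address 10.10.10.20/32
set routing-instances SOC01 instance-type virtual-router
set routing-instances SOC01 interface lt-0/0/0.1
set routing-instances SOC01 interface lo0.10
set routing-instances SOC01 routing-options static route 10.10.10.20/32 next-hop 192.0.2.2
set routing-instances SOC02 instance-type virtual-router
set routing-instances SOC02 interface lt-0/0/0.2
set routing-instances SOC02 interface lo0.20
set routing-instances SOC02 routing-options static route 10.10.10.10/32 next-hop 192.0.2.1
set security zones security-zone untrust interfaces lt-0/0/0.1
set security zones security-zone untrust interfaces lt-0/0/0.2
set security zones security-zone trust interfaces lo0.10
set security zones security-zone trust interfaces lo0.20
"""

def audit(config):
    """Return findings: units missing a security-zone, units left outside
    any VR instance, and lt peer-units that are not a matched pair."""
    units, zoned, in_vr, peer = set(), set(), {}, {}
    for line in config.splitlines():
        if m := re.match(r"set interfaces (\S+) unit (\d+)(?: peer-unit (\d+))?", line):
            ifl = f"{m[1]}.{m[2]}"          # logical interface, e.g. lt-0/0/0.1
            units.add(ifl)
            if m[3]:
                peer[ifl] = f"{m[1]}.{m[3]}"
        elif m := re.match(r"set routing-instances (\S+) interface (\S+)", line):
            in_vr[m[2]] = m[1]
        elif m := re.match(r"set security zones security-zone \S+ interfaces (\S+)", line):
            zoned.add(m[1])
    findings = [f"{u}: not in any security-zone" for u in sorted(units - zoned)]
    findings += [f"{u}: left in the default instance" for u in sorted(units - set(in_vr))]
    for a, b in sorted(peer.items()):
        if peer.get(b) != a:                # the far end must name this unit back
            findings.append(f"{a}: peer-unit {b} does not point back")
        elif a < b and in_vr.get(a) == in_vr.get(b):
            findings.append(f"{a} and {b}: both ends in one instance")
    return findings
```

An empty list from `audit(SAMPLE)` means all three checks pass; each finding names the logical interface to fix.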
I hope you found this post useful and saw how easily you can configure links between multiple virtual-router instances. You could easily configure a dynamic routing protocol such as BGP/OSPF between the various peers if required.
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
=( @ @ )=