Interface must be in the same routing instance as other interfaces in the zone

  • 1.  Interface must be in the same routing instance as other interfaces in the zone

    Posted 04-10-2018 23:04

    Hi,

    Please find below configuration and error message and suggest alternate way to achieve the requirement.

    Same configuration is working fine in packet mode. We are trying to configure the same in flow mode.


    set interfaces ge-0/0/3 gigether-options redundant-parent reth0
    set interfaces ge-5/0/3 gigether-options redundant-parent reth0
    set interfaces reth0 vlan-tagging
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 unit 100 vlan-id 201
    set interfaces reth0 unit 100 family inet address 10.10.14.18/30
    set interfaces reth0 unit 105 vlan-id 452
    set interfaces reth0 unit 105 family inet address 10.10.20.18/30
    set security zones security-zone Untrust interfaces reth0.100
    set security zones security-zone Untrust interfaces reth0.105

    {primary:node0}[edit routing-instances]
    root# show
    Untrust {
        instance-type vrf;
        interface reth0.100;
        interface reth1.0;
        interface reth2.0;
    }

    set routing-instances Untrust route-distinguisher 12345:297
    set routing-instances Untrust vrf-target target:12345:130
    set routing-instances Untrust protocols bgp group Untrust_Airtel type external
    set routing-instances Untrust protocols bgp group Untrust_Airtel export Untrust_EXPORT
    set routing-instances Untrust protocols bgp group Untrust_Airtel peer-as 6789
    set routing-instances Untrust protocols bgp group Untrust_Airtel local-as 12345
    set routing-instances Untrust protocols bgp group Untrust_Airtel neighbor 192.168.160.1
    set routing-instances Untrust protocols bgp group Untrust1_ISP2 type external
    set routing-instances Untrust protocols bgp group Untrust1_ISP2 peer-as 34567
    set routing-instances Untrust protocols bgp group Untrust1_ISP2 local-as 12345
    set routing-instances Untrust protocols bgp group Untrust1_ISP2 neighbor 192.168.190.2


    {primary:node0}[edit]
    root# commit check
    [edit security zones security-zone Untrust]
      'interfaces reth0.105'
        Interface reth0.105 must be in the same routing instance as other interfaces in the zone
    error: configuration check-out failed




  • 2.  RE: Interface must be in the same routing instance as other interfaces in the zone

    Posted 02-07-2019 01:33

    Hi Nik_MH


    See article: https://kb.juniper.net/InfoCenter/index?page=content&id=KB26775


    I believe the issue is you have two interfaces in the same routing instance but in different security zones.


    From your config:

    1. you create reth0.100 and reth0.105 which are by default in the 'global' routing instance;

      - both interfaces in the same routing instance: OK

    2. next you place both reth0.100 and reth0.105 into the 'Untrust' security zone;

      - both interfaces in the same security zone: OK

    3. you then move reth0.100 to the 'Untrust' routing instance (which you obviously created);

      - both interfaces in different routing instances but same security zone: NOT OK


    JUNOS does not allow an interface to be in more than one security zone, and it does not allow one security zone to be associated (by its member interfaces) with more than one routing instance.


    I believe this is your problem.


    You must follow the one-to-many rule of association between interfaces, zones and v-routers:

    > 1-to-Many: one routing instance to one or more security zones (1:*)

    > 1-to-Many: one security zone to one or more [sub-]interfaces (1:*)

    By derivation, we then have:

    > 1-to-Many: one routing instance to one or more [sub-]interfaces (1:*)


    Another way of stating it is:

    - an interface may be a member of one and only one security zone, and a security zone may be a member of one and only one routing instance, therefore an interface may be a member of one and only one routing instance.


    Please let us know if that solves your problem 🙂


    As a side note, I would recommend having a naming convention that differentiates between routing instances and security zones, which will help reduce confusion when viewing the config.


    Hope that helps.
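As an added example (not from this thread or from Juniper), here is a small pre-commit lint in Python that applies the rule above to Junos "set" statements: it maps each zone's member interfaces to their routing instance and flags any zone whose members span more than one instance, which is exactly what the commit check rejected. The sample input re-expresses the original poster's configuration as set statements; the regexes, function names and the treatment of interfaces not listed under any routing-instance as members of the "default" (global) instance are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's configuration re-expressed as "set"
# statements. The "show" output under [edit routing-instances] is written
# here as the equivalent "set routing-instances Untrust interface ..." lines.
SAMPLE_CONFIG = """
set security zones security-zone Untrust interfaces reth0.100
set security zones security-zone Untrust interfaces reth0.105
set routing-instances Untrust instance-type vrf
set routing-instances Untrust interface reth0.100
set routing-instances Untrust interface reth1.0
set routing-instances Untrust interface reth2.0
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)(?:\s.*)?$")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)(?:\s.*)?$")

def parse_set_config(text):
    """Return (zone -> set of member interfaces, interface -> routing instance)."""
    zone_ifaces = defaultdict(set)
    iface_ri = {}
    for line in text.splitlines():
        m = ZONE_RE.match(line.strip())
        if m:
            zone_ifaces[m.group(1)].add(m.group(2))
            continue
        m = RI_RE.match(line.strip())
        if m:
            iface_ri[m.group(2)] = m.group(1)
    return zone_ifaces, iface_ri

def check_zone_routing_instances(text, default_ri="default"):
    """List zones whose member interfaces sit in different routing instances.
    An interface not placed in any routing-instance stays in the default
    (global) instance, which is why reth0.105 conflicts with reth0.100 here."""
    zone_ifaces, iface_ri = parse_set_config(text)
    problems = []
    for zone, ifaces in sorted(zone_ifaces.items()):
        by_ri = defaultdict(list)
        for iface in sorted(ifaces):
            by_ri[iface_ri.get(iface, default_ri)].append(iface)
        if len(by_ri) > 1:
            problems.append((zone, dict(by_ri)))
    return problems

if __name__ == "__main__":
    for zone, by_ri in check_zone_routing_instances(SAMPLE_CONFIG):
        print(f"zone {zone}: member interfaces span routing instances {by_ri}")
```

Adding "set routing-instances Untrust interface reth0.105" to the input (moving the second sub-interface into the same instance) makes the check return an empty list, matching the fix the reply describes.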