Policy is written from zone to zone, and zones are only indirectly related to routing instances, via the interface assignments and how the routing tables are seen by the actual traffic.
Security policies are tied to zones configured under:
security zones security-zone
Zones contain interfaces down to the sub-interface level:
security zones security-zone MY_ZONE_NAME interfaces ge-0/0/0.0
The interface can be assigned to a routing-instance, hence the indirect association from zone name to sub-interface to routing instance.
Policy is then chosen based on routing, from the ingress sub-interface to the egress sub-interface selected by the route lookup.
The zones that these interfaces are assigned to become the from-zone and to-zone match where we look for a security policy.
So, for the policy to apply, the interface must be assigned to the zone and to the desired routing instance.
And if the flows are crossing routing instances, then some method of exchanging or connecting the routes between the separate instances must be in place.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
------------------------------
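To make the chain "sub-interface -> routing instance" and "sub-interface -> zone -> policy" concrete, here is an added Junos configuration sketch for the three instances in the question. It is an illustration written for this reply, not configuration from either poster; the interface names, addresses (RFC 1918 / RFC 5737 ranges) and the route-leaking method (rib-group for the LAN subnets, next-table for the default route) are assumptions, and the source NAT rule set is deliberately left out so the zone/policy relationship stays in focus.

```junos
## Constructed example: interfaces, one unit each (the sub-interface level the zones reference)
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30      # upstream / internet
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24     # fixed LAN
set interfaces ge-0/0/2 unit 0 family inet address 192.168.20.1/24     # wireless LAN

## Routing instances own the sub-interfaces (this is the "indirect" link to a zone)
set routing-instances INTERNET-BREAKOUT instance-type virtual-router
set routing-instances INTERNET-BREAKOUT interface ge-0/0/0.0
set routing-instances INTERNET-BREAKOUT routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-instances LAN-FIXED instance-type virtual-router
set routing-instances LAN-FIXED interface ge-0/0/1.0
set routing-instances LAN-WIRELESS instance-type virtual-router
set routing-instances LAN-WIRELESS interface ge-0/0/2.0

## Route exchange between the instances (assumed method):
## - LAN instances reach the internet by handing the lookup to INTERNET-BREAKOUT's table
set routing-instances LAN-FIXED routing-options static route 0.0.0.0/0 next-table INTERNET-BREAKOUT.inet.0
set routing-instances LAN-WIRELESS routing-options static route 0.0.0.0/0 next-table INTERNET-BREAKOUT.inet.0
## - return traffic: leak the LAN connected routes into INTERNET-BREAKOUT.inet.0 with a rib-group
##   (first import-rib must be the instance's own primary table)
set routing-options rib-groups FIXED-TO-INET import-rib LAN-FIXED.inet.0
set routing-options rib-groups FIXED-TO-INET import-rib INTERNET-BREAKOUT.inet.0
set routing-instances LAN-FIXED routing-options interface-routes rib-group inet FIXED-TO-INET
set routing-options rib-groups WIRELESS-TO-INET import-rib LAN-WIRELESS.inet.0
set routing-options rib-groups WIRELESS-TO-INET import-rib INTERNET-BREAKOUT.inet.0
set routing-instances LAN-WIRELESS routing-options interface-routes rib-group inet WIRELESS-TO-INET

## Zones contain the same sub-interfaces; a zone is not configured "inside" a routing instance
set security zones security-zone INTERNET-BREAKOUT interfaces ge-0/0/0.0
set security zones security-zone LAN-FIXED interfaces ge-0/0/1.0
set security zones security-zone LAN-FIXED host-inbound-traffic system-services ping
set security zones security-zone LAN-WIRELESS interfaces ge-0/0/2.0
set security zones security-zone LAN-WIRELESS host-inbound-traffic system-services ping

## Policy is matched on ingress-zone -> egress-zone after the route lookup picks the egress sub-interface.
## A host on ge-0/0/1.0 going to the internet exits ge-0/0/0.0, so the pair is LAN-FIXED -> INTERNET-BREAKOUT.
set security policies from-zone LAN-FIXED to-zone INTERNET-BREAKOUT policy FIXED-OUT match source-address any
set security policies from-zone LAN-FIXED to-zone INTERNET-BREAKOUT policy FIXED-OUT match destination-address any
set security policies from-zone LAN-FIXED to-zone INTERNET-BREAKOUT policy FIXED-OUT match application any
set security policies from-zone LAN-FIXED to-zone INTERNET-BREAKOUT policy FIXED-OUT then permit
set security policies from-zone LAN-FIXED to-zone INTERNET-BREAKOUT policy FIXED-OUT then log session-close
set security policies from-zone LAN-WIRELESS to-zone INTERNET-BREAKOUT policy WIRELESS-OUT match source-address any
set security policies from-zone LAN-WIRELESS to-zone INTERNET-BREAKOUT policy WIRELESS-OUT match destination-address any
set security policies from-zone LAN-WIRELESS to-zone INTERNET-BREAKOUT policy WIRELESS-OUT match application any
set security policies from-zone LAN-WIRELESS to-zone INTERNET-BREAKOUT policy WIRELESS-OUT then permit
set security policies from-zone LAN-WIRELESS to-zone INTERNET-BREAKOUT policy WIRELESS-OUT then log session-close

## Nothing is written for LAN-FIXED <-> LAN-WIRELESS, so the default deny applies between the two LANs
## even though INTERNET-BREAKOUT holds routes to both; policy, not routing, decides that.
```

To confirm which zone pair a given flow actually hits, use the lookup the SRX itself performs: `show security match-policies from-zone LAN-FIXED to-zone INTERNET-BREAKOUT source-ip 192.168.10.50 destination-ip 198.51.100.10 protocol tcp source-port 40000 destination-port 443`, and check the egress choice with `show route table LAN-FIXED.inet.0 198.51.100.10`. If the route lookup resolves through a different sub-interface than expected, the to-zone (and therefore the policy) changes with it.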
Original Message:
Sent: 02-22-2021 19:34
From: Jack
Subject: Security Policies Between Routing Instance
Hello,
I am trying to learn how security policies work between different routing instances.
I have 3 routing instances:
LAN-FIXED
LAN-WIRELESS
INTERNET-BREAKOUT
LAN-FIXED and LAN-WIRELESS NAT to the INTERNET-BREAKOUT routing instance to reach the internet. There are also static routes in the INTERNET-BREAKOUT instance so that traffic can reach both LAN routing instances. Connectivity is working and I have created security zones inside each routing instance with the same name.
If I have a flow destined for the internet, will the security policy need to be:
from zone LAN-FIXED to zone INTERNET-BREAKOUT
from zone LAN-WIRELESS to zone INTERNET-BREAKOUT
or have I misunderstood this?
Thanks.
------------------------------
Jack
------------------------------