admin@128t-5-R2-node1.128t-5-R2# show fib
Tue 2022-10-18 11:45:26 UTC
Retrieving fib entries...
Entry Count: 67
Capacity: 23472
==================== ====== ======= ========== ===== ========================= ============= ======== ========
IP Prefix Port Proto Tenant VRF Service Next Hops Vector Cost
==================== ====== ======= ========== ===== ========================= ============= ======== ========
0.0.0.0/0 0 None corp - internet 192.168.1.1 - 999999
0.0.0.0/8 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
127.0.0.0/8 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
169.254.127.126/31 0 None corp - internet 192.168.1.1 - 999999
169.254.127.126/32 0 IGMP <global> - <ControlMessageService> None - -
OSPF <global> - <ControlMessageService> None - -
179 TCP <global> - <ControlMessageService> None - -
169.254.130.1/32 0 None corp - internet 192.168.1.1 - 999999
IGMP <global> - <ControlMessageService> None - -
OSPF <global> - <ControlMessageService> None - -
179 TCP <global> - <ControlMessageService> None - -
169.254.130.2/32 0 None corp - internet 192.168.1.1 - 999999
IGMP <global> - <ControlMessageService> None - -
OSPF <global> - <ControlMessageService> None - -
179 TCP <global> - <ControlMessageService> None - -
169.254.130.3/32 0 None corp - internet 192.168.1.1 - 999999
IGMP <global> - <ControlMessageService> None - -
OSPF <global> - <ControlMessageService> None - -
179 TCP <global> - <ControlMessageService> None - -
169.254.130.4/32 0 None corp - internet 192.168.1.1 - 999999
IGMP <global> - <ControlMessageService> None - -
OSPF <global> - <ControlMessageService> None - -
179 TCP <global> - <ControlMessageService> None - -
192.0.0.0/24 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
192.0.0.8/32 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
192.0.0.170/32 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
192.0.0.171/32 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
192.0.2.0/24 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
192.168.1.0/24 0 None corp - internet 192.168.1.1 - 999999
192.168.1.250/32 0 IGMP corp - <ControlMessageService> None - -
OSPF corp - <ControlMessageService> None - -
179 TCP corp - <ControlMessageService> None - -
192.168.11.0/24 0 None corp - internet 192.168.1.1 - 999999
192.168.11.1/32 0 IGMP corp - <ControlMessageService> None - -
OSPF corp - <ControlMessageService> None - -
179 TCP corp - <ControlMessageService> None - -
192.168.12.0/24 0 None corp - internet 192.168.1.1 - 999999
192.168.12.1/32 0 IGMP corp - <ControlMessageService> None - -
OSPF corp - <ControlMessageService> None - -
179 TCP corp - <ControlMessageService> None - -
192.168.13.0/24 0 None corp - internet 192.168.1.1 - 999999
192.168.13.1/32 0 IGMP corp - <ControlMessageService> None - -
OSPF corp - <ControlMessageService> None - -
Display [n]ext page or [q]uit? [N/q]: n
================= ====== ======= ========== ===== ========================= ============= ======== ========
IP Prefix Port Proto Tenant VRF Service Next Hops Vector Cost
================= ====== ======= ========== ===== ========================= ============= ======== ========
192.168.13.1/32 179 TCP corp - <ControlMessageService> None - -
192.168.14.0/24 0 None corp - internet 192.168.1.1 - 999999
192.168.14.1/32 0 IGMP corp - <ControlMessageService> None - -
OSPF corp - <ControlMessageService> None - -
179 TCP corp - <ControlMessageService> None - -
198.51.100.0/24 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
203.0.113.0/24 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
224.0.0.0/3 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
224.0.0.1/32 0 IGMP <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
224.0.0.5/32 0 OSPF <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
224.0.0.6/32 0 OSPF <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
Completed in 0.08 seconds
------------------------------
JOHN
------------------------------
Original Message:
Sent: 10-18-2022 10:32
From: JOHN BIZE
Subject: Simplest SSR routing problem
Thanks again Sheetanshu. I posted the "after" "show fib" once yesterday and twice today. I don't know why it isn't being posted.
------------------------------
JOHN
Original Message:
Sent: 10-18-2022 01:17
From: Sheetanshu Shekhar
Subject: Simplest SSR routing problem
Thanks, John.
I think the "show fib" output after the suggested change is missing (or did I miss seeing it? :) )
The FIB table in SSR is created not just for the destination address (as in traditional routers); the source (or the tenant) is also essential in creating a FIB entry in SSR. In the "before" fib output, the internet service for the address 0/0 exists only for the global tenant and not for the corp tenant. The packets hitting the LAN interface of the SSR are identified as traffic from the "corp" tenant (as per your config). If there is no entry in the FIB for the corp tenant, the SSR will drop the packet.
In the "after" fib, an entry for the "corp" tenant for internet services should exist. The session created for the internet traffic should also show the matched tenant and the service.
Hope this helps.
Regards
Sheetanshu
------------------------------
Sheetanshu Shekhar
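The tenant-scoped lookup described in the reply above, as an added sketch that is not part of the thread and not Juniper code: it parses `show fib` text (continuation rows inherit the prefix, port and protocol of the row above) and answers whether a tenant has a forwarding entry for a destination. The function names and the simplified matching (any-protocol entries only, longest prefix wins) are assumptions made for illustration.

```python
import ipaddress

COLS = "prefix port proto tenant vrf service next_hop vector cost".split()

def parse_fib(text):
    """Parse `show fib` rows; continuation rows inherit omitted leading cells."""
    rows, prev = [], None
    for line in text.splitlines():
        tok = line.split()
        # Data rows have 6-9 cells and end in a cost of "-" or digits; this
        # skips the banner, separator, header and pager-prompt lines.
        if not 6 <= len(tok) <= 9 or not (tok[-1] == "-" or tok[-1].isdigit()):
            continue
        missing = len(COLS) - len(tok)
        if missing and prev is None:
            continue  # continuation row with nothing to inherit from
        row = dict(zip(COLS[missing:], tok))
        row.update({c: prev[c] for c in COLS[:missing]})
        rows.append(row)
        prev = row
    return rows

def _net(row):
    return ipaddress.ip_network(row["prefix"], strict=False)

def lookup(rows, tenant, dest):
    """Simplified model: longest-prefix match over one tenant's entries."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in rows if r["tenant"] == tenant
            and r["proto"] == "None" and ip in _net(r)]
    return max(hits, key=lambda r: _net(r).prefixlen, default=None)

def verdict(fib_text, tenant, dest):
    hit = lookup(parse_fib(fib_text), tenant, dest)
    return f"{hit['service']} via {hit['next_hop']}" if hit else "drop"

# Rows abridged from the thread's "before" output; AFTER applies its one change.
BEFORE = """\
0.0.0.0/0 0 None <global> - internet 192.168.1.1 - 999999
0.0.0.0/8 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
192.168.11.1/32 0 IGMP corp - <ControlMessageService> None - -
OSPF corp - <ControlMessageService> None - -
179 TCP corp - <ControlMessageService> None - -
"""
AFTER = BEFORE.replace("None <global> - internet", "None corp - internet")

if __name__ == "__main__":
    print(verdict(BEFORE, "corp", "8.8.8.8"), "|", verdict(AFTER, "corp", "8.8.8.8"))
```
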
Original Message:
Sent: 10-17-2022 14:33
From: JOHN BIZE
Subject: Simplest SSR routing problem
Thanks. I believe that worked. I am attaching the before and after show fib, as well as the updated running configuration.
Before:
admin@128t-5-R2-node1.128t-5-R2# show fib
Mon 2022-10-17 15:02:43 UTC
Retrieving fib entries...
Entry Count: 67
Capacity: 23472
==================== ====== ======= ========== ===== ========================= ============= ======== ========
IP Prefix Port Proto Tenant VRF Service Next Hops Vector Cost
==================== ====== ======= ========== ===== ========================= ============= ======== ========
0.0.0.0/0 0 None <global> - internet 192.168.1.1 - 999999
0.0.0.0/8 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
127.0.0.0/8 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
169.254.127.126/31 0 None <global> - internet 192.168.1.1 - 999999
169.254.127.126/32 0 IGMP <global> - <ControlMessageService> None - -
OSPF <global> - <ControlMessageService> None - -
179 TCP <global> - <ControlMessageService> None - -
169.254.130.1/32 0 None <global> - internet 192.168.1.1 - 999999
IGMP <global> - <ControlMessageService> None - -
OSPF <global> - <ControlMessageService> None - -
179 TCP <global> - <ControlMessageService> None - -
169.254.130.2/32 0 None <global> - internet 192.168.1.1 - 999999
IGMP <global> - <ControlMessageService> None - -
OSPF <global> - <ControlMessageService> None - -
179 TCP <global> - <ControlMessageService> None - -
169.254.130.3/32 0 None <global> - internet 192.168.1.1 - 999999
IGMP <global> - <ControlMessageService> None - -
OSPF <global> - <ControlMessageService> None - -
179 TCP <global> - <ControlMessageService> None - -
169.254.130.4/32 0 None <global> - internet 192.168.1.1 - 999999
IGMP <global> - <ControlMessageService> None - -
OSPF <global> - <ControlMessageService> None - -
179 TCP <global> - <ControlMessageService> None - -
192.0.0.0/24 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
192.0.0.8/32 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
192.0.0.170/32 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
192.0.0.171/32 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
192.0.2.0/24 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
192.168.1.0/24 0 None <global> - internet 192.168.1.1 - 999999
192.168.1.250/32 0 IGMP corp - <ControlMessageService> None - -
OSPF corp - <ControlMessageService> None - -
179 TCP corp - <ControlMessageService> None - -
192.168.11.0/24 0 None <global> - internet 192.168.1.1 - 999999
192.168.11.1/32 0 IGMP corp - <ControlMessageService> None - -
OSPF corp - <ControlMessageService> None - -
179 TCP corp - <ControlMessageService> None - -
192.168.12.0/24 0 None <global> - internet 192.168.1.1 - 999999
192.168.12.1/32 0 IGMP corp - <ControlMessageService> None - -
OSPF corp - <ControlMessageService> None - -
179 TCP corp - <ControlMessageService> None - -
192.168.13.0/24 0 None <global> - internet 192.168.1.1 - 999999
192.168.13.1/32 0 IGMP corp - <ControlMessageService> None - -
OSPF corp - <ControlMessageService> None - -
Display [n]ext page or [q]uit? [N/q]: y
Input must be 'next', 'quit', 'n', or 'q'
Display [n]ext page or [q]uit? [N/q]: next
================= ====== ======= ========== ===== ========================= ============= ======== ========
IP Prefix Port Proto Tenant VRF Service Next Hops Vector Cost
================= ====== ======= ========== ===== ========================= ============= ======== ========
192.168.13.1/32 179 TCP corp - <ControlMessageService> None - -
192.168.14.0/24 0 None <global> - internet 192.168.1.1 - 999999
192.168.14.1/32 0 IGMP corp - <ControlMessageService> None - -
OSPF corp - <ControlMessageService> None - -
179 TCP corp - <ControlMessageService> None - -
198.51.100.0/24 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
203.0.113.0/24 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
224.0.0.0/3 0 None <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
224.0.0.1/32 0 IGMP <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
224.0.0.5/32 0 OSPF <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
224.0.0.6/32 0 OSPF <global> - <ControlMessageService> None - -
corp - <ControlMessageService> None - -
Completed in 0.22 seconds
admin@128t-5-R2-node1.128t-5-R2# show config
candidate exports running version
admin@128t-5-R2-node1.128t-5-R2# show config running
config
    authority
        name SSR-Demo
        router 128t-5-R2
            name 128t-5-R2
            location MD
            location-coordinates +39.15326988575326-076.72836327415992/
            node 128t-5-R2-node1
                name 128t-5-R2-node1
                device-interface wan-1
                    name wan-1
                    pci-address 0000:02:08.0
                    network-interface wan-1
                        name wan-1
                        global-id 5
                        neighborhood internet
                            name internet
                        exit
                        tenant corp
                        tenant-prefixes corp
                            tenant corp
                        exit
                        inter-router-security internal
                        source-nat true
                        dhcp v4
                    exit
                exit
                device-interface lan-1
                    name lan-1
                    pci-address 0000:02:05.0
                    capture-filter "udp port 53"
                    network-interface net-int-1
                        name net-int-1
                        global-id 1
                        neighborhood internet
                            name internet
                        exit
                        tenant corp
                        tenant-prefixes corp
                            tenant corp
                        exit
                        inter-router-security internal
                        source-nat false
                        address 192.168.11.1
                            ip-address 192.168.11.1
                            prefix-length 24
                            gateway 192.168.11.1
                            host-service dhcp-server
                                service-type dhcp-server
                                address-pool 192.168.11.120
                                    start-address 192.168.11.120
                                    end-address 192.168.11.150
                                    router 192.168.11.1
                                    domain-server 192.168.11.1
                                exit
                            exit
                        exit
                        dhcp disabled
                    exit
                exit
                device-interface lan-2
                    name lan-2
                    pci-address 0000:02:06.0
                    network-interface net-int-2
                        name net-int-2
                        global-id 2
                        tenant corp
                        address 192.168.12.1
                            ip-address 192.168.12.1
                            prefix-length 24
                            gateway 192.168.12.1
                            host-service dhcp-server
                                service-type dhcp-server
                                address-pool 192.168.12.120
                                    start-address 192.168.12.120
                                    end-address 192.168.12.200
                                    router 192.168.12.1
                                    interface-mtu 1500
                                    domain-server 192.168.12.1
                                exit
                            exit
                        exit
                    exit
                exit
                device-interface lan-3
                    name lan-3
                    pci-address 0000:02:07.0
                    network-interface net-int-3
                        name net-int-3
                        global-id 3
                        tenant corp
                        address 192.168.13.1
                            ip-address 192.168.13.1
                            prefix-length 24
                            gateway 192.168.13.1
                            host-service dhcp-server
                                service-type dhcp-server
                                address-pool 192.168.13.120
                                    start-address 192.168.13.120
                                    end-address 192.168.13.150
                                    router 192.168.13.1
                                exit
                            exit
                        exit
                    exit
                exit
                device-interface lan-4
                    name lan-4
                    pci-address 0000:02:04.0
                    network-interface net-int-4
                        name net-int-4
                        global-id 4
                        tenant corp
                        address 192.168.14.1
                            ip-address 192.168.14.1
                            prefix-length 24
                            gateway 192.168.14.1
                            host-service dhcp-server
                                service-type dhcp-server
                                address-pool 192.168.14.120
                                    start-address 192.168.14.120
                                    end-address 192.168.14.150
                                    router 192.168.14.1
                                exit
                            exit
                        exit
                    exit
                exit
            exit
            service-route internet-route
                name internet-route
                service-name internet
                next-hop 128t-5-R2-node1 wan-1
                    node-name 128t-5-R2-node1
                    interface wan-1
                exit
            exit
        exit
        tenant corp
            name corp
            member internet
                neighborhood internet
            exit
        exit
        service internet
            name internet
            description "The "default route" service"
            scope private
            security internal
            address 0.0.0.0/0
            access-policy corp
                source corp
            exit
            service-policy internet-policy
            source-nat network-interface
        exit
        service-policy internet-policy
            name internet-policy
            vector internet-vector
                name internet-vector
            exit
            transport-state-enforcement reset
        exit
        mist-wan-assurance
            enabled false
        exit
    exit
exit
------------------------------
JOHN
Original Message:
Sent: 10-17-2022 05:42
From: Sheetanshu Shekhar
Subject: Simplest SSR routing problem
Hi,
a) What is the tenant associated with the LAN interface?
b) What is the configuration of the "internet" service, and which tenant is allowed access to the service?
c) Does a session get created when the internet traffic is attempted from the LAN client? If so, what is the egress interface for this session?
d) Can the LAN client resolve the hostnames through the configured DNS (nslookup)?
Is it possible to share the configuration of the SSR from CLI?
Regards
Sheetanshu
------------------------------
Sheetanshu Shekhar
Original Message:
Sent: 10-14-2022 10:15
From: Anonymous User
Subject: Simplest SSR routing problem
This message was posted by a user wishing to remain anonymous
I am a software developer; a little weak in the network administrator area. I have set up a standalone SSR (no conductor, no HA peer) on my laptop in a VMware Workstation VM. I have one designated WAN port that connects via DHCP to my company LAB network LAN (192.168.5.1/24). I have taken another LAN port and configured it with a DHCP server (192.168.11.1/24). I plugged another device into the LAN port, and it auto-configured with an IP, gateway, route/default route, and DNS resolver. The LAN device can ping its DNS server (192.168.11.1), but I want it to be able to get out to the internet.
So, following the setup instructions here (https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/intro_basic_router_config/), I set up the "internet" service route and applied the other assignments as described (adjusting for my naming differences).
However, my LAN test device is not routed out the WAN to the internet.
I believe this is the simplest possible configuration. Can anyone help me with this? I'd also love some troubleshooting tips.
Thanks.