Before defining the VRs and Zones we need to address the interfaces:
root@host# set interfaces fe-0/0/0 unit 0 family inet address 15.243.192.103/26
root@host# set interfaces fe-0/0/1 unit 0 family inet address 172.16.201.1/24
I have created two custom VRs and two custom Zones in this example:
Untrust-VR and Trust-VR,
Untrust_Zone and Trust_Zone
Set the Virtual Routers
root@host# set routing-instances Untrust-VR instance-type virtual-router
root@host# set routing-instances Trust-VR instance-type virtual-router
Assign interfaces to VRs
root@host# set routing-instances Untrust-VR interface fe-0/0/0.0
root@host# set routing-instances Trust-VR interface fe-0/0/1.0
Creating Zones for the VRs
root@host# set security zones security-zone Trust_Zone
root@host# set security zones security-zone Trust_Zone interfaces fe-0/0/1.0
root@host# set security zones security-zone Untrust_Zone
root@host# set security zones security-zone Untrust_Zone interfaces fe-0/0/0.0
Note from Juniper: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16453
Note: Binding interfaces to zones is configured separately from binding interfaces to a virtual router (routing instance). The tasks to create a virtual router in JUNOS Software are slightly different from those in ScreenOS, where you would assign a zone to a virtual router and assign an interface to a zone.
Keep the following in mind when configuring virtual routers:
- VPN interfaces (st) are currently terminated only in zones that are assigned to inet.0.
- For self-initiated management traffic (for example, system logs and traps), route lookup starts with inet.0.
- Interfaces that are not explicitly members of any custom virtual router are members of inet.0.
Hi Jeremy,
Please, I need to configure VRs in Juniper SRX. Can you tell me how to do this? I keep your steps, but I don't know how I test it.
Thanks.