Configuring Multiple Default Routes on

Juniper SRX-100 using Routing Instances

Contents
Requirement ................................................................................................................................................. 3
Network Diagram .......................................................................................................................................... 3
Implementation ............................................................................................................................................ 3
WAN .......................................................................................................................................................... 4
LAN ............................................................................................................................................................ 4
Security Zones & Policies .......................................................................................................................... 5
Zone Interface Binding .............................................................................................................................. 6
Routing Instances ...................................................................................................................................... 6
DHCP and DNS within Routing Instance ................................................................................................... 7
References ................................................................................................................................................ 7

Requirement
Our client FAST NUCES required a 20Mbps VC link segregated into 15Mbps and 5Mbps respectively with
two separate default routes. Keeping this requirement in mind, two VLANs on a single fiber link were
dedicated for this purpose. However, segregation of VLAN traffic at client end was required and Juniper
SRX-100 was proposed.

Network Diagram

FAST-NUCES Internet Connectivity

20 Mbps

Mobilink BSD
Connectivity

SRX 100
MC

Fiber Link

Mobilink BSD
Fiber POP

Internet

FAST- Islamabad

Implementation
The aforementioned requirement of traffic segregation along with separate default routes can be
implemented by numerous methods. JunOS gives us the option of using multiple instances as per our
need. This document will focus on the implementation of this requirement using separate routing
instances which serve as individual virtual routers somewhat same as Ciscos vrf.

Fe-0/0/1 Fe0/0/4
Vlan.0
202.61.61.33/28
SRX100

LINK/ACT
ALARM STATUS

POWER

HA

RESET
CONFIG

USB

CONSOLE

0/0

0/1

0/2

0/3

10/100

0/4

0/5

0/6

0/7

Fe-0/0/5 Fe-0/0/7
Vlan.1
202.61.61.49/29

Fe-0/0/0
Unit0 (VLAN 67) 10.5.12.206/30
Unit1 (VLAN 68) 10.5.12.210/30

WAN
Let us start off by enabling vlan-tagging on WAN port to receive tagged traffic on SRX100.
set interfaces fe-0/0/0 vlan-tagging
Next, create sub-interfaces, configure vlan-id [vlan tag], and configure desired IP addresses.
set interfaces fe-0/0/0 unit 0 vlan-id 67
set interfaces fe-0/0/0 unit 0 family inet address 10.5.12.206/30
set interfaces fe-0/0/0 unit 1 vlan-id 68
set interfaces fe-0/0/0 unit 1 family inet address 10.5.12.210/30

LAN
Now move on to the LAN ports, for which 2 separate vlans or groups have been configured and binded
to 2 different logical interface groups [recall bgroups from Juniper SSG-5].
set vlans vlan-15mb vlan-id 15
set vlans vlan-15mb l3-interface vlan.0
set vlans vlan-5mb vlan-id 5
set vlans vlan-5mb l3-interface vlan.1
Bind your physical interfaces or LAN ports to these vlan groups and assign desired IP address on both
groups.
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-15mb
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-15mb

set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-15mb

set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-15mb
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-5mb
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-5mb
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-5mb
set interfaces vlan unit 0 family inet address 202.61.61.33/28
set interfaces vlan unit 1 family inet address 202.61.61.49/29

Security Zones & Policies

Two default security zones trust and untrust already exist. You need to create two new ones to place
your interfaces in respective zones and apply desired security policy on each. Since the device does not
allow placing interfaces binded to separate vlan groups in the same zone as it destroys the purpose of
keeping them separate. I have kept it simple and named the two new zones trust1 and untrust1.
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address
any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address
any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security policies from-zone trust1 to-zone untrust1 policy trust1-to-untrust1 match source-address
any
set security policies from-zone trust1 to-zone untrust1 policy trust1-to-untrust1 match destinationaddress any
set security policies from-zone trust1 to-zone untrust1 policy trust1-to-untrust1 match application any
set security policies from-zone trust1 to-zone untrust1 policy trust1-to-untrust1 then permit

set security policies from-zone untrust1 to-zone trust1 policy untrust1-to-trust1 match source-address
any
set security policies from-zone untrust1 to-zone trust1 policy untrust1-to-trust1 match destinationaddress any
set security policies from-zone untrust1 to-zone trust1 policy untrust1-to-trust1 match application any
set security policies from-zone untrust1 to-zone trust1 policy untrust1-to-trust1 then permit

Zone Interface Binding

LAN groups have been placed in zones trust and trust1, and WAN sub-interfaces in zones untrust and
untrust1 respectively. You may enable your desired system services for each security zone host-inboundtraffic.
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust1 interfaces vlan.1
set security zones security-zone trust1 host-inbound-traffic system-services all
set security zones security-zone untrust1 interfaces fe-0/0/0.1 host-inbound-traffic system-services all

Routing Instances
Create two routing instances with type as virtual router to separate the 15Mbps connectivity from
5Mbps, place WAN sub-interfaces and LAN vlan groups to their respective routing instance and
configure default route on each instance separately.
set routing-instances VC-15 instance-type virtual-router
set routing-instances VC-15 interface fe-0/0/0.0
set routing-instances VC-15 interface vlan.0
set routing-instances VC-15 routing-options static route 0.0.0.0/0 next-hop 10.5.12.205
set routing-instances VC-5 instance-type virtual-router
set routing-instances VC-5 interface fe-0/0/0.1
set routing-instances VC-5 interface vlan.1
set routing-instances VC-5 routing-options static route 0.0.0.0/0 next-hop 10.5.12.209

DHCP and DNS within Routing Instance

DHCP address assignments and DNS IPs can also be limited to a routing instance if required.
set routing-instances VC-15 access address-assignment pool pool15mb family inet network
202.61.61.32/28
set routing-instances VC-15 access address-assignment pool pool15mb family inet range DHCP15M
low 202.61.61.34
set routing-instances VC-15 access address-assignment pool pool15mb family inet range DHCP15M
high 202.61.61.46
set routing-instances VC-15 access address-assignment pool pool15mb family inet dhcp-attributes
name-server 210.2.177.6
set routing-instances VC-15 access address-assignment pool pool15mb family inet dhcp-attributes
name-server 210.2.185.6
set routing-instances VC-5 access address-assignment pool pool5mb family inet network
202.61.61.48/29
set routing-instances VC-5 access address-assignment pool pool5mb family inet range DHCP5M low
202.61.61.50
set routing-instances VC-5 access address-assignment pool pool5mb family inet range DHCP5M high
202.61.61.54
set routing-instances VC-5 access address-assignment pool pool5mb family inet dhcp-attributes nameserver 210.2.177.6
set routing-instances VC-5 access address-assignment pool pool5mb family inet dhcp-attributes nameserver 210.2.185.6

References
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16453
http://www.ebrahma.com/2015/04/virtual-router-configuration-srx/
http://www.juniper.net/documentation/en_US/junos12.1x47/topics/topic-map/dhcp-security-localserver.html