瞻博网络SRX防火墙路由配置

Question

I have a question about Juniper SRX firewall configuration, Running 11.4R7

My question is about routing table used while processing traffic passing through the firewall, I have routing configuration part of the routing-instances definition, and it looks like this :

set routing-instances Main-VR instance-type virtual-router
set routing-instances Main-VR interface reth0.0
set routing-instances Main-VR routing-options static route 10.80.90.0/27 next-hop 10.80.90.40

Then i could find another routing definition as

 routing-options    static route 10.62.170.190/32 next-hop 10.80.93.1
 routing-options    static route 10.62.170.0/24 next-hop 10.80.93.1
 routing-options    static route 10.61.105.0/26 next-hop 10.80.93.1
 routing-options    static route 10.66.65.103/32 next-hop 10.80.93.1

What's the difference between the two definitions? Are both active, i mean checked while traffic processing taking place? Or I could remove one of them

Answer 1

在set routing-options下定义的静态路由用于全局路由表，在set routing-instances Main-VR routing-options下定义的静态路由set routing-instances Main-VR routing-options用于虚拟路由器（主VR）。

Answer 2

routing-options static route 10.62.170.190/32 next-hop 10.80.93.1 could be removed, as routing-options static route 10.62.170.0/24 next-hop 10.80.93.1 already contains the 10.62.170.190/32 destination.

---

The rest would need to stay as they are destinations to individual networks or destinations. As a first step suggestion I would deactivate route 10.62.170.190/32 next-hop 10.80.93.1 , then test for connectivity to your end point destination before finally removing the item from your configuration.