SRX 340 - How to manage out-of-band fxp0 in a route-based, active/passive VPN-Cluster with static Routes

  • 1.  SRX 340 - How to manage out-of-band fxp0 in a route-based, active/passive VPN-Cluster with static Routes

    Posted 04-03-2019 02:49

    Hello everybody,

    Specification:

    Platform: SRX340

    Firmware: JUNOS Software Release [15.1X49-D160.2]

    route-based VPN

    Clustered Active/Passive

    Out-of-Band Management Interface (fxp0)

    At the moment I have a problem with the management concept on my SRX340 VPN cluster.

    Let's say I want NTP, SNMP, Syslog, TACACS+ all over the out-of-band management interface (fxp0). Besides the configuration of all this, there is a point when I must send the traffic to my destination. At this moment I must define a route to my target host/subnet.

    Because I want the secondary to be reachable too, I also configure something like this for all named services (NTP, SNMP, Syslog, TACACS+):

    set groups node0 system ntp source-address 10.10.10.194 (Source Address = Management-IP Device 1)
    set groups node1 system ntp source-address 10.10.10.195 (Source Address = Management-IP Device 2)
    set groups node0 system backup-router 10.10.10.1
    set groups node1 system backup-router 10.10.10.1
    set groups node0 system backup-router destination 10.10.100.0/24 (NTP Subnet)
    set groups node1 system backup-router destination 10.10.100.0/24 (NTP Subnet)

    (The secondary doesn't use the routing table, only the backup-router route.)

    Now I also want to configure my route-based tunnels. So more routes in the routing table and backup-router.

    Here comes the risk that one of my management subnets conflicts with a remote subnet.

    So how do I separate the routing tables? The best way would be a virtual routing instance, as far as I know.

    The only problem is that I read that you can't put the management in its own VR (with the firmware I use) without problems (e.g. with DHCP).

    In the end, I want to separate Trust+st0 in a VR, management in a VR, and maybe for untrust a VR, if this makes sense.

    Sadly I don't know which impact this has on the VPN tunnels in the future.

    Has someone experience with the problems here?

    Is there a good solution to separate the VRs, so that management and Trust+st0 routes don't interfere?

    Best Regards

    Muyo



  • 2.  RE: SRX 340 - How to manage out-of-band fxp0 in a route-based, active/passive VPN-Cluster with static Routes

    Posted 04-03-2019 03:31

    Hi Muyo,

    I would say keep the management in the default inet.0 and create VRs (trust/untrust) for LAN and VPN traffic.

    Regards,

    Rahul



  • 3.  RE: SRX 340 - How to manage out-of-band fxp0 in a route-based, active/passive VPN-Cluster with static Routes

    Posted 04-03-2019 05:14

    Hello rahulverma,

    so I just create two other VRs (Trust and Untrust) and let the default be. But I must define the source address for every service to the fxp0, so it will be routed by the default table?

    Then I move all interfaces in their respective VR and I'm done?

    I never worked with VR and I don't know if there are some particularities in combination with route-based VPN.

    As far as my understanding goes, after I created the two VRs and assigned the interfaces, I set a default route from trust VR to untrust VR, and in untrust VR I create a default route to the next gw. For the VPNs in Trust I set a route to the external intranet via st0.x.

    Is this for st0 enough, or do I need to set an extra route from st to untrust? (I think I don't get the exact VPN logic.)

    Best Regards

    Muyo



  • 4.  RE: SRX 340 - How to manage out-of-band fxp0 in a route-based, active/passive VPN-Cluster with static Routes
    Best Answer

    Posted 04-03-2019 10:38

    Hi Muyo,

    Please find your answer inline:

    [Muyo]
    so I just create two other VRs (Trust and Untrust) and let the default be. But I must define the source address for every service to the fxp0, so it will be routed by the default table?

    [Juniper] :- Yes, defining the source address is good but not mandatory, as default routing is from inet.0.

    [Muyo]
    Then I move all interfaces in their respective VR and I'm done?

    [Juniper] :- Yes.

    [Muyo]
    I never worked with VR and I don't know if there are some particularities in combination with route-based VPN.

    [Juniper] :- Don't worry, it is easy.

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-secure-tunnel-interface-in-a-virtual-router.html

    Note:- Go to "CLI Quick Configuration" for a basic example matching 70% of your requirement.

    [Muyo]
    As far as my understanding goes, after I created the two VRs and assigned the interfaces, I set a default route from trust VR to untrust VR, and in untrust VR I create a default route to the next gw. For the VPNs in Trust I set a route to the external intranet via st0.x.

    Is this for st0 enough, or do I need to set an extra route from st to untrust? (I think I don't get the exact VPN logic.)

    [Juniper] :- The default route from your trust VR can point to the untrust VR. Your VPN stays in the untrust VR (follow the Juniper example documentation pasted above). Keep it simple.



  • 5.  RE: SRX 340 - How to manage out-of-band fxp0 in a route-based, active/passive VPN-Cluster with static Routes

    Posted 04-04-2019 04:19

    Hello rahulverma,

    thank you for this link! I didn't find this via Google. This seems like I thought myself.

    So for my example I create VR-Trust and VR-Untrust.

    VPN and all st0 routes stay in Trust. I define a default route from Trust to Untrust. In Untrust I set a default route to the next-hop gateway.

    Management routes stay in default. So there should be no routing interference on the machine.

    Source address is for my case fine, since it's a cluster with two different management IPs defined, so I can say exactly which node tells me stories.

    Thank you for the clarification!

    Best Regards

    Muyo
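The design the thread converges on (management routes left in inet.0 with fxp0, a VR-Trust holding the LAN side and st0, a VR-Untrust holding the WAN side, and a default route handing VR-Trust traffic to the VR-Untrust table) as a minimal set of Junos commands. This is an added example, not configuration from the thread or from Juniper's documentation. Interface names (ge-0/0/1 for LAN, ge-0/0/0 for WAN, st0.0 for the tunnel), the remote prefix 192.0.2.0/24 and the ISP next hop 203.0.113.1 are placeholders; the management addressing reuses the values from the first post. Zone, IKE/IPsec and the per-node group statements from the first post are assumed to exist and are omitted here.

```junos
## Added example (placeholder names and prefixes), not the thread's own config.

## Management stays in the default table inet.0: fxp0 is NOT placed in any
## routing instance, so the route to the NTP subnet lives only here and cannot
## collide with prefixes learned or configured in VR-Trust / VR-Untrust.
## (On the secondary node the backup-router statements from the first post
## cover the same destination.)
set interfaces fxp0 unit 0 family inet address 10.10.10.194/24
set routing-options static route 10.10.100.0/24 next-hop 10.10.10.1

## VR-Trust: LAN interface plus the tunnel interface.
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 family inet
set routing-instances VR-Trust instance-type virtual-router
set routing-instances VR-Trust interface ge-0/0/1.0
set routing-instances VR-Trust interface st0.0
## Remote intranet behind the tunnel (placeholder prefix) is reached via st0.0.
set routing-instances VR-Trust routing-options static route 192.0.2.0/24 next-hop st0.0
## Everything else leaves VR-Trust by a lookup in the VR-Untrust table.
set routing-instances VR-Trust routing-options static route 0.0.0.0/0 next-table VR-Untrust.inet.0

## VR-Untrust: WAN interface and the default route to the ISP next hop (placeholder).
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30
set routing-instances VR-Untrust instance-type virtual-router
set routing-instances VR-Untrust interface ge-0/0/0.0
set routing-instances VR-Untrust routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
```

To confirm the separation after commit, inspect each table on its own: `show route table inet.0` should list only the fxp0 subnet and the management destinations, `show route table VR-Trust.inet.0` the LAN, the st0 prefix and the next-table default, and `show route table VR-Untrust.inet.0` the WAN subnet and the ISP default. A remote VPN prefix that overlaps a management subnet then appears only in VR-Trust.inet.0 and no longer affects how fxp0 traffic is routed.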