SRX

Hello everybody,

Specification:

Platform: SRX340

Firmware: JUNOS Software Release [15.1X49-D160.2]

route-based VPN

Clustered Active/Passive

Out-of-Band Management Interface (fxp0)

At the moment i have a Problem with the Management-Concept on my SRX340 VPN Cluster.

Let's say i want NTP, SNMP, Syslog, TACACS+ all over the out-of-band Management Interface(fxp0). Besides the Configuration of all this, there is a point, when i must send the Traffic to my Destination. At this moment i must define a Route to my Targethost/subnet.

Because i want the secondary to be reachable too, i also configure something like this for all named services (NTP, SNMP, Syslog, TACACS+)

set groups node0 system ntp source-address 10.10.10.194 (Source Address = Management-IP Device 1 )

set groups node1 system ntp source-address 10.10.10.195 (Source Address = Management-IP Device 2 )

set groups node0 system backup-router 10.10.10.1

set groups node1 system backup-router 10.10.10.1

set groups node0 system backup-router destination 10.10.100.0/24 (NTP Subnet)

set groups node1 system backup-router destination 10.10.100.0/24 (NTP Subnet)

(Secondary dont uses Routing Table, only backup-router route)

Now i also want to configure my route based tunnels.  So more Routes in routing-table and backup-router.

Here comes the risk, that one of my management subnets conflicts a remote subnet.

So how do i separate the routing tables? Best way would be a Virtual Routing Instance, as far as i know.

The only Problem is, that i read, that you cant put the Management in his own VR (with the Firmware i use), without Problems (e.g. with DHCP) .

In the end, i want to separate Trust+st0 in a VR, management in a VR, and maybe for untrust a VR, if this makes sense.

Sadly i dont know, which impact this has on the VPN Tunnels in the future

Has someone experiences with the problems here?

Is there a good solution to separate the VRs, so that management and Trust+st0 routes dont interfere?

Best Regards

Muyo

Hi Muyo, 

I would say keep the management in the default inet.0 and create vr's for the trust/untrust vr's for Lan and VPN traffic.

Regards,

Rahul

Hello rahulverma,

so i just create two other VRs (Trust and Untrust) and let the default be. But i must define the source address for every service to the fxp0, so it will be routed by default table?

Then i move all interfaces in their respective VR and i'm done?

I never worked with VR and i dont know if there are some particularities in combination with route-based VPN.

As far as my understanding goes, after i created the two VRs and assigned the interfaces, i set a default route from trust vr to untrust vr and in untrust vr, i create a default route to the next gw. For the VPNs in Trust i set a route to the external intranet via st0.x

Is this for st0 enought or do i need to set a extra route from st to untrust? (I think i dont get the exact vpn logic)

Best Regards

Muyo

Hi Muyo, 

Please find your answer inline:- 

[Muyo]

so i just create two other VRs (Trust and Untrust) and let the default be. But i must define the source address for every service to the fxp0, so it will be routed by default table?

[Juniper] :- yes, defining source address is good but not mandate as default routing is from inet.0

[Muyo]

Then i move all interfaces in their respective VR and i'm done?

[Juniper] :- Yes

[Muyo]

I never worked with VR and i dont know if there are some particularities in combination with route-based VPN.

[Juniper] :- Dont worry it is easy.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-secure-tunnel-interface-in-a-virtual-router.html

Note:- Go to "CLI Quick COnfiguration" for a basic example matching 70% of your requirement.

[Muyo]

As far as my understanding goes, after i created the two VRs and assigned the interfaces, i set a default route from trust vr to untrust vr and in untrust vr, i create a default route to the next gw. For the VPNs in Trust i set a route to the external intranet via st0.x

Is this for st0 enought or do i need to set a extra route from st to untrust? (I think i dont get the exact vpn logic)

[Juniper] : default route from your trust vr can point to untrust vr. Your VPN stays in untrust VR(follow juniper example documentation pasted above). Keep it simple.

Hello rahulverma,

thank you for this Link! I didn't find this via Google. This seems like i thought myself.

So for my Example i create VR-Trust and VR-Untrust.

VPN and all st0 Routes stay in Trust. I define a default Route from Trust to Untrust. In Untrust i set a default Route to the next-hop Gateway.

Management Routes stay in default. So there should be no Routing-Interference on the machine.

Source Address is for my Case fine, since its a cluster with two different Management-IPs defined, so i can exactly say, which Node tells me storys.

Thank you for the clarification!

Best Regards

Muyo