Hello everybody,
Specification:
Platform: SRX340
Firmware: JUNOS Software Release [15.1X49-D160.2]
route-based VPN
Clustered Active/Passive
Out-of-Band Management Interface (fxp0)
At the moment I have a problem with the management concept on my SRX340 VPN cluster.
Let's say I want NTP, SNMP, Syslog and TACACS+ all over the out-of-band management interface (fxp0). Besides the configuration of all this, there is a point when I must send the traffic to my destination. At this moment I must define a route to my target host/subnet.
Because I want the secondary to be reachable too, I also configure something like this for all named services (NTP, SNMP, Syslog, TACACS+):
set groups node0 system ntp source-address 10.10.10.194 (Source Address = Management-IP Device 1)
set groups node1 system ntp source-address 10.10.10.195 (Source Address = Management-IP Device 2)
set groups node0 system backup-router 10.10.10.1
set groups node1 system backup-router 10.10.10.1
set groups node0 system backup-router destination 10.10.100.0/24 (NTP Subnet)
set groups node1 system backup-router destination 10.10.100.0/24 (NTP Subnet)
(The secondary doesn't use the routing table, only the backup-router route.)
Now I also want to configure my route-based tunnels, so more routes in the routing table and in backup-router.
Here comes the risk that one of my management subnets conflicts with a remote subnet.
So how do I separate the routing tables? The best way would be a virtual routing instance, as far as I know.
The only problem is that I read that you can't put the management in its own VR (with the firmware I use) without problems (e.g. with DHCP).
In the end, I want to separate trust+st0 in a VR, management in a VR, and maybe untrust in a VR, if this makes sense.
Sadly I don't know which impact this has on the VPN tunnels in the future.
Does someone have experience with the problems here?
Is there a good solution to separate the VRs so that management and trust+st0 routes don't interfere?
Best Regards
Muyo
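Added example of the separation asked about above (not the poster's configuration and not from Juniper documentation): fxp0 stays in the default instance (inet.0), so the management-in-its-own-VR issue is avoided, while every transit interface and st0 are moved into one virtual-router, so a remote subnet reachable via the tunnel can never collide with a management route. Interface names (reth0/reth1/st0.0), zone and VPN names, and all addresses are assumed placeholders; the IKE/IPsec proposals and policies are unchanged by the split and are omitted. The prefix 10.10.100.0/24 is deliberately used twice, once as the NTP subnet in inet.0 and once as a remote subnet behind st0.0, to show that the two tables do not interfere.

```junos
# --- Management plane: default instance (inet.0), fxp0 only ---------------
# Node-specific fxp0 addresses (apply-groups "${node}" is assumed to be set,
# as it normally is on a cluster).
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.10.194/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.10.195/24
# Only management destinations are routed in inet.0 (used by the primary node
# and by self-generated NTP/SNMP/Syslog/TACACS+ traffic, which sources from fxp0).
set routing-options static route 10.10.100.0/24 next-hop 10.10.10.1
# backup-router is what the secondary node uses, since it runs no routing;
# it now only needs the management subnets, not the tunnel/remote subnets.
set groups node0 system backup-router 10.10.10.1 destination 10.10.100.0/24
set groups node1 system backup-router 10.10.10.1 destination 10.10.100.0/24
set groups node0 system ntp source-address 10.10.10.194
set groups node1 system ntp source-address 10.10.10.195

# --- Transit plane: one virtual-router for untrust, trust and st0 ---------
set routing-instances VR-TRANSIT instance-type virtual-router
set routing-instances VR-TRANSIT interface reth0.0
set routing-instances VR-TRANSIT interface reth1.0
set routing-instances VR-TRANSIT interface st0.0
# Default route towards the Internet peer (untrust side)
set routing-instances VR-TRANSIT routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
# Remote subnet behind the route-based tunnel. Same prefix as the NTP subnet
# above, but it lives in VR-TRANSIT.inet.0, not in inet.0, so no conflict.
set routing-instances VR-TRANSIT routing-options static route 10.10.100.0/24 next-hop st0.0

# Interfaces and tunnel binding (st0 and its external interface may sit in
# different instances; here both are in VR-TRANSIT)
set interfaces reth0 unit 0 family inet address 192.0.2.2/24
set interfaces reth1 unit 0 family inet address 172.16.1.1/24
set interfaces st0 unit 0 family inet
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0
set security zones security-zone vpn interfaces st0.0
set security ike gateway GW-REMOTE external-interface reth0.0
set security ipsec vpn VPN-REMOTE bind-interface st0.0
set security ipsec vpn VPN-REMOTE ike gateway GW-REMOTE

# Verification: the two tables must each hold their own 10.10.100.0/24
#   show route table inet.0 10.10.100.0/24          -> next-hop 10.10.10.1 via fxp0.0
#   show route table VR-TRANSIT.inet.0 10.10.100.0/24 -> next-hop via st0.0
```

With this layout, adding further remote subnets only touches VR-TRANSIT and never the backup-router destinations, which is the usual reason for keeping management in inet.0 rather than in a dedicated VR on this release.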