SRX


Logical tunnel, static route, policies and isis

  • 1.  Logical tunnel, static route, policies and isis

     
    Posted 01-12-2018 02:22

    Hi, it's me again.... apologies 🙂

     

    I hope I explain what the issue is as best I can without a network diagram.....

    I have a RADIUS attached to the SRX via 2 connections. One connection is for normal ppp traffic and one connection is for communication ONLY to the other SRX. The SRX physical ports we can state as ge-0/0/2 for ppp connection and ge-0/0/1 for the back to back. The connection to the data network will be ae2. I have created 3 routing-instances and 2 logical tunnels as lt-0/0/0.1, .2, .3 and .4 (1 and 2 are peers, and 3 and 4 are peers).... as per below:

    Customer-VR - ae2, lt-0/0/0.1 and lt-0/0/0.3 (also within isis on the VR)

    NineGroup-VR - ge-0/0/2 and lt-0/0/0.2 (also within isis on the VR)

    NineGroupBTB-VR - ge-0/0/1 and lt-0/0/0.4 (also within isis on the VR)

     

    I have created 3 zones called:

    Customer-Network 

    NineGroup-DMZ

    NineGroup-BTB

     

    I have assigned the correct interfaces to the Zones and have created the policies.

     

    I wanted to check that we have data separation throughout the network with regards to routing so changed the NineGroup-BTB policies to only allow ping from one RADIUS BTB interface to the other RADIUS BTB interface. The ping fails but the strange thing is as follows:

     

    When I look at routing for RADIUS 1 BTB interface address on the SRX that RADIUS 2 BTB is attached to, I see 3 routes.... 1 via the ae2 interface in the Customer-VR, one for the lt-0/0/0.1 interface in the NineGroup-VR and 1 for the lt-0/0/0.3 interface in the NineGroupBTB-VR... I have the static routes in place and injecting them into isis.... why would I see access to the BTB address via both tunnels? If you want to have a look at the config on both devices then please let me know...... I will do my best to draw a diagram....



  • 2.  RE: Logical tunnel, static route, policies and isis

     
    Posted 01-12-2018 05:41

    Here is the config with regards to the above. Hopefully it may become more understandable with this:

     

    Interface       Admin Link Description
    ge-0/0/2.0      up    up   To-HEX-RADIUS-SERVER
    ge-0/0/4        up    up   To_HEX_RADIUS_BTB
    xe-0/0/16       up    up   Group-ae2
    xe-0/0/18       up    down Group-ae2
    ae2.0           up    up   To-HEX-CORE-02-ae2

     

    set security address-book global address hexradiusbtb 195.80.0.73/32
    set security address-book global address thwradiusbtb 195.80.0.69/32

    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match source-address any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match destination-address any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match application any
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest then permit
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match source-address any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match destination-address any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match application any
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 then permit
    set security policies from-zone Customer-Network to-zone Customer-Network policy CliveTest match source-address any
    set security policies from-zone Customer-Network to-zone Customer-Network policy CliveTest match destination-address any
    set security policies from-zone Customer-Network to-zone Customer-Network policy CliveTest match application any
    set security policies from-zone Customer-Network to-zone Customer-Network policy CliveTest then permit
    set security policies from-zone NineGroup-DMZ to-zone NineGroup-DMZ policy CliveTest1 match source-address any
    set security policies from-zone NineGroup-DMZ to-zone NineGroup-DMZ policy CliveTest1 match destination-address any
    set security policies from-zone NineGroup-DMZ to-zone NineGroup-DMZ policy CliveTest1 match application any
    set security policies from-zone NineGroup-DMZ to-zone NineGroup-DMZ policy CliveTest1 then permit
    set security policies from-zone Customer-Network to-zone NineGroup-BTB policy hexradius-btb match source-address thwradiusbtb
    set security policies from-zone Customer-Network to-zone NineGroup-BTB policy hexradius-btb match destination-address hexradiusbtb
    set security policies from-zone Customer-Network to-zone NineGroup-BTB policy hexradius-btb match application junos-icmp-ping
    set security policies from-zone Customer-Network to-zone NineGroup-BTB policy hexradius-btb then permit
    set security policies from-zone NineGroup-BTB to-zone Customer-Network policy hexradius-btb1 match source-address hexradiusbtb
    set security policies from-zone NineGroup-BTB to-zone Customer-Network policy hexradius-btb1 match destination-address thwradiusbtb
    set security policies from-zone NineGroup-BTB to-zone Customer-Network policy hexradius-btb1 match application junos-icmp-ping
    set security policies from-zone NineGroup-BTB to-zone Customer-Network policy hexradius-btb1 then permit
    set security policies from-zone NineGroup-BTB to-zone NineGroup-BTB policy hexradius-btb1 match source-address any
    set security policies from-zone NineGroup-BTB to-zone NineGroup-BTB policy hexradius-btb1 match destination-address any
    set security policies from-zone NineGroup-BTB to-zone NineGroup-BTB policy hexradius-btb1 match application any
    set security policies from-zone NineGroup-BTB to-zone NineGroup-BTB policy hexradius-btb1 then permit

     

    set security zones security-zone NineGroup-DMZ host-inbound-traffic system-services all
    set security zones security-zone NineGroup-DMZ host-inbound-traffic protocols all
    set security zones security-zone NineGroup-DMZ interfaces ge-0/0/2.0
    set security zones security-zone NineGroup-DMZ interfaces lt-0/0/0.1
    set security zones security-zone Customer-Network host-inbound-traffic system-services all
    set security zones security-zone Customer-Network host-inbound-traffic protocols all
    set security zones security-zone Customer-Network interfaces ae2.0
    set security zones security-zone Customer-Network interfaces lt-0/0/0.2
    set security zones security-zone Customer-Network interfaces lt-0/0/0.4
    set security zones security-zone NineGroup-BTB host-inbound-traffic system-services all
    set security zones security-zone NineGroup-BTB host-inbound-traffic protocols all
    set security zones security-zone NineGroup-BTB interfaces lt-0/0/0.3
    set security zones security-zone NineGroup-BTB interfaces ge-0/0/4.0

     

    set interfaces lt-0/0/0 unit 1 encapsulation ethernet
    set interfaces lt-0/0/0 unit 1 peer-unit 2
    set interfaces lt-0/0/0 unit 1 family inet address 10.20.30.1/30
    set interfaces lt-0/0/0 unit 1 family iso
    set interfaces lt-0/0/0 unit 2 encapsulation ethernet
    set interfaces lt-0/0/0 unit 2 peer-unit 1
    set interfaces lt-0/0/0 unit 2 family inet address 10.20.30.2/30
    set interfaces lt-0/0/0 unit 2 family iso
    set interfaces lt-0/0/0 unit 3 encapsulation ethernet
    set interfaces lt-0/0/0 unit 3 peer-unit 4
    set interfaces lt-0/0/0 unit 3 family inet address 40.40.40.1/30
    set interfaces lt-0/0/0 unit 3 family iso
    set interfaces lt-0/0/0 unit 4 encapsulation ethernet
    set interfaces lt-0/0/0 unit 4 peer-unit 3
    set interfaces lt-0/0/0 unit 4 family inet address 40.40.40.2/30
    set interfaces lt-0/0/0 unit 4 family iso
    set interfaces ge-0/0/2 unit 0 description To-HEX-RADIUS-SERVER
    set interfaces ge-0/0/2 unit 0 family inet address 195.80.0.53/30
    set interfaces ge-0/0/2 unit 0 family iso
    set interfaces ge-0/0/2 unit 0 family inet6 address 2a05:d840:004d:ffff:ffff:ffff:0000:0001/127
    set interfaces ge-0/0/4 description To_HEX_RADIUS_BTB
    set interfaces ge-0/0/4 unit 0 family inet address 195.80.0.74/30
    set interfaces ge-0/0/4 unit 0 family iso
    set interfaces ge-0/0/4 unit 0 family inet6 address 2a05:d840:0056:ffff:ffff:ffff:0000:0001/127
    set interfaces ae2 unit 0 description To-HEX-CORE-02-ae2
    set interfaces ae2 unit 0 family inet address 195.80.0.33/30
    set interfaces ae2 unit 0 family iso
    set interfaces ae2 unit 0 family inet6 address 2a05:d840:0048:ffff:ffff:ffff:0000:0002/127

     

    set interfaces lo0 unit 0 family inet address 195.80.0.6/32
    set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0006.00
    set interfaces lo0 unit 0 family inet6 address 2a05:d840:001c:ffff:ffff:ffff:0000:0001/128
    set interfaces lo0 unit 10 family iso address 49.0001.1950.0080.0026.00
    set interfaces lo0 unit 20 family iso address 49.0001.1950.0080.0016.00
    set interfaces lo0 unit 30 family iso address 49.0001.1950.0080.0036.00

     

    set routing-options static route 195.80.0.54/32 next-hop 195.80.0.53
    set routing-options static route 195.80.0.73/32 next-hop 195.80.0.74

     

    set protocols isis level 1 authentication-key "$9$abJi.Qz6Au1n/1hyKx7YgoJjH.P5F69"
    set protocols isis level 1 authentication-type md5
    set protocols isis level 2 authentication-key "$9$EVwheWN-wgaUbsUH.56/O1RhlKWLxdwY"
    set protocols isis level 2 authentication-type md5
    set protocols isis interface lo0.0

     

    set policy-options policy-statement backtoback term term1 from protocol static
    set policy-options policy-statement backtoback term term1 from source-address-filter 195.80.0.73/32 exact
    set policy-options policy-statement backtoback term term1 then accept
    set policy-options policy-statement backtoback term term2 then reject
    set policy-options policy-statement from_customer_to_ninegroup from instance Customer-VR
    set policy-options policy-statement from_customer_to_ninegroup from protocol direct
    set policy-options policy-statement from_customer_to_ninegroup then accept
    set policy-options policy-statement from_hexradius_to_thwradius from instance NineGroupBTB-VR
    set policy-options policy-statement from_hexradius_to_thwradius from protocol direct
    set policy-options policy-statement from_hexradius_to_thwradius then accept
    set policy-options policy-statement from_nine_to_customer from instance NineGroup-VR
    set policy-options policy-statement from_nine_to_customer from protocol direct
    set policy-options policy-statement from_nine_to_customer then accept
    set policy-options policy-statement from_thwradius_to_hexradius from instance Customer-VR
    set policy-options policy-statement from_thwradius_to_hexradius from protocol direct
    set policy-options policy-statement from_thwradius_to_hexradius then accept
    set policy-options policy-statement nine term term1 from protocol static
    set policy-options policy-statement nine term term1 then accept

     

    set routing-instances Customer-VR instance-type virtual-router
    set routing-instances Customer-VR interface lt-0/0/0.2
    set routing-instances Customer-VR interface lt-0/0/0.4
    set routing-instances Customer-VR interface ae2.0
    set routing-instances Customer-VR interface lo0.10
    set routing-instances Customer-VR protocols isis export from_nine_to_customer
    set routing-instances Customer-VR protocols isis export from_hexradius_to_thwradius
    set routing-instances Customer-VR protocols isis level 1 authentication-key "$9$iHfz9Cu1Eyp0yKWxwsZUjHP5z36AuO"
    set routing-instances Customer-VR protocols isis level 1 authentication-type md5
    set routing-instances Customer-VR protocols isis level 2 authentication-key "$9$3DmzntOhclMLNreNbYoji5QFnApO1RSlK"
    set routing-instances Customer-VR protocols isis level 2 authentication-type md5
    set routing-instances Customer-VR protocols isis interface lt-0/0/0.2
    set routing-instances Customer-VR protocols isis interface lt-0/0/0.4
    set routing-instances Customer-VR protocols isis interface ae2.0
    set routing-instances Customer-VR protocols isis interface lo0.10
    set routing-instances NineGroup-VR instance-type virtual-router
    set routing-instances NineGroup-VR interface lt-0/0/0.1
    set routing-instances NineGroup-VR interface ge-0/0/2.0
    set routing-instances NineGroup-VR interface lo0.20
    set routing-instances NineGroup-VR protocols isis export from_customer_to_ninegroup
    set routing-instances NineGroup-VR protocols isis export nine
    set routing-instances NineGroup-VR protocols isis level 1 authentication-key "$9$C67IABEleWx-wM8wgaU.m369AO1EcyKWL"
    set routing-instances NineGroup-VR protocols isis level 1 authentication-type md5
    set routing-instances NineGroup-VR protocols isis level 2 authentication-key "$9$Yq2ZjmPQn9pTzpBRSMWdbs2JGjHqfQF"
    set routing-instances NineGroup-VR protocols isis level 2 authentication-type md5
    set routing-instances NineGroup-VR protocols isis interface lt-0/0/0.1
    set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0
    set routing-instances NineGroup-VR protocols isis interface lo0.20
    set routing-instances NineGroupBTB-VR instance-type virtual-router
    set routing-instances NineGroupBTB-VR interface lt-0/0/0.3
    set routing-instances NineGroupBTB-VR interface ge-0/0/4.0
    set routing-instances NineGroupBTB-VR interface lo0.30
    set routing-instances NineGroupBTB-VR protocols isis export from_thwradius_to_hexradius
    set routing-instances NineGroupBTB-VR protocols isis export nine
    set routing-instances NineGroupBTB-VR protocols isis level 1 authentication-key "$9$yE2rWxbwgJUH24Hm5FAtRhSrM8xNdsgo"
    set routing-instances NineGroupBTB-VR protocols isis level 1 authentication-type md5
    set routing-instances NineGroupBTB-VR protocols isis level 2 authentication-key "$9$IFjRrvx7VY4ZdbZjkP3nuO1RylvWLNVw"
    set routing-instances NineGroupBTB-VR protocols isis level 2 authentication-type md5
    set routing-instances NineGroupBTB-VR protocols isis interface lt-0/0/0.3
    set routing-instances NineGroupBTB-VR protocols isis interface ge-0/0/4.0
    set routing-instances NineGroupBTB-VR protocols isis interface lo0.30

     

     

    Thanks

     



  • 3.  RE: Logical tunnel, static route, policies and isis
    Best Answer

     
    Posted 01-15-2018 03:17

    Hi,

     

    This is a response in case anyone else comes across this issue:

     

    The RADIUS servers that we are using are CentOS 7 and FreeRADIUS. Because a separate tunnel is configured on the SRX and routing instance plus physical interface with its own policies, then a secondary route has to be configured on the RADIUS. This is because it has two NICs, one for the ppp authentication and Juniper VSAs and one for the separate back to back connectivity, that BOTH use the same default gateway (in this case the one connected to the Network interface rather than the back to back).

    With adding a new route to the RADIUS we now have complete data separation and it is working as expected.

     

    The command used was as follows:

    ip route add <destination address>/32 via <gateway address> dev em2

     

    Thanks
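To show why the host route in the accepted answer is needed, here is an added example (not from the thread or either poster) that models the RADIUS server's routing table with the thread's addresses and resolves the peer's BTB address before and after the `ip route add`: with only the shared default gateway, BTB-bound traffic leaves via the network-side NIC and so reaches the SRX in the NineGroup-DMZ zone instead of the NineGroup-BTB zone, which is the separation failure the policies were written to reveal. The connected /30 prefixes and the NIC name em1 are assumptions; em2, the /32 and the gateway addresses come from the thread.

```python
import ipaddress

# Constructed host routing table modelled on the thread: the RADIUS has two NICs
# that share one default gateway. Addresses are the ones in the SRX config posted
# above; the NIC name em1 is an assumption (em2 is the name used in the accepted answer).
RADIUS_ROUTES_BEFORE = [
    ("0.0.0.0/0",      "195.80.0.53", "em1"),  # default via SRX ge-0/0/2 (network side)
    ("195.80.0.52/30", None,          "em1"),  # connected link, RADIUS is .54
    ("195.80.0.72/30", None,          "em2"),  # connected BTB link, RADIUS is .73
]

# The accepted answer's fix as a table entry:
#   ip route add 195.80.0.69/32 via 195.80.0.74 dev em2
BTB_HOST_ROUTE = ("195.80.0.69/32", "195.80.0.74", "em2")


def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway, device) entries, the way the
    kernel's IPv4 FIB picks a route (metrics and policy routing are ignored here).
    Returns (prefix, gateway, device) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (str(best[0]), best[1], best[2])


def egress_device(routes, dst):
    """Which NIC a packet to dst leaves on, i.e. which SRX zone it will arrive in."""
    match = lookup(routes, dst)
    return None if match is None else match[2]


if __name__ == "__main__":
    other_btb = "195.80.0.69"  # thwradiusbtb in the thread's address book
    # Before the fix the ping to the peer's BTB address leaves via em1 (DMZ side).
    print("before:", lookup(RADIUS_ROUTES_BEFORE, other_btb))
    # After the /32 host route it leaves via em2 and enters the SRX on ge-0/0/4 (BTB zone).
    print("after: ", lookup(RADIUS_ROUTES_BEFORE + [BTB_HOST_ROUTE], other_btb))
```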