SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Configuring New SRX Alongside Old Router

    Posted 09-24-2019 14:45

    Greetings,

    In short, my question is, "What is the best technique for configuring a new SRX router alongside an existing router, so we can migrate network traffic gradually from the old router to the new one?"

    We are using a Ubiquiti EdgeRouter and are attempting to migrate settings over, but would like to do it in a controlled way so we can gradually move over, step by step.  Since we're not experienced with JunOS routing, we're not sure of the best way to do this.

    Can anyone offer any advice here?  I realize this question begs further questions, but I hope some generous soul would be willing to help us out here.


    Thank you,
    AVanson



  • 2.  RE: Configuring New SRX Alongside Old Router

    Posted 09-24-2019 15:34

    Hello, it is a very vast question, but we will have to consider the following:

    1) Network topology, to know which interfaces are involved and how the data flows through.

    2) Do you want to use the SRX in packet mode, since you will be replacing an edge router?

    3) Based on the above two points, one can start to move traffic to the SRX on a subnet-by-subnet basis.

    Alternatively, Juniper P.S. can help you complete this task.

    Thanks



  • 3.  RE: Configuring New SRX Alongside Old Router

     
    Posted 09-24-2019 20:44

    Hello,

     

    Perimeter router replacement could be a bit tricky.

     

    Option1 - Transparent mode

    > You could setup the Juniper SRX in transparent mode and then convert to L3 once you are comfortable.

    > You can deploy all the policies and be comfortable with JUNOS

    > Later you would need to convert to L3, configure routing and NAT once you decide to fully migrate

     

    Option2 - L3 Routed mode

    > If you wish to go for L3 mode deployment it can be done in parallel to the existing router. Again depends on factors like availability of public IPs.

    > If above is possible you can keep the existing setup with some subnets routed through the Juniper. Some device before the Juniper would need to take care of this conditional routing provided it is supported.

    > Else you could consider having a group of user subnets having their gateway directly on the Juniper firewall with this traffic completely segregated by VLANs till the perimeter

     

      (Option 1)                                       (Option 2)
    
        Internet                               Internet                     Internet
    
            +                                      +                             +
            |                                      |                             |
            |                                      |                             |
     +------+-------+                       +------+-------+               +-----+------+
     |              |                       |              |               |            |
     |  Ubiquiti    |                       |  Ubiquiti    |               |   SRX      |
     |              |                       |              |               |  L3- Mode  |
     |              |                       |              |               |            |
     +------+-------+                       +------+-------+               +----+-------+
            |                                      |                            |
            |                                      |                            |
            |                                      |                            |
     +------+-------+                              |                            |
     |     SRX      |                              |                            |
     |   Transparent|                              |                            |
     |     Mode     |                              |                            |
     +------+-------+                              |                            |
            |                                      |                            |
            |                                      |                            |
            |                                      |                            |
    +-------+-------+                      +-------+-------+                    |
    |               |                      |               +--------------------+
    |    Switch     |                      |    Switch     |  Selectively
    |               |                      |               |  Route some traffic
    +---------------+                      +---------------+  through SRX

    I hope this helps. Regards,

    Vikas



  • 4.  RE: Configuring New SRX Alongside Old Router

    Posted 09-26-2019 14:46

    Hi Vikas,

    Can you explain transparent mode?  What can we do in transparent mode as opposed to L3 mode?  Would this work for designing and testing configuration?

    Asai



  • 5.  RE: Configuring New SRX Alongside Old Router

    Posted 09-27-2019 05:43

    Based on the full discussion here I don't think transparent mode would be the right solution.

    In transparent mode we don't have layer 3 gateways for any of the subnets. This is typically used to add an SRX firewall to an existing layer 3 setup when there is no intention to remove the existing router.




  • 6.  RE: Configuring New SRX Alongside Old Router

    Posted 09-25-2019 03:50

    Assuming the internal subnet gateways are on the router and are moving to the SRX, this can be done on a subnet-by-subnet basis.

    You would connect the SRX in parallel to the existing router with an available upstream address and a physical connection to the switch where all the subnet VLANs are configured.

    Create an internal routing connection between the SRX and the existing router.  This can be a separate VLAN trunked to both devices or another interface on both devices connecting them.  Set up routing here so the SRX knows about the subnets on the existing router and vice versa.  Simplest is an OSPF neighbor with all the internal interfaces as passive, if this is supported.  But you can add static routes per subnet if needed.

    Create a new test VLAN and attach this to just the SRX.  Set up the necessary NAT and security policies to match how you handle the other internal networks and verify all operations for both internal and external routing.

    Now you should be able to migrate the gateway interfaces one at a time, deleting from the existing router and adding to the SRX in a brief maintenance window, with testing afterwards.  Rollback is simple if there are issues.




  • 7.  RE: Configuring New SRX Alongside Old Router

    Posted 09-25-2019 13:34

    Thank you all for your helpful replies.

    @spuluka, your outline of how we should proceed is actually the option that we are currently pursuing.

    What prompted this question was a problem I ran into while attempting to implement this, and I'm not sure what I'm missing.

    • In our configuration on the SRX, I have set up an IRB (irb.1044) with an IP of 10.10.44.1/24 and I have assigned this IRB to VLAN 1044 (named Test) as an l3-interface.
    • Added VLAN 1044 to all SRX trunk ports
    • Added VLAN 1044 to all switches, and added this VLAN to old router (router on a stick)
    • Added a static route for 10.10.44.0/24 to our old router, to route to 10.10.44.1

    I assumed that when I logged on to one of the switches, and pinged 10.10.44.1 then the SRX would respond, but it doesn't, so clearly I'm missing something.

    Thank you for your assistance here.

    -AV



  • 8.  RE: Configuring New SRX Alongside Old Router
    Best Answer

    Posted 09-25-2019 16:54

    The key is that the link between the old and new router should be separate from the downstream routing, as a point-to-point link.  This prevents asymmetrical routing from occurring.

    SRX  10.10.44.1 --- 10.10.44.2  Router
     |                                |
    lana                            lanb
    10.1.1.0/24                     10.1.2.0/24

    The routes are: SRX has 10.1.2.0/24 > 10.10.44.2

    router has 10.1.1.0/24 > 10.10.44.1

    The 10.10.44.0/24 network is local on both routers.




  • 9.  RE: Configuring New SRX Alongside Old Router

    Posted 09-26-2019 08:26

    Thank you, Steve.

    Can you clarify a couple of things?

    First, could you clarify "downstream routing?"

    Second, could you clarify the IP addressing and routing of LAN A and LAN B?  I'm not clear on the example.  Perhaps that's because in our old routing system, we have a router-on-a-stick configuration, and the inter-VLAN routing is automatically done.

    Thank you.

    -AV




  • 10.  RE: Configuring New SRX Alongside Old Router

    Posted 09-27-2019 05:41

    Sorry for the confusion.

     

    Upstream is the connections facing the internet.

    Downstream is the internally facing connections used for routing.

    The downstream sample addresses I provided are made up.  They would represent two of your existing subnets, one connected to the current router and the other moved to the SRX.

    The link between the two routers (which can be a VLAN sharing the same port as those downstream links) passes traffic between the two routers.  The static routes point to the other router to send traffic where the gateway is not local to the assigned router.
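    The following is an added example, not configuration posted by anyone in this thread or shipped by Juniper or Ubiquiti. It writes out, in Junos set-style syntax, the SRX side of the parallel-router design described in posts 6, 8 and 10: a dedicated transit VLAN carrying the point-to-point link to the old router, one LAN whose gateway has already moved to the SRX, a static route for the LAN still homed on the old router, and the security zones and policies the migrated LAN needs. The 10.10.44.x and 10.1.x.0/24 addresses are those used in post 8; the VLAN IDs, interface names, upstream address (203.0.113.2/30, a documentation prefix) and zone/policy names are assumptions chosen for illustration. The zone section also covers the symptom from post 7 (no reply to a ping aimed at the new IRB): on an SRX in flow mode an IRB that is not in a security zone, or whose zone does not permit the `ping` host-inbound service, will not answer ICMP, so the zone lines are part of a working test VLAN, not an optional extra.

```junos
# Added example (not from the thread). Junos set-style configuration for the
# SRX side of the parallel-router migration from posts 6, 8 and 10.
# Addresses follow post 8; VLAN IDs, interface names, upstream address and
# zone/policy names are assumptions for illustration.

# --- Transit link to the old router: a separate point-to-point VLAN -----------
# Only the SRX (10.10.44.1) and the old router (10.10.44.2) have addresses here.
# Keeping this link separate from the user VLANs is what prevents asymmetric
# routing; in flow mode the SRX must see both directions of a session.
set vlans transit vlan-id 1099
set vlans transit l3-interface irb.1099
set interfaces irb unit 1099 family inet address 10.10.44.1/24

# --- First migrated LAN (lana): its gateway now lives on the SRX ---------------
set vlans lana vlan-id 1011
set vlans lana l3-interface irb.1011
set interfaces irb unit 1011 family inet address 10.1.1.1/24

# --- Trunk toward the switch that carries both VLANs ---------------------------
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [ transit lana ]

# --- Upstream (internet-facing) interface and default route --------------------
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# --- Static route for lanb, which is still homed on the old router -------------
# Mirror of post 8: "SRX has 10.1.2.0/24 > 10.10.44.2".  The old router holds
# the opposite route, 10.1.1.0/24 > 10.10.44.1, pointing back at the SRX.
set routing-options static route 10.1.2.0/24 next-hop 10.10.44.2

# --- Security zones --------------------------------------------------------------
# Every IRB must belong to a zone, and the zone must allow the host-inbound
# services you intend to use.  Without "ping" here the SRX drops ICMP sent to
# its own IRB address, which is one reason a test ping from a switch goes
# unanswered (post 7).
set security zones security-zone trust interfaces irb.1011
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone transit interfaces irb.1099
set security zones security-zone transit host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0

# --- Policies: lana <-> lanb across the transit link, lana -> internet ----------
# Both zones are internal, so inter-LAN traffic is permitted in each direction;
# tighten the match terms once the migrated subnets are known.
set security policies from-zone trust to-zone transit policy lan-to-old-router match source-address any
set security policies from-zone trust to-zone transit policy lan-to-old-router match destination-address any
set security policies from-zone trust to-zone transit policy lan-to-old-router match application any
set security policies from-zone trust to-zone transit policy lan-to-old-router then permit
set security policies from-zone transit to-zone trust policy old-router-to-lan match source-address any
set security policies from-zone transit to-zone trust policy old-router-to-lan match destination-address any
set security policies from-zone transit to-zone trust policy old-router-to-lan match application any
set security policies from-zone transit to-zone trust policy old-router-to-lan then permit
set security policies from-zone trust to-zone untrust policy lan-to-internet match source-address any
set security policies from-zone trust to-zone untrust policy lan-to-internet match destination-address any
set security policies from-zone trust to-zone untrust policy lan-to-internet match application any
set security policies from-zone trust to-zone untrust policy lan-to-internet then permit

# --- Source NAT for the migrated LAN toward the internet -----------------------
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule snat-lana match source-address 10.1.1.0/24
set security nat source rule-set trust-to-untrust rule snat-lana then source-nat interface
```

    To migrate the next subnet, repeat the `lana` block with that subnet's VLAN and address, move its gateway off the old router, and add the matching static route on the old router so it still reaches the moved subnet via 10.10.44.1 (on EdgeOS that is `set protocols static route 10.1.1.0/24 next-hop 10.10.44.1`, given here as an assumed example rather than text from the thread). Useful checks on the SRX after `commit` are `show route 10.1.2.0/24` (confirms the transit next hop), `show security zones` (confirms each IRB is in a zone), and `show security flow session destination-prefix 10.1.2.0/24` while a ping runs between the two LANs, which shows whether the session is being created or dropped by policy.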