SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Routing between VRs using logical tunnels and OSPF

    Posted 03-06-2021 04:11
    Edited by Paul 03-06-2021 05:01
    Hello everybody,

    I'm pretty new to Juniper, and also when it comes to deeper network administration (especially routing) I'm like a young banana, so please be gentle. :)

    Also, this is the first post in which I'm asking for advice, because I've been struggling with this matter for weeks now.

    Basically, I would like to allow all VRs to communicate with each other, starting with VR VF-3 (192.168.0.0/19) and VR VDSL (10.10.0.0/24). Later I would like to use the Dynamic VPN to access the different instances as well.

    I've been using this article https://kb.juniper.net/InfoCenter/index?page=content&id=KB21260&actp=METADATA to make it work but I don't seem to get it right.

    Verifying OSPF for VR VF-3 and VR VDSL outputs:

    root@STFWHQ> show ospf neighbor instance vdsl
    Address Interface State ID Pri Dead
    10.20.30.2 lt-0/0/0.1 Full 10.20.30.2 128 32

    root@STFWHQ> show ospf neighbor instance vf-3
    Address Interface State ID Pri Dead
    10.20.30.1 lt-0/0/0.2 Full 10.10.0.1 128 35

    Also, there is no active session when checking the security flow.

    The config without NAT rules and without Screen configurations has been attached.

    ------------------------------
    Paul
    ------------------------------

    Attachment(s): srx_config.txt (18 KB)


  • 2.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-06-2021 05:57
    The reason you don't see any sessions for the OSPF neighbors is that this is traffic that terminates on the SRX itself.

    Security policy and the flow table are for transit traffic, flows that come from outside the SRX and exit to an end device outside the SRX.

    Self traffic, that which either starts with the SRX itself or ends with the SRX itself (in this case both), is controlled by the security zone settings under host-inbound-traffic and does not hit policy.

    There is an option to create policy for self traffic by using the junos-host zone if you want more control or visibility.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-06-2021 08:06
    Edited by Paul 03-06-2021 08:07
    Hey spuluka, thank you for your reply, but I'm not sure if this is the answer to my question. I used the guide for creating a logical tunnel interface and I adopted the setup.

    So it's not necessary to create extra policies or flow tables if the traffic stays inside?

    Anyway, my setup was missing the intra-zone policy for both trust zones Internal-vdsl and Internal-vf3, so the inter-VR communication is working now and is also visible in the security flow.

    And finally, I would like to access the network Internal-vf3 inside the VR VF-3 (10.10.0.0/24) through the dynamic VPN, which is configured in another VR, VDSL (192.168.0.0/19), and is working within it, but I can't ping the other VR, although the remote-protected-resources have also been set.

    Thanks for your help


    ------------------------------
    Paul
    ------------------------------



  • 4.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-07-2021 07:08
    Sorry that I'm having trouble understanding the topology. And I guess I don't understand the question.

    Looking at the config the only internal connection between the virtual routers I see is the one between vr3 and dsl via the logical tunnel.

    So unless those other routers, vf1 and vf2, have an external path to connect, there is no way for these 4 routers to pass traffic in a full mesh.

    If there is an external path, then routing would need to be added by OSPF, static routes or some other protocol to allow reachability for the virtual-router-controlled subnets.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-07-2021 07:28
    Edited by Paul 03-07-2021 10:06
    Hey Spuluka, sorry for being inaccurate, haha. The issue was the missing intra-zone policy, which I didn't create because it did not make sense to me.

    Anyway, it's working really well for now. Accessing the other VRs through an established VPN tunnel within one certain VR is the last thing I'm struggling with right now: the remote protected resources have been defined, but I can't get through, and I can't ping any host within the other subnet.

    ------------------------------
    Paul
    ------------------------------



  • 6.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-07-2021 12:59
    So far in the configuration for routing only vr3 has a connection to your dsl virtual router.

    If you want to access vr1 & vf1 from the remote connection to the dsl virtual router:
    • Create a routing path to them, e.g. via another logical tunnel
    • Then add those logical tunnels to the existing or new zones for the communication
    • Make sure the desired traffic is then covered by a security policy, or add a new policy for that zone-to-zone traffic


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
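    As an added example, not configuration from the thread, from the attached srx_config.txt, or from Juniper: the three steps above, together with the host-inbound-traffic point from reply 2 and the intra-zone policies Paul found missing in reply 3, written out as Junos set commands for the one tunnel the thread does show. The unit numbers, addresses and instance names (lt-0/0/0.1 and .2, 10.20.30.1 and .2, vdsl and vf-3) are taken from the OSPF neighbor output in the first post; the zone names Internal-vdsl and Internal-vf3 are from reply 3; the /30 mask, the OSPF area number and the policy names are assumptions. Lines starting with # are annotations, not CLI input.

```junos
# Logical tunnel pair. Each unit is one end of the wire: unit 1 lives in VR vdsl,
# unit 2 in VR vf-3. peer-unit ties the two ends together. (/30 mask is assumed.)
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 2
set interfaces lt-0/0/0 unit 1 family inet address 10.20.30.1/30
set interfaces lt-0/0/0 unit 2 encapsulation ethernet
set interfaces lt-0/0/0 unit 2 peer-unit 1
set interfaces lt-0/0/0 unit 2 family inet address 10.20.30.2/30

# Step 1: a routing path. Put each tunnel end into its VR and run OSPF over it so
# the two instances learn each other's subnets (area 0.0.0.0 is assumed).
set routing-instances vdsl instance-type virtual-router
set routing-instances vdsl interface lt-0/0/0.1
set routing-instances vdsl protocols ospf area 0.0.0.0 interface lt-0/0/0.1
set routing-instances vf-3 instance-type virtual-router
set routing-instances vf-3 interface lt-0/0/0.2
set routing-instances vf-3 protocols ospf area 0.0.0.0 interface lt-0/0/0.2

# Step 2: zones. The tunnel ends join the trust zone of their own VR. OSPF hellos
# terminate on the SRX itself, so they are self traffic: they are admitted by
# host-inbound-traffic and never consult policy, which is why "show security
# flow session" stays empty even when the neighbors are Full (reply 2).
set security zones security-zone Internal-vdsl interfaces lt-0/0/0.1 host-inbound-traffic protocols ospf
set security zones security-zone Internal-vf3 interfaces lt-0/0/0.2 host-inbound-traffic protocols ospf

# Step 3: policy for the transit traffic. A packet from a host in VR vf-3 enters the
# SRX in zone Internal-vf3, is routed out lt-0/0/0.2 (still Internal-vf3), re-enters
# in VR vdsl on lt-0/0/0.1 (Internal-vdsl) and exits to the vdsl LAN (Internal-vdsl).
# The default policy is deny, so both intra-zone hops need an explicit permit; these
# are the two intra-zone policies reply 3 found missing. Policy names are assumed.
set security policies from-zone Internal-vf3 to-zone Internal-vf3 policy intra-vf3 match source-address any
set security policies from-zone Internal-vf3 to-zone Internal-vf3 policy intra-vf3 match destination-address any
set security policies from-zone Internal-vf3 to-zone Internal-vf3 policy intra-vf3 match application any
set security policies from-zone Internal-vf3 to-zone Internal-vf3 policy intra-vf3 then permit
set security policies from-zone Internal-vdsl to-zone Internal-vdsl policy intra-vdsl match source-address any
set security policies from-zone Internal-vdsl to-zone Internal-vdsl policy intra-vdsl match destination-address any
set security policies from-zone Internal-vdsl to-zone Internal-vdsl policy intra-vdsl match application any
set security policies from-zone Internal-vdsl to-zone Internal-vdsl policy intra-vdsl then permit
# Tightening "any" to the two subnets and the applications actually needed is the
# least-privilege version of the same policy; "any" is used here only to show the
# shape. If policy control over the OSPF self traffic is wanted as well, reply 2's
# junos-host zone is the place for it (from-zone Internal-vdsl to-zone junos-host).
```

    After committing, a ping from a vf-3 host to a vdsl host should produce two entries in `show security flow session`, one per VR hop, which is the visibility Paul reports in reply 3; a lone Full neighbor with no sessions is the normal, expected state before any transit traffic flows.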



  • 7.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-07-2021 13:50
    I would like to access the vdsl virtual router via the dynamic VPN. The dynamic VPN is established via the vf3 virtual router, the remote protected resource has been set, and I can access the vdsl virtual router via the local network within the vf3 virtual router, but I can't reach the vdsl virtual router's network via the dynamic VPN.

    ------------------------------
    Paul
    ------------------------------



  • 8.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-08-2021 05:52
    There is a troubleshooting tree of articles available for failure to access protected resources on dynamic VPN.

    You start with step 5 in this KB and follow the path indicated by the messages you are getting:
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB17220

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------