Routing

Hi Everyone,

I wanted to get a better understanding of how people are structuring their zones. If you have a primary hq and a secondary hq each with their own trust zones, do you keep the default trust to trust zone policy for going between the two hq's? To clarify if we have a mesh VPN configuration where each site has a VPN tunnel to a remote location. The secondary site has it's tunnel drop to the remote site but is still connected to primary hq. I would like to allow the remote site to reach the secondary site's resources by way of the primary site since that tunnel is still up. The routes are distributed via OSPF and have preferences adjusted to ensure that when things are functioning correctly no backhauling occurs. Would you structure your policies like "Primary-Trust" and "Secondary-Trust" or simply Trust to trust and include the address books from both sites in configs? I'm trying to gauge how people are handling this. I'm considering removing the default trust zone in favor of Primary-Trust and Secondary-Trust and then creating primary-trust to primary-trust rules for interzone communcation.

If this is confusing I can provide some examples I've been labbing with. thanks in advance!

Hi wmtanderson,

Good day !! 

A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies. Security zones are logical entities to which one or more interfaces are bound. You can define multiple security zones, the exact number of which you determine based on your network needs.

Security Zones Overview please go through the below document.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-zone-configuration.html

Please mark "Accepted Solution" if this helps.

Kudos are always appreciated

Thanks 

Suraj

Hi Suraj,

Thank you for the link. I understand how to create and assign security zones, but my question is more from a design/architecture perspective. If I am connecting two SRX devices over VPN how do you structure trust policies? Do you treat the trust zones for both devices as the same zone or is each considered their own zone? 

I like to use descriptive zone names rather than the default trust and untrust.  And create categories for each group that indicates the nature of the connections there.  So in your example with two central sites there likely would be more than one internal zone at a larger site users, resources, IoT and perhaps others.  Likewise the remote sites may be just user zones or might have other categories as well. 

I use the same zone name for the same functional group at any site where it exists.

Also remember that for traffic from a remote site to another site requires two policies one at the SRX at each location.  So the VPN setup would be route based vpn with the zone of the st0 interface for the remote site being a name that makes sense for the traffic and type of network on both sides.  For example the central sites may share or have a unique per site zone while remote sites may share a name or be uniquely named for the site.

Also bear in mind scaling limits on the number of tunnels if you will have full mesh.  The number of tunnels can grow fast if there are a large number of sites.