vSRX

  • 1.  vSRX 20.3 vrrp on KVM host (Ubuntu 20.04) - any tutorial?

    Posted 11-02-2020 09:58

    Hello, on my local network, I have VRRP group 1 running between an old SRX210H-POE (Junos 12.1X46) and a new Mikrotik CHR (latest version). The legacy Junos vrrp statement is:

    vlan {
        unit 3 {
            /* branch TDC14 LAN TRUST */
            description branch-TDC14-lan;
            family inet {
                address 172.31.254.1/26 {
                    vrrp-group 1 {
                        virtual-address 172.31.254.4;
                        priority 250;
                        preempt;
                        accept-data;
                        track {
                            interface ge-0/0/0.0 {
                                priority-cost 50;
                            }
                        }
                    }
                }
            }
        }
    }

    On the new vSRX box (r5) I defined ge-0/0/0.0 with a local IP, 172.31.254.5, which works well. Routing is functional to outside with NAT. 

     

    But vrrp (with the same type of config statement block as shown above, a lower priority of 240, and tracking the vSRX ge-0/0/0.0 interface) fails. The r5 (vSRX) thinks there is no other vrrp node and assumes master status with the IP 172.31.254.4, but that is not correct: there are the backup router (CHR or r2) and the active master router (r2 or CHR). Do vSRX setups require a different VRRP config than a physical router?



  • 2.  Re: vSRX 20.3 vrrp on KVM host (Ubuntu 20.04) - any tutorial?

    Posted 11-02-2020 09:59

    Also, the vSRX is using routing-instances, but I don't think that has anything to do with it?


    #vSRX3.0


  • 3.  Re: vSRX 20.3 vrrp on KVM host (Ubuntu 20.04) - any tutorial?
    Best Answer

    Posted 11-02-2020 10:31

    A couple of thoughts:

    * Have you allowed vrrp as a protocol under host-inbound-traffic?

    * Is the KVM host allowing the multicast packets with destination 224.0.0.18 through?

    If yes to both of the above: can you see vrrp packets being sent and received on the vSRX interface ge-0/0/0.0? (monitor traffic interface ge-0/0/0.0 no-resolve matching "vrrp")

    I suspect you haven't allowed vrrp inbound in your security zone.
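    The first check in this reply (is vrrp permitted as a host-inbound protocol on the interface?) can be scripted against `show configuration | display set` output. What follows is an added example, not code from the thread or from Juniper: a POSIX sh function that decides whether VRRP advertisements would pass the host-inbound check on a given logical interface, plus a constructed before/after config modelled on the trust zone posted later in the thread. It assumes Juniper's documented precedence that an interface-level host-inbound-traffic stanza replaces the zone-level one for that interface, and it looks only at the protocols family (`protocols all` covers vrrp). The zone and interface names (trust, ge-0/0/0.0) are the thread's; everything else is illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread or from Juniper: decide from a Junos
# `show configuration | display set` dump whether VRRP advertisements would pass the
# host-inbound check on a given logical interface. Assumes Juniper's documented
# precedence: an interface-level host-inbound-traffic stanza replaces the zone-level
# one for that interface. Only the "protocols" family is examined; "all" covers vrrp.

# $1 = config text in display-set form, $2 = zone name, $3 = logical interface.
# Returns 0 when vrrp is accepted on $3, 1 when the host-inbound check would drop it.
junos_vrrp_inbound() {
  cfg="$1"; zone="$2"; ifl="$3"
  prefix="set security zones security-zone $zone"
  # Escape the dots in names like ge-0/0/0.0 so they match literally in the ERE.
  ifl_re=$(printf '%s' "$ifl" | sed 's/[.]/\\./g')
  if_lines=$(printf '%s\n' "$cfg" \
    | grep -E "^$prefix interfaces $ifl_re host-inbound-traffic protocols " || true)
  if [ -n "$if_lines" ]; then
    scope="interface-level ($ifl)"; lines="$if_lines"
  else
    scope="zone-level ($zone)"
    lines=$(printf '%s\n' "$cfg" \
      | grep -E "^$prefix host-inbound-traffic protocols " || true)
  fi
  if printf '%s\n' "$lines" | grep -qE ' protocols (vrrp|all)$'; then
    echo "vrrp allowed on $ifl by the $scope stanza"
    return 0
  fi
  echo "vrrp NOT allowed on $ifl: the $scope stanza permits nothing for it"
  return 1
}

# Constructed sample modelled on the trust zone posted later in the thread: the
# interface permits every system service but carries no protocols stanza at all.
SAMPLE_BEFORE='set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping'

# Least-privilege fix: permit vrrp alone rather than "protocols all".
SAMPLE_AFTER="$SAMPLE_BEFORE
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols vrrp"

main() {
  junos_vrrp_inbound "$SAMPLE_BEFORE" trust ge-0/0/0.0 || true
  junos_vrrp_inbound "$SAMPLE_AFTER" trust ge-0/0/0.0
}
# Set JUNOS_VRRP_DEMO=1 to run the demo; otherwise only the function is defined, so the
# file can be sourced and run against real `display set` output.
if [ "${JUNOS_VRRP_DEMO:-0}" = 1 ]; then main; fi
```

    On the device, `show configuration | display set | match host-inbound-traffic` produces the lines the function reads. The "after" sample deliberately grants `protocols vrrp` rather than `protocols all`: opening every routing protocol on a LAN-facing interface is more than VRRP needs.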

     

     



  • 4.  Re: vSRX 20.3 vrrp on KVM host (Ubuntu 20.04) - any tutorial?

    Posted 11-02-2020 13:54

    Hi Jonas, your comment led me to investigate libvirt's support for multicast traffic (on an Ubuntu 20.04 LTS host). I am not 100% sure, but it seems that with the following configuration, multicast receive is allowed (it's a bridge to a physical interface), but for sending multicast out, a 2nd interface is required. I am not sure if there are any available examples of people doing it this way. Allow me to present some details about my setup and ask anyone for ideas on how to check the multicast configuration for the VM host that the vSRX runs on. The network bridge in question is br0, which is mapped to ge-0/0/0.0.

     

    1. Config libvirt, on VM Host (s5)

    dev1@s5:~$ virsh iface-dumpxml br0
    <interface type='bridge' name='br0'>
      <mtu size='1500'/>
      <bridge stp='on' delay='1500'>
        <interface type='ethernet' name='eno1'>
          <link speed='100' state='up'/>
          <mac address='88:51:fb:63:ee:9d'/>
        </interface>
      </bridge>
    </interface>
    

    2. Please see https://libvirt.org/formatdomain.html#multicast-tunnel 

     

    Multicast tunnel
    A multicast group is setup to represent a virtual network. Any VMs whose network devices are in the same multicast group can talk to each other even across hosts. This mode is also available to unprivileged users. There is no default DNS or DHCP support and no outgoing network access. To provide outgoing network access, one of the VMs should have a 2nd NIC which is connected to one of the first 4 network types and do the appropriate routing. The multicast protocol is compatible with that used by user mode linux guests too. The source address used must be from the multicast address block.
    
    ...
    <devices>
      <interface type='mcast'>
        <mac address='52:54:00:6d:90:01'/>
        <source address='230.0.0.1' port='5558'/>
      </interface>
    </devices>
    ...

    3. Config on the vSRX 20.3R1.8 router (r5), after I pulled out the VRRP configuration from the time I posted the original message. At this stage, it is plain old routing in flow mode (IPv4). So, do you see any deficiencies in my initial configuration? But again, I am not sure whether the libvirt XML configuration will (or will not) allow incoming multicast traffic.

    set system management-instance
    set system name-server 172.31.254.3 routing-instance NET20-R5-VR
    set system syslog user * any emergency
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set source_nat from zone trust
    set security nat source rule-set source_nat to zone untrust
    set security nat source rule-set source_nat rule nat1 match source-address 0.0.0.0/0
    set security nat source rule-set source_nat rule nat1 then source-nat interface
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone untrust to-zone trust policy default_deny match source-address any
    set security policies from-zone untrust to-zone trust policy default_deny match destination-address any
    set security policies from-zone untrust to-zone trust policy default_deny match application any
    set security policies from-zone untrust to-zone trust policy default_deny then deny
    set security policies pre-id-default-policy then log session-close
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ntp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services traceroute
    set interfaces ge-0/0/0 unit 0 description "TDC14 Branch LAN"
    set interfaces ge-0/0/0 unit 0 family inet address 172.31.254.5/26
    set interfaces ge-0/0/1 unit 0 enable
    set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.79/24
    set interfaces ge-0/0/2 unit 0 description "2nd conn to TDC14 Branch LAN"
    set interfaces ge-0/0/2 unit 0 family inet address 172.31.254.6/26
    deactivate interfaces ge-0/0/2 unit 0
    set interfaces fxp0 unit 0 family inet address 172.31.240.1/22
    set routing-instances NET20-R5-VR routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
    set routing-instances NET20-R5-VR interface ge-0/0/0.0
    set routing-instances NET20-R5-VR interface ge-0/0/1.0
    set routing-instances NET20-R5-VR interface ge-0/0/2.0
    deactivate routing-instances NET20-R5-VR interface ge-0/0/2.0
    set routing-instances NET20-R5-VR instance-type virtual-router
    set protocols vrrp traceoptions file vrrp-log
    set protocols vrrp traceoptions file size 1m
    set protocols vrrp traceoptions flag packets
    

    4. I think I will have to check if vrrp is allowed or not, but for now here is the running interface config ...

     

    ttadmin@r5> show interfaces ge-0/0/0.0 detail |no-more
      Logical interface ge-0/0/0.0 (Index 71) (SNMP ifIndex 518) (Generation 136)
        Description: TDC14 Branch LAN
        Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2
        Traffic statistics:
         Input  bytes  :            258123606
         Output bytes  :            356850268
         Input  packets:               487914
         Output packets:               465089
        Local statistics:
         Input  bytes  :              2247158
         Output bytes  :               106268
         Input  packets:                51103
         Output packets:                 1789
        Transit statistics:
         Input  bytes  :            255876448              1260704 bps
         Output bytes  :            356744000                20000 bps
         Input  packets:               436811                  117 pps
         Output packets:               463300                   57 pps
        Security: Zone: trust
        Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
        lsping ntp sip dhcpv6 r2cp webapi-clear-text webapi-ssl tcp-encap sdwan-appqoe l3-ha
        Flow Statistics :
        Flow Input statistics :
          Self packets :                     1575
          ICMP packets :                     1773
          VPN packets :                      0
          Multicast packets :                8936
          Bytes permitted by policy :        250495656
          Connections established :          12910
        Flow Output statistics:
          Multicast packets :                0
          Bytes permitted by policy :        356612152
        Flow error statistics (Packets dropped due to):
          Address spoofing:                  0
          Authentication failed:             0
          Incoming NAT errors:               0
          Invalid zone received packet:      0
          Multiple user authentications:     0
          Multiple incoming NAT:             0
          No parent for a gate:              0
          No one interested in self packets: 0
          No minor session:                  0
          No more sessions:                  0
          No NAT gate:                       0
          No route present:                  8937
          No SA for incoming SPI:            0
          No tunnel found:                   0
          No session for a gate:             0
          No zone or NULL zone binding       1
          Policy denied:                     0
          Security association not active:   0
          TCP sequence number out of window: 0
          Syn-attack protection:             0
          User authentication errors:        0
        Protocol inet, MTU: 1500
        Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt: 3, Curr new hold cnt: 0, NH drop cnt: 0
        Generation: 156, Route table: 4
          Flags: Sendbcast-pkt-to-re, Is-Primary
          Addresses, Flags: Is-Default Is-Preferred Is-Primary
            Destination: 172.31.254.0/26, Local: 172.31.254.5, Broadcast: 172.31.254.63, Generation: 142
    


  • 5.  Re: vSRX 20.3 vrrp on KVM host (Ubuntu 20.04) - any tutorial?

    Posted 11-02-2020 13:58

    So, I added a host-inbound-traffic stanza for "all protocols" for the trust network.

    ttadmin@r5> show configuration security zones security-zone trust
    tcp-rst;
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
    

    But does the vSRX also need an outbound multicast interface? If so, any suggestions on how to utilize a second interface on the same bridge for that multicast subnet and purpose?



  • 6.  Re: vSRX 20.3 vrrp on KVM host (Ubuntu 20.04) - any tutorial?

    Posted 11-02-2020 14:28

    OK, better. After allowing the vrrp protocol on the interface, the VRRP is in backup state, as it has the lower priority. But does the VRRP on this vSRX also need to send out updates via multicast? Do we have to install a second interface (suggested in my 2nd response) for that, or does vSRX 3.0 allow multicast to be sent over a bridged VM / libvirt network adapter guest connection?

     

    Thanks.
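    On the open question from the last three posts (whether the guest needs a second, multicast-specific interface): libvirt's `type='mcast'` interface quoted from the libvirt docs above is a UDP multicast transport that stitches guests into a virtual network; it is not a setting that passes IP multicast through a bridge. A `type='bridge'` NIC on br0 already carries 224.0.0.18 in both directions, because a Linux bridge floods link-local multicast (224.0.0.0/24) to every forwarding port whether or not multicast snooping is on. A VRRP backup also sends no advertisements, so with r5 at priority 240 the host side only matters when r5 takes over as master. What does break VRRP on a KVM host is usually a per-port bridge setting or a libvirt nwfilter: `clean-traffic` includes `no-mac-spoofing`, which drops the advertisements and replies a master sources from the virtual MAC 00:00:5e:00:01:01 (VRID 1), and `no-arp-spoofing`, which drops the gratuitous ARP for the VIP. The interface output posted earlier is also consistent with inbound multicast having reached the guest all along ("Multicast packets: 8936") and being dropped by flow ("No route present: 8937") until vrrp was permitted inbound. The audit script below is an added example, not code from the thread or from libvirt; br0 and r5 are the poster's names, while vnet0, the sample domain XML and the sysfs-root parameter are assumptions for illustration and testing.

```shell
#!/bin/sh
# Added example, not from the thread: audit the KVM host for settings that keep VRRP
# (IP proto 112 to 224.0.0.18, master frames sourced from MAC 00:00:5e:00:01:<VRID>)
# from crossing the libvirt bridge to or from the vSRX guest. br0 and r5 are the
# poster's names; vnet0 and the sample domain XML below are assumptions.

# Bridge and port multicast state from sysfs.
# $1 bridge, $2 bridge port (the guest's tap), $3 sysfs root (default /sys; a fake tree
# can be passed for testing). Returns 0 if nothing blocks VRRP flooding to the port,
# 1 if a port setting does, 2 if the names are wrong.
check_bridge_port() {
  br="$1"; port="$2"; root="${3:-/sys}"
  bdir="$root/class/net/$br/bridge"; pdir="$root/class/net/$br/brif/$port"
  [ -d "$bdir" ] || { echo "ERR: $br is not a bridge under $root"; return 2; }
  [ -d "$pdir" ] || { echo "ERR: $port is not a port of $br"; return 2; }
  rc=0
  snoop=$(cat "$bdir/multicast_snooping" 2>/dev/null || echo '?')
  # Snooping never prunes 224.0.0.0/24: the bridge floods link-local groups regardless.
  echo "$br: multicast_snooping=$snoop (224.0.0.18 is flooded either way)"
  # Per-port multicast_flood=0 (bridge link set dev <port> mcast_flood off) does stop
  # unregistered multicast, VRRP included, from being flooded to this port.
  flood=$(cat "$pdir/multicast_flood" 2>/dev/null || echo 1)
  [ "$flood" = 1 ] || { echo "WARN: $port multicast_flood=$flood"; rc=1; }
  # A port outside STP forwarding state (3) passes no traffic at all; the poster's br0
  # runs STP, so a freshly attached tap sits in listening/learning first.
  st=$(cat "$pdir/state" 2>/dev/null || echo 3)
  [ "$st" = 3 ] || { echo "WARN: $port STP state=$st, not forwarding"; rc=1; }
  return $rc
}

# Look for libvirt nwfilters on the guest's NICs in `virsh dumpxml <domain>` output.
# clean-traffic includes no-mac-spoofing, which drops frames the VRRP master sends from
# the virtual MAC, and no-arp-spoofing, which drops the gratuitous ARP for the VIP.
# $1 = domain XML. Returns 0 if no filterref is attached, 1 if one is (names printed).
check_nwfilter() {
  names=$(printf '%s\n' "$1" | sed -n "s/.*<filterref filter='\([^']*\)'.*/\1/p")
  if [ -z "$names" ]; then echo "no nwfilter on guest NICs"; return 0; fi
  echo "WARN: nwfilter attached to a guest NIC: $(printf '%s' "$names" | tr '\n' ' ')"
  return 1
}

# Live capture (not run by the demo): advertisements seen on br0 but not on the tap
# point at the port or a filter; seen on the tap but ignored by the vSRX points at the
# Junos host-inbound-traffic setting. VRID 1 gives the virtual MAC 00:00:5e:00:01:01.
capture_vrrp() {
  tcpdump -nei "$1" 'vrrp or (arp and ether src 00:00:5e:00:01:01)'
}

# Constructed sample domain XML: a bridge NIC with clean-traffic attached.
SAMPLE_DOMAIN_XML="<domain type='kvm'><name>r5</name><devices>
  <interface type='bridge'>
    <mac address='52:54:00:12:34:56'/>
    <source bridge='br0'/>
    <filterref filter='clean-traffic'/>
    <model type='virtio'/>
  </interface>
</devices></domain>"

main() {
  check_bridge_port "${1:-br0}" "${2:-vnet0}" || true
  # On a real host use: check_nwfilter "$(virsh dumpxml r5)"
  check_nwfilter "$SAMPLE_DOMAIN_XML" || true
}
# Set KVM_VRRP_AUDIT=1 to run the demo; otherwise only the functions are defined.
if [ "${KVM_VRRP_AUDIT:-0}" = 1 ]; then main "$@"; fi
```

    `virsh domiflist r5` gives the tap name to pass as the port, and `bridge link show` confirms the same per-port flags from iproute2. If a filter has to stay on the guest NIC, libvirt's `no-mac-spoofing` and `no-arp-spoofing` are the two members of `clean-traffic` that need to be excluded for a VRRP master to work.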