Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Juniper SRX Firewall VRRP not able to access the VLAN

    This message was posted by a user wishing to remain anonymous
    Posted 11-19-2022 20:02

    Hi,
    I am facing an issue with Juniper SRX firewalls: the firewalls are configured using VRRP, but I am not able to access the second VRRP firewall's irb. (Refer to the attached first picture.)
    Two firewalls, A and B, are configured with VRRP and a trunk port between each other with all allowed VLAN members.
    The other two firewalls, X and Y, are also configured with VRRP and a trunk port between each other with all allowed VLAN members.
    Firewall A is connected to X and firewall B is connected to Y.
    When I try to access the management VLAN of firewall B or firewall Y, I am not able to access it from the switch that is connected to A and B. (Refer to the attached first picture.)
    One more issue: when I reboot firewall X, traffic from Location 1 does not reach the computers at Location 2 that are connected to Y. (Refer to the attached second picture.)

    Please advise what the best way is to resolve this issue without changing the current design.


  • 2.  RE: Juniper SRX Firewall VRRP not able to access the VLAN

    Posted 11-19-2022 20:11
    Are the SRX configured in packet mode as router only or as the normal shipped flow mode as a firewall?

    How are the routing subnets exchanged between site 1 and site 2? OSPF, BGP, static routes?

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Juniper SRX Firewall VRRP not able to access the VLAN

    Posted 11-21-2022 11:59
    Hi,

    Are the SRX configured in packet mode as router only or as the normal shipped flow mode as a firewall?
    There is no packet filtering. Please advise what is best for this scenario. Please find the configuration sample below.

    IRB created on both firewalls. Firewall X configuration shown below:
    set interfaces irb unit 10 family inet sampling input
    set interfaces irb unit 10 family inet sampling output
    set interfaces irb unit 10 family inet address 100.0.50.2/28 vrrp-group 1 virtual-address 100.0.50.1
    set interfaces irb unit 10 family inet address 100.0.50.2/28 vrrp-group 1 priority 202
    set interfaces irb unit 10 family inet address 100.0.50.2/28 vrrp-group 1 preempt
    set interfaces irb unit 10 family inet address 100.0.50.2/28 vrrp-group 1 accept-data
    set vlans MGMT vlan-id 10
    set vlans MGMT l3-interface irb.10

    Created security zones on both firewalls. Firewall X configuration shown below:
    set security zones security-zone MGMT host-inbound-traffic system-services all
    set security zones security-zone MGMT host-inbound-traffic protocols all
    set security zones security-zone MGMT interfaces irb.10

    Applied IRB to the Physical Interfaces
    set interfaces ge-0/0/7 description **Link-to-Location1**
    set interfaces ge-0/0/7 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members MGMT

    Trunking between nodes, firewalls X and Y. Firewall X configuration shown below:
    set interfaces ge-0/0/0 description **SRX-NodeY**
    set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members all

    Applied ACL Between Zones
    SSH, Junos ping

    Applied static routes at both locations, on both firewalls. Firewall X configuration shown below:
    set routing-options static route 192.168.1.0/26 next-hop 10.10.10.6

    How are the routing subnets exchanged between site 1 and site 2? OSPF, BGP, static routes?
    Static routes done from both locations.

    ------------------------------
    ARUN BALAN
    ------------------------------
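
An added example, not part of the original post: a small Python check over the set commands quoted above that verifies each VRRP virtual address sits inside its interface subnet, that accept-data is set, that the interface's zone admits VRRP as host-inbound traffic, and that reports any host-inbound-traffic entry set to `all`. The `audit` function and its finding strings are hypothetical; the sample input is constructed from the post's own lines.

```python
import ipaddress
import re

# Constructed sample: firewall X's set commands from the post above
# (trailing period on the last line dropped).
SAMPLE = """\
set interfaces irb unit 10 family inet address 100.0.50.2/28 vrrp-group 1 virtual-address 100.0.50.1
set interfaces irb unit 10 family inet address 100.0.50.2/28 vrrp-group 1 priority 202
set interfaces irb unit 10 family inet address 100.0.50.2/28 vrrp-group 1 accept-data
set security zones security-zone MGMT host-inbound-traffic system-services all
set security zones security-zone MGMT host-inbound-traffic protocols all
set security zones security-zone MGMT interfaces irb.10
"""
VRRP = re.compile(r"set interfaces (\S+) unit (\d+) family inet address (\S+) "
                  r"vrrp-group (\d+) (\S+)(?: (\S+))?")
HIT = re.compile(r"set security zones security-zone (\S+) host-inbound-traffic "
                 r"(system-services|protocols) (\S+)")
ZIF = re.compile(r"set security zones security-zone (\S+) interfaces (\S+)")

def audit(config):
    """Return findings for VRRP groups and zone host-inbound-traffic (hypothetical helper)."""
    groups, allowed, zone_of, findings = {}, {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := VRRP.fullmatch(line):
            group = groups.setdefault((f"{m[1]}.{m[2]}", m[4]), {"addr": m[3]})
            group[m[5]] = m[6] or True
        elif m := HIT.fullmatch(line):
            allowed.setdefault(m[1], {}).setdefault(m[2], set()).add(m[3])
        elif m := ZIF.fullmatch(line):
            zone_of[m[2]] = m[1]
    for (ifl, gid), group in sorted(groups.items()):
        net = ipaddress.ip_interface(group["addr"]).network
        vip = group.get("virtual-address")
        if vip is None or ipaddress.ip_address(vip) not in net:
            findings.append(f"{ifl} group {gid}: virtual-address missing or outside {net}")
        if "accept-data" not in group:
            findings.append(f"{ifl} group {gid}: no accept-data, a non-owner master drops traffic to the VIP")
        zone = zone_of.get(ifl)
        if not allowed.get(zone, {}).get("protocols", set()) & {"vrrp", "all"}:
            findings.append(f"{ifl}: zone {zone} does not permit host-inbound protocols vrrp")
    for zone, kinds in sorted(allowed.items()):
        for kind in sorted(k for k, vals in kinds.items() if "all" in vals):
            findings.append(f"zone {zone}: host-inbound-traffic {kind} all")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the sample, the VRRP checks pass and the only findings are the two `all` entries in zone MGMT.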



  • 4.  RE: Juniper SRX Firewall VRRP not able to access the VLAN

    Posted 11-21-2022 12:06
    Hi,

    1. Are the SRX configured in packet mode as router only or as the normal shipped flow mode as a firewall?
    Normal flow mode only. Kindly advise what is best for this scenario.

    2. How are the routing subnets exchanged between site 1 and site 2? OSPF, BGP, static routes?
    Static routes between the two locations.

    Please find the attached sample configuration.

    ------------------------------
    Arun Balan
    ------------------------------



  • 5.  RE: Juniper SRX Firewall VRRP not able to access the VLAN

    This message was posted by a user wishing to remain anonymous
    Posted 11-26-2022 06:20

    Hi,
    Please advise a good solution for this issue.
    I am also not able to manage the firewalls, because the SRX 550 doesn't have any management IP.



  • 6.  RE: Juniper SRX Firewall VRRP not able to access the VLAN

    Posted 11-27-2022 05:01
    Hi,

    Please just make that SRX a chassis cluster. You don't need to make it complicated, since using a cluster gives easy and seamless failover.

    Thanks