08-23-2010 08:44 AM
First thanks for creating the opportunity to gossip about all nifty features.
Here I am implementing a full Juniper network, and we were having some issues constructing a management subnet.
By design we need the management subnet (A.B.2.0/24) to be routed by the SRX firewall.
I attach a sketch of the design.
The Core is an EX-4200 virtual chassis and should have its IP address in the management segment. The core is routing the internal subnets.
We are implementing this by using an RVI with IP A.B.2.5.
Without any extra configuration, we bump into the following problem:
- internal users have to connect to the IC-4500 with IP A.B.2.3 (HTTPS connection to verify status with OAC or Pulse). This will result in asymmetric routing, as the IC has the SRX as default gateway, and the EX core will send the traffic directly to the IC (instead of sending it to the SRX).
So we solve this by adding an extra routing instance in the EX.
This works OK, but now NSM is not able to connect to the EX anymore (probably because the EX tries to connect via inet.0).
For support reasons, we do want inet.0 to be the routing instance for the internal routing between the client VLANs.
After a lot of discussion we did not find a very elegant solution for this problem without changing the original design.
Would you guys have some experience with a similar setup, and what seems to you the best solution?
08-23-2010 11:38 AM
We are discussing your question ... as a point of clarification, are you using the me0 port on the EX4200 for management? On the diagram, you have a line coming out of the core to the right that is labeled mgmtcore ... is this the me0 connection?
08-23-2010 11:45 AM
08-24-2010 12:48 PM
It would be nice to know what Juniper would recommend too. I have a similar setup too, where I have to plug a patch cable from me0 to the front port for the management VLAN. It looks strange, but with SRX cluster management and EX VC management, what would be the best practice to do that?
08-24-2010 03:25 PM
Thanks for posting a question on the forum.
Since the RVI is x.x.2.5 and the NSM is x.x.2.2 and they are on the same subnet, they should be able to reach each other. Can the two devices not ping each other?
To answer best practice for a management subnet, obviously there are two ways of approaching this -- inband vs. out-of-band management.
Inband management is nice in that there is no need to maintain a separate network. However, it is susceptible to outages because usually the management VLAN shares the same network topology as the data VLANs. If there is a broadcast storm or spanning-tree loop, one can be sure the management VLAN can be affected.
Another thing to consider is limiting access to the management interface; one method is to configure a firewall filter and apply it to loopback 0. The great thing about applying it to lo0 is that it simplifies and centralizes firewall filter management to a single point. One no longer needs to bind a firewall filter to all of the L3 interfaces to control traffic that is destined to the RE. The other alternative is to put the inband management interface in a separate routing instance.
Out-of-band management is great if one wants to separate management and data entirely. The management ethernet interface (me0) is totally separate from the network-facing ports, which means no traffic is allowed to be passed between the two. The only drawback is that me0 shares the same routing table as the networking interfaces. However, we are looking at ways to solve this. I would suggest you contact your local SE or reseller on this.
Hope this helps.
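As an added illustration of the lo0 filter approach described in the reply above (this is example configuration written for this page, not something posted by the reply's author or taken from Juniper documentation): a Junos firewall filter that only lets hosts on the management subnet reach the routing engine for SSH, HTTPS and SNMP, allows ICMP for troubleshooting, counts everything else before discarding it, and is applied as an input filter on lo0.0. The prefix 192.0.2.0/24 is a placeholder standing in for the thread's A.B.2.0/24 management subnet, and the filter and counter names are made up for the example.

```junos
firewall {
    family inet {
        filter protect-re {
            /* Placeholder prefix: substitute the real management subnet (A.B.2.0/24 in the thread). */
            term allow-mgmt-tcp {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term allow-mgmt-snmp {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            /* Keep ping/traceroute working from anywhere for troubleshooting. */
            term allow-icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* Add terms here for any routing protocols, NTP, DNS or RADIUS/TACACS+ the RE needs before the final discard. */
            term deny-rest {
                then {
                    count re-denied;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Two things to keep in mind when using this pattern: an lo0 input filter covers all traffic terminating on the RE regardless of which L3 interface it arrived on (which is the centralization benefit the reply mentions), so it also catches replies to sessions the switch itself initiates (DNS, NTP, RADIUS/TACACS+) and any routing-protocol neighbors the core runs; commit with `commit confirmed` and check `show firewall filter protect-re` for hits on the deny counter before making it permanent.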