SRX Services Gateway
Contributor
ahmedsharif
Posts: 36
Registered: ‎04-24-2009
0

Active/Active SCTP multihoming

Hi Experts

So far we are doing the SCTP Multi-homing design on NetScreen.

The following configuration is done on the NetScreen to accomplish two different paths. The trick is to not include them in NSRP.

In FW-1, zone ss7_int1 below is Path_1 for SCTP, and in FW-2 ss7_int2 is Path_2.

It is important to have them in vsd-group 0 and not include vsd-group 0 in NSRP.

Example configuration:

FW-1


set zone id 100 "access"
set zone id 103 "ss7_int_1"

set interface "ethernet0/3.6" tag 6 zone "access"
set interface "ethernet0/3.11" tag 11 zone "ss7_int_1"

set interface ethernet0/3.6:1 ip 10.64.24.73/29
set interface ethernet0/3.6:1 route
set interface ethernet0/3.11 ip 10.64.25.117/30
set interface ethernet0/3.11 route

unset interface ethernet0/3.6:1 ip manageable
unset interface ethernet0/3.11 ip manageable

set nsrp rto-mirror sync
set nsrp vsd-group master-always-exist
unset nsrp vsd-group id 0

FW-2


set zone id 100 "access"
set zone id 103 "ss7_int_2"

set interface "ethernet0/3.6" tag 6 zone "access"
set interface "ethernet0/3.21" tag 21 zone "ss7_int_2"

set interface ethernet0/3.6:1 ip 10.64.24.73/29
set interface ethernet0/3.6:1 route
set interface ethernet0/3.21 ip 10.64.25.121/30
set interface ethernet0/3.21 route

unset interface ethernet0/3.6:1 ip manageable
unset interface ethernet0/3.21 ip manageable

set nsrp rto-mirror sync
set nsrp vsd-group master-always-exist
unset nsrp vsd-group id 0

I would like to achieve similar behaviour on the SRX.

Now there are 2 possibilities that I can see.

1) Create 2 redundancy groups, let's say RG1 and RG2:

     RG1 active on SRX1 and RG2 active on SRX2.

2) Create local interfaces and don't include them in RGs.

Which one do you suggest will be the preferred way, and why?

And how does the statefulness differ in the two scenarios?

Any suggestions will be appreciated.

Thanks

Regards

Ahmed Sharif
Juniper Employee
galina@juniper.net
Posts: 3
Registered: ‎11-01-2010
0

Re: Active/Active SCTP multihoming

Hi, Ahmed,

High-end SRXs support SCTP in A/A or A/P mode HA clusters. To select which mode to use, you'd need to tie it to your overall architecture and deployment goals for the SRX.

Attached please find the doc on SCTP configuration CLI in Junos.

Please do let me know if you have any further questions.

Regards,

Galina
Contributor
ahmedsharif
Posts: 36
Registered: ‎04-24-2009
0

Re: Active/Active SCTP multihoming

Hi Galina

Thanks for the reply.

But how can we check whether SCTP is working or not?

I have done some configs. The purpose is to check local interfaces without ALG.

My question is: in the config below, am I missing something regarding "local interfaces without ALG"?

If anything else is needed, please let me know.

ge-0/0/6 {
    vlan-tagging;
    unit 466 {
        vlan-id 466;
        family inet {
            address 10.87.53.65/29;
        }
    }
    unit 686 {
        vlan-id 686;
        family inet {
            address 10.87.41.145/29;
        }
    }
}

ge-4/0/6 {
    vlan-tagging;                       
    unit 467 {
        vlan-id 467;
        family inet {
            address 10.87.53.73/29;
        }
    }
    unit 687 {
        vlan-id 687;
        family inet {
            address 10.87.41.153/29;
        }
    }
}

admin@SRX1400-1# show routing-instances SS7
instance-type virtual-router;
interface ge-0/0/6.466;
interface ge-0/0/6.686;
interface ge-4/0/6.467;
interface ge-4/0/6.687;
routing-options {
    static {
        route 10.87.42.249/32 next-hop 10.87.41.146;
        route 10.87.42.253/32 next-hop 10.87.41.154;
        route 10.87.40.4/32 next-hop 10.87.53.66;
        route 10.87.40.36/32 next-hop 10.87.53.74;
    }
}

from-zone SS7-trust to-zone SS7-untrust {
    policy SS7-trust-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

Thanks

Regards

Ahmed Sharif
Juniper Employee
tonyzhou
Posts: 91
Registered: ‎11-11-2010
0

Re: Active/Active SCTP multihoming

If you want to use SCTP, you need to configure an SCTP profile and bind it to a security policy.

For example:

(1) Configure the SCTP profile

root@haricot# show security gprs sctp | display set | match profile
set security gprs sctp profile lp association-timeout 1440
set security gprs sctp profile lp handshake-timeout 30
set security gprs sctp profile lp drop payload-protocol m2ua

(2) Configure the policy, and bind the SCTP profile to the policy

root@haricot# show security policies | display set
set security policies from-zone Tsctp-zone to-zone Usctp-zone policy lp match source-address any
set security policies from-zone Tsctp-zone to-zone Usctp-zone policy lp match destination-address any
set security policies from-zone Tsctp-zone to-zone Usctp-zone policy lp match application junos-gprs-sctp
set security policies from-zone Tsctp-zone to-zone Usctp-zone policy lp then permit application-services gprs-sctp-profile lp
set security policies from-zone Usctp-zone to-zone Tsctp-zone policy lp match source-address any
set security policies from-zone Usctp-zone to-zone Tsctp-zone policy lp match destination-address any
set security policies from-zone Usctp-zone to-zone Tsctp-zone policy lp match application junos-gprs-sctp
set security policies from-zone Usctp-zone to-zone Tsctp-zone policy lp then permit application-services gprs-sctp-profile lp

JNCIE-SEC
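As an added audit check (not from the thread and not a Junos feature): a short Python script that parses `display set` output and flags permit policies that let SCTP through with no gprs-sctp-profile bound, which is exactly what the `application any` policy SS7-trust-untrust from the question does. The sample config is constructed from the thread plus an assumed policy `noprof`.

```python
import re

# Constructed sample in "display set" form: the profile and policy from the
# thread, the SS7 "application any" policy from the question, and an assumed
# policy "noprof" that permits junos-gprs-sctp with no profile bound.
SAMPLE_SET_CONFIG = """
set security gprs sctp profile lp association-timeout 1440
set security gprs sctp profile lp handshake-timeout 30
set security gprs sctp profile lp drop payload-protocol m2ua
set security policies from-zone Tsctp-zone to-zone Usctp-zone policy lp match application junos-gprs-sctp
set security policies from-zone Tsctp-zone to-zone Usctp-zone policy lp then permit application-services gprs-sctp-profile lp
set security policies from-zone SS7-trust to-zone SS7-untrust policy SS7-trust-untrust match application any
set security policies from-zone SS7-trust to-zone SS7-untrust policy SS7-trust-untrust then permit
set security policies from-zone Usctp-zone to-zone Tsctp-zone policy noprof match application junos-gprs-sctp
set security policies from-zone Usctp-zone to-zone Tsctp-zone policy noprof then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")

def parse_set_config(text):
    """Return (defined SCTP profile names, {zone-pair:policy -> parsed fields})."""
    profiles, policies = set(), {}
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line)
        if line.startswith("set security gprs sctp profile "):
            profiles.add(line.split()[5])
        elif m:
            pol = policies.setdefault(f"{m[1]}->{m[2]}:{m[3]}",
                                      {"apps": set(), "permit": False, "profile": None})
            if m[4] == "match" and m[5].startswith("application "):
                pol["apps"].add(m[5].split()[1])
            elif m[4] == "then" and m[5].startswith("permit"):
                pol["permit"] = True
                pm = re.search(r"gprs-sctp-profile (\S+)", m[5])
                pol["profile"] = pm.group(1) if pm else None
    return profiles, policies

def audit_sctp_policies(text):
    """Flag permit policies that let SCTP through with no profile inspection."""
    profiles, policies = parse_set_config(text)
    findings = []
    for key, pol in policies.items():
        if not pol["permit"]:
            continue
        if pol["profile"] and pol["profile"] not in profiles:
            findings.append(f"{key}: references undefined SCTP profile {pol['profile']}")
        elif pol["profile"] is None and pol["apps"] & {"any", "junos-gprs-sctp"}:
            findings.append(f"{key}: permits SCTP with no gprs-sctp-profile bound")
    return sorted(findings)
```

Run `audit_sctp_policies` over the real `show security policies | display set` output; an empty list means every SCTP-capable permit policy carries a defined profile.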