SRX

  • 1.  Alternative to Screen OS null interface

    Posted 07-24-2014 09:00

    Dear forums,

    I'm currently migrating an SSG cluster to SRX and I'm stuck on this part of the configuration.

    set route 217.72.233.1/32 interface tunnel.1 preference 20 permanent
    set route 217.72.233.2/32 interface tunnel.1 preference 20 permanent
    set route 217.72.233.3/32 interface tunnel.1 preference 20 permanent
    set route 217.72.233.1/32 interface null preference 40 permanent
    set route 217.72.233.2/32 interface null preference 40 permanent
    set route 217.72.233.3/32 interface null preference 40 permanent

    As you can see, public IP addresses are being routed over a VPN tunnel. When this VPN tunnel is unavailable, the traffic should be discarded instead of being forwarded to the default gateway.

    What is the alternative configuration for this in Junos?
    The discard function doesn't have the results I'm looking for...

    All help is welcome!



  • 2.  RE: Alternative to Screen OS null interface

    Posted 07-24-2014 09:42

    Hello,

    First of all, if You don't have a 0/0 route, or have a 0/0 route with a discard next hop, then when the more specific routes disappear the packets will be rejected (no 0/0) or discarded (0/0 discard).

    Secondly, You can use the workaround below with "resolve" (assuming tunnel.1 maps to st0.1):

    [edit routing-options static]
    +    route 217.72.233.1/32 {
    +        qualified-next-hop st0.1 {
    +            preference 20;
    +        }
    +        qualified-next-hop 169.254.0.0 {
    +            preference 40;
    +        }
    +        resolve;
    +    }
    +    route 169.254.0.0/32 discard;
    

    Instead of 169.254.0.0 You can use any other unreachable IP address.

    The end result:

    aarseniev@rtr> show route 217.72.233.1/32                 
    Jul 24 18:40:20
    
    inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    217.72.233.1/32    *[Static/20] 00:04:30
                        > via st0.1
                        [Static/40] 00:07:28, metric2 0
                         to Discard

    HTH

    Thanks
    Alex
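    An added check, not part of this thread or of any Juniper tool, that parses "show route" output like the one above and confirms that each VPN-only prefix has the tunnel as its active route and a Discard route as its best fallback, so a tunnel outage cannot push the traffic to the default gateway; the sample output is constructed, while `st0.1` and the prefixes are taken from the thread.

```python
import re
# Constructed sample modelled on the "show route" output in the thread (not from a real device).
SAMPLE_SHOW_ROUTE = """\
inet.0: 6 destinations, 8 routes (6 active, 0 holddown, 0 hidden)
217.72.233.1/32    *[Static/20] 00:04:30
                    > via st0.1
                    [Static/40] 00:07:28, metric2 0
                     to Discard
217.72.233.2/32    *[Static/20] 00:04:30
                    > via st0.1
217.72.233.3/32    *[Static/20] 00:04:30
                    > via st0.1
                    [Static/40] 00:07:28
                    > to 192.0.2.1 via ge-0/0/0.0
"""
# "prefix *[Proto/pref]" opens a prefix; an indented "[Proto/pref]" is a further route for it.
ROUTE_RE = re.compile(r"^\s*(?:(\S+/\d+)\s+)?\*?\[(\w+)/(\d+)\]")
# Next hop: "via <iface>" for an interface route, "to <gateway|Discard> [via <iface>]" otherwise.
HOP_RE = re.compile(r"^\s+>?\s*(?:via (\S+)|to (\S+)(?: via \S+)?)\s*$")

def parse_show_route(text):
    """Map each prefix to its (preference, next_hop) tuples in display order."""
    routes, prefix, current = {}, None, None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix = m.group(1) or prefix  # indented entries belong to the last prefix seen
            current = [int(m.group(3)), None]
            routes.setdefault(prefix, []).append(current)
            continue
        m = HOP_RE.match(line)
        if m and current is not None and current[1] is None:
            current[1] = m.group(1) or m.group(2)  # interface, gateway address or "Discard"
    return {p: [tuple(e) for e in v] for p, v in routes.items()}

def vpn_only_violations(routes, protected, tunnel_iface="st0.1"):
    """(prefix, reason) for each protected prefix whose best non-tunnel route is not Discard."""
    problems = []
    for prefix in protected:
        entries = routes.get(prefix, [])
        if not any(hop == tunnel_iface for _, hop in entries):
            problems.append((prefix, "no route via " + tunnel_iface))
            continue
        best = min((e for e in entries if e[1] != tunnel_iface), key=lambda e: e[0], default=None)
        if best is None:  # nothing catches it: traffic follows 0.0.0.0/0 when the tunnel is down
            problems.append((prefix, "no Discard fallback"))
        elif best[1] != "Discard":
            problems.append((prefix, "fallback next hop is %s, not Discard" % best[1]))
    return problems
```

Run it against real output after a commit to catch prefixes that were migrated without their discard route.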



  • 3.  RE: Alternative to Screen OS null interface

    Posted 07-28-2014 05:09

    If your intention is to have the tunnel up only when matching traffic arrives, then isn't it better to use a policy-based VPN?



  • 4.  RE: Alternative to Screen OS null interface
    Best Answer

    Posted 08-01-2014 06:40

    Hi,

    It is pretty straightforward:

    You can use the following:

    set routing-options static route 1.1.1.1/32 next-hop st0.1
    set routing-options static route 1.1.1.1/32 passive

    or 

    set routing-options static route 1.1.1.1/32 next-hop st0.1
    set routing-options static route 1.1.1.1/32 retain

    Even when st0.1 goes inactive the route will be retained.

    This will solve your problem.

    Regards,

    c_r

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 5.  RE: Alternative to Screen OS null interface

    Posted 08-11-2014 01:31

    Thank you everyone for your feedback!
    It's not live yet but that retain option seems to be the solution.

    I feel dumb for overlooking that option! 🙂