12-17-2010 02:41 PM - edited 12-17-2010 05:15 PM
We are expanding our environment to accommodate the provisioning of additional IP subnets. The subnets are shared across two devices, an F5 load balancer and our SRX650 cluster. Right now we use only one subnet and our ISP hosts the default gateway IP address on their border router.
So to move forward my ISP will statically route all our subnets to our new router. On its "backside" I have created three VLANs, one for each subnet to segregate the subnets' traffic. Each device of course has tagged interfaces with access to those VLANs.
I want to make sure that connections made on one of the subnets on the SRX get routed back out that subnet's default gateway (the F5 has magic built in that I don't have to worry about it). The SRX already has a default next-hop set. Do I do this via policy based routing? And if so, can someone offer a little example of how it works?
For reference I have included how our network will look. Pardon the image, I'm a little rusty with Visio.
12-17-2010 05:35 PM
I don't think I'm following what you're asking here...
Are you saying that if you have multiple VLANs / layer 3 interfaces on the SRX, that you don't want the SRX to route between them, perhaps you want all the traffic sent to your router [why]?
If that's the case... then you'd want to make sure they're all in different security zones, and yes, you could/would do that with policy routing, or "Filter Based Forwarding" as it's known in Junos land. Let me just warn you, FBF is a clunky way to implement policy-based routing, I have *NO* clue why Juniper chose to do it this way. Policy-based routing on ScreenOS was clean and simple. FBF on Junos can make a sane person start flapping their arms around like the infamous Wacky Waving Inflatable Arm-Flailing Tube Man.
That's not to say it's impossible, I have a simple working FBF config that I can share with you, but first I just want to make sure I understand what it is exactly you're trying to accomplish with this.
12-17-2010 05:51 PM
With two devices hosting live IPs I can't just use the SRX to route the various subnets because the F5 isn't in any way related to the SRX. So what I need are 3 VLANs that each device has access to in which they host the IPs for each subnet. One VLAN, one subnet. This is so that the same interface on each device doesn't host multiple subnets on the same network segment. I've read several papers online that say that that is a bad idea.
So the SRX and my F5 have interfaces in VLAN1, VLAN2, VLAN3, and on each interface they host the IP for the subnet that is dedicated to each VLAN.
However what I want to make sure is that of my three subnets, packets coming into that VLAN destined for the interface on the SRX go back out the gateway IP for that subnet.
12-18-2010 05:11 PM
I read your response last night... it was late. I tried to process it mentally, and it just wasn't clicking. I figured it was just because I was so tired that my brain wasn't firing on all cylinders.
I just read it again, and I still just don't understand fully what you need to accomplish here. Perhaps you could add a little more detail to the diagram such as IPs for the interfaces in each VLAN on the different devices, and maybe show an example scenario for traffic flow (source from IP xxxx, destination yyyy, etc.) and the path that you wish the traffic to take?
Sorry if I'm being a little dense here, I'm just having trouble fully understanding what you're looking for.
12-19-2010 02:35 PM
I don't really know what more to add.
I have three VLANs.
Each VLAN is for one of the three subnets in the image from the first post.
The router hosts the gateway IP for each subnet.
The SRX has an interface in each subnet with IPs bound to it for that subnet.
The SRX has a default next-hop that is 220.127.116.11. That is its default address so that is where it routes all the traffic by default. That works fine when there is just a single subnet bound to the SRX interface.
Now I have three subnets. Pretend for a moment that I have a static nat for a private server that is 18.104.22.168. When that private server makes an outbound connection, its packets get natted to the static nat IP of 22.214.171.124. How do I make it so that the SRX knows to send those packets to the default gateway for the 126.96.36.199/24 subnet? Likewise for my third subnet 188.8.131.52/25?
Can I just add multiple next-hops and the SRX will automatically send the packets out the appropriate default gateway? Or do I have to use policy based routing to define the correct gateway somehow?
Does that help?
12-20-2010 02:58 PM
Remember that the SRX is a routing platform. If it has interfaces in those VLANs, it's going to have routes to those VLANs, and it's going to (by default) route between them.
Also remember that security policies are only applied when traffic crosses zones, and that's based on routing (since ingress and egress interfaces need to belong to different zones).
That said, let's take your static NAT example. Let's assume the client has a private IP 10.0.0.2/24, and the SRX has an interface with 10.0.0.1/24 in zone "private1." When traffic comes into the SRX on that interface and decides it needs to go somewhere else (route lookup), if the traffic is destined for another VLAN that the SRX has a direct connection to, the SRX is going to route that packet onto that VLAN (after processing security policies between the zones where those two VLANs live). That's what it's supposed to do. If the SRX doesn't have a direct route to the destination network, it will send it to its default route, in your case, the router at 184.108.40.206.
So, to answer your question:
"How do I make it so that the SRX knows to send those packets to the default gateway for the 220.127.116.11/24 subnet? Likewise for my third subnet 18.104.22.168/25?"
You don't have to. If the SRX has a route to the destination (another local VLAN), it will route it to that VLAN. If it does not know a route to the destination, it sends it via its default route 0.0.0.0/0, and that router takes it from there.
Just remember that if it's traffic between your local VLANs, you will need to create security policies to allow traffic between those VLANs if their interfaces are members of different security zones. If they're all in the same security zone, you'll need a policy to permit intrazone traffic.
Does that help?
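The lookup behaviour described in the reply above, as a small Python model (an added example, not from the thread and not Junos code): the next hop is chosen by longest-prefix match on the destination only, so the static-NAT source address never changes the gateway, and a zone-pair policy then decides whether the flow is allowed. All addresses, zone names and the policy set are constructed for illustration.

```python
import ipaddress

# Constructed addressing (documentation ranges), not the thread's real subnets.
ROUTES = [
    # (prefix, next hop or None when directly connected, egress zone)
    ("192.0.2.0/24",    None,        "vlan1"),
    ("198.51.100.0/24", None,        "vlan2"),
    ("203.0.113.0/25",  None,        "vlan3"),
    ("10.0.0.0/24",     None,        "private1"),
    ("0.0.0.0/0",       "192.0.2.1", "vlan1"),   # the single default next hop
]

# Permitted (from-zone, to-zone) pairs; anything absent is denied,
# including same-zone pairs, as the reply notes for intrazone traffic.
POLICIES = {("private1", "vlan1"), ("private1", "vlan2")}


def lookup(dst):
    """Longest-prefix match on the destination address only."""
    addr = ipaddress.ip_address(dst)
    matches = []
    for prefix, next_hop, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net, next_hop, zone))
    net, next_hop, zone = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), next_hop or "direct", zone


def forward(src, in_zone, dst):
    """Return (verdict, matched route, next hop) for one flow.

    src is the post-NAT source; it is accepted to make the point that
    the route lookup never consults it.
    """
    route, next_hop, out_zone = lookup(dst)
    verdict = "permit" if (in_zone, out_zone) in POLICIES else "deny"
    return verdict, route, next_hop


if __name__ == "__main__":
    remote = "198.18.0.50"  # constructed off-net destination
    for nat_src in ("192.0.2.10", "198.51.100.10", "203.0.113.10"):
        print(nat_src, "->", remote, forward(nat_src, "private1", remote))
    print(forward("10.0.0.2", "private1", "198.51.100.20"))   # local VLAN, direct
    print(forward("10.0.0.2", "private1", "203.0.113.5"))     # no policy: deny
```
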