SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to configure multiple hw-addresses on one interface

    Posted 02-03-2017 07:47

    Is there a way to have one physical interface host more than one hw-address? I am connecting an SRX210 to a service provider device that is very specific on what is allowed. I am having it installed in 3 days and would like to have the SRX ready to go at install.

     

    From what I have read, the static IPs that I will be assigned will exist on the service provider gw and that device's LAN interface will host one of the addresses in my /29. I understand that I must acquire each of the public IPs from DHCP only and can't statically assign them. I can't confirm this, but I understand that the arp may be locked in at that point until a gw reboot, at which time the statics would be re-acquired by the same method. I pray this isn't all the way things will actually be.

    If I can bind 4 additional mac-addresses to the physical interfaces and associate them with the proxy-arp ips, I might can get this working (until the gw loses power).

     

    I'd want a single srx interface ge-0/0/0 unit 0 to basically use:

    1.1.1.1/29 (actual int ip via dhcp) 11:11:11:11:11:11 (whatever the real physical mac address is)

    1.1.1.2/29 (proxy-arp) 11:11:11:11:11:12 (no idea if this is even possible)

    1.1.1.3/29 (proxy-arp) 11:11:11:11:11:13 (seems unlikely)

    1.1.1.4/29 (proxy-arp) 11:11:11:11:11:14 (I'm almost sure this is impossible)

    1.1.1.5/29 (proxy-arp) 11:11:11:11:11:15 (I'm nearly giving up, but I've already typed this much...)

    The SP GW would have 1.1.1.6/29 as its LAN IP and would be my def-gw.

     

    I may find that it's not as restrictive as this, but I have read conflicting reports and I am trying to prepare for the worst and learn something in the process. BTW, it's AT&T Uverse Gigapower with a /29 static ip assignment and the new PACE gw that will not do any kind of bridge mode. People say it's very strict.

     

    Thanks for your time.

     

    -Doug

     

     



  • 2.  RE: How to configure multiple hw-addresses on one interface

    Posted 02-04-2017 16:43

    That is not possible. The MAC address can be set for the interface, but it is done at the physical interface level and it will only accept 1 MAC address. Proxy ARP, on the other hand, will allow the SRX to respond to all the other IPs that you are given once you are doing NAT. It appears that they are trying to limit you to only 5 devices connecting. However, NAT removes this limitation since all internal addresses are hidden and only a single MAC on the public side communicates. The ge-0/0/0.0 interface would be configured for DHCP and whatever address it receives from the ISP it will use, and you do not need to reboot the SRX if the lease expires.

    set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.1/29

    set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.2/29

    set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.3/29

    set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.4/29

    set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.5/29

     

    I wonder if they are worried because this is not the only place proxy-arp can be configured. It can be configured on the interface itself, but unless you own all the IP addresses for that subnet length, then you could be responding to addresses you don't own. Like this: set interfaces ge-0/0/0 unit 0 proxy-arp restricted



  • 3.  RE: How to configure multiple hw-addresses on one interface

    Posted 02-06-2017 08:43

    I would lease the /29. AT&T puts this on the LAN side of their required customer GW and uses the high address for their equipment and I can use the other 5. I already have NAT working well and I have tested proxy-arp. The issue will come if they do, in fact, require a dhcp request and then enter a static arp entry in their gw.

    My current plan if dhcp is required:

    Pull the first address via dhcp with normal DHCP config.

    Disconnect g0/0/0, hardcode the MAC to something else.

    Reconnect and pull a second IP on the new MAC.

    Disconnect.

    Remove spoofed MAC and set up proxy arp for the second address.

    If they do not lock the arp in their device, this should work. If they do, this won't work.



  • 4.  RE: How to configure multiple hw-addresses on one interface

    Posted 02-07-2017 01:25

    Hello there,

    How do You plan to handle the DHCP lease expiration event?

    Thx
    Alex



  • 5.  RE: How to configure multiple hw-addresses on one interface
    Best Answer

    Posted 02-05-2017 07:20

    Hello,

    As the other forum member said, this is impossible. You could trick the SRX into accepting Ethernet frames destined to several dst MAC addresses (with VRRP) but You cannot force the SRX to use a different hw_addr in the DHCP packet payload.

    Assuming it works as You described, I have a feeling You bought the wrong service which is designed for L2 CPE, not L3.

    Assuming it works as You described, Your options are:

    1/ put SRX into transparent mode

    2/ explore DHCP relay on SRX - the DHCP packets from SRX will have the same src MAC but a different hw_addr in the packet payload. Not sure if Your ISP supports that.

    HTH

    Thx

    Alex



  • 6.  RE: How to configure multiple hw-addresses on one interface

    Posted 02-08-2017 07:25

    After getting the service installed, it turns out that dhcp is not required to pull the IP. The customer gw does only allow one IP to forward to one MAC. When I tried with proxy-arp and pinged for a remote device, only one ip would work at a time. The customer gw has a crappy gui and although I couldn't see much, I could see that the same mac was associated with x.x.x.1 and upon refresh might then be associated with x.x.x.2.

    Your vrrp suggestion was brilliant. I tried that and now it sees .1 on the physical, .2 and .3 on their respective virtual vrrp mac addresses. Thank you. I am not sure I would have thought of that.

    The service is AT&T uverse. I am getting fiber to the home with 1Gbps (SRX only allows a max of 220Mbps(ish)) for about $80/mo, so it's worth the trouble.

    Again... thank you.

    -Doug
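
An added illustration of the VRRP approach the thread ends on, not configuration posted by any participant: one VRRP group per extra public address, so each address is answered from its own virtual MAC while the interface address stays on the physical MAC. The group numbers (2, 3), the priority value and the use of accept-data are assumptions; the 1.1.1.x addresses are the thread's placeholders.

```junos
# Added example; group IDs, priority and accept-data are assumptions.
# ge-0/0/0.0 keeps 1.1.1.1/29 on the interface's own (physical) MAC.
# A VRRP master answers ARP for each virtual address with that group's
# virtual MAC, 00:00:5e:00:01:<group id in hex>, so the upstream gateway
# sees one IP per MAC:
#   1.1.1.1 -> physical MAC
#   1.1.1.2 -> 00:00:5e:00:01:02
#   1.1.1.3 -> 00:00:5e:00:01:03

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/29 vrrp-group 2 virtual-address 1.1.1.2
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/29 vrrp-group 2 priority 200
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/29 vrrp-group 2 accept-data

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/29 vrrp-group 3 virtual-address 1.1.1.3
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/29 vrrp-group 3 priority 200
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/29 vrrp-group 3 accept-data

# After commit, check that both groups are in master state:
#   show vrrp summary
```

With no other VRRP router on the segment, the SRX becomes master for both groups, and the gateway's one-IP-per-MAC table then holds a distinct entry for each address.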