SRX Services Gateway
Contributor
rebus
Posts: 56
Registered: 05-28-2009

Possible to bridge same subnet over VPN?

We have some storage arrays that can replicate with each other, but ONLY if both arrays are in the same IP subnet. (vendor confirmed this limitation) We just entered an agreement for colocation to move some of our in-house gear into colo. So we have 2 needs:

1) VPN for standard client--server traffic between office and colo. Separate subnets in office and colo are OK.

2) Separate IP subnet used ONLY for replication traffic between disk arrays. Must be same subnet at both ends of the VPN.

My question-- Is it possible to bridge across the WAN, such that LANs at both ends of the VPN are in the same subnet-- so these 2 arrays can replicate? (for example, array #1 in office would be 10.1.1.5 and array #2 in colo would be 10.1.1.6)

(Cisco reportedly can do a transparent L2 bridge with L2TPv3.  Can the Juniper SRX devices do that, too?)

Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: Possible to bridge same subnet over VPN?

I'm pretty sure the SRX doesn't support L2TP.

On Cisco boxes, you can create a GRE tunnel and add the tunnel interface to a bridge group. I don't know if that would work on an SRX; I've never tried it. Maybe someone else has tried it, or has a lab they can try it in, or knows if you could possibly do something like this:

gr-0/0/0 {
    unit 0 {
        tunnel {
            source <local loopback>;
            destination <remote loopback>;
        }
        family ethernet-switching;
    }
}

... and then assign it to the appropriate vlan?

VPLS would also be an option if you can transport MPLS through your path between your data sites, though you'd have to enable "packet mode" on the SRX.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Contributor
dark1587
Posts: 72
Registered: 08-01-2008

Re: Possible to bridge same subnet over VPN?

Is this what you're looking for perhaps?

http://kb.juniper.net/InfoCenter/index?page=content&id=TN68&cat=SRX_SERIES&actp=LIST

---
JNCIE-SEC #69, JNCIP-ENT, JNCSP-SEC, JNCIS-SA, JNCIS-AC, JNCIA-IDP, JNCIA-WX
Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: Possible to bridge same subnet over VPN?

dark1587 wrote:

Is this what you're looking for perhaps?

http://kb.juniper.net/InfoCenter/index?page=content&id=TN68&cat=SRX_SERIES&actp=LIST

That is basically doing some NAT tricks to use the same address space on both sides of a link.

It does not provide an actual Layer 2 bridge across the tunnel.

Without knowing why the vendor said the two devices have to be in the same subnet, it's hard to say if this would solve the need or not. If they have to be in the same subnet because they need direct layer 2 connectivity for some reason, then the NAT tricks won't work.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Contributor
rebus
Posts: 56
Registered: 05-28-2009

Re: Possible to bridge same subnet over VPN?

dark1587 wrote:

Is this what you're looking for perhaps?

http://kb.juniper.net/InfoCenter/index?page=content&id=TN68&cat=SRX_SERIES&actp=LIST

Unfortunately no, I do not believe so. In that doc's example, the LANs at both ends were in the same subnet, but Host A in LAN 1 had to reach Host B in LAN 2 using a NAT IP address in a different subnet.

The two devices I need to connect will only talk to each other on the same subnet, so it has to be a transparent bridge.

I've had several conversations with Vyatta and even after repeatedly insisting my need, they absolutely insist they can do a transparent L2 bridge (supposedly using OpenVPN which is embedded into their router OS).

I was really hoping to use Juniper SRX gear for this project. I've heard good things about Vyatta, but I have no experience with their products and would much rather stay with the brand (Juniper) that I've been using for years, and therefore have high confidence in its quality and reliability. I don't want to use unknown (to me) equipment for a project this important, but it looks like I don't have much choice.

Distinguished Expert
spuluka
Posts: 2,553
Registered: 03-30-2009

Re: Possible to bridge same subnet over VPN?

It sounds like you really will need not just the same subnet but layer 2 adjacency for this to work. That pretty much means you need VPLS. I'm pretty sure this is not supported in the SRX over VPN platform. These are only showing support on the M & T platforms.

http://www.juniper.net/techpubs/en_US/junos11.2/information-products/pathway-pages/config-guide-vpns...

Your other option may be to find a "Metro Ethernet" service provider that has both locations. They can create your layer 2 adjacency and connect to an ethernet port on your two SRX devices.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Super Contributor
motd
Posts: 221
Registered: 12-16-2008

Re: Possible to bridge same subnet over VPN?

VPLS is supported, but not across VPN of course. You could probably add some GRE as a workaround, but that would be extremely complex and has massive overhead, I wouldn't recommend it.

Even VPN may be a problem if the storage arrays expect to be in the same L2 network. The devices will assume an MTU of at least 1500 (higher if you enable jumbos) which you can't do across VPN. Even if another vendor can do this, I doubt it will even work.

Next problem will then be the latency and worse, packet loss caused by other traffic on your internet connection. That kills storage performance.

So indeed, see if you can get an L2VPN or VPLS from the ISP. This will save you a lot of trouble.
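To put numbers on the MTU point raised in the post above, here is an added worked example; it is not from any poster in this thread and not Juniper code. It models a full-size 1500-byte IP packet from a storage array being carried GRE-in-IPsec (the GRE-into-VPN workaround mentioned above) and computes how much inner MTU survives, plus the TCP MSS you would have to clamp to. Header sizes are the IPv4, GRE and ESP protocol constants; the 1500-byte path MTU and the IPsec transform (ESP tunnel mode, AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV) are assumptions chosen for the calculation and can be changed via the keyword parameters.

```python
"""MTU check for carrying a storage array's 1500-byte packets GRE-in-IPsec.

Constructed example (not from any poster in this thread). Header sizes are
the IPv4/GRE/ESP protocol constants; the path MTU of 1500 and the IPsec
transform (ESP tunnel mode, AES-CBC with a 16-byte IV and 16-byte block,
HMAC-SHA1-96 with a 12-byte ICV) are assumptions chosen for the calculation.
"""
import math

IPV4_HEADER = 20       # outer IPv4 header without options
GRE_HEADER = 4         # base GRE header: no checksum, key or sequence fields
ESP_SPI_SEQ = 8        # ESP SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2        # ESP pad-length (1 byte) + next-header (1 byte)
IPV4_TCP_HEADERS = 40  # inner IPv4 + TCP headers, for deriving a TCP MSS


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12):
    """Wire size of an ESP tunnel-mode packet carrying inner_len bytes.

    RFC 4303 pads the encrypted part (inner packet + 2-byte trailer) up to a
    multiple of the cipher block size before the ICV is appended.
    """
    encrypted = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return IPV4_HEADER + ESP_SPI_SEQ + iv_len + encrypted + icv_len


def gre_size(inner_len):
    """Wire size of inner_len bytes encapsulated in GRE over IPv4."""
    return IPV4_HEADER + GRE_HEADER + inner_len


def max_inner_mtu(path_mtu, use_gre=False, **esp_params):
    """Largest inner IP packet that fits in path_mtu without fragmentation.

    Walks candidate sizes downward and returns the first one whose
    encapsulated size fits; 0 if nothing fits.
    """
    for inner in range(path_mtu, 0, -1):
        carried = gre_size(inner) if use_gre else inner
        if esp_tunnel_size(carried, **esp_params) <= path_mtu:
            return inner
    return 0


def tcp_mss_clamp(inner_mtu):
    """TCP MSS to advertise so that segments fit inside inner_mtu."""
    return inner_mtu - IPV4_TCP_HEADERS


def overhead_report(path_mtu=1500, packet_len=1500):
    """Summarise what happens to a full-size packet on the tunnel path."""
    ipsec_only = esp_tunnel_size(packet_len)
    gre_ipsec = esp_tunnel_size(gre_size(packet_len))
    return {
        "ipsec_only_wire_size": ipsec_only,
        "gre_over_ipsec_wire_size": gre_ipsec,
        "fits_without_fragmentation": gre_ipsec <= path_mtu,
        "max_inner_mtu_ipsec_only": max_inner_mtu(path_mtu),
        "max_inner_mtu_gre_over_ipsec": max_inner_mtu(path_mtu, use_gre=True),
    }


if __name__ == "__main__":
    for key, value in overhead_report().items():
        print(f"{key}: {value}")
    mtu = max_inner_mtu(1500, use_gre=True)
    print(f"tcp mss clamp for gre-over-ipsec: {tcp_mss_clamp(mtu)}")
```

With the assumed transform, a 1500-byte packet becomes 1560 bytes in plain IPsec and 1592 bytes as GRE-over-IPsec, so it cannot cross a 1500-byte path without fragmentation (or a drop if DF is set); the largest inner packet that does fit is 1438 bytes (IPsec only) or 1414 bytes (GRE over IPsec). A device that assumes a native 1500-byte or jumbo L2 segment never learns this, which is the failure mode the post describes; the MSS clamp helps TCP replication traffic only, and not non-TCP or jumbo-frame protocols.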

Distinguished Expert
spuluka
Posts: 2,553
Registered: 03-30-2009

Re: Possible to bridge same subnet over VPN?

Bart,

Are you saying that VPLS is supported on SRX platforms?

I'm only seeing these layer 2 bridging options as being available on the M or T series hardware. What am I missing that can be done on the SRX?

VPLS

http://www.juniper.net/techpubs/en_US/junos11.2/information-products/pathway-pages/config-guide-vpns...

L2 VPN

http://www.juniper.net/techpubs/en_US/junos11.3/topics/concept/layer-2-vpn-layer-2-overview.html

L2TP

http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/l2tp-configuring-overview.html

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Super Contributor
motd
Posts: 221
Registered: 12-16-2008

Re: Possible to bridge same subnet over VPN?

It is supported, but only on the branch platforms. It's limited to 3 labels but otherwise quite extensive for a firewall device.

Combining it with flow-mode firewalling is tricky, but can be done.
