SRX Services Gateway
Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010

Routed subnet across multiple interfaces?

Greetings,

Is there a way to make a routed subnet work across multiple interfaces?  For example, so that a client could roam across the three interfaces (WAPs) and maintain the same IP address.  I'm hesitant to use ethernet-switching as it seems like a relatively unproven technology from a security standpoint.

Thanks,

mawr

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: Routed subnet across multiple interfaces?

Mawr -- using ethernet switching on your SRX is going to be equivalent to linking your SRX's routed interface to a switch downstream.  Switching happens at layer 2, and thus security isn't really applied.  ScreenOS has the same concept with bridge groups.

Your security checks/policies/etc. are going to happen at layer 3, when traffic is routed and must cross security zone boundaries.

I don't see any problems with the scenario you described (as long as your SRX isn't part of a cluster).

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010

Re: Routed subnet across multiple interfaces?

Thanks for the feedback keithr.  Perhaps I'm being too paranoid but I thought that if someone were to perform a CAM table overflow on one of the WAPs that it could do the same to the SRX, thereby granting access to all networks.  Is this faulty thinking?

mawr

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: Routed subnet across multiple interfaces?

Generally speaking, I feel that the appropriate level of paranoia is proportionally related to the risk of exposure.  :smileyhappy:

If that type of thing would really be a serious concern for you (for demonstrable reasons), then it might be something to take up with a Juniper S.E., as they possess the super-secret architecture-specific information.

Since the SRX is a CPU-based software-driven architecture, I really don't know how memory is allocated and accessed internally.  They may not use a traditional CAM.  There may be table-size limits or security features that trigger when tables get full.

I haven't looked into layer 2 security much on the SRX's, but I'd have to guess they would support some kind of port security feature to limit the amount of flooding/learning on a L2 port.

-kr


Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010

Re: Routed subnet across multiple interfaces?

Actually there aren't any L2 features to be had, unfortunately.  I think the "CAM table" is supported by the PFE as I once tested it as filling to 125k addresses, which then used up an additional 50MB of PFE memory usage.  Interesting, but unfortunately it doesn't tell you much. :smileyhappy:

mawr

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: Routed subnet across multiple interfaces?

mawr wrote:

Actually there aren't any L2 features to be had, unfortunately.  I think the "CAM table" is supported by the PFE as I once tested it as filling to 125k addresses, which then used up an additional 50MB of PFE memory usage.  Interesting, but unfortunately it doesn't tell you much. :smileyhappy:

Well, Juniper loves to say things like "it's a firewall, not a router."  In this case, it would be "it's a firewall, not a switch."  :smileyhappy:

It's unfortunate that there aren't any L2 security features in the SRX.  It would be quite a failure if a rather remedial L2 attack could compromise the SRX device.  I wonder what happens to the SRX if it does fill up the table -- since it's using PFE memory I wonder if the thing just crashes or stops forwarding traffic.

I suppose if you need good L2 security, put a good switch in front of the SRX (I know... wasteful...) and put in some port security features there to limit how many addresses can be learned and how fast they can be learned.

I'd be interested to hear from someone at Juniper (or who otherwise might know the nuts-n-bolts of the SRX) as to how the SRX would handle a L2 attack or CAM table overflow.

-kr


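As an added illustration (not code from this thread, from Juniper, or from any switch vendor), here is a small Python model of the two port-security controls keithr describes: a cap on how many addresses a port may learn and a cap on how fast it may learn them. It also shows why those controls contain the CAM-table flooding concern mawr raised earlier: a flood of source MACs on one port exhausts that port's own allowance and is logged, while the learning table entries for other ports are untouched. Port names, MAC addresses, time stamps and thresholds are all constructed for the example.

```python
"""A software model of switch port-security limits on MAC learning.

Constructed example: a bridge learning table that enforces, per port,
(1) a cap on how many source MACs may be learned and (2) a cap on how
many new MACs may be learned per second.  Ports, MAC addresses, time
stamps and thresholds are all made up for the demonstration; the code
models the controls, it does not talk to any device.
"""
from collections import deque


class PortSecurityTable:
    def __init__(self, max_addrs=8, max_learn_per_sec=5):
        self.max_addrs = max_addrs            # addresses allowed per port
        self.max_learn_per_sec = max_learn_per_sec
        self.table = {}        # mac -> port currently bound to it
        self.per_port = {}     # port -> set of macs learned on it
        self.learn_times = {}  # port -> deque of recent learn timestamps
        self.violations = []   # (ts, port, mac, reason) for alerting

    def process(self, ts, port, mac):
        """Handle one ingress frame; return the learning decision."""
        if self.table.get(mac) == port:
            return "known"                      # ordinary forwarding
        macs = self.per_port.setdefault(port, set())
        if len(macs) >= self.max_addrs:         # address cap checked first
            self.violations.append((ts, port, mac, "address-limit"))
            return "dropped:address-limit"
        times = self.learn_times.setdefault(port, deque())
        while times and ts - times[0] >= 1.0:   # sliding 1 s window
            times.popleft()
        if len(times) >= self.max_learn_per_sec:
            self.violations.append((ts, port, mac, "learn-rate"))
            return "dropped:learn-rate"
        old_port = self.table.get(mac)
        if old_port is not None:               # station moved to another port
            self.per_port[old_port].discard(mac)
        self.table[mac] = port
        macs.add(mac)
        times.append(ts)
        return "learned"


def run_flood_scenario():
    """Replay constructed frames: a quiet port and a flooded port."""
    ps = PortSecurityTable(max_addrs=8, max_learn_per_sec=5)
    frames = [
        (0.0, "ge-0/0/1", "aa:aa:aa:00:00:01"),
        (0.5, "ge-0/0/1", "aa:aa:aa:00:00:02"),
        (1.2, "ge-0/0/1", "aa:aa:aa:00:00:03"),
        (1.5, "ge-0/0/1", "aa:aa:aa:00:00:01"),   # repeat sender
    ]
    # 20 new source MACs within 0.2 s: trips the learning-rate cap
    frames += [(2.0 + i * 0.01, "ge-0/0/2", f"de:ad:be:ef:00:{i:02x}")
               for i in range(20)]
    # 20 more, spaced 0.5 s apart: passes the rate cap, trips the address cap
    frames += [(10.0 + i * 0.5, "ge-0/0/2", f"de:ad:be:ef:01:{i:02x}")
               for i in range(20)]
    counts = {}
    for ts, port, mac in frames:
        outcome = ps.process(ts, port, mac)
        per_port = counts.setdefault(port, {})
        per_port[outcome] = per_port.get(outcome, 0) + 1
    return counts, ps


if __name__ == "__main__":
    counts, ps = run_flood_scenario()
    for port, outcomes in counts.items():
        print(port, outcomes)
    print("table size:", len(ps.table), "violations:", len(ps.violations))
```

The quiet port learns its three stations and forwards the repeat frame normally; the flooded port learns five addresses before the rate cap drops the rest of the burst, then learns three more in the slower stream before the eight-address cap drops everything else. The table ends with eleven entries, and every dropped learn is recorded in `violations`, which is the signal a monitoring system would alert on. Checking the address cap before the rate cap is a design choice here so that a port already at its limit never consumes learning-rate budget.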
Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010

Re: Routed subnet across multiple interfaces?

keithr wrote:

I'd be interested to hear from someone at Juniper (or who otherwise might know the nuts-n-bolts of the SRX) as to how the SRX would handle a L2 attack or CAM table overflow.

As would I!  During the JNCIA-Security training I remember seeing that the switching chip sits between all interfaces and the CPU (PFE/RE) so I would assume that it has to be decent, but some concrete information would be nice.

mawr

Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010

Re: Routed subnet across multiple interfaces?

Does anyone have any feedback?  Juniper, perhaps?

mawr

Contributor
vencour
Posts: 93
Registered: ‎06-17-2010

Re: Routed subnet across multiple interfaces?

Make a routing-instance virtual-router and you have 3 interfaces and one routed subnet.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.