SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Same subnet on two interfaces

    Posted 02-14-2017 16:18

    I need to support kind of a strange setup that I'm not sure how to configure correctly:

    My network setup is like this:

                  [                          SRX345                          ]
    10.0.0.3/28 --[-- 10.0.0.2 @ ge-0/0/15.0 -,----- irb.1 @ 10.0.1.254/24 --]-- internal network
    10.0.0.7/28 --[-- 10.0.0.6 @ ge-0/0/14.0 /
    

    Default route to the Internet is via 10.0.0.3. I'm receiving additional routes via a BGP peer at 10.0.0.7. I need to advertise my routes in 10.0.0.0/28 back to 10.0.0.7. I have a static NAT entry for 10.0.0.4 <--> 10.0.1.1 and a source NAT from 10.0.1.0/24 to 10.0.0.5. SSH and IKE to the router need to be accessible at 10.0.0.1 from both external interfaces.

    I've tried configuring this in various ways, including /31 subnets on my interfaces, /28, proxy-arp, and unnumbered interfaces, but none seem to get the desired effect. In particular, I can never seem to get the router to respond to ARP requests on both ge-0/0/14.0 and ge-0/0/15.0 for the same IP. Any ideas on how I would be able to configure this network?



  • 2.  RE: Same subnet on two interfaces

    Posted 02-14-2017 19:38

    You cannot configure 2 interfaces with the same subnet. You can find more details on https://kb.juniper.net/KB24928

    Even though this KB is for M/T, the same applies to SRX, and below is a sample log from an SRX in a similar scenario.

    root@jtac-SRX3600-r2014# run show log dcd | match warning
    Feb 15 09:05:20.734379 dcd_util.c:1036 dcd_config_warning() INFO : DCD_PARSE_WARN_INCOMPATIBLE_CFG: [edit interfaces ge-0/0/6 unit 0 family inet address 2.2.2.2/24] : Incompatible configuration detected : identical subnet 2.2.2/24 is found on ge-0/0/5



  • 3.  RE: Same subnet on two interfaces

     
    Posted 02-14-2017 20:34

    You may create VRs to use the same subnet IP on multiple interfaces.



  • 4.  RE: Same subnet on two interfaces

    Posted 02-14-2017 22:42

    Hi!

    As you have a branch SRX, it can do ether-switching as well as routing,

    so why not define the 2 interfaces towards your ISP as layer 2 and define an irb with the needed layer-3 address for the BGP endpoint(s)? Then you have one subnet on 2 physical interfaces.

    regards

    alexander



  • 5.  RE: Same subnet on two interfaces

    Posted 02-15-2017 00:55

    Alexander, I thought I read somewhere that you can't do IPsec on IRB interfaces, but I can't find that documentation anymore. Anyway, I tried that too but was unable to get the .1q tags set up correctly; apparently vlan rewriting is not functional?



  • 6.  RE: Same subnet on two interfaces

    Posted 02-15-2017 07:00

    Which interface has 10.0.0.1?


  • 7.  RE: Same subnet on two interfaces

    Posted 02-15-2017 10:54

    The following config excerpt almost works:


    interfaces {
        ge-0/0/14 {
            vlan-tagging;
            unit 0 {
                arp-resp unrestricted;
                proxy-arp unrestricted;
                vlan-id 6;
                family inet {
                    address 10.0.0.6/31;
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family inet {
                    address 10.0.0.1/28;
                    address 10.0.0.2/28;
                }
            }
        }
    }
    
    security {
        nat {
            source {
                pool snat {
                    address {
                        10.0.0.5/32;
                    }
                }
                rule-set internal-inet {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 10.0.1.0/24;
                        }
                        then {
                            source-nat {
                                pool {
                                    snat;
                                }
                            }
                        }
                    }
                }
            }
            static {
                rule-set static {
                    from zone untrust;
                    rule r1 {
                        match {
                            destination-address 10.0.0.4/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    10.0.1.1/32;
                                }
                            }
                        }
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/15.0 {
                    address {
                        10.0.0.4/32;
                        10.0.0.5/32;
                    }
                }
                interface ge-0/0/14.0 {
                    address {
                        10.0.0.1/32;
                        10.0.0.4/32;
                        10.0.0.5/32;
                    }
                }
            }
        }
    }
    

    Everything works on the ge-0/0/15 network, static and source NAT both work on ge-0/0/14, and ge-0/0/14 responds to ARP queries for 10.0.0.1, but there is no ICMP/SSH response to 10.0.0.1 from ge-0/0/14 (haven't tried IPsec yet).



  • 8.  RE: Same subnet on two interfaces
    Best Answer

    Posted 02-15-2017 11:08

    Fixed with an additional security policy from-zone untrust to-zone untrust. I had from-zone untrust to-zone junos-host before, not sure why that was not sufficient.
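One way to write the intra-zone policy from post 8 in Junos syntax, as an added example that is not the original poster's configuration: it assumes the zone names trust/untrust used in the post 7 excerpt, that the global address book is in use (not a zone-attached one), and constructed policy and address names; instead of a blanket any-to-any permit it limits the match to the SRX's own 10.0.0.1 and the SSH/ping/IKE services the question asks for, and also shows the host-inbound-traffic the zone needs for traffic destined to the device itself.

```junos
security {
    address-book {
        global {
            /* constructed address name; global address book assumed */
            address srx-self 10.0.0.1/32;
        }
    }
    policies {
        /* intra-zone policy that made 10.0.0.1 reachable via ge-0/0/14 (post 8) */
        from-zone untrust to-zone untrust {
            policy mgmt-to-srx {
                match {
                    /* narrow source-address to known management hosts and IKE peers where possible */
                    source-address any;
                    destination-address srx-self;
                    application [ junos-ssh junos-ping junos-ike ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
    zones {
        security-zone untrust {
            /* traffic to the SRX itself additionally needs host-inbound-traffic on the zone or interface */
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                    ike;
                }
            }
            interfaces {
                ge-0/0/14.0;
                ge-0/0/15.0;
            }
        }
    }
}
```

After commit, `show security policies from-zone untrust to-zone untrust` and `show security zones untrust` confirm the policy and the host-inbound services are active.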