SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Simple routing question

    Posted 11-21-2013 11:14

    Hey guys,

    hope you're all having a great week so far.  I'm running into a dilemma that I can't quite figure out, and I'm quite sure it's a newbie mistake.

    I have two Juniper SRX210s; one of them is in production.

    My setup is as follows:

    (image: setup.png)

    (IP addresses are changed for security purposes)

    Our internet provider allotted us 32 IP addresses (67.155.124.0/27).

    Our router that's in production has the top range (67.155.124.2/28), and thus we have the gateway 67.155.124.1.

    I would like to set up another router with the remaining bottom IP addresses (67.155.124.16 to 67.155.124.31) as a separate network that I can use for testing purposes.  The problem is, I'm not entirely sure what gateway I can use to establish this.  I assumed I would try either .1 or .16, but neither has worked for me.  All my policies seem to be correct, so I'm wondering if this is a routing issue or something else.  Thank you all for your time.

    -David



  • 2.  RE: Simple routing question
    Best Answer

    Posted 11-21-2013 13:23

    That depends on how your SMC router is set up.

    Have you configured a second port on the SMC for an IP address in the upper half of that subnet range?  If the router is configured as the picture indicates (67.155.124.0/27), then it is likely only configured with the IP 67.155.124.1, which is why your first SRX works.

    In this scenario, I have to make the assumption you're using NAT for the internal hosts.

    Looks like you might need to review how subnetting works.  Remember that your network numbers are not usable as hosts, and you lose the top host for broadcasts.

    There are a couple of ways to approach this:

    1.  Configure the router's first port (to SRX1) to 67.155.124.1 / 28 (not /27).  Then, configure a second port on the router (for SRX2) to 67.155.124.17 / 28.  Next, configure SRX2's interface for 67.155.124.18 / 28.  Your usable host range for NAT addresses on SRX1 is .3 - .14 (.0 is the network ID and .15 is the broadcast).  Your usable host range for NAT on SRX2 is .19 - .30 (.16 is the network ID and .31 is the broadcast).

    Or...

    2.  Leave the router set to 67.155.124.1 / 27.  Change SRX1 to 67.155.124.2 / 27 (not /28).  Set SRX2 to 67.155.124.16 / 27.  Configure your NAT / proxy ARP on SRX1 for addresses .3 - .15.  Configure NAT / proxy ARP on SRX2 for .17 - .30.  This scenario only works if your SMC router is set for switching / bridging on the physical ports.

    I'd suggest #1 as it's a cleaner and more "proper" way to break up a subnet.

    If you're *not* using NAT, then the reason SRX1 works is because the SMC router has a connected route for 67.155.124.0/27 on the port where your SRX1 is connected, so it's going to forward packets down that link, and the SRX also has a connected route and is going to forward it out the connected port (if you have a switch downstream) or multiple ports if you have the SRX using a VLAN (RVI).  Your SRX1 hosts have the .2 configured as their default gateway and the SRX has the .1 as its default gateway, so packets make it back up the channel.  However, you really shouldn't have hosts in the same subnet connected through a routing device.  SRX2 is not going to work the way you want it to in this case, and you're going to introduce some trouble if you try to wedge it into that kind of topology.

    If that sounds confusing, it's because it is, and one of those "it's working but it's not _correct_" kind of scenarios.

    Maybe take a step back and think from a high-level point of view about what you're trying to accomplish as an end goal and the proper way to achieve it.  (hint: #1 above is a good starting point)
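    Option #1's addressing, worked through as an added example (this is not code from the thread or from Juniper): the script below carves the /27 into the two /28s, lays out each one's router port, SRX interface and remaining NAT range, and checks whether a candidate gateway actually sits inside an SRX interface's subnet, which is the question the original post was stuck on. The addresses are the anonymised ones from the thread.

```python
import ipaddress

# Provider block as given in the thread (addresses already anonymised by the poster).
PROVIDER_BLOCK = ipaddress.ip_network("67.155.124.0/27")


def split_block(block=PROVIDER_BLOCK, new_prefix=28):
    """Carve the provider /27 into two /28s: the first for SRX1, the second for SRX2."""
    return list(block.subnets(new_prefix=new_prefix))


def address_plan(subnet, router_offset=1, srx_offset=2):
    """Lay out one /28 the way option #1 does: router port at network+1,
    SRX interface at network+2, and every other host address free for NAT.
    hosts() already excludes the network ID and the broadcast address."""
    router_port = subnet.network_address + router_offset
    srx_if = subnet.network_address + srx_offset
    usable = [h for h in subnet.hosts() if h not in (router_port, srx_if)]
    return {
        "network": str(subnet.network_address),
        "broadcast": str(subnet.broadcast_address),
        "router_port": str(router_port),
        "srx_interface": str(srx_if),
        "nat_first": str(usable[0]),
        "nat_last": str(usable[-1]),
        "nat_count": len(usable),
    }


def gateway_usable(srx_interface_cidr, gateway):
    """A next hop is only reachable if it lies in the interface's own subnet.
    With SRX2 at .18/28, .1 is outside 67.155.124.16/28 and can never be its
    gateway, while .17 (the router's second port) is inside it."""
    iface = ipaddress.ip_interface(srx_interface_cidr)
    return ipaddress.ip_address(gateway) in iface.network


if __name__ == "__main__":
    for name, net in zip(("SRX1", "SRX2"), split_block()):
        print(name, net, address_plan(net))
    print("SRX2 .18/28 via .1 :", gateway_usable("67.155.124.18/28", "67.155.124.1"))
    print("SRX2 .18/28 via .17:", gateway_usable("67.155.124.18/28", "67.155.124.17"))
```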



  • 3.  RE: Simple routing question

    Posted 11-21-2013 13:28

    It's cool knowing I can always count on you, Keith.  I'm gonna have to buy you a beer at some point.