Ethernet Switching

Best practice to implement Ex3400 and SRX345 in datacenter

‎06-10-2019 01:26 PM

Hello,

I am new to Juniper and I hope you guys can help me with my questions regarding setting up a best-practice company Juniper network infrastructure in a datacenter. I am used to a Cisco environment. Please bear with me as a newbie still in learning mode in the Juniper environment. My main question is how I can set up a best-practice network in the datacenter. So I made an example draft design of how I would like to set up the network environment.

So I have 4x EX3400 switches in Virtual Chassis mode, 2x SRX345 in active/passive mode as failover, and lastly a few hosts connected to the EX3400 switches. The EX3400 switches will only act as layer 2, and layer 3 routing will be done on the SRX345. All the VLANs will be stretched towards the SRX345 as a trunk. Therefore, the SRX345 will be configured with a layer 3 VLAN sub-interface for each VLAN (web01, FTP, Storage and Syslog), and all the hosts will receive their default gateway IP from their own VLAN on the SRX. A static default route will point towards the SRX from the EX3400. And from the SRX a static default route will point towards the next hop of ISP A/ISP B, with prepending/local preference/metric for ISP traffic. Because of the active/passive setup, both SRXs should be on the same ISP subnet for advertising. Please see the attached design example.

(attachment: design.JPG)

  1. Is what I mentioned above okay for setting up this environment?
  2. Do I also have to add a different security zone for each VLAN in reth1 on the SRX? If I do need to do this, can you show me an example?
  3. How can I best connect these hosts via management on the EX3400? As I understand it, you can use the vme management interface for the VC out-of-band management. In addition to this I can also use in-band management for managing the hosts, so making the hosts members of management VLAN 10.

 

EX3400 configuration mgmt:
/* EX3400 runs ELS Junos: trunk ports use interface-mode (not port-mode) and the
   routed VLAN interface is irb.<vlan-id> (not vlan.<vlan-id>). Corrected below. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ web01 FTP Storage Syslog ];
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members admin-mgmt;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members admin-mgmt;
                }
            }
        }
    }

...........

    ge-1/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members admin-mgmt;
                }
            }
        }
    }
    ge-1/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members admin-mgmt;
                }
            }
        }
    }
.............
    irb {
        unit 10 {
            family inet {
                address 192.168.1.2/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 192.168.1.10/24;
            }
        }
    }
}

routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1;
    }
}

.......

vlans {
    admin-mgmt {
        vlan-id 10;
        l3-interface irb.10;
    }
    web01 {
        vlan-id 20;
    }
    FTP {
        vlan-id 30;
    }
    Syslog {
        vlan-id 40;
    }
}


Thank you in advance.

4 replies

Re: Best practice to implement Ex3400 and SRX345 in datacenter

‎06-10-2019 04:25 PM

Solution (accepted by topic author Suli, ‎06-12-2019 12:25 AM)

On the design, remember that ports on the passive SRX do not pass traffic at all unless failover occurs.  Thus your redundant connection from the SRX cluster to the dual EX switches will end up using 4 instead of 2 Ethernet ports, 2 on each SRX.

On the switch side then, on the VC there are 2 ae bundles that separately connect to each SRX.

Example:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB22474

For security zones, you can group subnets/interfaces into the same security zone based on the security profile of the hosts in those subnets.  You do NOT need to have a separate zone for each interface.  When you create security zone names you associate one or more interfaces with that zone.

For mgmt, OOB on a separate network using dedicated ports in their own routing instance would be the best practice if practical.  If this is not practical you can create virtual interfaces on the EX VC that can be accessed in-band for whichever subnet or subnets give you the best access with reasonable security.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
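As an added illustration of the zone advice above (this is example configuration written for this thread, not Steve's or Juniper's own), here is what the SRX345 side of the poster's design could look like with all four server VLAN sub-interfaces grouped into one "servers" zone instead of one zone per VLAN. Everything not stated in the thread is an assumption: reth1 member ports ge-0/0/2 (node0) and ge-5/0/2 (node1), the 10.10.x.0/24 subnets, vlan-id 50 for Storage, reth0.0 as the untrust interface, and a chassis cluster that already has redundancy-group 1 and reth-count 2 defined.

```junos
/* Added example, not from the thread. SRX345 cluster: reth1 is the trunk toward the
   EX3400 VC, one sub-interface per VLAN, all four placed in a single "servers" zone.
   Assumed: ge-0/0/2 and ge-5/0/2 as reth1 members, 10.10.x.0/24 subnets, Storage = vlan 50. */
interfaces {
    ge-0/0/2 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/2 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    reth1 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 20 {
            vlan-id 20;
            family inet {
                address 10.10.20.1/24;
            }
        }
        unit 30 {
            vlan-id 30;
            family inet {
                address 10.10.30.1/24;
            }
        }
        /* units 40 (Syslog, 10.10.40.1/24) and 50 (Storage, 10.10.50.1/24) follow the same pattern */
    }
}
security {
    address-book {
        global {
            address web01-net 10.10.20.0/24;
            address ftp-net 10.10.30.0/24;
            address syslog-net 10.10.40.0/24;
            address storage-net 10.10.50.0/24;
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                reth0.0;
            }
        }
        /* one zone, several interfaces: hosts with the same security profile share it */
        security-zone servers {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                reth1.20;
                reth1.30;
                reth1.40;
                reth1.50;
            }
        }
    }
    policies {
        from-zone untrust to-zone servers {
            policy inbound-web {
                match {
                    source-address any;
                    destination-address web01-net;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        /* traffic between sub-interfaces of the same zone still needs an explicit policy */
        from-zone servers to-zone servers {
            policy all-to-syslog {
                match {
                    source-address [ web01-net ftp-net storage-net ];
                    destination-address syslog-net;
                    application junos-syslog;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
}
```

The point to take from it: the zone is the grouping, and the policies are what separate the subnets. With `default-policy deny-all`, web01 cannot reach FTP or Storage until a `from-zone servers to-zone servers` policy says so, even though all four sub-interfaces sit in the same zone, so putting each VLAN in its own zone buys nothing unless the hosts genuinely have different security profiles.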

Re: Best practice to implement Ex3400 and SRX345 in datacenter

‎06-12-2019 12:30 AM

Thank you for the advice and the good explanation.   Would you be able to give me an example for the following two scenarios?

 

1.For security zones, you can group subnets/interfaces into the same security zone based on the security profile of the hosts in those subnets. You do NOT need to have a separate zone for each interface. When you create security zone names you associate one or more interfaces with that zone.

 

2. For mgmt, OOB on a separate network using dedicated ports in their own routing instance would be the best practice if practical. If this is not practical you can create virtual interfaces on the EX VC that can be accessed in-band for whichever subnet or subnets give you the best access with reasonable security.  (For the in-band option, is it the same as the example that I have shown above?)


Re: Best practice to implement Ex3400 and SRX345 in datacenter

‎06-12-2019 03:01 AM

1.For security zones, you can group subnets/interfaces into the same security zone based on the security profile of the hosts in those subnets. You do NOT need to have a separate zone for each interface. When you create security zone names you associate one or more interfaces with that zone.

 

So example security zones using the principle of similar devices in the same zone might be.

Servers - each subnet allocated then to server functions and rules written both from outside zones to access the servers and from Server to Server for the communications needs between subnets.

 

Users - where internal user devices connect organized by physical areas, departments or other parameters and rules written for access in and out of the devices.

 

Guests - where visitors connect to access the internet but no internal resources.

 

IoT - locked down and isolated per subnet for the various equipment and devices performing functions.

 

2. For mgmt, OOB on a separate network using dedicated ports in their own routing instance would be the best practice if practical. If this is not practical you can create virtual interfaces on the EX VC that can be accessed in-band for whichever subnet or subnets give you the best access with reasonable security.  (For the in-band option, is it the same as the example that I have shown above?)

 

Do not manually configure vme interfaces; these are system interfaces.  Your mgmt IP address will be on the layer 3 VLAN interface that you associate with the mgmt VLAN.  The physical interface configured for OOB is me0.

 

Note that since you have a layer 3 interface on all vlans on the ex switch, you will be able to connect for mgmt to all of them unless you apply a firewall filter to limit access.  There is no default security on these.  I thought you wanted the gateways for all subnets on the SRX, if so you want to remove the layer 3 interfaces for all vlans except the mgmt one.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
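To show the two points in this reply in configuration form, here is an added example for the EX3400 VC (written for this thread, not Steve's or Juniper's own configuration): the management address lives on the layer 3 interface of the mgmt VLAN only, the other VLANs have no `l3-interface` because their gateways are on the SRX, and a firewall filter on that one interface supplies the access control that the switch does not apply by default. EX3400 is an ELS platform, so the routed VLAN interface is `irb.10` rather than `vlan.10`. The admin workstation subnet 10.200.0.0/24, the filter and term names, and the choice of SSH/HTTPS as the only management services are assumptions.

```junos
/* Added example, not from the thread. EX3400 (ELS) in-band management on irb.10 only.
   Assumed: admin workstations on 10.200.0.0/24; the switch itself uses NTP and DNS. */
interfaces {
    irb {
        unit 10 {
            family inet {
                filter {
                    input protect-mgmt;   /* no default security on an irb: filter it */
                }
                address 192.168.1.2/24;
            }
        }
    }
}
vlans {
    admin-mgmt {
        vlan-id 10;
        l3-interface irb.10;    /* the only VLAN with a routed interface on the switch */
    }
    web01 {
        vlan-id 20;             /* no l3-interface: gateway is reth1.20 on the SRX */
    }
    FTP {
        vlan-id 30;
    }
    Syslog {
        vlan-id 40;
    }
}
policy-options {
    prefix-list admin-sources {
        192.168.1.0/24;
        10.200.0.0/24;
    }
}
firewall {
    family inet {
        filter protect-mgmt {
            term admin-ssh-https {
                from {
                    source-prefix-list {
                        admin-sources;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* replies to sessions the switch opened itself (NTP, DNS); add RADIUS/TACACS+ the same way */
            term replies-to-switch {
                from {
                    protocol udp;
                    source-port [ ntp domain ];
                }
                then accept;
            }
            term icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            term deny-rest {
                then {
                    count mgmt-denied;   /* "show firewall" shows what was refused */
                    discard;
                }
            }
        }
    }
}
```

Because irb.10 is the only routed interface in the default instance, the input filter only ever sees traffic addressed to the switch itself, so there is no transit traffic to break. If the OOB variant is chosen instead (a dedicated port and VLAN in their own virtual-router), the same filter attaches to that instance's irb in the same way.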

Re: Best practice to implement Ex3400 and SRX345 in datacenter

‎06-12-2019 03:55 AM

Thank you very much, that should do it :)