Ethernet Switching
Ethernet Switching

Faulty IRB config?

[ Edited ]
‎06-22-2019 06:25 AM

A customer has a network with Virtual Chassis Edge / wiring closets, separated from each other by their own, per wiring closet, vlan. The Edge VC's are connected with a Distribution/Core EX Virtual Chassis. The SRX security device is connected by a trunk to the same distribution VC also, just as it should be.

 

There is a real complicated mesh of routing by the SRX, Distributing VC with several virtual-router instances and, I assume unwanted and not intended, routes at the Edge VC's by the use of IRBs. Unwanted and unintended, because I believe the configuration has a design error, and that is where about I want to ask you for your opinion.

 

At the Edge VC I found:

interfaces

                irb

                     unit 987

                               familiy inet address 10.250.45.x/24

                me0 disable

                vme0 disable

 

vlans

                management

                     vlan-id 987

                    l3 interface irb.987

 

routing-options

                static

                      route 0.0.0.0/0 next-hop 10.250.1.254

 

It is possible from a host connected to another Edge VC to open a ssh session to the VC with address 10.250.45.x as if it was configured as the vme0 IPv4 address. All VC's use the same vlan-id 987. It functions and the entire intranet is performing well.

 

Nevertheless I believe the configuration is faulty: 

  1. The OoB management address should be configured at the vme0 and not at the IRB. Hence when I did so, I lost connection.
  2. Every VC has its own OoB Management IPv4 address configured in the same VLAN-ID 987 IRB. This is not how it should be. Don't you think so?
  3. I believe that configuring an IRB on a switch does automatcally create a local and direct route to this vlan. This causes unpredictable results like traffic that flows from one vlan to another vlan nevertheless the SRX has a policy configured to drop it.

 

Does any of the forum members recognize this obscure configuration practice? Am I wrong and does it have a good reason to configure it this way?  

 

What is your advice for how to redesign this? Is it preferable to use the distribution VC and SRX for all the routing and deactivate the IRB’s?


Certified:
JNCIS-ENT
JNCIS-SEC
JNCIA-Junos
4 REPLIES 4
Ethernet Switching

Re: Faulty IRB config?

[ Edited ]
‎06-22-2019 07:03 AM

1. me0 is the physical mgmt port on the back of the switch. Configuring vme0 allows any member's mgmt port to be used. Your customer's setup with an oob vlan interface for management is correct and normal for remote access to a layer 2-only switch. When you moved the mgmt ip to the unconnected physical management port you lost connectivity.

 

2. I don't believe it is possible to place the same interface in multiple routing instances. I would be interested in seeing that config

 

3. Adding an IRB interface to a vlan on a switch will not make that vlan reachable from devices in other vlans if their gateways are on another device (like the SRX). The SRX has its own IP in that vlan that could allow routing from there, but as you note security policies and routing instances are in place to prevent it. 

Ethernet Switching

Re: Faulty IRB config?

[ Edited ]
‎06-23-2019 05:33 AM

 

Smicker,

Thank you for your response, but please, can you further explain it?

 

  1. me0 is the physical mgmt port on the back of the switch. Configuring vme0 allows any member's mgmt port to be used. Your customer's setup with an oob vlan interface for management is correct and normal for remote access to a layer 2-only switch. When you moved the mgmt ip to the unconnected physical management port you lost connectivity.

 

Do you really mean that the OoB management address should be configured in the IRB ip-address (me0 disable, vme0 disable)? All Juniper documentation I know, states that you must use me0, or vme0 if it concerns a VC. An IRB interface is not (specially) intended as a management interface, actually I think it is strange that it nevertheless works. Can you further explain your response?

 

  1. I don't believe it is possible to place the same interface in multiple routing instances. I would be interested in seeing that config

 

Sorry, I didn’t mean VR (Virtual router) but VC (virtual chassis). Every VC has its own OoB Management IPv4 address configured in the same VLAN-ID 987 IRB. This is not how it should be. Don't you think so?

 

  1. Adding an IRB interface to a vlan on a switch will not make that vlan reachable from devices in other vlans if their gateways are on another device (like the SRX). The SRX has its own IP in that vlan that could allow routing from there, but as you note security policies and routing instances are in place to prevent it.

 

OK, indeed, I understand the first sentence. But when you create an IRB e.g. on the management vlan then the computer vlan on the same switch can connect to that management vlan, routed by the local and direct routes of the switch. That is not wat was intended. As long as routing is not performed by the SRX, the SRX security policies’s doesn’t make sense. Routing of the management vlan should not be performed bij the edge VC's but the SRX or distribution VC. The use of IRB's seems unneccesary to me and makes the mangement vlan availalble for al PC's (insecure). Do I misunderstand it?

 

With regards,

 

Jean


Certified:
JNCIS-ENT
JNCIS-SEC
JNCIA-Junos
Ethernet Switching

Re: Faulty IRB config?

‎06-23-2019 09:56 AM

1 & 2. It's not always feasible or possible to use the dedicated me0/vme0 management port due to cost or distance. A single switch in an edge closet doesn't justifiy the expense of a fully seperate management network to plug those ports into. IDF's that are hundreds or thousands of meters away are unable to connect over copper. Also, Juniper is only just now (JUNOS 18 & 19) implementing a seperate management instance for EX and QFX switches, meaning until recently the management port wasn't even useful outside specific deployment scenarios. Because of these issues it is normal to use either an existing IRB interface IP or create a dedicated management IRB interface for management. This is inband management. Each VC must have a unique address

 

3. If there are local routes in the same routing instance as the mgmt irb on the edge switch then yes it is possible that routing to the management network can occur from connected hosts. Routing instances, switch ACLs, or route distribution policy options can prevent this. Since you mentioned routing instances and trunks to the edge switches it's possible that the designer intended for seperation. Whether or not they were successful is hard to tell without seeing a topology and configurations.

Ethernet Switching

Re: Faulty IRB config?

‎07-10-2019 11:46 AM

Smicker,

 

Thank you for your response, but I still don't really get it.

Sorry for responding so late, I am very busy at the moment (and passed for the JNCIS-ENT exam last thuesday Smiley Happy).

I would like to give an in dept response, later on.

 

With regards,

 

Jean de La Cour


Certified:
JNCIS-ENT
JNCIS-SEC
JNCIA-Junos