So I need some help desperately. Am stuck trying to setup a SRX240 to get web management for itself, and provide some IPs behind the firewall (public IPs). For some reason, it's not working properly at this new data center, even though I use this method at others, and am just wondering if someone could look at this and help me out. I've gone over it enough I know I'm missing something or making a wrong assumption, so it's time to reach out.
The way that I usually set this up at a DC is I have a primary switch for each rack. That TOR switch gets a /30 of it's own from the DC (and uses the gateway from this /30 to next-hop to). This gives the switch its own address. Then, for example, I have the DC route additional subnets to the switch, and I assign them out. Simple, and that works. Port 47 is my uplink and port 46 will be my firewall. I do it like this because I may have multiple firewalls in the same switch for different customers.
If I have a firewall behind the switch, the DC gives me another /30 for the firewall, and again, routes this to the switch. I make a VLAN assigned to the firewall's port using this /30 which gives the firewall a gateway. I use this for the firewall's next hop.
Finally, I create a default route on the switch routing the subnet to go behind the firewall to the /30 for that firewall.
So it looks like this:
Internet --> DC's next hop(/30) --> EX4200(/30) --> SRX240(/27) --> servers
However, in this new DC I cannot get this working and I dunno if it's me or them. I've done some traceroutes and the /30 for the firewall is just looping between the switch's IP and the DC's next hop. Do I have a route wrong?
Lets do some aliases so it's easier to talk:
dcnexthop = /30 given to the EX4200 firewallsub = /30 given to SRX240 (not working) sub1 = /27 on the switch (working) sub2 = /27 on the firewall (not working)
1. Plug firewall into 0/0/46
2. Load factory default, set password and hostname, commit. Just to make sure it's clean. 3. Set 0/0/0 to inet and give it the free IP in firewallsub. Commit.
My commands (AFTER the reset/commit):
delete interfaces ge-0/0/0
set interfaces ge-0/0/0 unit 0 family inet address [firewallsub's gateway for the /30**]
At this point, I stop, since if I can't get the firewall to respond to pings and login, it's a lost cause. What am I missing? I can give someone the actual IPs in a PM if you can help.
I've done some traceroutes and the /30 for the firewall is just looping between the switch's IP and the DC's next hop. Do I have a route wrong?
It is hard to visualize this without some actual examples, but this description seems like there is a routing loop between your switch and the DC upstream of it.
What is the exact traceroute looping from where to where?
the loop means that the destination address in your trace request is seen by both devices as belonging to the neighbor device. So one of them is wrong. Which one will depend on what that ip address is where the final connection endpoint is of that address.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home