SRX Services Gateway

Alternative to Screen OS null interface

07-24-2014 09:00 AM

Dear forums,

I'm currently migrating an SSG cluster to SRX and I'm stuck on this part of the configuration.

set route 217.72.233.1/32 interface tunnel.1 preference 20 permanent
set route 217.72.233.2/32 interface tunnel.1 preference 20 permanent
set route 217.72.233.3/32 interface tunnel.1 preference 20 permanent
set route 217.72.233.1/32 interface null preference 40 permanent
set route 217.72.233.2/32 interface null preference 40 permanent
set route 217.72.233.3/32 interface null preference 40 permanent

As you can see, public IP addresses are being routed over a VPN tunnel. When this VPN tunnel is unavailable, the traffic should be discarded instead of being forwarded to the default gateway.

What is the alternative configuration for this in Junos?
The discard function doesn't have the results I'm looking for...

All help is welcome!


Re: Alternative to Screen OS null interface

07-24-2014 09:41 AM

Hello,

First of all, if You don't have a 0/0 route, or have a 0/0 route with a discard next hop, then when the more specific routes disappear the packets will be rejected (no 0/0) or discarded (0/0 discard).

Secondly, You can use the workaround below with "resolve" (assuming tunnel.1 maps into st0.1):

[edit routing-options static]
+    route 217.72.233.1/32 {
+        qualified-next-hop st0.1 {
+            preference 20;
+        }
+        qualified-next-hop 169.254.0.0 {
+            preference 40;
+        }
+        resolve;
+    }
+    route 169.254.0.0/32 discard;

Instead of 169.254.0.0 You can use any other unreachable IP address.

The end result:

aarseniev@rtr> show route 217.72.233.1/32                 
Jul 24 18:40:20

inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

217.72.233.1/32    *[Static/20] 00:04:30
                    > via st0.1
                    [Static/40] 00:07:28, metric2 0
                     to Discard

HTH

Thanks
Alex

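As an added verification check (not from the thread and not Juniper code): a small Python parser over a constructed `show route` sample in the same format as the output above, confirming for each public /32 that a tunnel route exists and that a Discard route is there to blackhole the traffic when the tunnel is down. The sample output, the prefix list and the `st0.1` name are assumptions.

```python
import re

# Constructed sample, modelled on the "show route" output pasted above.
# .1 has tunnel + discard, .2 has only the discard (tunnel down), .3 has no discard.
SHOW_ROUTE = """\
inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

217.72.233.1/32    *[Static/20] 00:04:30
                    > via st0.1
                    [Static/40] 00:07:28, metric2 0
                     to Discard
217.72.233.2/32    *[Static/40] 00:07:28, metric2 0
                     to Discard
217.72.233.3/32    *[Static/20] 00:04:30
                    > via st0.1
"""

ROUTE_RE = re.compile(r"^(\S+/\d+)")                 # "217.72.233.1/32"
ENTRY_RE = re.compile(r"^\s+(\*?)\[(\w+)/(\d+)\]")   # "*[Static/20]"
NH_RE = re.compile(r"^\s+>?\s*(?:via|to)\s+(\S+)")   # "> via st0.1" / "to Discard"


def parse_show_route(text):
    """Return {prefix: [(active, protocol, preference, next_hop), ...]}."""
    routes, entries = {}, None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:  # new prefix; the rest of this line holds its first entry
            entries = routes.setdefault(m.group(1), [])
            line = line[m.end():]
        if entries is None:
            continue  # header lines before the first prefix
        m = ENTRY_RE.match(line)
        if m:
            entries.append([bool(m.group(1)), m.group(2), int(m.group(3)), None])
            continue
        m = NH_RE.match(line)
        if m and entries and entries[-1][3] is None:
            entries[-1][3] = m.group(1)
    return {p: [tuple(e) for e in es] for p, es in routes.items()}


def check_blackhole_fallback(routes, prefixes, tunnel="st0.1"):
    """Per prefix: is there a tunnel route, a Discard fallback, and what is active now?"""
    report = {}
    for p in prefixes:
        es = routes.get(p, [])
        report[p] = {
            "tunnel_route": any(e[3] == tunnel for e in es),
            "discard_fallback": any(e[3] == "Discard" for e in es),
            "active_next_hop": next((e[3] for e in es if e[0]), None),
        }
    return report
```

A prefix with `discard_fallback` False (or missing entirely) is one whose traffic would fall through to the default route when the tunnel is down.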

Re: Alternative to Screen OS null interface

07-28-2014 05:09 AM

If your intention is to have the tunnel only when the matching traffic comes, then is it not better to use a policy-based VPN?

Solution (accepted by topic author Jeroen Bismans, 08-26-2015 01:27 AM)

Re: Alternative to Screen OS null interface

08-01-2014 06:40 AM

Hi,

It is pretty straightforward:

You can use the following:

set routing-options static route 1.1.1.1/32 next-hop st0.1
set routing-options static route 1.1.1.1/32 passive

or

set routing-options static route 1.1.1.1/32 next-hop st0.1
set routing-options static route 1.1.1.1/32 retain

Even when st0.1 goes inactive the route will be retained.

This will solve your problem.

Regards,

c_r


Re: Alternative to Screen OS null interface

08-11-2014 01:30 AM

Thank you everyone for your feedback!
It's not live yet but that retain option seems to be the solution.

I feel dumb for overlooking that option! :-)