SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  New install - Testing worked, implementation broke

    Posted 08-02-2016 10:24

    I've been configuring an SRX-300 for the past couple of weeks - first time setting one up from scratch.

    We have a /29 from Comcast and currently use two of the addresses in production.
    Our internal network is 192.168.44.0/24 with the gateway address of 192.168.44.2 (I inherited this).

    I configured ge-0/0/4 with the same internal IP as our current functioning router.

    Ports are configured as follows.

    ge-0/0/0 - x.x.x.145/29 <-- one of the unused /29 addresses

    ge-0/0/1 - 192.168.1.0/24  <-- test machine connected to this port

    ge-0/0/2 - 192.168.2.0/24 - unused

    ge-0/0/3 - 192.168.3.0/24 - unused

    ge-0/0/4 - 192.168.44.2/24 <-- this is our actual internal network

    ge-0/0/5 - 192.168.5.0/24 - unused

    ge-0/0/0 is untrust

    ge-0/0/1-5 are in trust

    Testing setup

    ge-0/0/0 = x.x.x.145/29 (the unused /29 address)

    ge-0/0/1 = 192.168.1.0/24 - test computer connected to this port directly

    ge-0/0/4 = 192.168.44.2/24 - configured with the same address as our current router. I had a computer connected to this port directly (isolated from the existing network).

    All of my testing worked fine.

    Steps to install.

    1. Disconnected the current router.
    2. Attached ge-0/0/4 to our current network (configured with the same internal address as the existing router).
    3. Added x.x.x.148 to ge-0/0/0 (x.x.x.148 is the production IP address assigned to our current router).
      • The original testing address of x.x.x.145 was not removed from ge-0/0/0.
    4. Attached ge-0/0/0 to the modem.

    Everything broke.

    The 192.168.44.0 network could not communicate with the outside world.

    The 192.168.1.0 network could not communicate with the outside world.

    I could not ping an external IP address from either of the networks.

    I could not ping an external IP address from the Juniper.

    I've compared the two configurations and the only changes made are:

    Original (working):

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address x.x.x.145/29;
                }
            }
        }
    }

    Broken:

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address x.x.x.148/32;
                    address x.x.x.145/32;
                }
            }
        }
    }

    The routing options were not changed, but I've included them here:

    routing-options {
        static {
            route 0.0.0.0/0 next-hop x.x.x.150;   <-- gateway provided by ISP
        }
    }

     

    My suspicion is that I changed the subnet masks from /29 to /32 on ge-0/0/0, but I am not entirely sure. Obviously I would like to figure this out before I try again.

    I have attached a copy of the broken configuration with the IP addresses suitably generified (changed the first three octets).

    Thanks

    Attachment(s): SRX300-BrokenConf.txt (8 KB)


  • 2.  RE: New install - Testing worked, implementation broke
    Best Answer

    Posted 08-02-2016 10:33

    Hi,

    You should just configure both external IPs with the /29 instead of /32. If you use the /32 mask, then the next-hop for your Comcast connection isn't reachable.

    Your interface should look something similar to this. The preferred option defines which IP the SRX itself will initiate connections from.

     

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address x.x.x.148/29;
                    address x.x.x.145/29 preferred;
                }
            }
        }
    }

    On a side note, this could also be solved by using proxy-arp to avoid configuring multiple IPs on the interface. Example configuration of proxy-arp: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21785
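    To make the /32-versus-/29 point concrete, here is an added check (not from the thread and not Juniper code) that pulls the family inet addresses and static routes out of a Junos-style excerpt and reports any static route whose next-hop falls outside every connected network. The prefixes are constructed: the documentation range 203.0.113.144/29 stands in for the poster's generified x.x.x addresses, with .150 as the ISP gateway from the post.

```python
import ipaddress
import re

# Constructed excerpt mirroring the "Broken" config in the thread. The
# 203.0.113.144/29 block is an assumption standing in for x.x.x.0/29.
BROKEN_CONF = """
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 203.0.113.148/32;
                address 203.0.113.145/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 203.0.113.150;
    }
}
"""
# The fix suggested above: same addresses, but with the real /29 mask.
FIXED_CONF = BROKEN_CONF.replace("/32;", "/29;")

ADDR_RE = re.compile(r"^\s*address\s+(\S+?)(?:\s+preferred)?;", re.M)
ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+next-hop\s+(\S+);", re.M)


def interface_networks(conf):
    """Connected ('direct') networks Junos derives from each inet address."""
    return [ipaddress.ip_interface(a).network for a in ADDR_RE.findall(conf)]


def unresolvable_static_routes(conf):
    """Static routes whose next-hop lies in no connected network.

    Junos can only ARP for a next-hop on a directly connected subnet; with
    /32 addresses the only connected networks are the host routes, so
    .150 is unreachable and the default route never becomes usable.
    """
    nets = interface_networks(conf)
    bad = []
    for dest, nh in ROUTE_RE.findall(conf):
        if not any(ipaddress.ip_address(nh) in n for n in nets):
            bad.append((dest, nh))
    return bad
```

    Run it against both excerpts: the /32 version flags the default route, the /29 version comes back clean.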



  • 3.  RE: New install - Testing worked, implementation broke

    Posted 08-02-2016 10:43

    I don't think I should accept the solution until I test it, but I am sure you know a lot more than me and are correct.


    At least I know I am not a complete fool, just mostly a fool.

    Once I saw the /32 I thought that would be the issue.
    When I initially made the changes I fat-fingered it and had to correct it; in correcting it I made it a /32.

    Since I have another /29 address available I will try the proxy-arp with those and see how that works.

    Much appreciated.



  • 4.  RE: New install - Testing worked, implementation broke

    Posted 08-03-2016 09:44

    Hello,

    @DaleM wrote:

        We have a /29 from comcast and currently use two of the addresses in production.
        <skip>
        Steps to install.

        1. Disconnected the current router.
        2. Attached ge-0/0/4 to our current network. (configured with the same internal address as the existing router)
        3. Added x.x.x.148 to ge-0/0/0 (x.x.x.148 is the production IP address assigned to our current router)
          • the original testing address of x.x.x.145 was not removed from ge-0/0/0)
        4. Attached ge-0/0/0 to the modem

        Everything broke.
        <skip>

    Did You check with Comcast before migration whether they allow ONLY a certain MAC on Your cable drop, or any MAC is allowed?

    If the former, then when You disconnected Your old router and connected a new one, the router's MAC obviously changed and Comcast could have rejected everything coming from the new MAC.

    SRX allows You to configure an arbitrary MAC per interface, so next time You might want to make a note of Your old router's MAC and explicitly configure this MAC on SRX ge-0/0/0 before connecting to Comcast.

    HTH

    Thx

    Alex