SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Redundant GRE through Redundant Site-to-Site Tunnels using multiple ISPs and Routing instances

    Posted 06-26-2020 07:12

    I am trying to set up a redundant GRE interface to a remote site between 2 SRX devices.  Both sites have redundant ISPs and I have them configured into routing instances r1 and r2.  Each routing instance has a site-to-site tunnel bound to it: st0.0 >> r1 and st0.1 >> r2.  My current GRE interface gr-0/0/0.0 uses a source address that is lo0 on both sides.  I have a route on each SRX for the destination of the remote GRE going through st0.0 and I had to use "set gr-0/0/0 unit 0 tunnel routing-instance destination r1" to get the tunnel to come up.   I have an RPM probe set up and I am using ip-monitoring to fail over my default gateway to r2.  I tried using that to just fail over my GRE tunnel to r2, but that didn't work because of the "routing-instance destination r1" stanza.

     

    My next thought was 2 separate GRE tunnels:

     

    gr-0/0/0.0 >> source lo0.0 >> destination lo0.0 on remote SRX >> route to st0.0 through r1

    gr-0/0/0.1 >> source lo0.1 >> destination lo0.1 on remote SRX >> route to st0.1 through r2

     

    I quickly found out that I can't have multiple loopback interfaces in the same routing instance, so I moved the lo interfaces to their respective routing instance (gr-0/0/0.0 > r1 and gr-0/0/0.1 > r2), but the tunnels don't come up.

     

    Any suggestions?

     

    I am currently running SRX 240s in both locations, but they are slated to be upgraded later this summer to 340s.  However, I am not running this configuration on my production firewalls.  I have duplicated my network both using older hardware and virtually, and I am running these configs in vSRX machines.

     

    Thanks.



  • 2.  RE: Redundant GRE through Redundant Site-to-Site Tunnels using multiple ISPs and Routing instances

    Posted 06-26-2020 07:35

    Are you required to use GRE tunnels and routing-instance?

     

    The st0 interfaces on the SRXs are more than enough for your traffic needs. You can even run multicast through them.



  • 3.  RE: Redundant GRE through Redundant Site-to-Site Tunnels using multiple ISPs and Routing instances

    Posted 06-26-2020 07:40

    I am running OSPF inside and the GRE tunnel is my OSPF interface for internal routing.  I have dozens of networks throughout my OSPF interface and I don't want to have static routes.



  • 4.  RE: Redundant GRE through Redundant Site-to-Site Tunnels using multiple ISPs and Routing instances

    Posted 06-26-2020 08:14

    Hello,

     


    @filaadmin wrote:

     

    My next thought was 2 separate GRE tunnels:

     

    gr-0/0/0.0 >> source lo0.0 >> destination lo0.0 on remote SRX >> route to st0.0 through r1

    gr-0/0/0.1 >> source lo0.1 >> destination lo0.1 on remote SRX >> route to st0.1 through r2

     

     

     

    AFAIK, multiple parallel GRE tunnels with identical source address and identical destination address are not supported.

    This is due to how the PFE internally processes GRE packets: it has an artificial "route" that concatenates src.IP + dst.IP + IP proto (47).

     

    BUT - you can run OSPF over an IPsec tunnel in Junos, unlike Cisco, and multiple parallel IPsec tunnels with unique proxy-IDs are supported, unlike GRE.

     

    HTH

    Thx

    Alex



  • 5.  RE: Redundant GRE through Redundant Site-to-Site Tunnels using multiple ISPs and Routing instances

    Posted 06-26-2020 09:21

    I realize that I can't run multiple GRE tunnels with the same source/destination IP.  That is why I have lo0.0 for gr-0/0/0.0 and lo0.1 for gr-0/0/0.1 on both SRX devices and had to configure the lo interfaces in the routing instances for their respective st0 interface:

    lo0.0 > st0.0 > r1

    lo0.1 > st0.1 > r2

     

    How would I run OSPF over the IPsec tunnel?  Would I assign st0.0 and st0.1 an IP address?  Will it matter that my IPsec tunnel interfaces are in a different routing instance than my internal network?

     



  • 6.  RE: Redundant GRE through Redundant Site-to-Site Tunnels using multiple ISPs and Routing instances
    Best Answer

    Posted 06-26-2020 10:22

    The st0 can be configured like a regular inet interface.

     


     

    Because of this, you really don't need to have multiple routing-instances. You would just treat each st0.x as two separate connections (on inet.0) to the other SRX.



  • 7.  RE: Redundant GRE through Redundant Site-to-Site Tunnels using multiple ISPs and Routing instances

    Posted 06-26-2020 11:17

    I have the st0 interfaces in separate routing-instances because I have 2 ISPs and each ISP has a separate routing-instance.  I think it is this way because I have separate NATs on each ISP.  Do I need to have my st0 interfaces in my r1 and r2 routing-instances, or can I move them to inet.0 and leave my ISPs in their respective routing-instance?  Another reason I had the gr interface is because that is in my trust zone, whereas I had to move the st0.0 and st0.1 interfaces to the zones associated with the other interfaces in my routing-instance.

     

    r1 {
        instance-type virtual-router;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.1.0.1;
                route 192.168.12.1/32 next-hop st0.0;
                rib-group static-int1-to-main;
            }
            interface-routes {
                rib-group inet int1-to-main;
            }
        }
        interface ge-0/0/0.0;
        interface st0.0;
    }
    r2 {
        instance-type virtual-router;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.1.1.1;
                route 192.168.12.4/32 next-hop st0.0;
                rib-group static-int2-to-main;
            }
            interface-routes {
                rib-group inet int2-to-main;
            }
        }
        interface ge-0/0/1.0;
        interface st0.1;
    }


  • 8.  RE: Redundant GRE through Redundant Site-to-Site Tunnels using multiple ISPs and Routing instances

    Posted 06-26-2020 11:23

    Hi Filaadmin,

     

    Yes, I think you could just configure RIB groups and share interface routes between the routing instances using policy-options; then you won't need to add the physical interfaces under the routing-instance hierarchy, as they default to inet.0.

     

    Here is a tech note about RIB groups:

    https://www.juniper.net/documentation/en_US/release-independent/solutions/information-products/pathway-pages/rg-understanding-tn.pdf

     

    Hope it helps.

     

    Cheers,

    Benjamin



  • 9.  RE: Redundant GRE through Redundant Site-to-Site Tunnels using multiple ISPs and Routing instances

    Posted 06-27-2020 21:44

    I was able to get OSPF running through my IPsec tunnels and use RIB groups to share routes accordingly.  One issue I have is that I can't get static routes to redistribute into OSPF.   The two routes to the 192.168.241.x networks are not being distributed to the other OSPF neighbors, but 192.168.242.0/24 is.

    # show routing-options
    static {
        route 0.0.0.0/0 next-hop 50.232.53.92;
        route 192.168.241.1/32 next-hop 10.250.1.11;
        route 192.168.241.5/32 next-hop st0.1;
        route 192.168.242.0/24 next-hop 10.250.1.11;
        rib-group static-to-isps;
    }

    # show policy-options
    policy-statement import-static-filter {
        term static {
            from {
                route-filter 0.0.0.0/0 exact;
            }
            then reject;
        }
    }
    policy-statement static-to-ospf {
        term static-accept {
            from {
                protocol static;
                route-filter 192.168.241.0/24 exact;
                route-filter 192.168.242.0/24 exact;
            }
            then accept;
        }
    }

    # show protocols
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface ge-0/0/3.0 {
                passive;
            }
            interface ge-0/0/1.0 {
                passive;
            }
            interface st0.0;
            interface st0.1;
        }
        rib-group ospf-to-isp;
        export static-to-ospf;
    }
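As an added example (not from the thread or from Juniper), a small Python model of how Junos route-filter match types evaluate the static routes in the posted config: with `exact`, `192.168.241.0/24` matches only that exact prefix, so the two /32 host routes fall through the term, while `192.168.242.0/24 exact` matches itself; `orlonger` on the 241 prefix would accept the /32s. The model evaluates each route-filter line independently, which is a simplification (Junos picks the longest-matching route-filter line first), but gives the same result for these non-overlapping prefixes.

```python
from ipaddress import ip_network

# Constructed sample: the static routes from the posted "show routing-options".
STATIC_ROUTES = [
    "0.0.0.0/0",
    "192.168.241.1/32",
    "192.168.241.5/32",
    "192.168.242.0/24",
]


def route_filter_match(route: str, prefix: str, match_type: str) -> bool:
    """Simplified model of Junos route-filter match types for one prefix.

    exact    : route prefix and length equal the filter prefix
    orlonger : route lies inside the filter, any length >= filter length
    longer   : route lies inside the filter, length strictly greater
    """
    r = ip_network(route, strict=False)
    f = ip_network(prefix, strict=False)
    if r.version != f.version:
        return False
    inside = r.subnet_of(f)
    if match_type == "exact":
        return inside and r.prefixlen == f.prefixlen
    if match_type == "orlonger":
        return inside
    if match_type == "longer":
        return inside and r.prefixlen > f.prefixlen
    raise ValueError(f"unsupported match type: {match_type}")


def exported_routes(routes, filters):
    """Routes accepted by a term whose 'from' lists the given route-filters.

    filters: list of (prefix, match_type) pairs, evaluated like the
    route-filter lines in the posted static-to-ospf policy-statement
    (simplified: each line is checked independently).
    """
    return [r for r in routes if any(route_filter_match(r, p, m) for p, m in filters)]


# The policy as posted: both route-filters use 'exact'.
POSTED_FILTERS = [("192.168.241.0/24", "exact"), ("192.168.242.0/24", "exact")]
# The same policy with 'orlonger' on the 241 prefix so the /32 host routes match.
ORLONGER_FILTERS = [("192.168.241.0/24", "orlonger"), ("192.168.242.0/24", "exact")]

if __name__ == "__main__":
    print("exported with exact:   ", exported_routes(STATIC_ROUTES, POSTED_FILTERS))
    print("exported with orlonger:", exported_routes(STATIC_ROUTES, ORLONGER_FILTERS))
```

Note that the default route never matches either filter, so it stays out of OSPF under both variants; the `import-static-filter` policy in the posted config rejects it separately.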