SRX Services Gateway

Returning traffic through an interface/route which is in another zone?

08-03-2015 11:17 PM

I have a case where I have an SRX240 cluster and an ISP-run MPLS network for remote sites. Each remote site has three different networks: administration, student and guest. These are separate from each other. MPLS and the SRX are connected through three separate routing networks, one routing network per network. Traffic is routed with static routes. So I route all administration networks through the administration routing network and the ISP returns administration network traffic through the same network to the SRX. Internet access from an MPLS site is done the same way: all traffic from remote administration networks is routed to the administration routing interface on the SRX and from there with policies and interface NAT to the Internet. Each network is in its own zone.

Now we have trouble with one site. The ISP has some technical limitations and apparently cannot have three truly separate networks, and is asking if I'd create a new, fourth routing network for the default route (Internet access). Internet traffic would come through this and go back through the corresponding administration/student/guest routes. Here is where the trouble starts. I know traffic will return for one network if I put this new routing network in the same zone as the return route, but it won't work for the other zones. I'd like to put this fourth network in its own zone, but is it even possible to have traffic return through a route which is in a separate zone?


Re: Returning traffic through an interface/route which is in another zone?

08-03-2015 11:52 PM

Hello,

Can you give us a brief network diagram to explain your requirement? From my understanding, you need to route Internet traffic hitting all 3 routing instances, and the return traffic needs to go via a different interface in Inet.

This will drop the traffic saying re-route failed. Putting them in the same zone will not help; it may work for one network and fail for the other 2.


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: Returning traffic through an interface/route which is in another zone?

08-04-2015 04:56 AM

Here, if it makes any sense...


When a client sends traffic to the default route on the "Problem site", it comes to Zone4 and is sent to the Internet. But the returning traffic should be sent back through Zone1 and Zone2.

I've got a feeling that this is not going to work easily.

Re: Returning traffic through an interface/route which is in another zone?

08-04-2015 06:18 PM

The SRX will pass traffic that is routed asymmetrically only if the outgoing and incoming interfaces are in the same zone (and therefore must be under the same VRF). Otherwise it will drop the return traffic because it's not matching the flow table entry.

It looks like, from your drawing, that you won't be able to do this.


I think your only solution is to overlay the service provider MPLS network with either GRE tunnels or maybe IPsec. This will require the CPEs to be able to support the tunnelling protocol.

You might be able to do this at Layer 2 with GRE, and therefore support the addressing that you've got in your drawing with VLANs stretched at Layer 2 over the WAN. If that's too hard, then Layer 3 routing over GRE or IPsec to different subnets at each site might be the only answer.
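The same-zone rule described in this reply, as an added illustration that is not part of the thread and is not Junos code: a simplified Python model of the flow decision for the outbound packet and its reply. The topology is constructed to match the thread (interface names, zone names, the 10.x/16 prefixes and the 203.0.113.7 Internet host are all assumed), and the two drop checks are a simplification of what the reply describes, not the SRX implementation.

```python
import ipaddress

# Constructed topology in the shape of the thread: interface -> security zone.
BASE_ZONES = {
    "ge-0/0/1.0": "admin",    # administration routing network
    "ge-0/0/2.0": "student",  # student routing network
    "ge-0/0/3.0": "guest",    # guest routing network
    "ge-0/0/4.0": "zone4",    # the ISP's proposed fourth (default-route) network
    "ge-0/0/0.0": "untrust",  # Internet
}

# Constructed static routes as (prefix, egress interface); longest prefix wins.
ROUTES = [
    ("10.1.0.0/16", "ge-0/0/1.0"),   # admin networks at the remote sites
    ("10.2.0.0/16", "ge-0/0/2.0"),   # student networks
    ("10.3.0.0/16", "ge-0/0/3.0"),   # guest networks
    ("0.0.0.0/0", "ge-0/0/0.0"),     # default route to the Internet
]

def route_lookup(dst):
    """Egress interface for dst by longest-prefix match over ROUTES."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), ifl) for p, ifl in ROUTES
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def forward(zones, sessions, src, dst, ingress_if):
    """Model one packet through the flow module: 'pass' or a drop reason."""
    if (src, dst) in sessions:               # forward direction, session exists
        return "pass"
    if (dst, src) in sessions:               # return direction of an existing session
        in_zone, out_zone = sessions[(dst, src)]
        if zones[ingress_if] != out_zone:    # reply must come back from the egress zone
            return f"drop: arrived from zone {zones[ingress_if]}, expected {out_zone}"
        egress_zone = zones[route_lookup(dst)]
        if egress_zone != in_zone:           # reverse route lands in a different zone
            return f"drop: re-route to zone {egress_zone}, session expects {in_zone}"
        return "pass"
    egress_if = route_lookup(dst)            # first packet: route, then install session
    sessions[(src, dst)] = (zones[ingress_if], zones[egress_if])
    return "pass"

def internet_round_trip(client, zone4_zone="zone4"):
    """Client at the problem site goes out via the fourth routing network (ge-0/0/4.0);
    returns verdicts for the outbound packet and the Internet host's reply."""
    zones = dict(BASE_ZONES, **{"ge-0/0/4.0": zone4_zone})
    sessions = {}
    out = forward(zones, sessions, client, "203.0.113.7", "ge-0/0/4.0")
    back = forward(zones, sessions, "203.0.113.7", client, "ge-0/0/0.0")
    return out, back

if __name__ == "__main__":
    print(internet_round_trip("10.1.5.10"))           # fourth network in its own zone: reply dropped
    print(internet_round_trip("10.1.5.10", "admin"))  # merged into the admin zone: admin hosts work
    print(internet_round_trip("10.2.5.10", "admin"))  # but student hosts still fail
```

The three runs reproduce the thread's point: the reply is dropped when the fourth network sits in its own zone, and merging it into one of the existing zones only fixes that zone's networks.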


Re: Returning traffic through an interface/route which is in another zone?

08-06-2015 05:58 AM

After discussions with the ISP and some thinking, we ended up doing the trouble site through its own separate routing network. They route all traffic to the SRX through a dedicated routing network which goes to a dedicated zone on the SRX, where I do access rules based on IP addresses.

Other sites go through those three networks.
