SRX

Dear All,

I'm configuring two SRX 3400 with 2 Reth interfaces in the same subnet and I think I'm having ARP issues as I see some interfaces as being up and can't ping from them while others are down and pingable ?  Are there any known issues related with using two Reth interfaces in the same subnet and same broadcast domain ?

Are both of the reth interfaces in same routing-instance or differnet one?

If there are no routing-instance configured, it doesn't make sense to have two interfaces in same subnet.

Do you have any specific use-case/requirement to have same subnet IPs?

Regards,

Raveen

Yes both are in same routing instance .  This is the user requirements in order to configure seperate IPSec VPN Peer gateways for seperate clients.

Overlapping IPs for a given subnet is not recommended to be configured on the same routing-instance.

To have your requirement met, you will have to create routing-instance logically seperate traffic.

Regards,

Raveen

Are there any technical specifics to why it is not recommended as I have a common vpn tunnel on one of the interfaces so I can't seperate them ( or it would make it very complicated ) with a routing instance .

Hello

If you have two interfaces configured with IPs overlapping from same subnet.

Junos will have to two create direct-route like below for same esubnet:

Configuration:

*********

root# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.10.10.1/24;
        }
    }
}
ge-0/0/6 {
    unit 0 {
        family inet {
            address 10.10.10.2/24;
        }
    }
}

*********

*********

root> show route

10.10.10.0/24      *[Direct/0] 00:00:19
                    > via ge-0/0/0.0
                    [Direct/0] 00:00:19
                    > via ge-0/0/6.0
10.10.10.1/32      *[Local/0] 00:00:19
                      Local via ge-0/0/0.0
10.10.10.2/32      *[Local/0] 00:00:19
                      Local via ge-0/0/6.0

**********

While processing traffic, you would see behavior like you are experiencing now.

Hence it is recommended to have routing-instace configured for overlapping IPs of a subnet.

Hope this clarifies!

Regards,

Raveen

The thing is I'm configuring route based vpn on the reth interfaces, so I had issues with route based vpn in a routing instance and had to remove the reth interface outside of the virtual router. Is there a better way to do it ?

Route based VPN in routing-instance should not be that challenging!

You could refer below KB for example:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21487

Regards,

Raveen

There are no known issues as such with two interfaces in the same broadcast domain.

BUt thinking of it from newtwork terms, two interfaces can reach the same boracast domain, now the SRX would choose the interface with the highest interface ID as the prefereed outgoing interface.

It is not ana dvisible design to have two interfaces on the same broadcast domain.

c_r

[Click the "Star" for Kudos if you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]