SRX Services Gateway

SRX Chassis Cluster - same subnets on different vlan interfaces

04-01-2020 03:00 AM

Hello,

I have a difficult SRX configuration with the same subnet configured on a couple of interfaces (lo0, reth0.10, reth0.100, reth0.200, reth0.300) which is... working fine (almost).

Each reth subinterface corresponds to a VLAN: 10, 100, 200. Interfaces reth0.10, reth0.100 and reth0.200 also have private subnets (like 192.168.1.0/24, 192.168.2.0/24, etc.) and SNAT configured to access the Internet with an external IP from the list of public IPs shown below (1.1.1.10, etc.). The loopback is used for terminating VPN connections. Example:

root@SRX2# show interfaces reth0.10 
vlan-id 10;
family inet {
    address 192.168.1.1/24 {
        primary;
    }
    address 1.1.1.10/24;
}

Probably those public IP addresses were added to the interfaces because SNAT was configured to use them. However, this public subnet should only be configured on reth0.300, which is dedicated to servers with public IP addresses.

root@SRX2# run show interfaces terse | match 1.1.1 
lo0.0                  up    up   inet      1.1.1.5/24 
reth0.10               up    up   inet      1.1.1.10/24
reth0.100              up    up   inet      1.1.1.100/24
reth0.200              up    up   inet      1.1.1.200/24
reth0.300              up    up   inet      1.1.1.1/24

root@SRX2# run show route 1.1.1.0  

inet.0: 802431 destinations, 802436 routes (132 active, 0 holddown, 802299 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

1.1.1.0/24    *[Direct/0] 10w4d 20:17:48
                    > via lo0.0
                    [Direct/0] 6w1d 14:15:36
                    > via reth0.100
                    [Direct/0] 6w1d 14:15:36
                    > via reth0.200
                    [Direct/0] 6w1d 14:15:36
                    > via reth0.10
                    [Direct/0] 6w1d 14:15:36
                    > via reth0.300

root@SRX2# run show route 1.1.1.5     

inet.0: 802442 destinations, 802447 routes (132 active, 0 holddown, 802310 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

1.1.1.5/32    *[Local/0] 10w4d 20:30:56
                      Local via lo0.0

{primary:node1}[edit]
root@SRX2# run show route 1.1.1.10   

inet.0: 802442 destinations, 802447 routes (132 active, 0 holddown, 802310 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

1.1.1.10/32   *[Local/0] 6w1d 14:28:48
                      Local via reth0.10

{primary:node1}[edit]
root@SRX2# run show route 1.1.1.100   

inet.0: 802442 destinations, 802447 routes (132 active, 0 holddown, 802310 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

1.1.1.100/32  *[Local/0] 6w1d 14:28:51
                      Local via reth0.100

Here is one of the NAT rules:

root@SRX2# show security nat source    

pool src-nat-pool-1{
    address {
        1.1.1.10/32;
    }
}

rule-set rs1 {
    from zone trust;
    to zone untrust;
    rule office-nat {
        match {
            source-address 192.168.1.0/24;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    src-nat-pool-1;
                }
            }
        }
    }
}

This configuration started to be problematic when I was trying to add a static route to a private network with a next hop of 1.1.1.11 - Juniper didn't respect it in the routing table:

root@SRX2# show routing-options | match 10.18                                      
    route 10.18.0.0/24 next-hop 1.1.1.11;

root@SRX2# run show route 10.18.0.0       

inet.0: 802379 destinations, 802384 routes (132 active, 0 holddown, 802247 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/170] 10w1d 19:59:26, localpref 120
                      AS path: 33333 ?, validation-state: unverified
                    > to 3.3.3.3 via ge-0/0/12.0

root@SRX2# run show route 1.1.1.11                                            

inet.0: 802411 destinations, 802416 routes (132 active, 0 holddown, 802279 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

1.1.1.0/24    *[Direct/0] 10w4d 20:41:19
                    > via lo0.0
                    [Direct/0] 6w1d 14:39:07
                    > via reth0.100
                    [Direct/0] 6w1d 14:39:07
                    > via reth0.200
                    [Direct/0] 6w1d 14:39:07
                    > via reth0.10
                    [Direct/0] 6w1d 14:39:07
                    > via reth0.300

I'm not sure how to fix it. Can you suggest a solution? Thanks!


Re: SRX Chassis Cluster - same subnets on different vlan interfaces

04-02-2020 03:05 AM

The real question is how to fix this. I suppose that this /24 public subnet (announced via BGP) should be assigned only to the single interface used for it, and instead of adding addresses from this subnet to the interfaces used for NAT, there should only be proxy ARP. But on which interface? And what about the redundant loopback interface used for VPN?


Re: SRX Chassis Cluster - same subnets on different vlan interfaces

04-02-2020 11:06 AM

This is honestly quite a strange configuration. From what I understand you are using the addresses for source NAT.

In general, having the same subnet on multiple interfaces in the same device and routing instance will create issues.

From looking at the configuration and routes, your default route points towards ge-0/0/12.0, meaning that traffic from e.g. 192.168.1.0/24 towards untrust will be sent out via this interface and NATed behind 1.1.1.10.

Are you announcing 1.1.1.0/24 via BGP? If yes, then to which peer? The one on ge-0/0/12.0?

If this is true, I would not expect you to need the 1.1.1.x addresses configured on your internal reth0.x interfaces, as these are only for your local 192.168.x.0/24 subnets. As long as you announce 1.1.1.0/24 correctly to your BGP neighbor, the SRX flow daemon will do your NAT without needing the IP addresses configured on any interface. Your BGP upstream will send traffic for 1.1.1.0/24 towards your SRX, where it will be matched against the session table or matched to your lo0.0 for IPsec VPN.

--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)

Re: SRX Chassis Cluster - same subnets on different vlan interfaces

04-02-2020 11:11 AM

Forgot the part about the static route: direct routes are always preferred over static routes (and over any other route in general).

On which other device have you configured 1.1.1.11/24? Why do you need a public IP to route your internal 10.18.0.0/24 prefix?

Providing the full interface config, security zones and NAT configuration (no need for security policies and general system configuration) and a drawing of your setup will help in getting a better understanding of your setup.

--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)

Re: SRX Chassis Cluster - same subnets on different vlan interfaces

04-06-2020 02:51 AM

Please check the attachment to see what my configuration looks like. We have 2 BGP peers, but we accept only a default route.

On the internal interface (reth0) we have a couple of VLANs, most of them with private IP subnets and SNAT configuration translating the private subnets to 1.1.1.0/24. Moreover, one of the VLANs has a public subnet (1.1.1.0/24) for web servers, and there's also a redundant loopback interface with 1.1.1.5/24 for terminating VPN connections.

From what I remember, when SNAT was configured, for example, to translate to 1.1.1.10 and this IP was not added to any interface, the NAT did not work predictably. When debugging with traceoptions, I saw that the IP 1.1.1.10 cannot be found, etc. The problem stopped occurring after adding it to any interface.

pool src-nat-pool-office {
    address {
        1.1.1.10/32;
    }
}
pool src-nat-pool-mobile {
    address {
        1.1.1.100/32;
    }
}
pool src-nat-pool-guest {
    address {
        1.1.1.200/32;
    }
}
rule-set rs1 {
    from zone trust;
    to zone untrust;
    rule office-nat {
        match {
            source-address 192.168.1.0/24;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    src-nat-pool-office;
                }
            }
        }
    }
}
rule-set rs2 {
    from zone guest;
    to zone untrust;
    rule guest-nat {
        match {
            source-address 192.168.2.0/24;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    src-nat-pool-guest;
                }
            }
        }
    }
}
rule-set rs3 {
    from zone mobile;
    to zone untrust;
    rule mobile-nat {
        match {
            source-address 192.168.3.0/24;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    src-nat-pool-office;
                }
            }
        }
    }
}

root@SRX# show interfaces reth0
vlan-tagging;
redundant-ether-options {
    redundancy-group 1;
    lacp {
        active;
        periodic fast;
    }
}
unit 10 {
    description cable-network;
    vlan-id 10;
    family inet {
        address 192.168.1.1/24 {
            primary;
        }
        address 1.1.1.10/24;
    }
}
unit 100 {
    description mobile-network;
    vlan-id 100;
    family inet {
        address 192.168.3.1/24 {
            primary;
        }
        address 1.1.1.100/24;
    }
}
unit 200 {
    description guest-network;
    vlan-id 200;
    family inet {
        address 192.168.2.1/24 {
            primary;
        }
        address 1.1.1.200/24;
    }
}
unit 300 {
    description servers;
    vlan-id 300;
    family inet {
        address 1.1.1.1/24;
    }
}
root@SRX# show interfaces lo0
unit 0 {
    family inet {
        address 1.1.1.5/24;
    }
}
redundant-pseudo-interface-options {
    redundancy-group 0;
}
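As an added example (not the poster's running configuration and not Juniper documentation), here is the same cluster laid out the way the two replies above suggest: 1.1.1.0/24 is attached only to reth0.300, the SNAT pool addresses come off reth0.10/100/200, lo0 carries a /32 instead of a /24, and the connected /24 is exported to the upstream. Interface, pool and zone names are taken from the thread; the policy-statement name `export-public` and the BGP group name `upstream` are assumptions.

```junos
/* Added example, not the poster's running configuration: the same cluster
   with 1.1.1.0/24 attached only to the interface whose VLAN actually
   carries hosts from it. Names below come from the thread except the
   policy-statement and BGP group names, which are assumptions. */
interfaces {
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
                periodic fast;
            }
        }
        /* Private VLANs keep only their private gateway address; the
           SNAT pool addresses 1.1.1.10/100/200 are no longer interface
           addresses, so they add no competing Direct/0 route. */
        unit 10 {
            description cable-network;
            vlan-id 10;
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 100 {
            description mobile-network;
            vlan-id 100;
            family inet {
                address 192.168.3.1/24;
            }
        }
        unit 200 {
            description guest-network;
            vlan-id 200;
            family inet {
                address 192.168.2.1/24;
            }
        }
        /* The only interface connected to 1.1.1.0/24, so the Direct/0
           route for the /24 gets exactly one next hop. */
        unit 300 {
            description servers;
            vlan-id 300;
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
    lo0 {
        /* A /32 gives the VPN endpoint a Local/0 host route without a
           second Direct/0 route for the whole /24 on lo0.0, which in the
           poster's output was the active one. */
        unit 0 {
            family inet {
                address 1.1.1.5/32;
            }
        }
        redundant-pseudo-interface-options {
            redundancy-group 0;
        }
    }
}
/* The source NAT pools and rule-sets from the thread stay as posted;
   return traffic to a pool address is matched by the session table. */
policy-options {
    /* Assumed name. Announces only the connected /24 upstream. */
    policy-statement export-public {
        term public {
            from {
                protocol direct;
                route-filter 1.1.1.0/24 exact;
            }
            then accept;
        }
        then reject;
    }
}
protocols {
    bgp {
        /* Assumed group name; attach the export policy to the existing
           upstream group(s). */
        group upstream {
            export export-public;
        }
    }
}
```

After commit, `show route 1.1.1.0/24` should list a single Direct/0 next hop via reth0.300, and `show route 1.1.1.5` a Local/0 via lo0.0. Two caveats the thread leaves open: the static route `10.18.0.0/24 next-hop 1.1.1.11` then resolves over reth0.300 only, which is correct only if the device owning 1.1.1.11 really sits in VLAN 300; and proxy ARP for the pool addresses would be needed only if they fell inside the subnet of the egress interface ge-0/0/12.0, which the 3.3.3.3 next hop in the posted output suggests they do not. If the earlier "cannot be found" NAT behaviour recurs after the addresses are removed, `show security nat source pool all` and `show security flow session source-prefix 192.168.1.0/24` show whether the pool is in use and whether sessions are being created with the expected translated address.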