SRX Services Gateway

Re: SRX240 Need Help with vlan Routing

07-06-2017 10:22 AM

So the cause is a zone mismatch.

Please take a look at https://kb.juniper.net/InfoCenter/index?page=content&id=KB21363

 

Did you think about running VRRP? If you want to use both clusters for access between VLANs 43 and 222 I think this is the way to go.

 

Regards, Wojtek


Re: SRX240 Need Help with vlan Routing

07-07-2017 02:52 AM

Hi Wojtek,

 

Running VRRP would be a good solution as we could provide a first-hop redundancy protocol for the LAN.

For sure I will consider it once business moves to the new office.

For the time being the goal is the following.

 

Our customer has two branch offices with L2 connection established between them.

As they are going to close/move location A they want to move the L3 gateways for all VLANs from SRX-A -> SRX-B.

In this way hosts which reside in location A will be leaving their network via the SRX in location B.

Once it is done they will be able to take off most of network devices in location A.

Last time we had an issue (I think with UDP traffic, as I couldn't authenticate via AD credentials) while moving the L3 gateway for just a single VLAN, Vlan43 for example:

 

Previously

SRX-A reth1.43 - 10.32.43.1 (DG)

SRX-B reth2.43 - 10.32.43.254

 

After changes

SRX-A reth1.43 - 10.32.43.254

SRX-B reth2.43 - 10.32.43.1 (DG)

 

In this scenario hosts (from V43) which reside in location A were leaving via SRX-B to access any other networks. However, other hosts were leaving their network via SRX-A.

Please correct me if I'm wrong (I'm not a FW expert) but this is probably the cause of the problem where traffic was simply dropped, as traffic originated from e.g. host 10.32.43.123 to 10.32.222.x was routed via SRX-B but the response (from 10.32.222.x) was coming via SRX-A.

 

To migrate successfully I should move both vlans to SRX-B at the same time.

 

Many thanks for your input
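The asymmetric path described in the post above can be reproduced with a small model of session-based forwarding. This is an added example, not code from the thread or from Juniper: it models the default SRX behaviour that only a TCP SYN may create a session and that any other packet without a matching session is dropped, and it routes each packet via the default gateway of the sending host's subnet. The /24 masks, the hosts 10.32.43.123 and 10.32.222.10, the port numbers and the assumption that 10.32.222.x is still gatewayed by SRX-A during the partial migration are constructed; the thread only gives the two VLAN 43 gateway addresses.

```python
"""Stateful-firewall model of the one-VLAN-at-a-time migration failure.

Added example for this thread, not the posters' or Juniper's code. Subnet masks,
host addresses, ports and the VLAN 222 gateway placement are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool   # TCP SYN flag: True on the flow-initiating packet and on the SYN-ACK
    ack: bool   # TCP ACK flag: False on the first SYN, True on the SYN-ACK


def reply_to(pkt):
    """The SYN-ACK a server sends back for a SYN (addresses and ports swapped)."""
    return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport,
                  syn=True, ack=True)


class StatefulFirewall:
    """Session-based forwarding with the TCP SYN check SRX applies by default:
    a SYN (without ACK) creates a session after a policy lookup (modelled here
    as 'permit'); any other packet must match an existing session in either
    direction, otherwise it is out of state and dropped."""

    def __init__(self, name):
        self.name = name
        self.sessions = set()   # (src, sport, dst, dport) of permitted flows
        self.drops = []         # packets dropped for lacking a session

    def forward(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return True
        if pkt.syn and not pkt.ack:
            self.sessions.add(fwd)   # first packet of the flow: create the session
            return True
        self.drops.append(pkt)       # e.g. a SYN-ACK at a firewall that never saw the SYN
        return False


def gateway_for(ip, gateways):
    """The firewall acting as default gateway for the subnet containing ip."""
    addr = ipaddress.ip_address(ip)
    for net, fw in gateways.items():
        if addr in ipaddress.ip_network(net):
            return fw
    raise ValueError(f"no gateway for {ip}")


def run_exchange(gateways):
    """One TCP SYN from VLAN 43 to VLAN 222 and the SYN-ACK routed back.
    Returns (firewall carrying the request, firewall carrying the reply, reply delivered)."""
    syn = Packet("10.32.43.123", "10.32.222.10", 50000, 445, syn=True, ack=False)
    out_fw = gateway_for(syn.src, gateways)       # client's default gateway
    out_fw.forward(syn)                            # SRX delivers it onto VLAN 222 directly
    synack = reply_to(syn)
    back_fw = gateway_for(synack.src, gateways)   # server's default gateway
    delivered = back_fw.forward(synack)
    return out_fw.name, back_fw.name, delivered


def partial_migration():
    """Only VLAN 43 moved (10.32.43.1 on SRX-B); VLAN 222 still gatewayed by SRX-A."""
    srx_a, srx_b = StatefulFirewall("SRX-A"), StatefulFirewall("SRX-B")
    return run_exchange({"10.32.43.0/24": srx_b, "10.32.222.0/24": srx_a})


def full_migration():
    """Both VLAN gateways moved to SRX-B at the same time."""
    srx_a, srx_b = StatefulFirewall("SRX-A"), StatefulFirewall("SRX-B")
    return run_exchange({"10.32.43.0/24": srx_b, "10.32.222.0/24": srx_b})


if __name__ == "__main__":
    print("one VLAN moved :", partial_migration())   # ('SRX-B', 'SRX-A', False)
    print("both VLANs moved:", full_migration())     # ('SRX-B', 'SRX-B', True)
```

With only VLAN 43 moved, SRX-B creates the session for the request but the SYN-ACK reaches SRX-A, which has no session and drops it; moving both gateways in the same change keeps request and reply on one firewall, which is the conclusion the post reaches. The same model explains why the zone-mismatch KB linked in the first reply is the right place to look: the firewall that sees only half of a flow has nothing to match it against.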


Re: SRX240 Need Help with vlan Routing

07-20-2017 06:00 AM

Dear Wojtek,

 

I've checked the case regarding VRRP and it seems we can't configure it between two clusters of SRX firewalls -> https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Cluster-and-VRRP/m-p/256031

 

It could work if we had standalone firewalls split between the two locations.

That means our customer has a configuration which doesn't support VRRP.

I understand that reth interfaces perform a similar function, but in that case if something happens to the SRX cluster in location A we have to reconfigure all L3 gateways in location B to provide the first hop for LAN devices.

 

I will be very glad if you can provide your thoughts about my previous reply (7th July).

In addition, could you please confirm what the correct design should be for a site with two DCs?

How can I improve the network design in that scenario?

 

Many thanks


Re: SRX240 Need Help with vlan Routing

08-01-2017 02:34 AM

Hi All,

Any help?

 

Your thoughts are highly appreciated

 

Thx,

Patryk


Re: SRX240 Need Help with vlan Routing

08-03-2017 03:23 AM

Hi Patryk,

I didn't know that VRRP is not supported on reth interfaces. Sorry for confusing you.

If you really need L2 across data centers, the only solution that I can think of is a single cluster with one node in DC1 and the second node in DC2.

 

Regards, Wojtek