SRX Services Gateway

conditional route based on VRRP status

03-27-2013 11:47 AM

Hi All,

I'm working with a pair of SRX 240 running JUNOS 11.4R5.5 and they are not clustered. They secure access to/from the DMZ and run VRRP on the DMZ LAN, acting as default gateway for the DMZ servers.

In our environment, the primary SRX does all the work unless there is some failure. However, there are still some occasional events where the secondary receives packets destined for the DMZ and routes them directly to that LAN. This is a problem since the reply from the DMZ uses the current VRRP master, which is the primary SRX. From the point of view of the primary SRX, this is a flow that doesn't yet exist so it is dropped.

I'd like to configure the secondary not to install the route from its VRRP interface until it becomes master. This would solve the problem since it would hear the DMZ route through the primary via OSPF. How can I accomplish telling an SRX to conditionally install a *direct* route based on VRRP status?

Thanks for any help,

RJ

Re: conditional route based on VRRP status

03-28-2013 06:00 AM

Perhaps a diagram as a conversation starter?

vrrp-v1.png

Re: conditional route based on VRRP status

03-29-2013 05:40 AM

Hi,

I am afraid that changing the direct routes is not possible.

Can you tell me more about what you mean by "the reply from the DMZ uses the current VRRP master"?

Z.

Re: conditional route based on VRRP status

03-29-2013 05:44 AM

I am afraid that changing the direct routes is not possible.


I suspected that might be the case.


Can you tell me more on what you mean with:  "the reply from the DMZ uses the current VRRP master"???


Sure.  A packet comes into the DMZ via the secondary SRX which is the backup VRRP router.  When the server in the DMZ sends its reply, it selects the default gateway for the LAN which is the primary SRX (the VRRP master).

Re: conditional route based on VRRP status

03-29-2013 10:50 AM

I'm facing a similar design situation. I'd be eager to hear if someone has an elegant solution, because I haven't found any. As far as I can see, you have to make sure this condition doesn't occur:

"there are still some occasional events where the secondary receives packets destined for the DMZ"

Re: conditional route based on VRRP status

03-29-2013 11:02 AM

as far as I can see you have to make sure this condition doesn't occur:

"there are still some occasional events where the secondary receives packets destined for the DMZ"


In our particular environment, this can be solved with additional routers. The easiest solution is to not have those security devices providing VRRP for servers. And after learning that there's nothing I can do to squelch that direct route installed by the interfaces, it looks like that's exactly what I'll be doing.

Re: conditional route based on VRRP status

03-30-2013 09:35 AM

Hello,

You could run BGP conditional advertisement between each SRX and 2 Core routers

http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/configuring-the-condition-sta... 

The condition should look like (assuming You are doing all routing in inet.0):

condition VRRP-master-/32 {
    if-route-exists <VRRP-VIP/32> table inet.0;
}

HTH

Thanks

Alex

Re: conditional route based on VRRP status

04-01-2013 08:12 AM

Any reason they're not clustered?  That would solve the issue.... Even in an active/active scenario.

-------------------------------------------------------------------------------
Ben Boyd
Sr. Solutions Architect
Integration Partners (http://www.integrationpartners.com)
JNCIE-M, JNCIE-ENT, JNCIP-SEC, JNCIA-EX
Twitter - @ozark46
Re: conditional route based on VRRP status

04-01-2013 08:23 AM

Any reason they're not clustered?  That would solve the issue.... Even in an active/active scenario.


Downtime.

My understanding is that you can't upgrade a cluster of branch SRX without downtime.  When we do JUNOS upgrades or change configurations we simply overload OSPF and all the traffic moves onto the secondary.

Re: conditional route based on VRRP status

04-01-2013 09:29 AM

@rjtaylor wrote:

Any reason they're not clustered?  That would solve the issue.... Even in an active/active scenario.


Downtime.

My understanding is that you can't upgrade a cluster of branch SRX without downtime. When we do JUNOS upgrades or change configurations we simply overload OSPF and all the traffic moves onto the secondary.

Fair enough.  If you have a lab, you should check out the ISSU with no SYN and no SEQ checking on the branch series. It's really come a LONG way.  I've seen 30 seconds downtime worst case.

-------------------------------------------------------------------------------
Ben Boyd

Re: conditional route based on VRRP status

04-01-2013 03:22 PM

rjtaylor wrote:


Downtime.

My understanding is that you can't upgrade a cluster of branch SRX without downtime.  When we do JUNOS upgrades or change configurations we simply overload OSPF and all the traffic moves onto the secondary.


Any existing sessions would have to re-establish after the traffic moves to the other SRX... so are you really avoiding any "downtime" here?  When you fail the path to the other device, you're going to have traffic stop momentarily.

-kr


Re: conditional route based on VRRP status

04-02-2013 04:44 AM

@keithr wrote:
Any existing sessions would have to re-establish after the traffic moves to the other SRX... so are you really avoiding any "downtime" here?  

For most of the protocols that flow through these things, it isn't a problem since they're either stateless or they don't have end users sitting on them (DNS, SMTP, etc). The applications most scrutinized are RDP/ICA/PCoIP and the like. We move traffic during the most quiet times available and those sessions typically reestablish without headache.

Don't get me wrong, I'd *love* to maintain a single set of firewall rules. However, until an SRX cluster can perform a real in-service software upgrade, two units coupled with routing protocols and VRRP work better for us.

Re: conditional route based on VRRP status

08-08-2013 11:16 PM

I guess I found a solution.

The only way to beat a direct route is to provide a more specific route to the same destination. Two static half routes shadow the one direct route. These static routes are then redistributed into OSPF and sent across to the peer router. This way the routers will route packets based on the OSPF routes and ignore the direct routes.

Below is an example of "shadowing":

interfaces {
    ge-0/0/4 {
        description "connected to ge-0/0/5";
        vlan-tagging;
        unit 1 {
            vlan-id 100;
            family inet {
                address 10.0.1.1/24 {
                    vrrp-group 2 {
                        virtual-address 10.0.1.254;
                        priority 110;
                        preempt;
                        accept-data;
                    }
                }
            }
        }
    }
}

routing-options {
    static {
        route 10.0.1.0/25 {
            next-hop 10.0.1.5;
            no-install;
            no-resolve;
            preference 150;
        }
        route 10.0.1.128/25 {
            next-hop 10.0.1.5;
            no-install;
            no-resolve;
            preference 150;
        }
    }
}

"preference 150" is set to make it comparable with OSPF routes.

"no-install" is set so as not to screw up normal packet forwarding.

"next-hop 10.0.1.5" and "no-resolve" are set to add some interface status tracking, so when the interface goes down, the route will disappear. If you do not care about tracking, just replace it with "discard". "10.0.1.5" is just an IP within the target subnet; it can be set to any other IP except the local interface one.

I have attached a full config of an SRX240 which emulates a network with 2 routers and 2 hosts, connected like this:

               H1
                |
       ---------VRRP--------
       |                   |
      R1                  R2 ---------- H2
       |                   |
       ---------------------

R1 is VRRP master.

When H2 is trying to reach H1, traffic goes H2 -> R2 -> R1 -> H1 and returns the same way, without any asymmetric routing.

BTW: There is a way to prevent the direct route from being installed in the routing table: just declare it "martian" :-). But it does not help much.
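As an added illustration (not code from this post or from Junos), a small Python model of the route selection on the backup router R2 once the "half routes" are in play: the two /25 halves learned via OSPF from R1 win the longest-prefix match over the connected /24, so R2 hands DMZ-bound packets to the VRRP master instead of putting them on the LAN. It also checks that the halves cover the connected prefix exactly, which is the one thing that must hold for the shadowing to be safe; the R1 address 10.0.0.1 on the inter-router link is assumed.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    protocol: str     # "direct", "static" or "ospf"
    preference: int   # Junos-style preference: lower wins among equal-length prefixes
    next_hop: str     # interface name (direct) or next-hop address


def shadow_routes(connected: str, next_hop: str, preference: int = 150):
    """Split a connected prefix into its two halves, the "half routes" of the post.
    Works for any prefix length; the post shows only the /24 -> 2 x /25 case."""
    net = ipaddress.ip_network(connected)
    return [Route(half, "static", preference, next_hop)
            for half in net.subnets(prefixlen_diff=1)]


def covers_exactly(halves, connected: str) -> bool:
    """Sanity check: the halves must cover the connected prefix and nothing else."""
    merged = list(ipaddress.collapse_addresses(r.prefix for r in halves))
    return merged == [ipaddress.ip_network(connected)]


def best_route(rib, dst: str) -> Optional[Route]:
    """Longest prefix match first, then lowest preference (basic RIB selection)."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in rib if addr in r.prefix]
    if not cands:
        return None
    return min(cands, key=lambda r: (-r.prefix.prefixlen, r.preference))


# Backup router R2 as described in the post: 10.0.1.0/24 is its connected route,
# and the two /25 halves arrive via OSPF from R1 (OSPF external preference 150).
# The R1 address 10.0.0.1 on the inter-router link is constructed for this example.
R2_RIB = [Route(ipaddress.ip_network("10.0.1.0/24"), "direct", 0, "ge-0/0/4.1")] + [
    Route(r.prefix, "ospf", 150, "10.0.0.1")
    for r in shadow_routes("10.0.1.0/24", "10.0.1.5")
]


def r2_next_hop(dst: str) -> str:
    """Where R2 forwards a DMZ-bound packet: to R1 (VRRP master), not onto the LAN."""
    route = best_route(R2_RIB, dst)
    return route.next_hop if route else "no route"


if __name__ == "__main__":
    for host in ("10.0.1.10", "10.0.1.200"):
        print(host, "->", r2_next_hop(host))
```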
