vSRX

Accessing fxp0 Out of Band management interfaces of a cluster over (Policy-Based) VPN

‎03-28-2020 12:03 AM

Hello, 

Are there any ideas for a workaround to enable access to the SRX mgmt interface via a Policy-based VPN tunnel?


I tried route leaking, but it still didn't help to enable access to the SRX MGMT interface (fxp0) via a Policy-Based VPN tunnel.

I think that since a Policy-Based VPN requires the external interface and the related static route to be in the main routing table, as fxp0 is, the traffic targeted at fxp0 will always prefer the local interface (fxp0) rather than being sent to another instance and then to fxp0 via some mgmt switch.


This solution is discussed here, but with a Route-Based VPN, not a Policy-based one:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30949


I tried the same idea by creating a VR instance and putting all interfaces there, so that the traffic later has to go via the mgmt switch and then to fxp0 as in the above solution, but the tunnel never comes up, since ("my assumption") the external interface is in an instance other than the main one.


Re: Accessing fxp0 Out of Band management interfaces of a cluster over (Policy-Based) VPN

‎03-31-2020 03:14 AM

Hi,

What are you trying to achieve? The oob-management interface (fxp0) is just for that: _physical out-of-band_ management access. You seem to want to manage the router in-band: traffic coming in over revenue interfaces (maybe even over a tunnel, which is only supported when that traffic comes in over the forwarding plane). These are two different things which can't be combined afaik.

Regards

Ulf

--
If this worked for you please flag my post as an 'Accepted Solution' so others can benefit. A kudo would be cool if you think I earned it.

Re: Accessing fxp0 Out of Band management interfaces of a cluster over (Policy-Based) VPN

‎04-01-2020 03:01 AM

Hi Ulf, 

Yes, you got it right.

We have a customer-isolated PBX LAN; the SRX cluster will be used only for terminating the VPN tunnel over the internet to manage this LAN's switches and the SRX via our NOC, so the topology looks like this:

Our NOC --> FW --> INTERNET -- ISP Router --> 340 SRX Cluster --> EX-4300 MGM switch --> some LAN switches.

So the only traffic that will pass via the SRX is the mgmt traffic; PBX traffic will be local to the switches.

The SRX & the other switches are connected via their mgmt interfaces (fxp0 on the SRX & em0 on the EX switches) to this MGMT switch.

A policy-based tunnel is built between the NOC FW & the SRX; on the inside SRX reth interface an IP from the mgmt subnet is configured, IPs from the mgmt subnet are also configured on the fxp0 & em0 interfaces, and the goal is to reach these mgmt IPs from the NOC via the VPN tunnel.

Reaching all the MGMT IPs works, except for fxp0, and this is my problem.

Yes, I know it's not real out-of-band mgmt, but it's the solution we have.

I believe disconnecting fxp0 and using the inside reth interface IP for mgmt would be a solution here, but I'm not sure if it is a good one.

Another solution is using a route-based VPN (as in the link below), but it seems the NOC side wants to keep it policy-based:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB30949



Re: Accessing fxp0 Out of Band management interfaces of a cluster over (Policy-Based) VPN

‎04-01-2020 04:31 AM

Hi,

Well, maybe I wasn't clear 😉 fxp0 is meant to out-of-band manage _the SRX_ and not (a) network(s) the fxp0 interface is connected to. Usually JUNOS devices (intentionally!) don't even forward traffic incoming over revenue interfaces out the oob interface or vice versa. So consider yourself lucky, but don't try to squeeze more out of this than what's meant to be there.

Two ways forward imho:

1. "I believe disconnecting fxp0 and using the inside reth interface IP for mgmt will be a solution"

2. Configure a loopback (lo0.x) on the SRX and try to reach that to manage the SRX instead of via the fxp0 interface (stop-gap / interim).

Regards

Ulf

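As an added illustration of option 2 above (this is not configuration from the thread or from Juniper; it is an example written for this page), the set commands below put a loopback address on the SRX, place lo0.0 in its own zone that only accepts SSH and ping, and tie an inbound policy from the VPN zone to that loopback to the existing policy-based tunnel. The zone name `mgmt-lo0`, the VPN object name `noc-vpn`, the zone name `untrust` for the tunnel's external interface, and the addresses 192.0.2.0/24 (NOC network) and 10.255.255.1/32 (loopback) are all assumed placeholders; it also goes slightly beyond the reply by restricting host-inbound services on the new zone and logging the sessions, which is what a reviewer would expect for an in-band management path.

```junos
## Added example: manage the SRX over a policy-based VPN via a loopback
## address instead of fxp0. Every name and address here is a placeholder:
##   192.0.2.0/24   NOC network behind the NOC firewall
##   10.255.255.1   loopback address used as the management target
##   untrust        zone holding the VPN external interface
##   noc-vpn        the already configured policy-based IPsec VPN object

## 1. Loopback address that the NOC will manage the SRX through
set interfaces lo0 unit 0 family inet address 10.255.255.1/32

## 2. Put lo0.0 in a dedicated zone and permit only the management
##    services the NOC needs; host-inbound-traffic is what lets the
##    routing engine accept them on this zone at all.
set security zones security-zone mgmt-lo0 interfaces lo0.0
set security zones security-zone mgmt-lo0 host-inbound-traffic system-services ssh
set security zones security-zone mgmt-lo0 host-inbound-traffic system-services ping

## 3. Address-book entries referenced by the policy
set security address-book global address NOC-NET 192.0.2.0/24
set security address-book global address SRX-LO0 10.255.255.1/32

## 4. Inbound policy from the tunnel zone to the loopback zone, bound to
##    the policy-based VPN. The proxy-ID of a policy-based VPN is derived
##    from these policy addresses, so the NOC firewall's traffic selector
##    must include 10.255.255.1/32 or phase 2 will not negotiate for it.
set security policies from-zone untrust to-zone mgmt-lo0 policy noc-to-srx match source-address NOC-NET
set security policies from-zone untrust to-zone mgmt-lo0 policy noc-to-srx match destination-address SRX-LO0
set security policies from-zone untrust to-zone mgmt-lo0 policy noc-to-srx match application junos-ssh
set security policies from-zone untrust to-zone mgmt-lo0 policy noc-to-srx match application junos-ping
set security policies from-zone untrust to-zone mgmt-lo0 policy noc-to-srx then permit tunnel ipsec-vpn noc-vpn
set security policies from-zone untrust to-zone mgmt-lo0 policy noc-to-srx then log session-init
set security policies from-zone untrust to-zone mgmt-lo0 policy noc-to-srx then log session-close

## 5. SSH must be enabled on the system itself as well
set system services ssh

## Checks after commit, from the SRX CLI:
##   show security ipsec security-associations
##   show security flow session destination-prefix 10.255.255.1
```

Because lo0.0 is a flow-plane interface, management sessions to it are subject to the security policy and zone host-inbound-traffic settings like any other traffic, which is exactly why this works where fxp0 (handled outside the forwarding plane) does not. Keep the permitted services and the source address as narrow as the NOC actually needs.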