vSRX

Vlan-Tagging vSRX - AWS Problem - NO untrust traffic

05-20-2020 10:03 AM

Hi,

 

This is my case:


I've launched a vSRX in AWS VPC.

 

I configured my vSRX with 5 interfaces: 2 public (fxp0 and ge-0/0/0) and 3 private.

I need the subnetwork of interface ge-0/0/0 (public) to be of type trunk.

Normally the following configuration would be valid on a non-virtualized SRX, but when I configure vlan-tagging on the vSRX the connection to the outside is lost:

set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 0 description "PUBLIC: Connected to LAN Vlans - 172.31.100.10/28 (eth1)"
set interfaces ge-0/0/0 unit 0 vlan-id 100

traceroute  routing-instance VR_DTA source 172.31.100.10 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8) from 172.31.100.10, 30 hops max, 52 byte packets
 1  ec2-79-125-0-235.eu-west-1.compute.amazonaws.com (79.125.0.235)  8.333 ms ec2-79-125-0-237.eu-west-1.compute.amazonaws.com (79.125.0.237)  2.736 ms ec2-79-125-0-212.eu-west-1.compute.amazonaws.com (79.125.0.212)  29.295 ms
 2  100.66.8.36 (100.66.8.36)  17.888 ms 100.65.33.32 (100.65.33.32)  3.486 ms 100.66.8.46 (100.66.8.46)  17.061 ms
 3  100.66.16.8 (100.66.16.8)  3.330 ms 100.66.11.98 (100.66.11.98)  13.942 ms 100.66.10.160 (100.66.10.160)  19.371 ms

 

 

ping  routing-instance VR_DTA source 172.31.100.10 8.8.8.8
1 * 


I understand that this is because the other end of the trunk is the AWS gateway, which does not understand this configuration.


Is it possible to configure vlan-tagging on a vSRX in AWS? In such a case, how do I do it?

 

My need is to build a lab in AWS VPC with the following:

SITE 1:
1 vsrx 
1 Trust Zone: private subnets (interfaces ge-0/0/1.0, ge-0/0/2.0 & ge-0/0/3.0 for example)
1 Untrust: public interface (ge-0/0/0.0) vlan-tagging - trunk

 

This trunk (interface ge-0/0/0.0) is connected to a router (the router is between sites).

 

SITE 2:

3 subnets 

 

SITE 1 subnets must communicate with their respective subnets on SITE 2 through the vSRX and Router.

 

Example:  SITE 1 subnet1 --> vSRX --> out through the trunk interface --> reach the Router --> reach SITE 2 subnet 1.

 

All this in AWS VPC.
Thank you very much for your help in advance
Best regards!


Re: Vlan-Tagging vSRX - AWS Problem - NO untrust traffic

05-21-2020 02:57 AM

The fxp0 interface is for mgmt of the device only; it does not permit transit traffic. You will need to move the untrust traffic off of this interface to one of the transit ones.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Vlan-Tagging vSRX - AWS Problem - NO untrust traffic

05-21-2020 03:04 AM

Hi, thank you!

Yes, I know, that's why I have two "public" interfaces: one for fxp0 and another for traffic.

 

I also have a separate virtual router where the traffic interfaces are (public and private), and fxp0 remains in inet.0.

 

My problem is with the trunk vlan-tagging interface, not with fxp0.

 

Thank you anyway!
Best regards


Re: Vlan-Tagging vSRX - AWS Problem - NO untrust traffic

05-21-2020 04:53 AM

Hi Chaimae,

 

Good day!!

 

vSRX can be deployed in a virtual private cloud (VPC) in the Amazon Web Services (AWS) cloud. You can launch vSRX as an Amazon Elastic Compute Cloud (EC2) instance in an Amazon VPC dedicated to a specific user account. The vSRX Amazon Machine Image (AMI) uses hardware virtual machine (HVM) virtualization.

 

In the Amazon VPC, public subnets have access to the Internet gateway, but private subnets do not. vSRX requires two public subnets and one or more private subnets for each individual instance group. The public subnets consist of one for the management interface (fxp0) and one for a revenue (data) interface. The private subnets, connected to the other vSRX interfaces, ensure that all traffic between applications on the private subnets and the Internet must pass through the vSRX instance.

 

Kindly find the below document:

 

https://www.juniper.net/documentation/en_US/vsrx/topics/concept/security-vsrx-aws-overview.html

 

Please mark "Accepted Solution" if this helps.

Kudos are always appreciated

 

Thanks 
Suraj S Rao


Re: Vlan-Tagging vSRX - AWS Problem - NO untrust traffic

05-21-2020 05:09 AM

Hi Suraj!

Thank you so much for your help!

That's exactly my configuration and the guide I've followed. I have internet access from all sites, and everything is working.

 

Besides that, I need my public interface to be a trunk (vlan-tagged), and that's when the problem comes.

 

After vlan-tagging is applied, it stops working.

 

Thank you


Re: Vlan-Tagging vSRX - AWS Problem - NO untrust traffic

05-21-2020 06:02 PM

Hi chaimae,


Good day!!


Thank you so much for your response.


Please let me know if you have any question or comment in this regard; I'll be happy to help.


Please mark "Accepted Solution" if this helps.


Kudos are always appreciated
Thanks 

Suraj Rao


Re: Vlan-Tagging vSRX - AWS Problem - NO untrust traffic

05-22-2020 01:35 AM

Hi Suraj!

Thank you very much.

 

Yes, actually my doubt remains.

What I'm trying to do is to build this architecture (roughly):

 

SITE 1:
3 Private Subnets (vlans: a, b and c)
vSRX
Router
1 Public interface

 

SITE 2:
Other devices.... x
3 Subnets (vlans: a, b and c)

 

I need traffic from the private subnets in Site 1 to communicate with the private subnets in Site 2, passing through the firewall.

The connectivity between the SRX and the Router must be a TRUNK link serving these 3 vlans.

 

Now, this is what I have configured on the SRX:

 

VR:
inet.0 --> fxp0
VR_DTA (data) --> ge-0/0/0 (public interface)

 

VR_DTA contains:
ge-0/0/0.0 --> Public
ge-0/0/1.0 --> Private
ge-0/0/2.0 --> Private
ge-0/0/3.0 --> Private

 

ge-0/0/0.0:

...interface ge-0/0/0 vlan-tagging
...interface ge-0/0/0 unit 0 vlan-id xx

 

As soon as I configure vlan-tagging, ge-0/0/0 stops pinging its own gateway or any other public IPs...

This is where I get confused... I've made this configuration on a non-virtual SRX. Is vlan-tagging not supported on vSRX, or is it not possible in AWS?

 

Thank you indeed.
Best regards
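The VR/interface/zone layout described in this post, together with the vlan-tagging lines from the original question, as an added example that is not part of the thread or of any Juniper tool: a small Python lint over Junos "set" commands that rebuilds which units are 802.1Q-tagged, which virtual router and zone they belong to, and flags tagged units on the untrust side, which is the unit that stopped reaching its gateway here. The sample configuration inside the block is constructed to mirror the thread; the addresses, zone names and the ge-0/0/1 line are assumptions.

```python
"""Added example (not from the thread): lint Junos 'set' lines to rebuild the
interface / routing-instance / zone layout and flag 802.1Q-tagged units on
the untrust (AWS-facing) side, the symptom the poster reports."""

# Constructed sample mirroring the thread: fxp0 stays in inet.0, VR_DTA holds
# the data interfaces, vlan-tagging is applied to the public interface.
SAMPLE_CONFIG = """
set interfaces fxp0 unit 0 family inet address 172.31.0.10/24
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 0 description "PUBLIC: Connected to LAN Vlans"
set interfaces ge-0/0/0 unit 0 vlan-id 100
set interfaces ge-0/0/0 unit 0 family inet address 172.31.100.10/28
set interfaces ge-0/0/1 unit 0 family inet address 10.0.1.10/24
set routing-instances VR_DTA instance-type virtual-router
set routing-instances VR_DTA interface ge-0/0/0.0
set routing-instances VR_DTA interface ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
"""

def parse_set_config(text):
    """Return (tagged physical ifaces, per-unit attrs, routing instance per
    unit, zone per unit); statements the lint does not need are ignored."""
    tagged, units, ri_of, zone_of = set(), {}, {}, {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "interfaces":
            if tok[3] == "vlan-tagging":
                tagged.add(tok[2])
            elif tok[3] == "unit" and len(tok) >= 5:
                attrs = units.setdefault(f"{tok[2]}.{tok[4]}", {})
                if len(tok) >= 7 and tok[5] == "vlan-id":
                    attrs["vlan-id"] = tok[6]
        elif tok[1] == "routing-instances" and len(tok) >= 5 and tok[3] == "interface":
            ri_of[tok[4]] = tok[2]   # unit -> virtual router name
        elif tok[1:3] == ["security", "zones"] and len(tok) >= 7 and tok[5] == "interfaces":
            zone_of[tok[6]] = tok[4]  # unit -> security zone
    return tagged, units, ri_of, zone_of

def find_tagged_untrust_units(text):
    """Units in the untrust zone whose physical interface has vlan-tagging,
    i.e. units that send 802.1Q-tagged frames toward the VPC gateway."""
    tagged, units, ri_of, zone_of = parse_set_config(text)
    return [{"unit": u, "vlan_id": a.get("vlan-id"),
             "routing_instance": ri_of.get(u, "inet.0")}
            for u, a in units.items()
            if u.split(".")[0] in tagged and zone_of.get(u) == "untrust"]
```

Run find_tagged_untrust_units over the output of "show configuration | display set" to get the list of units to check against the VPC side before relying on a trunk.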


Re: Vlan-Tagging vSRX - AWS Problem - NO untrust traffic

05-22-2020 02:33 AM

Hi Chaimae,

 

Thanks for the response.

 

Maybe the feature is not supported in the vSRX.

 

Please find the below document:

https://www.juniper.net/documentation/en_US/vsrx15.1x49/topics/concept/security-vsrx-feature-support...

 

Please mark "Accepted Solution" if this helps.

 

Kudos are always appreciated

 

Thanks

Suraj Rao


Re: Vlan-Tagging vSRX - AWS Problem - NO untrust traffic

05-25-2020 06:23 AM

Hi Suraj,

 

Thank you for your help. I've read and followed all the information regarding AWS - vSRX, including the one you attached.

 

Maybe it is not supported, but I cannot be sure based on that information, because the information related to 802.1... is related to 802.1X, which is not what I'm trying to achieve; neither is Layer 3 Q-in-Q VLAN tagging.

 

So I'm not sure, but I don't think it is unsupported by vSRX; rather, it may not be supported by AWS subnets. Not sure at all.

Thank you, I'll keep trying though.


Best regards!
