First, here's my setup:
We have an inter-link between two virtual-router instances, known as SOC01 and SOC02. Since I was lazy and didn't want to tear down my SRX for this post, I built two loopback interfaces, one in each virtual-router instance (SOC01 and SOC02). These sit in our zone known as trust, while the inter-link is our outside untrust zone. In reality, these could have been a real physical interface for the LAN or an 802.1Q sub-interface for LAN access. I will set a static route in each VR instance for the remote loopback address, and we will test reachability from each VR instance to the opposite VR instance with a simple ping.
Security zones:
SOC01-untrust
SOC02-untrust
SOC01-trust
SOC02-trust
Interfaces:
lt-0/0/0 unit 1  1.0.0.1/30 (VR instance SOC01, peer-unit 2)
lt-0/0/0 unit 2  1.0.0.2/30 (VR instance SOC02, peer-unit 1)
lo0.10  10.10.10.10/32 (VR instance SOC01)
lo0.20  10.10.10.20/32 (VR instance SOC02)
NOTE: The lt interface is known as a logical tunnel and is a purely virtual interface.
- all interfaces on an SRX must be placed in a named security zone, including the logical tunnel units
- you have to define the VR instance and assign the interfaces to that instance
- the logical tunnel units are defined with ethernet encapsulation (with family inet on top), so the link behaves like an Ethernet segment and resolves its peer with ARP; the two units are paired with peer-unit, so each end needs its own unit number
- by default, all interfaces are in the default instance and routing table (inet.0)
Okay, let's look at the cfg:
Finally, we will test from each VR instance to the opposite loopback with ICMP pings. If we had real LAN interfaces, we could write firewall policies to allow traffic to the local network hosts.
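The cfg itself is not reproduced on this page, so here is an added example (written for this edit, not the original post's configuration) of one way to build the lab above in Junos set syntax, covering the interfaces, VR instances, zones and the ping test. Assumptions, labelled in the comments: the lt unit numbers 1 and 2 (the two ends of a logical tunnel need distinct units paired with peer-unit), the policy name allow-ping and the predefined junos-ping application, and the host-inbound-traffic ping settings, which are only needed because the test endpoints are the SRX's own loopbacks rather than LAN hosts.

```junos
## Added example, not the original post's configuration. Junos set syntax.
## Unit numbers, the policy name and the any/any match are lab assumptions.

## 1. Logical tunnel: one unit per VR, each pointing at the other via peer-unit.
##    encapsulation ethernet makes the link behave like an Ethernet segment (ARP).
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 2
set interfaces lt-0/0/0 unit 1 family inet address 1.0.0.1/30
set interfaces lt-0/0/0 unit 2 encapsulation ethernet
set interfaces lt-0/0/0 unit 2 peer-unit 1
set interfaces lt-0/0/0 unit 2 family inet address 1.0.0.2/30

## 2. Loopbacks standing in for the LAN side of each VR.
set interfaces lo0 unit 10 family inet address 10.10.10.10/32
set interfaces lo0 unit 20 family inet address 10.10.10.20/32

## 3. Virtual-router instances: pull the interfaces out of inet.0 and add the
##    static route to the far loopback via the lt peer address.
set routing-instances SOC01 instance-type virtual-router
set routing-instances SOC01 interface lt-0/0/0.1
set routing-instances SOC01 interface lo0.10
set routing-instances SOC01 routing-options static route 10.10.10.20/32 next-hop 1.0.0.2
set routing-instances SOC02 instance-type virtual-router
set routing-instances SOC02 interface lt-0/0/0.2
set routing-instances SOC02 interface lo0.20
set routing-instances SOC02 routing-options static route 10.10.10.10/32 next-hop 1.0.0.1

## 4. Zones: every interface, lt units included, must belong to one.
##    host-inbound-traffic ping is needed only because the echo requests are
##    addressed to the SRX itself (the loopbacks); real LAN hosts would not need it.
set security zones security-zone SOC01-untrust interfaces lt-0/0/0.1
set security zones security-zone SOC01-untrust host-inbound-traffic system-services ping
set security zones security-zone SOC02-untrust interfaces lt-0/0/0.2
set security zones security-zone SOC02-untrust host-inbound-traffic system-services ping
set security zones security-zone SOC01-trust interfaces lo0.10
set security zones security-zone SOC01-trust host-inbound-traffic system-services ping
set security zones security-zone SOC02-trust interfaces lo0.20
set security zones security-zone SOC02-trust host-inbound-traffic system-services ping

## 5. Policies for the transit case (a real LAN behind each VR), one pair per
##    direction. The inter-VR link is still a zone boundary inspected by the
##    flow engine, so tighten these beyond any/any junos-ping outside a lab.
set security policies from-zone SOC01-trust to-zone SOC01-untrust policy allow-ping match source-address any
set security policies from-zone SOC01-trust to-zone SOC01-untrust policy allow-ping match destination-address any
set security policies from-zone SOC01-trust to-zone SOC01-untrust policy allow-ping match application junos-ping
set security policies from-zone SOC01-trust to-zone SOC01-untrust policy allow-ping then permit
set security policies from-zone SOC02-untrust to-zone SOC02-trust policy allow-ping match source-address any
set security policies from-zone SOC02-untrust to-zone SOC02-trust policy allow-ping match destination-address any
set security policies from-zone SOC02-untrust to-zone SOC02-trust policy allow-ping match application junos-ping
set security policies from-zone SOC02-untrust to-zone SOC02-trust policy allow-ping then permit
set security policies from-zone SOC02-trust to-zone SOC02-untrust policy allow-ping match source-address any
set security policies from-zone SOC02-trust to-zone SOC02-untrust policy allow-ping match destination-address any
set security policies from-zone SOC02-trust to-zone SOC02-untrust policy allow-ping match application junos-ping
set security policies from-zone SOC02-trust to-zone SOC02-untrust policy allow-ping then permit
set security policies from-zone SOC01-untrust to-zone SOC01-trust policy allow-ping match source-address any
set security policies from-zone SOC01-untrust to-zone SOC01-trust policy allow-ping match destination-address any
set security policies from-zone SOC01-untrust to-zone SOC01-trust policy allow-ping match application junos-ping
set security policies from-zone SOC01-untrust to-zone SOC01-trust policy allow-ping then permit
commit

## 6. Verification (operational commands, run from configuration mode): the
##    static route lands in the VR's own table, the lt units are up, and each
##    ping is sourced from the VR's loopback so it actually crosses the tunnel.
run show route table SOC01.inet.0
run show route table SOC02.inet.0
run show interfaces lt-0/0/0 terse
run ping 10.10.10.20 routing-instance SOC01 source 10.10.10.10 count 3
run ping 10.10.10.10 routing-instance SOC02 source 10.10.10.20 count 3
run show security flow session
```

The point to check in step 6 is that the pings are issued with both routing-instance and source: a plain ping from the SRX would be resolved in inet.0, where neither loopback lives, and would fail for a reason that has nothing to do with the tunnel. The show security flow session output is also the reminder that traffic crossing an lt link is not a shortcut around the firewall; it is sessionized and policy-checked like any other zone-to-zone flow, which is exactly why two tenants can be kept in separate VRs and zones on the same box.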
The logical tunnel interface helps us by not requiring an external router or wasting precious physical interfaces on our SRX to carry traffic between virtual-router instances. The traffic is carried locally within the SRX fabric.
I hope you found this post useful and saw how easily you can configure inter-VR links between multiple virtual routers. You could just as easily configure a dynamic routing protocol such as BGP or OSPF between the various peers if required.
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Ken