Configuring dual ISP on SRX device to connect to Sky Enterprise

Article ID: KB36428 KB Last Updated: 25 Jan 2021Version: 1.0
Summary:

This article provides the configuration needed to add an SRX device that connects to the Internet via dual ISPs to Sky Enterprise, when the SRX communicates through a custom routing-instance. In this scenario the primary ISP is on the default inet.0 routing-instance and the secondary ISP is on the custom routing-instance ISP2 (table ISP2.inet.0).

Symptoms:

The SRX is installed in a network that uses dual ISPs. The primary ISP uses an interface on the default inet.0 routing-instance, while the secondary interface is in the routing-instance called ISP2. If routing via the primary ISP fails, traffic traverses the secondary interface via routing-instance ISP2.

Example Topology
[LAN]---------------------------ge-0/0/1 [SRX] ge-0/0/0--------------------------------Primary ISP
           192.168.1.0/24                           |                         10.1.1.1/24
                                                    |
                                               ge-0/0/2 ----------------------------------- ISP2
                                                                              10.2.1.1/24

SRX Configuration

  • DNS is configured as follows:

set system name-server 8.8.8.8
  • The configuration provided by Sky Enterprise when adding a device is shown below:

set system services ssh protocol-version v2
set system login user skyenterprise class super-user authentication encrypted-password $ABC123
set system services outbound-ssh client skyenterprise-ncd01 device-id srx320-r003-junipernetworks secret <secret>
set system services outbound-ssh client skyenterprise-ncd01 services netconf keep-alive retry 3 timeout 5
set system services outbound-ssh client skyenterprise-ncd01 skyent01.juniper.net port 4087 timeout 60 retry 1000
set system services outbound-ssh client skyenterprise-ncd02 device-id srx320-r003-junipernetworks secret <secret>
set system services outbound-ssh client skyenterprise-ncd02 services netconf keep-alive retry 3 timeout 5
set system services outbound-ssh client skyenterprise-ncd02 skyent02.juniper.net port 4087 timeout 60 retry 1000
  • The routing-instance configuration is as follows:

set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.10/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.10/24
set interfaces ge-0/0/2 unit 0 family inet address 10.2.1.10/24
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone ISP2 interfaces ge-0/0/2.0
set routing-instances ISP2 instance-type virtual-router
set routing-instances ISP2 interface ge-0/0/2.0

In the above configuration, the SRX device sends traffic out through ge-0/0/0.0 while the primary ISP is up. If that ISP fails, traffic goes out through ge-0/0/2.0 to the secondary ISP via routing-instance ISP2.

Cause:

When the device attempts to communicate with Sky Enterprise, it sources the connection from the default routing table (inet.0). This is expected behavior, so the connection is not re-routed through ISP2 on its own when the primary ISP fails.

Solution:

Create a loopback interface to source the Sky Enterprise connection, so that when the primary ISP fails the connection can be routed into the custom routing instance. Then exchange interface routes between inet.0 and the ISP2 routing instance, and import routes from the default routing instance into the ISP2 routing instance.

A sample configuration:

  • Configuring the interface

set interfaces lo0 unit 0 family inet address 192.168.10.1/24
Note: Do not use a martian address for the lo0 address (for example, 127.0.0.1/32); such routes are never installed or forwarded. For more information on martian routes, refer to Understanding Martian addresses.
  • Assigning security zones

set security zones security-zone trust interfaces lo0.0
  • NAT configuration

When a new NETCONF connection is made to Sky Enterprise, it uses the loopback IP address as its source. Hence, a source NAT rule is required to translate this to an address that is routable over the Internet; the rule below applies to traffic originating from the device itself (zone junos-host) and leaving via routing-instance ISP2.

set security nat source rule-set interfacebasednat from zone junos-host
set security nat source rule-set interfacebasednat to routing-instance ISP2
set security nat source rule-set interfacebasednat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set interfacebasednat rule 1 then source-nat interface
  • Set the default route for the primary ISP, and a floating static route to fail over to the backup

set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 10.2.1.1 preference 20
set routing-options static route 0.0.0.0/0 preference 10

  • Exchange Interface Routes between inet.0 and ISP2.inet.0

set routing-options interface-routes rib-group inet ToISP2
set routing-options rib-groups ToISP2 import-rib inet.0
set routing-options rib-groups ToISP2 import-rib ISP2.inet.0
set routing-instances ISP2 routing-options interface-routes rib-group inet ToISP2
  • Import routes from the default routing instance into the ISP2 routing instance

set policy-options policy-statement master-to-custom term 1 from instance master
set policy-options policy-statement master-to-custom term 1 then accept
set routing-instances ISP2 routing-options instance-import master-to-custom
  • Import only the direct (interface) routes of the default routing instance into ISP2

set policy-options policy-statement RI_ISP2 term 1 from instance master
set policy-options policy-statement RI_ISP2 term 1 from protocol direct
set policy-options policy-statement RI_ISP2 term 1 then accept
set routing-instances ISP2 routing-options instance-import RI_ISP2
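The routing-instance name has to agree across the instance stanza, the NAT rule-set (`to routing-instance`), the rib-group (`import-rib ISP2.inet.0`) and the instance-import policies, otherwise some statements point at a table that does not exist. As an added example (not the article's or Juniper's code), here is a small Python lint that scans "set"-style lines for instances that are referenced but never given an instance-type, instances defined but never used by NAT or a rib-group, and instance-import policies that are never defined. The sample configuration is constructed and deliberately names the instance stanza custom-vr while the other statements use ISP2.

```python
import re
from collections import defaultdict

# Constructed sample of the dual-ISP statements: the instance stanza is deliberately
# named custom-vr while NAT, the rib-group and instance-import refer to ISP2.
SAMPLE_CONFIG = """
set routing-instances custom-vr instance-type virtual-router
set security nat source rule-set interfacebasednat to routing-instance ISP2
set routing-options rib-groups ToISP2 import-rib inet.0
set routing-options rib-groups ToISP2 import-rib ISP2.inet.0
set policy-options policy-statement RI_ISP2 term 1 from instance master
set routing-instances ISP2 routing-options instance-import RI_ISP2
set routing-instances custom-vr routing-options instance-import master-to-custom
"""

# Places that name a routing instance, with the label used in the report
_INSTANCE_REFS = [
    (re.compile(r"^set routing-instances (\S+) (?!instance-type)"), "routing-instances stanza"),
    (re.compile(r" to routing-instance (\S+)$"), "NAT rule-set"),
    (re.compile(r" import-rib (\S+)\.inet\.0$"), "rib-group import-rib"),
]

def check_config(config_text):
    """Lint 'set'-style Junos config; a consistent config returns only empty values."""
    defined, refs, policies, imported = set(), defaultdict(set), set(), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        m = re.match(r"^set routing-instances (\S+) instance-type ", line)
        if m:
            defined.add(m.group(1))          # instance actually created
        for pat, label in _INSTANCE_REFS:
            m = pat.search(line)
            if m:
                refs[m.group(1)].add(label)  # instance named somewhere
        m = re.match(r"^set policy-options policy-statement (\S+) ", line)
        if m:
            policies.add(m.group(1))
        m = re.search(r" instance-import (\S+)$", line)
        if m:
            imported.add(m.group(1))
    # "external" = referenced by NAT or a rib-group, i.e. from outside its own stanza
    external = {n for n, labels in refs.items() if labels - {"routing-instances stanza"}}
    return {
        "undefined_instances": {n: sorted(l) for n, l in refs.items() if n not in defined},
        "unused_instances": sorted(defined - external),
        "undefined_policies": sorted(imported - policies),
    }
```

Feed it the output of `show configuration | display set` from the device; on the sample it reports ISP2 as referenced but undefined, custom-vr as defined but unused, and master-to-custom as an undefined policy.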

Confirming Connectivity with Sky Enterprise

  • Verify connectivity by looking at the Sky Enterprise device list. If successful, it shows the device as "Online".

  • Verify the connection from the device by issuing the command "show system connections | match 4087"; both outbound-ssh clients should show an ESTABLISHED TCP session to port 4087:

root@s10-23> show system connections | match 4087  
tcp4       0      0  192.168.1.1.56945                             xx.xx.xx.21.4087                            ESTABLISHED
tcp4       0      0  192.168.1.1.62095                             xx.xx.xx.108.4087                           ESTABLISHED

root@s10-23> 
