SRX VIRTUALISATION: Basics

Virtualisation.

That got your attention, didn't it! It's the big topic these days, and on the SRX we can apply it in several ways.


In the Juniper world we have VSYS on ScreenOS and LSYS on the high-end SRXs, both of which allow the creation of logical firewalls with separate administrative rights within a single box.


There is also Firefly Perimeter to consider (a 60-day evaluation is available):
http://www.juniper.net/us/en/products-services/security/firefly-perimeter/#evaluation

Even though we can't use LSYS on a branch SRX, we can still set up logical routers called routing instances on them and then put specific interfaces (and so their zones) into those routing instances, thereby gaining some degree of virtualisation on the branch SRX.

Let's look at a simple example of how to apply this..


Let's say we have a single SRX serving 2 separate companies. We'll call them comp1 and comp2. Each has its own Internet connection and they don't want to share them.

We will create a separate routing instance for comp1 and assign the zones that comp1 uses to it.

Remember: a logical interface can only belong to one routing instance, and the same goes for the zone it is in.

Here is the diagram of what we will build..



Comp2 will use the default master routing instance, whose routing table is inet.0
Comp1 will use a newly created routing instance called vr-comp1, which means its routing table will be vr-comp1.inet.0


In both the master instance and the routing instance the ISP interfaces (fe-0/0/7 and fe-0/0/6) are DHCP clients of their respective ISPs and will propagate the ISP-assigned DNS settings to the DHCP pools serving their company's clients.

Before we get into the config of the routing instance I just want to mention some things about DHCP.

Juniper recommends (http://kb.juniper.net/InfoCenter/index?page=content&id=KB26897) using JDHCP (dhcp-local-server) rather than the legacy DHCP server (system services dhcp), because JDHCP is what supports serving clients inside a routing instance, which is exactly what we will be doing.

So, for example, whereas before we would have had this config for DHCP to serve clients on the SRX..


set system services dhcp pool 10.10.10.0/24 address-range low 10.10.10.50
set system services dhcp pool 10.10.10.0/24 address-range high 10.10.10.100
set system services dhcp pool 10.10.10.0/24 exclude-address 10.10.10.30
set system services dhcp pool 10.10.10.0/24 default-lease-time 86400
set system services dhcp pool 10.10.10.0/24 domain-name xyz.com
set system services dhcp pool 10.10.10.0/24 router 10.10.10.1
set system services dhcp propagate-settings fe-0/0/4.0


We now have this config..

set system services dhcp-local-server group dhcp-comp2 interface vlan.7

set access address-assignment pool pool-comp2 family inet network 10.10.10.0/24
set access address-assignment pool pool-comp2 family inet range range-comp2 low 10.10.10.50
set access address-assignment pool pool-comp2 family inet range range-comp2 high 10.10.10.100
set access address-assignment pool pool-comp2 family inet dhcp-attributes maximum-lease-time 86400
set access address-assignment pool pool-comp2 family inet dhcp-attributes domain-name xyz.com
set access address-assignment pool pool-comp2 family inet dhcp-attributes router 10.10.10.1
set access address-assignment pool pool-comp2 family inet dhcp-attributes propagate-settings fe-0/0/4.0


Also note the difference in the daemon that is running.

DHCP..

blogger@SRX> show system processes | match dhcp
 1264  ??  S      9:17.23 /usr/sbin/dhcpd -N


JDHCP..

blogger@SRX-CORE> show system processes | match dhcp
 4494  ??  S      0:00.98 /usr/sbin/jdhcpd -N


CONFIG FOR INET.0 

1) Setup the ISP interface as a DHCP client

set interfaces fe-0/0/7 unit 0 family inet dhcp-client update-server

2) Create the logical VLAN interface for the comp2 clients and assign to physical interface.

set vlans vlan-comp2 vlan-id 20
set vlans vlan-comp2 l3-interface vlan.20
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-comp2
set interfaces vlan unit 20 family inet address 192.168.20.1/24


3) Create The DHCP pool for the comp2 clients

set access address-assignment pool pool-comp2 family inet network 192.168.20.0/24
set access address-assignment pool pool-comp2 family inet range range-comp2 low 192.168.20.50
set access address-assignment pool pool-comp2 family inet range range-comp2 high 192.168.20.100
set access address-assignment pool pool-comp2 family inet dhcp-attributes maximum-lease-time 86400
set access address-assignment pool pool-comp2 family inet dhcp-attributes domain-name comp2.com
set access address-assignment pool pool-comp2 family inet dhcp-attributes router 192.168.20.1
set access address-assignment pool pool-comp2 family inet dhcp-attributes propagate-settings fe-0/0/7.0


4) Set the default route for inet.0

set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

CONFIG FOR THE ROUTING INSTANCE.

1) Set up the ISP interface as a DHCP client

set interfaces fe-0/0/6 unit 0 family inet dhcp-client update-server

Note the use of dhcp-client now rather than dhcp. Below is the commit error you get if you use the legacy dhcp keyword on the interface while dhcp-local-server is configured:

blogger@SRX-CORE# commit
[edit interfaces fe-0/0/6 unit 0 family inet]
  'dhcp'
    Incompatible with the dhcp-local-server configured under 'routing-instances <*> system services dhcp-local-server group
[edit interfaces fe-0/0/6 unit 0 family inet]
  'dhcp'
    Incompatible with the dhcp-local-server configured under 'system services dhcp-local-server group


2) Create the logical VLAN interface for the comp1 clients and assign to physical interface.

set vlans vlan-comp1 vlan-id 10
set vlans vlan-comp1 l3-interface vlan.10
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-comp1
set interfaces vlan unit 10 family inet address 192.168.10.1/24

   
3) Create the routing instance and assign interfaces

set routing-instances vr-comp1 instance-type virtual-router
set routing-instances vr-comp1 interface fe-0/0/6.0
set routing-instances vr-comp1 interface vlan.10


4) Create The DHCP pool for the comp1 clients

set routing-instances vr-comp1 system services dhcp-local-server group dhcp-comp1 interface vlan.10
set routing-instances vr-comp1 access address-assignment pool pool-comp1 family inet network 192.168.10.0/24
set routing-instances vr-comp1 access address-assignment pool pool-comp1 family inet range range-comp1 low 192.168.10.50
set routing-instances vr-comp1 access address-assignment pool pool-comp1 family inet range range-comp1 high 192.168.10.100
set routing-instances vr-comp1 access address-assignment pool pool-comp1 family inet dhcp-attributes maximum-lease-time 86400
set routing-instances vr-comp1 access address-assignment pool pool-comp1 family inet dhcp-attributes domain-name comp1.com
set routing-instances vr-comp1 access address-assignment pool pool-comp1 family inet dhcp-attributes router 192.168.10.1
set routing-instances vr-comp1 access address-assignment pool pool-comp1 family inet dhcp-attributes propagate-settings fe-0/0/6.0


5) Give the routing instance a default route

set routing-instances vr-comp1 routing-options static route 0.0.0.0/0 next-hop 2.2.2.2

Here is all the routing instance config..

blogger@SRX-CORE> show configuration routing-instances
vr-comp1 {
    instance-type virtual-router;
    system {
        services {
            dhcp-local-server {
                group dhcp-comp1 {
                    interface vlan.10;
                }
            }
        }
    }
    access {
        address-assignment {
            pool pool-comp1 {
                family inet {
                    network 192.168.10.0/24;
                    range range-comp1 {
                        low 192.168.10.50;
                        high 192.168.10.100;
                    }
                    dhcp-attributes {
                        maximum-lease-time 86400;
                        domain-name comp1.com;
                        router {
                            192.168.10.1;
                        }
                        propagate-settings fe-0/0/6.0;
                    }
                }
            }
        }
    }
    interface fe-0/0/6.0;
    interface vlan.10;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 2.2.2.2;
        }
    }
}


ZONE, NAT AND POLICY SETTINGS

set security zones security-zone zone-comp1 interfaces vlan.10 host-inbound-traffic system-services ping
set security zones security-zone zone-comp1 interfaces vlan.10 host-inbound-traffic system-services dhcp
set security zones security-zone zone-comp2 interfaces vlan.20 host-inbound-traffic system-services dhcp
set security zones security-zone zone-comp2 interfaces vlan.20 host-inbound-traffic system-services ping
set security zones security-zone zone-isp1 interfaces fe-0/0/6.0 host-inbound-traffic system-services dhcp
set security zones security-zone zone-isp2 interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp

set security nat source rule-set comp2-isp2 from zone zone-comp2
set security nat source rule-set comp2-isp2 to zone zone-isp2
set security nat source rule-set comp2-isp2 rule n1-comp2 match source-address 0.0.0.0/0
set security nat source rule-set comp2-isp2 rule n1-comp2 then source-nat interface
set security nat source rule-set comp1-isp1 from zone zone-comp1
set security nat source rule-set comp1-isp1 to zone zone-isp1
set security nat source rule-set comp1-isp1 rule n1-comp1 match source-address 0.0.0.0/0
set security nat source rule-set comp1-isp1 rule n1-comp1 then source-nat interface

set security policies from-zone zone-comp2 to-zone zone-isp2 policy p1-comp2 match source-address any
set security policies from-zone zone-comp2 to-zone zone-isp2 policy p1-comp2 match destination-address any
set security policies from-zone zone-comp2 to-zone zone-isp2 policy p1-comp2 match application any
set security policies from-zone zone-comp2 to-zone zone-isp2 policy p1-comp2 then permit
set security policies from-zone zone-comp2 to-zone zone-isp2 policy p1-comp2 then log session-init
set security policies from-zone zone-comp1 to-zone zone-isp1 policy p1-comp1 match source-address any
set security policies from-zone zone-comp1 to-zone zone-isp1 policy p1-comp1 match destination-address any
set security policies from-zone zone-comp1 to-zone zone-isp1 policy p1-comp1 match application any
set security policies from-zone zone-comp1 to-zone zone-isp1 policy p1-comp1 then permit
set security policies from-zone zone-comp1 to-zone zone-isp1 policy p1-comp1 then log session-init


As you can see, nothing special is needed in the zone, NAT or policy config on account of the routing instance. What actually keeps the two companies apart is that each zone's interfaces sit in one routing instance and the policies only ever join a company's LAN zone to its own ISP zone: a packet arriving on vlan.10 is looked up in vr-comp1.inet.0, which only knows its own LAN and the default route towards ISP1, and there is no policy from zone-comp1 to zone-comp2, so the SRX default deny applies (check that default-policy under security policies has not been set to permit-all). Keep it that way: don't add a policy pair between the two comp zones, and don't leak routes between inet.0 and vr-comp1.inet.0 with rib-groups or instance-import.
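Because the separation comes down to how interfaces, zones, policies and NAT rule-sets line up with the routing instances, it is worth checking that mechanically before commit. The checker below is an added example and is not part of this post nor anything Juniper ships: it parses the set-format lines shown above (copied from this post as its sample input), works out which routing instance each zone lives in (an interface not listed under any routing-instances stanza is taken to be in master, which is Junos's name for the default instance), and flags any permit policy or NAT rule-set that would join zones in different instances, plus any interface placed in two instances. The MASTER name, the regexes and the LEAKY_LINE test case are the example's own assumptions.

```python
"""Tenant-isolation check over a Junos set-format config (added example)."""
import re
from collections import defaultdict

# Constructed input: the routing-instance, zone, NAT and policy 'set' lines from this post,
# trimmed to the statements that decide which tenant can talk to which.
SRX_CONFIG = """
set routing-instances vr-comp1 instance-type virtual-router
set routing-instances vr-comp1 interface fe-0/0/6.0
set routing-instances vr-comp1 interface vlan.10
set security zones security-zone zone-comp1 interfaces vlan.10 host-inbound-traffic system-services ping
set security zones security-zone zone-comp1 interfaces vlan.10 host-inbound-traffic system-services dhcp
set security zones security-zone zone-comp2 interfaces vlan.20 host-inbound-traffic system-services dhcp
set security zones security-zone zone-comp2 interfaces vlan.20 host-inbound-traffic system-services ping
set security zones security-zone zone-isp1 interfaces fe-0/0/6.0 host-inbound-traffic system-services dhcp
set security zones security-zone zone-isp2 interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp
set security nat source rule-set comp2-isp2 from zone zone-comp2
set security nat source rule-set comp2-isp2 to zone zone-isp2
set security nat source rule-set comp1-isp1 from zone zone-comp1
set security nat source rule-set comp1-isp1 to zone zone-isp1
set security policies from-zone zone-comp2 to-zone zone-isp2 policy p1-comp2 then permit
set security policies from-zone zone-comp1 to-zone zone-isp1 policy p1-comp1 then permit
"""

# Constructed mistake, not from the post: a permit between the two tenants' LAN zones.
LEAKY_LINE = "set security policies from-zone zone-comp1 to-zone zone-comp2 policy leak then permit\n"

MASTER = "master"  # Junos's name for the default instance, whose table is inet.0 (assumption)

RE_RI_IFL = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
RE_ZONE_IFL = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
RE_PERMIT = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then permit")
RE_NAT = re.compile(r"^set security nat source rule-set (\S+) (from|to) zone (\S+)$")


def parse_set_config(text):
    """Collect interface->instance, zone->interfaces, permit policies and NAT rule-set ends."""
    cfg = {"ri_of_ifl": {}, "zone_ifls": defaultdict(set),
           "permits": [], "nat": defaultdict(dict), "errors": []}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := RE_RI_IFL.match(line):
            ri, ifl = m.groups()
            prev = cfg["ri_of_ifl"].get(ifl)
            if prev and prev != ri:  # an IFL can live in only one routing instance
                cfg["errors"].append(f"{ifl} is placed in both {prev} and {ri}")
            cfg["ri_of_ifl"][ifl] = ri
        elif m := RE_ZONE_IFL.match(line):
            cfg["zone_ifls"][m[1]].add(m[2])
        elif m := RE_PERMIT.match(line):
            cfg["permits"].append(m.groups())
        elif m := RE_NAT.match(line):
            cfg["nat"][m[1]][m[2]] = m[3]
    return cfg


def ri_of_zone(cfg, zone):
    """Routing instance(s) behind a zone; an IFL not listed under any instance is in master."""
    return {cfg["ri_of_ifl"].get(ifl, MASTER) for ifl in cfg["zone_ifls"].get(zone, ())}


def check_isolation(cfg):
    """Return findings; an empty list means nothing in the config joins the two instances."""
    findings = list(cfg["errors"])
    for zone in cfg["zone_ifls"]:
        ris = ri_of_zone(cfg, zone)
        if len(ris) > 1:
            findings.append(f"zone {zone} straddles routing instances {sorted(ris)}")
    for src, dst, name in cfg["permits"]:
        a, b = ri_of_zone(cfg, src), ri_of_zone(cfg, dst)
        if not a or not b:
            findings.append(f"policy {name} references a zone with no interfaces")
        elif a != b:
            findings.append(f"policy {name} permits {src} -> {dst} across routing instances")
    for rs, ends in cfg["nat"].items():
        if "from" in ends and "to" in ends and ri_of_zone(cfg, ends["from"]) != ri_of_zone(cfg, ends["to"]):
            findings.append(f"NAT rule-set {rs} spans routing instances")
    return findings


if __name__ == "__main__":
    print(check_isolation(parse_set_config(SRX_CONFIG)))               # []
    print(check_isolation(parse_set_config(SRX_CONFIG + LEAKY_LINE)))  # the cross-tenant permit
```

Feed it the output of "show configuration | display set" and treat any finding as a stop before commit. It is deliberately blind to everything else (address books, applications, host-inbound-traffic), because those decide what a tenant may do, not whether the tenants can reach each other.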

VERIFICATION

1) Check the route instances

blogger@SRX-CORE> show route instance    
Instance             Type
         Primary RIB                                     Active/holddown/hidden
master               forwarding    
         inet.0                                          8/0/0

__juniper_private1__ forwarding    
         __juniper_private1__.inet.0                     7/0/0

__juniper_private2__ forwarding    
         __juniper_private2__.inet.0                     0/0/1

__master.anon__      forwarding    

vr-comp1             virtual-router
         vr-comp1.inet.0                                 7/0/0

       
blogger@SRX-CORE> show route instance vr-comp1
Instance             Type
         Primary RIB                                     Active/holddown/hidden
vr-comp1             virtual-router
         vr-comp1.inet.0                                 7/0/0   
   
       
2) Check the route tables

Notice the two now-separate routing tables

blogger@SRX-CORE> show route       

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 04:04:15
                    > to 1.1.1.1 via fe-0/0/7.0
1.1.1.0/24         *[Direct/0] 04:04:15
                    > via fe-0/0/7.0
1.1.1.10/32        *[Local/0] 04:04:15
                      Local via fe-0/0/7.0
192.168.20.0/24    *[Direct/0] 04:06:40
                    > via vlan.20
192.168.20.1/32    *[Local/0] 5d 19:56:05
                      Local via vlan.20
192.168.20.51/32   *[Access-internal/12] 03:08:19
                    > to 192.168.20.1 via vlan.20         

vr-comp1.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 03:58:55
                    > to 2.2.2.2 via fe-0/0/6.0
2.2.2.0/24         *[Direct/0] 03:58:56
                    > via fe-0/0/6.0
2.2.2.10/32        *[Local/0] 03:58:56
                      Local via fe-0/0/6.0
192.168.10.0/24    *[Direct/0] 03:23:29
                    > via vlan.10
192.168.10.1/32    *[Local/0] 5d 19:56:05
                      Local via vlan.10
192.168.10.51/32   *[Access-internal/12] 03:31:51
                    > to 192.168.10.1 via vlan.10
192.168.10.52/32   *[Access-internal/12] 03:31:51
                    > to 192.168.10.1 via vlan.10

                   
3) Verify inet.0 and the routing instance can both access the internet..

blogger@SRX-CORE> ping 8.8.8.8 count 4 rapid 
PING 8.8.8.8 (8.8.8.8): 56 data bytes
!!!!
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 62.483/94.899/112.646/19.407 ms

blogger@SRX-CORE>

blogger@SRX-CORE> ping 8.8.8.8 routing-instance vr-comp1 count 4 rapid
PING 8.8.8.8 (8.8.8.8): 56 data bytes
!!!!
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.550/6.442/8.554/1.731 ms

blogger@SRX-CORE> 

 
4) Verify DHCP client and server

blogger@SRX-CORE> show dhcp client binding

IP address        Hardware address   Expires     State      Interface
1.1.1.10          40:b4:f0:8f:2d:47  72916       BOUND      fe-0/0/7.0         

blogger@SRX-CORE> show dhcp client binding routing-instance vr-comp1

IP address        Hardware address   Expires     State      Interface
2.2.2.10          40:b4:f0:8f:2d:46  72909       BOUND      fe-0/0/6.0     

blogger@SRX-CORE> show dhcp server binding detail

Client IP Address:  192.168.20.51
     Hardware Address:             08:00:27:ce:af:e7
     State:                        BOUND(LOCAL_SERVER_STATE_BOUND)
     Lease Expires:                2014-09-04 11:04:55 UTC
     Lease Expires in:             74229 seconds
     Lease Start:                  2014-09-03 11:04:55 UTC
     Last Packet Received:         2014-09-03 11:04:55 UTC
     Incoming Client Interface:    vlan.20
     Client Interface Vlan Id:     20
     Server Identifier:            192.168.20.1
     Session Id:                   7
     Client Pool Name:             pool-comp2

blogger@SRX-CORE> show dhcp server binding detail routing-instance vr-comp1

Client IP Address:  192.168.10.52
     Hardware Address:             00:23:18:46:37:85
     State:                        BOUND(LOCAL_SERVER_STATE_BOUND)
     Lease Expires:                2014-09-04 10:49:51 UTC
     Lease Expires in:             73299 seconds
     Lease Start:                  2014-09-03 10:49:51 UTC
     Last Packet Received:         2014-09-03 10:49:59 UTC
     Incoming Client Interface:    vlan.10
     Client Interface Vlan Id:     10
     Server Identifier:            192.168.10.1
     Session Id:                   6
     Client Pool Name:             pool-comp1
Client IP Address:  192.168.10.51
     Hardware Address:             00:23:18:46:37:85
     State:                        BOUND(LOCAL_SERVER_STATE_BOUND)
     Lease Expires:                2014-09-04 10:06:43 UTC
     Lease Expires in:             70711 seconds
     Lease Start:                  2014-09-03 10:06:43 UTC
     Last Packet Received:         unknown
     Incoming Client Interface:    vlan.10
     Client Interface Vlan Id:     10
     Server Identifier:            192.168.10.1
     Session Id:                   5
     Client Pool Name:             pool-comp1
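
The routing-table check in step 2 above is the one to automate, since a route leaked from one table into the other (via rib-groups, instance-import or a stray static) would quietly undo the separation. The script below is an added example, not part of this post: it parses the show route output shown in step 2 (copied from this post as its sample input) into per-table routes, then checks that each table's default route leaves via that company's ISP interface and that no prefix inside one company's LAN appears in the other company's table. The EXPECTED map, the regexes and the LEAKED_ROUTE test case are the example's own assumptions.

```python
"""Route-leak check over Junos 'show route' output (added example)."""
import ipaddress
import re

# Constructed input: the 'show route' output from this post (inet.0 and vr-comp1.inet.0).
SHOW_ROUTE = """
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 04:04:15
                    > to 1.1.1.1 via fe-0/0/7.0
1.1.1.0/24         *[Direct/0] 04:04:15
                    > via fe-0/0/7.0
1.1.1.10/32        *[Local/0] 04:04:15
                      Local via fe-0/0/7.0
192.168.20.0/24    *[Direct/0] 04:06:40
                    > via vlan.20
192.168.20.1/32    *[Local/0] 5d 19:56:05
                      Local via vlan.20
192.168.20.51/32   *[Access-internal/12] 03:08:19
                    > to 192.168.20.1 via vlan.20

vr-comp1.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 03:58:55
                    > to 2.2.2.2 via fe-0/0/6.0
2.2.2.0/24         *[Direct/0] 03:58:56
                    > via fe-0/0/6.0
2.2.2.10/32        *[Local/0] 03:58:56
                      Local via fe-0/0/6.0
192.168.10.0/24    *[Direct/0] 03:23:29
                    > via vlan.10
192.168.10.1/32    *[Local/0] 5d 19:56:05
                      Local via vlan.10
192.168.10.51/32   *[Access-internal/12] 03:31:51
                    > to 192.168.10.1 via vlan.10
192.168.10.52/32   *[Access-internal/12] 03:31:51
                    > to 192.168.10.1 via vlan.10
"""

# Constructed leak, not from the post: comp2's LAN turning up in comp1's table.
LEAKED_ROUTE = ("192.168.20.0/24    *[Static/5] 00:00:01\n"
                "                    > to 192.168.10.254 via vlan.10\n")

# What each table may hold: its own tenant LAN, and the uplink its default route must use (assumption).
EXPECTED = {
    "inet.0":          {"lan": "192.168.20.0/24", "uplink": "fe-0/0/7.0"},
    "vr-comp1.inet.0": {"lan": "192.168.10.0/24", "uplink": "fe-0/0/6.0"},
}

RE_TABLE = re.compile(r"^(\S+): \d+ destinations")
RE_ROUTE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*?\[([\w-]+)/\d+\]")
RE_VIA = re.compile(r"via (\S+)")


def parse_show_route(text):
    """Return {table: {prefix: (protocol, egress interface)}} from 'show route' output."""
    tables, table, prefix = {}, None, None
    for raw in text.splitlines():
        if m := RE_TABLE.match(raw):
            table, prefix = tables.setdefault(m[1], {}), None
        elif table is not None and (m := RE_ROUTE.match(raw)):
            prefix = m[1]
            table[prefix] = (m[2], None)
        elif raw.startswith(" ") and prefix and (m := RE_VIA.search(raw)):
            table[prefix] = (table[prefix][0], m[1])  # next-hop line: record the interface
    return tables


def check_route_leaks(tables, expected):
    """Findings for defaults on the wrong uplink and for prefixes sitting in the other tenant's table."""
    findings = []
    lans = {t: ipaddress.ip_network(e["lan"]) for t, e in expected.items()}
    for table, routes in tables.items():
        if table not in expected:
            findings.append(f"{table}: table not in the expected set")
            continue
        default = routes.get("0.0.0.0/0")
        if default is None:
            findings.append(f"{table}: no default route")
        elif default[1] != expected[table]["uplink"]:
            findings.append(f"{table}: default route via {default[1]}, expected {expected[table]['uplink']}")
        for prefix in routes:
            net = ipaddress.ip_network(prefix)
            for other, lan in lans.items():
                if other != table and net.subnet_of(lan):
                    findings.append(f"{table}: {prefix} is inside {other}'s LAN {lan}")
    return findings


if __name__ == "__main__":
    print(check_route_leaks(parse_show_route(SHOW_ROUTE), EXPECTED))                 # []
    print(check_route_leaks(parse_show_route(SHOW_ROUTE + LEAKED_ROUTE), EXPECTED))  # the leaked prefix
```

Run it against "show route table inet.0" and "show route table vr-comp1.inet.0" concatenated, rather than plain "show route", so the __juniper_private__ tables do not show up as unexpected tables. Because the check is against a whitelist of tables and LANs, a brand-new routing instance or LAN has to be added to EXPECTED before it passes, which is the behaviour you want for tenant separation.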

   

So that's it. Two separate groups of clients using two different Internet links on one SRX.
DHCP client, DHCP server and DNS propagation are all working with this config.


This is one way to do it. There are of course different ways....

Model: srx210he
JUNOS Software Release [12.1X44-D35.5]

