Routing Juniper SRX – Managing Two IP Ranges with One ISP Connection

juniperroutingsrx

We have a straight forward internet connection which has a small /29 IP range. The connection is Ethernet and our default gateway is the first IP in the /29 range.

Our ISP has just given us a secondary IP range, a /28. They have told us that we need to use the first IP of that range as our default gateway.

Now the device it's connected to is a Juniper SRX.

Initially I thought this wouldn't be an issue but it turns out it's more tricky than I thought.

I can't just use any of the new IP addresses on the existing untrust interface because traffic isn't routed back to the correct gateway.
I can use a virtual router as the networks both come in over the same Ethernet cable and are plugged into a single interface

I was thinking that maybe I need to use source or policy based routing.

Does anyone have any ideas? Should I go back to them and ask for them to just route the new /28 subnet to IP address of the SRX in the original /29? Is PBR/SBR the way to go?

The only thing I know about their config is that the device is a Cisco and has the following config snippet

interface FastEthernet1/0/2
description *** Link into customer LAN ***
no switchport
ip address 1.0.0.145 255.255.255.240 secondary
ip address 1.0.0.121 255.255.255.248

#ping 8.8.8.8 source 1.0.0.145

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 1.0.0.145 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/26 ms

Best Answer

As @stevieb said, a link subnet and two routes is the correct path, but few ISPs do that these days. (esp. in a co-lo, which is what this looks like)

As the gateway for both networks is the same interface on the same device, there should be no issue with sending traffic from either subnet to either gateway. I've had the exact same setup in many data centers, and it was never an issue. If they have something odd set up (ACLs, etc.), then VRF or PBR would be logical solutions. The SRX should have plenty of CPU to do either; personally, I'd do PBR as it's less headache.

Related Solutions

Configuring Cisco ASA 5505 for Routing

OK, after looking at your configuration, you are missing one statement:

route outside 0.0.0.0 0.0.0.0 125.x.x.9

This tells the firewall to forward all Internet traffic to the ISP's router at 125.x.x.9

ISP Edge Router Configuration – Step-by-Step Guide

1.Would it be better to setup traffic policing?

You're using shaping, which is better in this case. The important thing is to buffer your traffic before sending it to your internet provider. Consider this:

Your ISP asks you to set your physical interface to 100Mbps
Your service from the ISP is 30Mbps
What happens if you're already sending 30Mbps of traffic, and you need to send a ping?

By default, your Cisco 2901 router's interface will buffer based on the physical transmit rate (100Mbps) you are configuring. If you do not add traffic shaping, that ping has a decent chance of being dropped because the ISP is almost certainly policing ingress to 30Mbps on the other end. Traffic shaping allows you to buffer your instantaneous traffic in excess of 30Mbps, so it has a chance of making it past your ISP's ingress policing; otherwise your router won't even think about buffering traffic until it reaches the physical interface transmit rate (100Mbps).

Setup traffic shaping: class-map match-any SHAPE match any
policy-map SHAPE
class SHAPE
shape average 30000000
interface GigabitEthernet0/1
service-policy output SHAPE
...
Would it be better to setup traffic shaping/policing on outside interface (gig 0/0)?

You should definitely set up egress shaping on Gi0/0; consider qos, and / or wred as well.

Since Gi0/1 is a LAN-facing interface, egress shaping doesn't help much unless you need to prioritize certain traffic, or use wred on the queue (which wouldn't be a bad idea, if you set it up right).

When you configure your QoS policies, I recommend you do it in this order:

Test ping loss from Gi0/0 to 50.204.xxx.81 for at least 20 minutes without qos on either interface; if you don't have a clean baseline, then you'll spend a lot of time chasing the wrong packet loss in the next steps.
Test egress shaping rates on your Gi0/0 interface at about 200-300 byte IP packets (i.e. somewhere at or below imix sizes), and adjust the rates until you don't drop traffic to them (see below). You might need to ask them to temporarily colo some of your test equipment in their network. Failing that, you can rent a server on the internet to test with; however, that gets fairly complicated since there would likely be several additional congestion points.
Test egress shaping rates on your Gi0/1 interface, in the same way you did above.
Add wred (if you plan to do so). Test again with 3 parallel TCP streams in each traffic direction.

Test strategy:

I strongly recommend that you perform a UDP non-drop transmit rate test with whatever qos settings you choose because it's possible that your shaping rate could be slightly higher than your ISP's rate. If so, then you need to lower your shaping parameters until you don't drop traffic when you send it to them.

I am confused with ISP giving me 50.204.xxx.80/30 address for interconnect block and then saying that I can use 50.204.xxx.83 thru 50.204.xxx.86?

That definitely is confusing, as far as I can tell, that sentence can be safely ignored; however, please double check with them to be sure. The reason I say this:

They said "ISP Internet gateway: 50.204.xxx.81"
They said "Customer Layer 3 device WAN interface: 50.204.xxx.82"
They said "The /29 of usable IP space is statically routed by ISP to 50.204.xxx.82"

Regarding your question in the comments

The routes shown in this diagram are adequate. You only need a default route to the provider, unless you plan to turn up other networks besides 50.204.xxx.88/29.

Side notes

I normally don't recommend hard-coding speed and duplex on ethernet interfaces, but this practice is entrenched in many ISP procedures, so there is no point in fighting it.
You should adequately protect your network with a firewall as well, as Kit suggested.

Best Answer

Related Solutions

Configuring Cisco ASA 5505 for Routing

ISP Edge Router Configuration – Step-by-Step Guide

Side notes

Related Topic