VRRP dual ISP setup

Tags: failover, juniper, vrrp

I have a project which I'm struggling with and wondered if someone can offer some advice on the best way to achieve my goal (I'm new to Juniper).

At the moment I have 2 Juniper SRX240s, one connected to a 100Mb fiber, and the other connected to a 10Mb EFM.

My goal is to set them up to allow for automatic failover from one ISP to the other. The idea is that if the main 100Mb goes down, the backup automatically kicks in.

I also need to setup 3 virtual routing instances, and two DMZs, with the idea that there is one instance for WAN, Internet, and VOIP traffic. Attached is a picture to help explain the setup.

The company wishes to use VRRP instead of a chassis cluster.

I've set up VRRP; however, both routers are in a master state, and they are sending advertisements but not receiving. I suspect there is an issue with the security configuration, but I can't seem to find what it is. Would someone take a look to see where I'm going wrong?

At this stage, I want standard VRRP on the LAN side (172.16 range), then later on use VRRP route instance tracking for the WAN.

This is the configuration:

set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 126 description DMZ-1
set interfaces ge-0/0/0 unit 126 vlan-id 126
set interfaces ge-0/0/0 unit 126 family inet address 172.16.126.253/24
set interfaces ge-0/0/0 unit 137 description backup-mpls
set interfaces ge-0/0/0 unit 137 vlan-id 137
set interfaces ge-0/0/0 unit 346 vlan-id 346
set interfaces ge-0/0/0 unit 346 family inet address x.x.x.x/30
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 vlan-tagging
set interfaces ge-0/0/4 unit 20 description users-data
set interfaces ge-0/0/4 unit 20 vlan-id 20
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 virtual-address 172.16.93.254
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 priority 100
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 accept-data trust
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust host-inbound-traffic protocols vrrp
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.346 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.346 host-inbound-traffic protocols all
set security zones security-zone voip host-inbound-traffic system-services all
set security zones security-zone voip host-inbound-traffic protocols all
set security zones security-zone mpls host-inbound-traffic system-services all
set security zones security-zone mpls host-inbound-traffic protocols all
set routing-instances cce instance-type virtual-router
set routing-instances cce interface ge-0/0/4.20
set routing-instances internet instance-type virtual-router
set routing-instances internet interface ge-0/0/0.346
set routing-instances internet routing-options static route 0.0.0.0/0 next-hop x.x.x.141
set routing-instances voip instance-type virtual-router
set routing-instances voip interface ge-0/0/4.70
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

If you can see what I'm missing, that would be great.

Best Answer

From the looks of your config, ge-0/0/4.20 is not in the trust security zone.

 set security zones security-zone trust interfaces ge-0/0/4.20

should fix things and get your VRRP adjacency established.

You will also need to remove the routing-instances if you want the policy between trust and untrust to work.

Routing-instances always 'seem' like the right answer for isolation, but they add a lot of unnecessary complexity. Zones and policies work just fine.
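The failure in the question is a classic one: a VRRP interface that sits in no security zone, so inbound advertisements are silently dropped and both peers elect themselves master. The following is an added check, not code from the question or the answer: a small Python lint over Junos set-style configuration that flags every VRRP-bearing logical interface that is either unassigned to a zone or assigned to a zone that does not admit host-inbound protocol vrrp (or all). The sample config is constructed from the relevant lines of the question.

```python
import re

# Constructed sample: the relevant lines from the question's config. VRRP runs on
# ge-0/0/4.20, but zone trust only contains vlan.0, which is the reported problem.
SAMPLE_CONFIG = """
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 virtual-address 172.16.93.254
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 priority 100
set security zones security-zone trust host-inbound-traffic protocols vrrp
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust interfaces ge-0/0/0.346 host-inbound-traffic protocols all
"""

VRRP_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address \S+ vrrp-group ")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)(.*)$")
ZONE_PROTO_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic protocols (\S+)$")

def check_vrrp_zones(config):
    """Return a list of findings: VRRP interfaces with no zone, or whose zone blocks inbound VRRP."""
    vrrp_ifaces = set()
    zone_of = {}        # logical interface -> security zone it is assigned to
    zone_protos = {}    # zone -> protocols allowed at zone level (host-inbound-traffic)
    iface_protos = {}   # logical interface -> protocols allowed at interface level
    for line in config.strip().splitlines():
        line = line.strip()
        m = VRRP_RE.match(line)
        if m:
            vrrp_ifaces.add(f"{m.group(1)}.{m.group(2)}")
            continue
        m = ZONE_PROTO_RE.match(line)
        if m:
            zone_protos.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = ZONE_IF_RE.match(line)
        if m:
            zone, ifl, rest = m.groups()
            zone_of[ifl] = zone
            pm = re.search(r"host-inbound-traffic protocols (\S+)", rest)
            if pm:
                iface_protos.setdefault(ifl, set()).add(pm.group(1))
    problems = []
    for ifl in sorted(vrrp_ifaces):
        zone = zone_of.get(ifl)
        if zone is None:
            problems.append(f"{ifl}: runs VRRP but is in no security zone (inbound VRRP dropped)")
            continue
        allowed = zone_protos.get(zone, set()) | iface_protos.get(ifl, set())
        if not allowed & {"vrrp", "all"}:
            problems.append(f"{ifl}: zone {zone} does not permit host-inbound protocol vrrp")
    return problems
```

Running it on the sample reports ge-0/0/4.20 as zoneless; appending the answer's zone assignment line clears the finding. The check is deliberately narrow (set-style syntax, inet VRRP only) and does not model the routing-instance problem the answer also raises.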