A customer has a network with Virtual Chassis (VC) edge / wiring closets, each separated from the others by its own per-wiring-closet VLAN. The edge VCs are connected to a distribution/core EX Virtual Chassis. The SRX security device is also connected by a trunk to the same distribution VC, just as it should be.
There is a really complicated mesh of routing by the SRX, by the distribution VC with several virtual-router instances and, I assume unwanted and not intended, routes at the edge VCs through the use of IRBs. Unwanted and unintended, because I believe the configuration has a design error, and that is what I want to ask your opinion about.
At the Edge VC I found:
interfaces {
    irb {
        unit 987 {
            family inet {
                address 10.250.45.x/24;
            }
        }
    }
    me0 {
        disable;
    }
    vme {
        disable;
    }
}
vlans {
    management {
        vlan-id 987;
        l3-interface irb.987;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.250.1.254;
    }
}
It is possible from a host connected to another edge VC to open an SSH session to the VC at address 10.250.45.x, as if it were configured as the vme0 IPv4 address. All VCs use the same vlan-id 987. It works, and the entire intranet is performing well.
Nevertheless, I believe the configuration is faulty:
- The OoB management address should be configured on the vme0 and not on the IRB. Yet when I did so, I lost the connection.
- Every VR has its own OoB management IPv4 address configured in the same VLAN-ID 987 IRB. This is not how it should be. Don't you think so?
- I believe that configuring an IRB on a switch automatically creates a local and direct route to this VLAN. This causes unpredictable results, like traffic that flows from one VLAN to another even though the SRX has a policy configured to drop it.
Do any of the forum members recognize this obscure configuration practice? Am I wrong, and is there a good reason to configure it this way?
What is your advice for how to redesign this? Is it preferable to use the distribution VC and SRX for all the routing and deactivate the IRBs?
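For comparison, here is what the edge VC configuration looks like when the redesign described in the last question is applied: the IRB is disabled, the management VLAN keeps no l3-interface (so the switch holds no directly connected route for it and all inter-VLAN traffic has to pass the distribution VC and the SRX policy), and the out-of-band address sits on vme. This is an added example, not the poster's or Juniper's configuration; the host address 10.250.45.11 and the gateway 10.250.45.254 are assumed placeholders inside the management subnet.

```junos
/* Added example, not the original configuration. Edge VC as a pure L2 access switch,
   with out-of-band management on vme. Addresses and gateway are assumed placeholders. */
interfaces {
    irb {
        unit 987 {
            disable;                          /* or delete the unit outright */
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.250.45.11/24;      /* assumed OoB management address of this VC */
            }
        }
    }
}
vlans {
    management {
        vlan-id 987;
        /* no l3-interface here: the VC does not route this VLAN */
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.250.45.254;   /* assumed gateway in the management subnet */
    }
}
```

After committing, `show route 10.250.45.0/24` on the edge VC should show the prefix only as a local/direct route via vme.0 and nothing via irb.987, and `show interfaces vme terse` should report the unit up. Apply the change from a console or from a session on the new vme address, since the SSH session on the IRB address goes away the moment the IRB is disabled.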