SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  I battle with the fxp0 interfaces in a cluster configuration and I do not understand anything

    Posted 07-29-2017 14:28

    Hello everybody,

     

    I am trying to configure a Juniper SRX 100h2 in a cluster. All seems correct to me with the cluster. See below my config:

    set version 12.1X47-D35.2
    set groups node0 system host-name EROS
    set groups node0 interfaces fxp0 unit 0 family inet address 192.168.6.30/24
    set groups node1 system host-name HADES
    set groups node1 interfaces fxp0 unit 0 family inet address 192.168.6.31/24
    set apply-groups "${node}"
    set system services web-management https system-generated-certificate
    set system services web-management https interface fxp0.0
    set chassis cluster reth-count 2
    set chassis cluster redundancy-group 0 node 0 priority 200
    set chassis cluster redundancy-group 0 node 1 priority 100
    set chassis cluster redundancy-group 1 node 0 priority 200
    set chassis cluster redundancy-group 1 node 1 priority 100
    set chassis cluster redundancy-group 1 interface-monitor fe-0/0/1 weight 255
    set chassis cluster redundancy-group 1 interface-monitor fe-1/0/1 weight 255
    set chassis cluster redundancy-group 1 interface-monitor fe-0/0/2 weight 255
    set chassis cluster redundancy-group 1 interface-monitor fe-1/0/2 weight 255
    set interfaces fe-0/0/1 fastether-options redundant-parent reth0
    set interfaces fe-0/0/2 fastether-options redundant-parent reth1
    set interfaces fe-1/0/1 fastether-options redundant-parent reth0
    set interfaces fe-1/0/2 fastether-options redundant-parent reth1
    set interfaces fab0 fabric-options member-interfaces fe-0/0/0
    set interfaces fab1 fabric-options member-interfaces fe-1/0/0
    set interfaces reth0 vlan-tagging
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 unit 81 description VLAN81
    set interfaces reth0 unit 81 vlan-id 81
    set interfaces reth0 unit 81 family inet address 192.168.81.254/24
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 unit 0 family inet address 192.168.111.30/24
    set routing-options static route 192.168.100.0/24 next-hop 192.168.81.1
    set security zones security-zone Trusted host-inbound-traffic system-services all
    set security zones security-zone Trusted interfaces reth0.81
    set security zones security-zone Untrusted host-inbound-traffic system-services ping
    set security zones security-zone Untrusted interfaces reth1.0


     

    What I do not understand... these are the fxp interfaces. I have read a lot of topics related to this subject, but for me it doesn't work. I need to plug the Juniper management interfaces (normally fe-0/0/6 and fe-1/0/6) into a Cisco switch. This switch's ports are configured in access mode with a MGMT VLAN.

     

    All reth interfaces are reachable with a ping.

     

    Normally, with this configuration it should work...

     

    Would I have forgotten something in my configuration?...

     

    Thanks for your help.



  • 2.  RE: I battle with the fxp0 interfaces in a cluster configuration and I do not understand anything

     
    Posted 07-29-2017 23:04
    What's the source IP from which you are pinging? If it's not in the same subnet as fxp0, you need "backup-router" config. If it's from the same subnet, run "show arp" and confirm if it's learned on the SRX.


  • 3.  RE: I battle with the fxp0 interfaces in a cluster configuration and I do not understand anything

    Posted 07-30-2017 09:09

    Thank you for your answer.

     

    I don't know why I didn't think to do a show arp, and this is why I like the community, because sometimes it's in front of you and you don't see it. I plugged my Ethernet cable in the wrong place. Now it's better. I can ping my interface fxp0, but I am not able to make an SSH or HTTPS connection.

     

    Result of show arp:

     

    gus@EROS# run show arp 
    MAC Address Address Name Interface Flags
    3c:8a:b0:2a:32:b0 30.17.0.2 30.17.0.2 fab0.0 permanent
    50:c5:8d:33:f6:30 30.18.0.1 30.18.0.1 fab1.0 permanent
    3c:8a:b0:2a:32:47 130.16.0.1 130.16.0.1 fxp1.0 none
    00:17:95:dc:49:48 192.168.6.1 192.168.6.1 fxp0.0 none
    00:17:95:dc:49:4f 192.168.81.1 192.168.81.1 reth0.81 none
    a4:93:4c:ee:5f:a6 192.168.111.1 192.168.111.1 reth1.0 none
    Total entries: 6

    But it's still not possible for me to make a connection in SSH or HTTPS, and spuluka must be right: my routing is asymmetrical.

     

    I'm going to work on this point... and I'll get back to you.



  • 4.  RE: I battle with the fxp0 interfaces in a cluster configuration and I do not understand anything
    Best Answer

    Posted 07-30-2017 04:10

    I would check the routing involved.

     

    Remember that the fxp0 mgmt interface is inside the base or root routing instance. So unless you have added routing instances, this shares the route table with all your other interfaces on the SRX. Thus if you attempt to ping in/out from outside the mgmt subnet you very likely have asymmetrical routing.

     

    You get around this by creating a routing instance for your other interfaces and then your fxp0 can have its own independent route table and default route.

     

    Or you use NAT rules and routes to NAT addresses to work around the internal production routing table.  But this can get cumbersome.



  • 5.  RE: I battle with the fxp0 interfaces in a cluster configuration and I do not understand anything

    Posted 07-30-2017 09:26

    Thank you spuluka for spending time on us.

     

    So, you are right, my routing was asymmetrical, so I made some modifications in my configuration and now everything works correctly.

     

    This is for my fxp0:

    routing-options {
        static {
            route 192.168.100.0/24 next-hop 192.168.6.1;
            /* here I will put the subnets which must access the administration interfaces (SSH and HTTPS) */
        }
    }

    and this is for access within the same LAN:

    routing-instances {
        RI-VR-LAN {
            instance-type virtual-router;
            interface reth0.81;
            routing-options {
                static {
                    route 192.168.100.0/24 next-hop 192.168.81.1;
                    /* here I will put the subnets of my LANs */
                }
            }
        }
    }

    Result of show route:

    netgus@EROS# run show route 
    
    inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.6.0/24     *[Direct/0] 5d 00:03:18
                        > via fxp0.0
    192.168.6.30/32    *[Local/0] 5d 00:03:18
                          Local via fxp0.0
    192.168.100.0/24   *[Static/5] 00:22:50
                        > to 192.168.6.1 via fxp0.0
    192.168.111.0/24   *[Direct/0] 22:40:04
                        > via reth1.0
    192.168.111.30/32  *[Local/0] 22:40:04
                          Local via reth1.0
    
    RI-VR-LAN.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.81.0/24    *[Direct/0] 00:44:12
                        > via reth0.81
    192.168.81.254/32  *[Local/0] 00:44:12
                          Local via reth0.81
    192.168.100.0/24   *[Static/5] 00:40:43
                        > to 192.168.81.1 via reth0.81

    This is very different from a Cisco ASA, but once you have understood how it works, it does not seem very complicated (I hope so).

     

    Again, a big thank you for your help.

     

    I will continue improving my understanding of the Juniper SRX.
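As an added example (not code from the thread or from Juniper), here is a small Python check for the condition spuluka's best answer describes and the last post fixes: it parses set-style Junos config and reports transit interfaces still sharing inet.0 with fxp0, plus inet.0 static routes whose egress is not fxp0 (replies to management clients in those destinations would leave via a transit interface, i.e. asymmetric routing). The two sample configs are constructed from the original post and from the final routing-instance fix; the regexes cover only the `set` forms used here.

```python
import ipaddress
import re

# Constructed samples (reduced to the lines the check needs): the original post's config,
# and the same box after the fix in the last post (reth0.81 moved into RI-VR-LAN).
ORIGINAL = """\
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.6.30/24
set interfaces reth0 unit 81 family inet address 192.168.81.254/24
set interfaces reth1 unit 0 family inet address 192.168.111.30/24
set routing-options static route 192.168.100.0/24 next-hop 192.168.81.1
"""
FIXED = ORIGINAL.replace("next-hop 192.168.81.1", "next-hop 192.168.6.1") + """\
set routing-instances RI-VR-LAN instance-type virtual-router
set routing-instances RI-VR-LAN interface reth0.81
set routing-instances RI-VR-LAN routing-options static route 192.168.100.0/24 next-hop 192.168.81.1
"""
ADDR_RE = re.compile(r"^set (?:groups \S+ )?interfaces (\S+) unit (\d+) family inet address (\S+)$")
RI_IF_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")  # inet.0 only

def parse(config):
    """Return ({ifl: ip_interface}, {ifl: routing instance}, [(dest, next_hop)] in inet.0)."""
    addrs, instance, routes = {}, {}, []
    for line in config.splitlines():
        if m := ADDR_RE.match(line):
            ifl = f"{m[1]}.{m[2]}"
            addrs[ifl] = ipaddress.ip_interface(m[3])
            instance.setdefault(ifl, "inet.0")      # default table unless moved into an RI
        elif m := RI_IF_RE.match(line):
            instance[m[2]] = m[1]                   # interface placed into a routing instance
        elif m := ROUTE_RE.match(line):
            routes.append((m[1], m[2]))
    return addrs, instance, routes

def egress_ifl(addrs, instance, next_hop):
    """inet.0 logical interface whose subnet contains next_hop (None if it cannot be resolved)."""
    nh = ipaddress.ip_address(next_hop)
    for ifl, addr in addrs.items():
        if instance[ifl] == "inet.0" and nh in addr.network:
            return ifl
    return None

def check_mgmt_routing(config, mgmt_ifl="fxp0.0"):
    addrs, instance, routes = parse(config)
    # Transit interfaces still sharing inet.0 with fxp0 (the situation the best answer describes).
    shared = sorted(i for i, ri in instance.items() if ri == "inet.0" and i != mgmt_ifl)
    # inet.0 routes leaving via a non-fxp0 interface: management replies to those destinations
    # would exit there rather than fxp0 (an unresolvable next hop is reported too).
    via_transit = [(d, nh, e) for d, nh in routes
                   if (e := egress_ifl(addrs, instance, nh)) != mgmt_ifl]
    return {"shared_interfaces": shared, "routes_via_transit": via_transit}
```

On the original config the check reports the 192.168.100.0/24 route exiting reth0.81; on the fixed config that route now exits fxp0.0, while reth1.0 is still reported as sharing inet.0, which matches the show route output above.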