SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX1500 - Reth

     
    Posted 09-20-2017 03:02

    Hi,

     

    Could someone please clear up a point of confusion for me:

     

    I have configured an "active/active" and also an "active/passive" successfully, but there is one part of the configuration that is confusing me slightly and I am amazed the HA even works because of this:

     

    For the data plane configuration (fab ports) the example (and what I have used) is:

    set interfaces fab0 fabric-options member-interfaces xe-0/0/16

    set interfaces fab0 fabric-options member-interfaces xe-0/0/17

    set interfaces fab0 fabric-options member-interfaces xe-7/0/16

    set interfaces fab0 fabric-options member-interfaces xe-7/0/17

     

    This is all good..... but then, it says "For failover use the following ports for the reth and tie to redundancy groups"

     

    set interfaces xe-6/0/0 gigether-options redundant-parent reth0

    set interfaces xe-6/1/0 gigether-options redundant-parent reth1

    set interfaces xe-18/0/0 gigether-options redundant-parent reth0

    set interfaces xe-18/1/0 gigether-options redundant-parent reth1

     

    Why, if these are mentioned as the "failover data ports", are they completely different to the fab ports? I would have expected them to be the same...... My config works, but I want to understand why it works.

     

    Thanks



  • 2.  RE: SRX1500 - Reth

     
    Posted 09-20-2017 04:10

    Maybe I'm missing the point.... The Data Plane or the Fab ports are for the RTO failover....so, am I right in thinking the following:

     

    Aggregated Ethernet - Grouped together but only have port redundancy, not chassis redundancy.

     

    Reth - Same as AE but because they are tied to a redundant group, they are chassis and port redundant? So, if that's the case then it would make sense as to why they are different ports, and, theoretically, could be any port we want chassis redundancy on?



  • 3.  RE: SRX1500 - Reth
    Best Answer

     
    Posted 09-20-2017 05:16

    Fabric links are used for data exchange between nodes, like session information. And in ideal scenarios the fabric link is not used for data transmission (except in z-mode). The fab config should be as below (Fab1 for Node 1 and Fab0 for Node 0):

     

    set interfaces fab0 fabric-options member-interfaces xe-0/0/16

    set interfaces fab0 fabric-options member-interfaces xe-0/0/17

    set interfaces fab1 fabric-options member-interfaces xe-7/0/16

    set interfaces fab1 fabric-options member-interfaces xe-7/0/17

     

    Since these 2 links are connecting the nodes together, they are not used for failover.

     

     

    Failover is based on the revenue ports, which are used for data transmission through the SRX. Only revenue ports (reth) connect to your LAN/WAN, and doing failover based on those interfaces' status is the design.
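
An added example, not part of the thread and not Juniper tooling: a small Python lint for the fab/reth split described in the answer above. It flags fabric members placed under the wrong fabN and any port configured as both a fabric member and a reth child. The node 1 FPC offset of 7 is an assumption taken from the xe-7/0/16 naming in this thread's fab lines, and `lint`, `node_of` and `QUESTION_CONFIG` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample input: the four fab lines from the original question,
# where every member interface was placed under fab0.
QUESTION_CONFIG = """\
set interfaces fab0 fabric-options member-interfaces xe-0/0/16
set interfaces fab0 fabric-options member-interfaces xe-0/0/17
set interfaces fab0 fabric-options member-interfaces xe-7/0/16
set interfaces fab0 fabric-options member-interfaces xe-7/0/17
"""

FAB_RE = re.compile(
    r"^set interfaces (fab[01]) fabric-options member-interfaces "
    r"([a-z]+-(\d+)/\d+/\d+)\s*$")
RETH_RE = re.compile(
    r"^set interfaces ([a-z]+-\d+/\d+/\d+) \S+-options "
    r"redundant-parent (reth\d+)\s*$")

def node_of(fpc, node1_first_fpc=7):
    # Assumption: node 1 FPC numbers start at 7, as in the thread's xe-7/0/16.
    return 1 if fpc >= node1_first_fpc else 0

def lint(config, node1_first_fpc=7):
    """Return a list of findings for fab/reth 'set' lines in config."""
    findings = []
    fab_members = {}                  # interface name -> fab0/fab1
    reth_members = defaultdict(set)   # rethN -> child interface names
    for line in config.splitlines():
        line = line.strip()
        m = FAB_RE.match(line)
        if m:
            fab, ifname, fpc = m.group(1), m.group(2), int(m.group(3))
            fab_members[ifname] = fab
            expected = f"fab{node_of(fpc, node1_first_fpc)}"
            if fab != expected:
                findings.append(f"{ifname}: under {fab}, expected {expected}")
            continue
        m = RETH_RE.match(line)
        if m:
            reth_members[m.group(2)].add(m.group(1))
    # A port that links the two nodes should not also be a revenue (reth) port.
    for reth, members in sorted(reth_members.items()):
        for ifname in sorted(members & set(fab_members)):
            findings.append(
                f"{ifname}: member of both {fab_members[ifname]} and {reth}")
    return findings
```
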


  • 4.  RE: SRX1500 - Reth

     
    Posted 09-21-2017 01:05

    If that is the case, then maybe you could explain why the following does not work:

     

    I have created an Active/Active that works, no problem, when the two SRX1500s are connected back to back, but when I try and connect them through the core (MX240) I cannot ping out..... (That may be an SRX issue)... let me explain what I have completed and the actual issue:

     

    On the SRX (HA Works):

    set zones security-zone trust interfaces reth1.0

    set interfaces reth1 unit 0 family inet address 192.168.1.1/24

    set interfaces reth1 unit 0 family iso - (For IS-IS)

    set interfaces lo0 unit 0 family iso address 49.0001.1921.6800.1001.00 - (IS-IS NET Address)

    set protocols isis interface reth1.0

    set protocols isis interface lo0.0 passive

     

    On the other end (MX240)

    set interfaces ge-1/5/0 unit 0 family inet address 192.168.1.2/24

    (IS-IS is configured correctly as it works everywhere in the core)

     

    So, if I try and ping from the MX240 to the reth1 address it fails.

    If I ping from the SRX to the MX240 it states: No route to host - There should be no need as they are directly connected.

     

    Route table on the MX240 shows that the route to the 192.168.1.1 address is through the correct interface, but when I complete a:

     

    show route 192.168.1.2 from the SRX, it shows lots of routes as disabled or removed (can't remember which)..... so, it seems there is an issue on the SRX (The Zones states an "any, any, any, permit" rule from trust to trust)

     

    Anyone know please?



  • 5.  RE: SRX1500 - Reth

     
    Posted 09-21-2017 02:31

    Sometimes I think "It is always a simple solution, don't bother the experts" 🙂

     

    I have solved the above issue.... it is always useful to include the isis authentication 🙂

     

    I do have one more simple question though:

     

    If I have 1 SRX in one building and the second SRX in another building and want them running in HA..... do the HA Control ports and the Fabric ports have to be directly connected still for HA? Can they traverse a switch and if so, how?

     

    Thanks



  • 6.  RE: SRX1500 - Reth

    Posted 09-21-2017 02:45

    For deploying SRX HA links over a switched network see page 21 and following in the deployment guide.

     

    https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide.pdf



  • 7.  RE: SRX1500 - Reth

     
    Posted 09-21-2017 07:20

    Hi Steve,

     

    Thank you for your superb help as always..... That document was perfect.... it backed up my theory that the only way you could really achieve HA through other switches was with a dedicated VLAN.... it's the only way I could think of....

     

    Thank you