SRX Transparent Mode Clustering - Unable to ping through

View Only

last person joined: 4 hours ago

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Back to discussions

Expand all | Collapse all

SRX Transparent Mode Clustering - Unable to ping through

Jump to Best Answer

1. SRX Transparent Mode Clustering - Unable to ping through

0 Recommend
shaneharry77
Posted 10-18-2019 04:44

Reply Reply Privately
Hi All,

Could someone please help me with this issue. I have 2 SRX340 to cluster, however I have setup a lab on EVE to configure and test before configuring the SRX340.

I'm unable to ping from the PC on my Trusted zone to the Router on the Untrusted zone. I'm not sure if I'm missing something. Any help will be appreciated

JUNOS 17.3R1.10

I have attached the topology

To confirm all chasis interfaces are up and I have run all the necessary command to make sure the cluster is fine.

PC - 10.10.10.5/24 - Trusted Zone

Router - 10.10.10.1/24 - Untrusted Zone.

Below is the config :

set groups node0 system host-name srx-a
set groups node0 interfaces fxp0 unit 0 family ethernet-switching interface-mode access
set groups node0 interfaces fxp0 unit 0 family ethernet-switching vlan members vlan-254
set groups node0 interfaces irb unit 0 family inet address 192.168.254.53/24

set groups node1 system host-name srx-b
set groups node1 interfaces fxp0 unit 0 family ethernet-switching interface-mode access
set groups node1 interfaces fxp0 unit 0 family ethernet-switching vlan members vlan-254
set groups node1 interfaces irb unit 0 family inet address 192.168.254.54/24
set apply-groups "${node}"

set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-7/0/1
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/2 gigether-options redundant-parent reth1
set interfaces ge-7/0/2 gigether-options redundant-parent reth1

set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family ethernet-switching interface-mode access
set interfaces reth0 unit 0 family ethernet-switching vlan members vlan-10

set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family ethernet-switching interface-mode access
set interfaces reth1 unit 0 family ethernet-switching vlan members vlan-10

set security zones security-zone Trusted
set security zones security-zone Untrusted

set security zones security-zone Trusted host-inbound-traffic system-services all
set security policies from-zone Trusted to-zone Untrusted policy trust-untrust match source-address any
set security policies from-zone Trusted to-zone Untrusted policy trust-untrust match destination-address any
set security policies from-zone Trusted to-zone Untrusted policy trust-untrust match application any
set security policies from-zone Trusted to-zone Untrusted policy trust-untrust then permit

set vlans vlan-10 vlan-id 10
set vlans vlan-254 vlan-id 254
set vlans vlan-254 l3-interface irb.254

set routing-options static route 0.0.0.0/0 next-hop 192.168.254.254

===================================================

SW3- config : Just layer 2

!
interface Ethernet0/0
switchport access vlan 10
switchport mode access
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
!
interface Ethernet0/2
switchport access vlan 10
switchport mode access
!
interface Ethernet0/3
!

===================

SW3- config : Just layer 2

!
interface Ethernet0/0
switchport access vlan 10
switchport mode access
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
!
interface Ethernet0/2
switchport access vlan 10
switchport mode access
2. RE: SRX Transparent Mode Clustering - Unable to ping through
Best Answer

0 Recommend
jonashauge
Posted 10-18-2019 06:35

Reply Reply Privately
There are several issues in the provided config:

fxp0 on each node in the chassis cluster does not support switching. You should change to "family inet address 192.168.254.53/24" instead

To do switching in a chassis cluster you will need a "swfab0 + swfab1" to transport layer2 packets - but ethernet-switching is not supported with vSRX (ref. https://www.juniper.net/documentation/en_US/vsrx/topics/concept/security-vsrx-feature-support.html)

So this setup will be quite different on a vSRX platform. You don't have eg. an SRX300 available to the proof of concept? The transparant part should be similar in a cluster except interface naming.
3. RE: SRX Transparent Mode Clustering - Unable to ping through

0 Recommend
shaneharry77
Posted 10-18-2019 08:58

Reply Reply Privately
Hi,

Thanks for getting back to me. Not completely sure if I understand you. However, I have SRX340 that will be clustering on Monday.

This is the config that I have come up with base onmy understanding of your email. Could you check id I'm right pls.

set groups node0 system host-name srx-a
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.1.52/24
set groups node1 system host-name srx-b
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.1.53/24
set apply-groups "${node}"

set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2

set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-5/0/4 gigether-options redundant-parent reth0
set interfaces ge-0/0/0 gigether-options redundant-parent reth1
set interfaces ge-5/0/0 gigether-options redundant-parent reth1

set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth0 unit 0 family ethernet-switching vlan members vlan10

set interfaces reth1 vlan-tagging

set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth1 unit 0 family ethernet-switching vlan members vlan10

set interfaces irb unit 10 family inet address 10.10.10.1/24

set protocols l2-learning global-mode transparent-bridge

set security zones security-zone Trusted
set security zones security-zone Untrusted
set security zones security-zone Trusted host-inbound-traffic system-services all
set security zones security-zone Untrusted interfaces reth0.0
set security zones security-zone Trusted interfaces reth1.0

set security policies from-zone Trusted to-zone Untrusted policy trust-untrust match source-address any
set security policies from-zone Trusted to-zone Untrusted policy trust-untrust match destination-address any
set security policies from-zone Trusted to-zone Untrusted policy trust-untrust match application any
set security policies from-zone Trusted to-zone Untrusted policy trust-untrust then permit

Thanks

SRX

SRX Transparent Mode Clustering - Unable to ping through

shaneharry7710-18-2019 04:44

jonashauge10-18-2019 06:35Best Answer

shaneharry7710-18-2019 08:58

1. SRX Transparent Mode Clustering - Unable to ping through

2. RE: SRX Transparent Mode Clustering - Unable to ping through Best Answer

3. RE: SRX Transparent Mode Clustering - Unable to ping through

2. RE: SRX Transparent Mode Clustering - Unable to ping through
Best Answer