SRX

Expand all | Collapse all

Going crazy with subinterfaces on SRX300 cluster

Jump to Best Answer
  • 1.  Going crazy with subinterfaces on SRX300 cluster

    Posted 10-10-2018 08:05

    Hi guys, 

    I've been trying to set up subinterfaces on a SRX300 HA cluster and haven't been able to make it work. 

    Straight to the point: I have reth2 and want to have there 2 subinterfaces, one on VLAN 903 (IP 172.30.111.254/24) and the other one on VLAN 904 (IP 172.16.1.254/24). 

     

    This is the configuration set under interfaces (NOTE: I have rebooted both nodes when commited the "family ethernet-switching"):

     

    irb {
        unit 1 {
            family inet {
                address 172.30.111.254/24;
            }
        }
        unit 2 {
            family inet {
                address 172.16.1.254/24;
            }
        }
    }                                
    reth2 {                                 
            redundant-ether-options {           
            redundancy-group 1;             
        }                                   
        unit 0 {                            
            family ethernet-switching {     
                interface-mode trunk;       
                vlan {                      
                    members all;            
                }                           
            }                               
        }                                   
    }                                  

    And this is the configuration under #vlans:

     

    root@DWFW-NODE0> show configuration vlans 
    vlan903 {
        vlan-id 903;
        l3-interface irb.1;
    }
    vlan904 {
        vlan-id 904;
        l3-interface irb.2;
    }
    

    And here the security zone configuration:

    root@DWFW-NODE0> show configuration security zones security-zone trust 
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        reth1.0;
        irb.1;
        irb.2;
    }
    

     

    But from my laptop connected to any of those VLANs I'm not able to ping the firewalls either on IPs 172.16.1.254 or 172.30.111.254

     

    Any clue what might be missing here?

     

    Thanks in advance

     



  • 2.  RE: Going crazy with subinterfaces on SRX300 cluster

    Posted 10-10-2018 08:10

    Forgot to say that the FW interface is connected to a switchport on trunk mode



  • 3.  RE: Going crazy with subinterfaces on SRX300 cluster

    Posted 10-10-2018 08:35

    Hi Trasgu,

     

    Can you share the following operational mode commands from the SRX?

     

    • show vlans
    • show interfaces terse vlan
    • show arp interface irb.2 no-resolve
    • show arp interface irb.1 no-resolve

    Also whats the version running in the SRX? Family Ethernert-switching is supported on reth interfaces until 15.1X49-D50.

     

    Are vlans 904 and 903 permitted over that trunk, on the switch side? 

    Any firewall filters dropping the pings on the SRX?

     



  • 4.  RE: Going crazy with subinterfaces on SRX300 cluster
    Best Answer

    Posted 10-10-2018 11:13

    When applying ethernet-switching you to configure "swfab0" and "swfab1" for switching fabric between the cluster nodes. I suspect you only configured your control and ordinary fabric link.

    More info here: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21422

     

    ...but I suspect you don't need ethernet-switching and can just create it a logical vlan interfaces on reth2 which I've made an example for below. Remember to remove reth2.0 family ethernet-switching as it cannot coexist on the interface.

     

    user@fw# show interfaces reth2
    vlan-tagging;
    unit 903 {
        vlan-id 903;
        family inet {
            address 172.30.111.254/24;
        }
    }
    unit 904 {
        vlan-id 904;
        family inet {
            address 172.16.1.254/24;
        }
    }
    
    [edit]
    user@fw> show configuration security zones security-zone trust 
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        reth1.0;
        reth2.903;
        reth2.904;
    }


  • 5.  RE: Going crazy with subinterfaces on SRX300 cluster

    Posted 10-11-2018 05:34

    Thanks jonashauge, it worked fine!

     

    I'm not sure if i get what you mean about swfab... I have interface 0/0 has HA Mgmt interface (fxp0), 0/1 as Control Link (fxp1) and 0/2 as Ha Fabric Link (fab)...

     

     



  • 6.  RE: Going crazy with subinterfaces on SRX300 cluster

    Posted 10-11-2018 06:44

    Hi Trasgu,

     

    the swfab0 and swfab1 are used if you actually want ethernet-switching on your SRX cluster... Then you will need a fabric link for "ordinary" traffic and a fabric link for layer2 (vlanX->vlanX) traffic. In this scenario you configure swfab0 and swfab1 on top of fab0 and fab1.

     

    But in general you are usually better of keeping layer2 switching away from your SRX cluster - keep that traffic in your switches 🙂



  • 7.  RE: Going crazy with subinterfaces on SRX300 cluster

     
    Posted 10-10-2018 16:42

    I build SRX clusters pretty often and thought i'll documenting the process. I have typed up this article (not tested yet), but am confident it covers all the steps needed to build a cluster on the SRX platform.

     

    The "how to" or Step by Step" Juniper SRX300, 320, 340, 345 clustering guide.

     

    Minimum Junos Version: 12.1X47-D10

     

    • SRX300 Control Ports: Connect ge-0/0/1 on node 0 to ge-0/0/1 on node 1. < -- Becomes the fxp0 interfaces
    • SRX300 Fabric Ports: Connect ge-0/0/0 on node 0 to ge-0/0/0 on node 1. < -- Becomes the fab0/1 interfaces

    Depending on your SRX model this will be the port re-numbering scheme applied:

     

    • SRX300 : ge-0/0/1 interface on node 1 changes to ge-1/0/1
    • SRX320 : ge-0/0/1 interface on node 1 changes to ge-3/0/1
    • SRX340/345 : ge-0/0/1 interface on node 1 changes to ge-5/0/1

     General Notes:

     

    1. Interconnect the control interfaces: connect interface srx0 ge-0/0/1 to srx1 ge-0/0/1
    2. Interconnect the fabric interfaces: connect interface srx0 ge-0/0/2 to srx1 ge-0/0/2
    3. Connect the physical interfaces you intend to send network traffic over directly to the same switch initially.
    4. Connect Network Interfaces to the switch: connect interface ge-0/0/3 and ge-0/0/4 to your switch for both srx0 and srx1.
    5. !! Do not put the switch ports into any kind of LAG configuration !!
    6. Configure the switch ports as access ports (no vlanning) to simplify initial trouble shooting, once the cluster and ports are functional you can switch ports to trunk and pass multiple vlans.
    7. All configurations are done via the SRX direct or usb-to-serial management port.

     On srx0 and srx1:

    Clear the config on both devices and set the root password.
    set system root authentication plaintext-password
    set protocols l2-learning global-mode switching
    commit

    On srx0:

    set chassis cluster cluster-id 1 node 0 reboot

    On srx1:

    set chassis cluster cluster-id 1 node 1 reboot

    Review:

    run show chassis cluster status
    
    Cluster ID: 1
    Node                  Priority          Status    Preempt  Manual failover
    
    Redundancy group: 0 , Failover count: 1
        node0                   100         primary        no       no
        node1                   1           secondary      no       no
    
    Redundancy group: 1 , Failover count: 1
        node0                   0           primary        no       no
        node1                   0           secondary      no       no

    After the cluster is built configure management:

    set groups node0 system host-name srx300-node0
    set groups node0 interfaces fxp0 unit 0 family inet address 10.1.1.1/24
    set groups node1 system host-name srx300-node1
    set groups node1 interfaces fxp0 unit 0 family inet address 10.1.1.2/24
    set apply-groups "${node}"
    commit

    Review:

    run show interfaces terse | match fxp0
    
    fxp0                    up    up
    fxp0.0                  up    up   inet     10.1.1.1/24

    Configure the chassis cluster fabric:

    set interfaces fab0 fabric-options member-interfaces ge-0/0/2
    set interfaces fab1 fabric-options member-interfaces ge-1/0/2
    commit

    Review:

    run show interfaces terse | match fab
    
    ge-0/0/2.0              up    up   aenet    --> fab0.0
    ge-1/0/2.0              up    up   aenet    --> fab1.0
    fab0                    up    up
    fab0.0                  up    up   inet     30.17.0.200/24
    fab1                    up    up
    fab1.0                  up    up   inet     30.18.0.200/24

    run show chassis cluster data-plane interfaces

    fab0:
    Name Status
    ge-0/0/2 up
    fab1:
    Name Status
    ge-1/0/2 up

    Verification:

    run show chassis cluster data-plane statistics
    
    Services Synchronized:
        Service name                              RTOs sent    RTOs received
        Translation context                       0            0
        Incoming NAT                              0            0
        Resource manager                          0            0
        DS-LITE create                            0            0
        Session create                            1428919      0
        IPv6 session create                       0            0
        Session close                             537639       0
        IPv6 session close                        0            0
        Session change                            130005       0
        IPv6 session change                       0            0
        ALG Support Library                       121          0
        Gate create                               0            0
        Session ageout refresh requests           0            10241
        IPv6 session ageout refresh requests      0            0
        Session ageout refresh replies            9513         0
        IPv6 session ageout refresh replies       0            0
        IPSec VPN                                 9            0
        Firewall user authentication              0            0
        MGCP ALG                                  0            0
        H323 ALG                                  0            0
        SIP ALG                                   0            0
        SCCP ALG                                  0            0
        PPTP ALG                                  0            0
        JSF PPTP ALG                              0            0
        RPC ALG                                   0            0
        RTSP ALG                                  0            0
        RAS ALG                                   0            0
        MAC address learning                      0            0
        GPRS GTP                                  0            0
        GPRS SCTP                                 0            0
        GPRS FRAMEWORK                            0            0
        JSF RTSP ALG                              0            0
        JSF SUNRPC MAP                            0            0
        JSF MSRPC MAP                             0            0
        DS-LITE delete                            0            0
        JSF SLB                                   0            0
        APPID                                     0            0
        JSF MGCP MAP                              0            0
        JSF H323 ALG                              0            0
        JSF RAS ALG                               0            0
        JSF SCCP MAP                              0            0
        JSF SIP MAP                               0            0
        PST_NAT_CREATE                            0            0
        PST_NAT_CLOSE                             0            0
        PST_NAT_UPDATE                            0            0
        JSF TCP STACK                             0            0
        JSF IKE ALG                               0            0
    

    Clear stats if needed:

    run clear chassis cluster data-plane statistics

    Configure the chassis cluster interfaces:

    set chassis cluster redundancy-group 0 node 0 priority 100
    set chassis cluster redundancy-group 0 node 1 priority 1
    set chassis cluster redundancy-group 1 node 0 priority 100
    set chassis cluster redundancy-group 1 node 1 priority 1
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-1/0/3 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-1/0/4 weight 255
    set chassis cluster reth-count 2
    commit

     Configure redundant interfaces:

    set interfaces ge-0/0/3 gigether-options redundant-parent reth0
    set interfaces ge-1/0/3 gigether-options redundant-parent reth0
    
    *******************************************************************
    Access Port Mode:
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 unit 0 family inet address 172.30.111.254/24
    
    OR
    
    Trunk Port Mode:
    set interfaces reth0 vlan-tagging
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 unit 903 family inet address 172.30.111.254/24
    
    Or 
    
    Trunk Port Mode Multiple Sub Interfaces:
    set interfaces reth0 vlan-tagging
    set interfaces reth0 unit 903 family inet address 172.30.111.254/24
    set interfaces reth0 unit 904 family inet address 172.16.1.254/24
    *******************************************************************
    
    set interfaces ge-0/0/4 gigether-options redundant-parent reth1
    set interfaces ge-1/0/4 gigether-options redundant-parent reth1
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 unit 0 family inet address 172.16.1.254/24
    
    commit
    *******************************************************************
    Same Applies for Access/Trunk or Mutliple Sub Interfaces as above.
    The rest of this configuartion is built around access interfaces.
    *******************************************************************

    Add the interfaces to the security zone:

    set security zones security-zone trust host-inbound-traffic system-services ping
    set security zones security-zone trust interfaces reth0.0

    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces reth1.0
    commit

    Verification:

    run show chassis cluster status
    
    Cluster ID: 1
    Node                       Priority     Status    Preempt  Manual failover
    
    Redundancy group: 0 , Failover count: 1
        node0                   100         primary   no       no
        node1                   1           secondary no       no
    
    Redundancy group: 1 , Failover count: 1
        node0                   0           primary   no       no
        node1                   0           secondary no       no
    
    #run show chassis cluster interfaces

    Control link name: em0 Redundant-ethernet Information: Name Status Redundancy-group reth0 Up 1 reth1 Up 1 Interface Monitoring: Interface Weight Status Redundancy-group ge-0/0/3 255 Up 1 ge-0/0/4 255 Up 1 ge-1/0/3 255 Up 1 ge-1/0/4 255 Up 1

    Verification:

    run show chassis cluster statistics
    Control link statistics:
        Control link 0:
            Heartbeat packets sent: 2276
            Heartbeat packets received: 2280
            Heartbeat packets errors: 0
    Fabric link statistics:
        Child link 0
            Probes sent: 2272
            Probes received: 597
    Services Synchronized:
        Service name                              RTOs sent    RTOs received
        Translation context                       0            0
        Incoming NAT                              0            0
        Resource manager                          6            0
        Session create                            161          0
        Session close                             148          0
        Session change                            0            0
        Gate create                               0            0
        Session ageout refresh requests           0            0
        Session ageout refresh replies            0            0
        IPSec VPN                                 0            0
        Firewall user authentication              0            0
        MGCP ALG                                  0            0
        H323 ALG                                  0            0
        SIP ALG                                   0            0
        SCCP ALG                                  0            0
        PPTP ALG                                  0            0
        RPC ALG                                   0            0
        RTSP ALG                                  0            0
        RAS ALG                                   0            0
        MAC address learning                      0            0
        GPRS GTP                                  0            0

    Verification:

    run show chassis cluster control-plane statistics
    Control link statistics:
        Control link 0:
            Heartbeat packets sent: 2294
            Heartbeat packets received: 2298
            Heartbeat packets errors: 0
    Fabric link statistics:
        Child link 0
            Probes sent: 2290
            Probes received: 615

    Verification:

    run show chassis cluster status redundancy-group 1
    
    Cluster ID: 1
        Node               Priority    Status    Preempt  Manual failover
    
    	Redundancy group: 1, Failover count: 1
        node0              100          primary   no       no
        node1              50           secondary no       no

    Create a test policy:

    !! NOTE You need to delete/disable this before going into production !!

    set security policies global policy FullAccessTest match source-address any
    set security policies global policy FullAccessTest match destination-address any
    set security policies global policy FullAccessTest match application any
    set security policies global policy FullAccessTest then permit

    Troubleshooting logs:

    run show log jsrpd
    run show log chassisd
    run show log messages
    run show log dcd

     

    Still to complete:

    1) Configure security policies to allow traffic between zones.
    2) Configuring NAT'ting if required.
    3) Configure routing-options.
    4) Configure untrust zone screening

     

    Hopefully that works for you 🙂

     

     

     

     



  • 8.  RE: Going crazy with subinterfaces on SRX300 cluster

    Posted 10-11-2018 05:36

    Useful, thanks!