SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Can't perform Ping between Juniper SRX and Cisco Nexus

    Posted 12-31-2021 05:32
    Hi Team,

    I need your support.
    Referring to the image below, I can't ping between the Nexus and the SRX.

    The Nexus switches are in vPC domain mode and the SRX is in cluster mode (without a secondary node for the moment).
    I created a routing instance and zones on the SRX side and a VRF on the Nexus side.
    Zone 01: Backup-1, interface reth0.1001 (Vlan 1001)
    Zone 02: Backup-2, interface reth0.2001 (Vlan 2001)

    SRX ge-0/0/1 and ge-0/0/2 have reth0 as parent interface with:
    reth0.1001 (Vlan 1001) IP address 10.128.10.254/24  -  10.128.10.1/24 from Nexus VRF side = ping doesn't work
    reth0.2001 (Vlan 2001) IP address 10.128.20.254/24  -  10.128.20.1/24 from Nexus VRF side = ping doesn't work

    The ping service is allowed in each zone, and I created a global policy and a default policy with a permit action.
    Please see the attached Nexus and SRX configurations.

    I don't know what's wrong.


    ------------------------------
    WYA ABU
    ------------------------------

    Attachment(s): Nexus Config.txt (1 KB), SRX Config.txt (2 KB)


  • 2.  RE: Can't perform Ping between Juniper SRX and Cisco Nexus

    Posted 12-31-2021 05:37
    It looks like you are trying to configure a LAG but have used redundant ethernet instead on the Junos side.

    You need to configure aggregated ethernet ae interfaces instead of reth interfaces.

    https://www.juniper.net/documentation/en_US/junos/topics/example/chassis-cluster-lag-lacp-configuring-cli.html

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Can't perform Ping between Juniper SRX and Cisco Nexus

    Posted 01-01-2022 09:24
    Hi Steve,

    Based on the links below, we can configure LACP on a reth interface too.
    I think the ping issue could be a configuration problem.
    I permit in the global policy and the default policy too, but same issue.
    Maybe I have to permit an intra-zone policy.
    Have you checked my configuration file?

    https://www.juniper.net/documentation/us/en/software/junos/chassis-cluster-security-devices/topics/topic-map/security-chassis-cluster-redundant-ethernet-lag-interfaces.html

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB22474&cat=switch_products&actp=LIST

    "The Link Aggregation Control Protocol (LACP) provides additional functionality for LAGs. LACP is supported in standalone deployments, where aggregated Ethernet interfaces are supported, and in chassis cluster deployments, where aggregated Ethernet interfaces and redundant Ethernet interfaces are supported simultaneously.
    You configure LACP on a redundant Ethernet interface by setting the LACP mode for the parent link with the lacp statement. The LACP mode can be off (the default), active, or passive."



    ------------------------------
    WYA ABU
    ------------------------------



  • 4.  RE: Can't perform Ping between Juniper SRX and Cisco Nexus

    Posted 01-01-2022 09:28
    Sorry that I was not clear. The issue is NOT LACP at all.

    There are two different IEEE standards; both can use LACP options.
    Aggregated ethernet
    Redundant ethernet

    When you configure a Cisco port channel, this is the IEEE aggregated ethernet.
    The Junos matching configuration is ae interfaces.

    Junos reth interfaces are the implementation of the redundant ethernet standard, not the aggregated one.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: Can't perform Ping between Juniper SRX and Cisco Nexus

    Posted 01-01-2022 14:03
    Hi Steve,

    Can an ae interface replace a reth interface in an SRX cluster design?
    I mean, instead of configuring a reth interface, should I configure an ae interface in my design?


    Regards

    ------------------------------
    WYA ABU
    ------------------------------



  • 6.  RE: Can't perform Ping between Juniper SRX and Cisco Nexus

    Posted 01-02-2022 08:43
    Redundant ethernet reth interfaces are used for SRX clusters that are configured as Active/Passive, where one SRX node is the device passing traffic and the other is in standby to take over.

    In this mode one interface on each physical device is added to the reth interface in specific matching pairs.

    Then, when failover occurs, the traffic handled by the reth interface moves from one physical device/port to the other one.

    On the other side of these ports, on the connected switch, the two ports are simply in the same VLAN and configured the same, as either untagged single-VLAN access ports or multi-VLAN trunk ports with identical configuration. The redundant ethernet standard and failover process prevent any loops from occurring on the SRX side.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: Can't perform Ping between Juniper SRX and Cisco Nexus

    Posted 01-10-2022 10:46
    Edited by Michael Pappas 01-19-2022 10:50
    Hi Steve,

    I understood your answer correctly, but in my case, what should I do to get ping working between the Nexus VRF and the SRX VR instance?
    The Nexus switch must be in a virtual port channel domain and its ports have to be in LACP active mode. The SRX also must be in cluster mode with a reth interface facing the Nexus. I activated LACP passive mode on the reth interface.
    I opened all flows on the SRX to permit reachability between both devices.

    Thanks for your support.
    I put my SRX configuration below:

    root# show
    chassis {
        cluster {
            reth-count 1;
            redundancy-group 0 {
                node 0 priority 200;
                node 1 priority 100;
            }
            redundancy-group 1 {
                node 0 priority 200;
                node 1 priority 100;
                preempt;
            }
        }
    }
    security {
        policies {
            global {
                policy GLP {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone Backup-1 {
                host-inbound-traffic {
                    system-services {
                        any-service;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth0.1001;
                }
            }
            security-zone Backup-2 {
                host-inbound-traffic {
                    system-services {
                        any-service;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth0.2001;
                }
            }
        }
    }
    interfaces {
        ge-0/0/1 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/2 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        reth0 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
                lacp {
                    passive;
                    periodic fast;
                }
            }
            unit 1001 {
                description "BACKUP 1";
                vlan-id 1001;
                family inet {
                    address 10.128.10.254/24;
                }
            }
            unit 2001 {
                description "BACKUP 2";
                vlan-id 2001;
                family inet {
                    address 10.128.20.254/24;
                }
            }
        }
    }
    routing-instances {
        BACKUP {
            interface reth0.1001;
            interface reth0.2001;
            instance-type virtual-router;
        }
    }

    {primary:node0}[edit]


    ------------------------------
    WYA ABU
    ------------------------------
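A quick way to check a Junos configuration like the one posted above for the zone-side conditions that ping to the SRX's own reth addresses needs (ping or any-service allowed as a host-inbound system service, every routing-instance interface placed in a security zone, and the protocols block nested under host-inbound-traffic). This is an added Python check, not code from the thread or from Juniper; it assumes only standard Junos brace/semicolon `show` output and runs over a constructed sample modelled on the posted config with faults injected.

```python
"""Added example (not from the thread): parse Junos brace/semicolon 'show' output
and list the zone-side conditions that block ping to the SRX's own addresses."""
import re

def parse_junos(text):
    """Nested dict: block name -> children; plain statements map to None."""
    root = cur = {}
    stack, key = [], None
    for tok in filter(None, (t.strip() for t in re.findall(r"[{};]|[^{};]+", text))):
        if tok == "{":                 # open a block under the pending key
            stack.append(cur)
            cur[key] = cur = {}        # attach the new block, then descend into it
        elif tok == "}":               # close the block, back to its parent
            cur = stack.pop()
        elif tok == ";":               # terminate a statement
            cur[key] = None
        else:                          # a block name or statement, e.g. "vlan-id 1001"
            key = tok
    return root

def zone_ping_findings(cfg):
    """Findings as strings; an empty list means the zone/instance side permits ping."""
    findings, zoned = [], set()
    zones = cfg.get("security", {}).get("zones", {})
    for name, zone in zones.items():
        if not name.startswith("security-zone "):
            continue
        svcs = set((zone.get("host-inbound-traffic") or {}).get("system-services") or {})
        if not svcs & {"any-service", "ping"}:
            findings.append(f"{name}: ping is not an allowed host-inbound system-service")
        if "protocols" in zone:        # valid only inside host-inbound-traffic
            findings.append(f"{name}: 'protocols' block sits outside host-inbound-traffic")
        zoned.update(zone.get("interfaces") or {})
    for ri, body in cfg.get("routing-instances", {}).items():
        for stmt in body:
            if stmt.startswith("interface ") and stmt.split()[1] not in zoned:
                findings.append(f"{ri}: {stmt.split()[1]} is in no security zone")
    return findings

# Constructed sample modelled on the posted config, with three faults injected.
SAMPLE = """
security { zones {
  security-zone Backup-1 { host-inbound-traffic { system-services { any-service; } }
                           interfaces { reth0.1001; } }
  security-zone Backup-2 { host-inbound-traffic { system-services { ssh; } }
                           protocols { all; } interfaces { reth0.2001; } } } }
routing-instances { BACKUP { interface reth0.1001; interface reth0.2001;
                             interface reth0.3001; instance-type virtual-router; } }
"""
```

Run `zone_ping_findings(parse_junos(open("srx.conf").read()))` on a real `show` capture; an empty list clears the zone side, so the remaining suspects are the reth/port-channel mismatch and the Nexus VRF side discussed in the thread.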