SRX


SRX cluster with EX switches

  • 1.  SRX cluster with EX switches

    Posted 11-24-2020 09:51
    Hello,

    I need some guidance regarding the SRX and EX setup I'm trying. Please can someone validate the design, if this is the best way to achieve the requirements below:

    1) Failover between SRX hardware
    2) Failover between EX switches

    I'm using Active/passive configuration for SRX, and plan to connect switches in virtual cluster mode.

    I'm at a stage where, if I plug a laptop into one of the switches (SW2), I get a DHCP lease from the reth4.20 interface; however, I'm not able to ping the internet (8.8.8.8), nor the default gateway of the subnet from which the laptop gets its IP lease. Also, when I plug the laptop into SW1 on a VLAN 20 access port, I don't get any DHCP lease.

    Please can someone guide me on where I am going wrong? Below is the config.

    Thanks in advance.

    root@srx320-poe-01# run show configuration 
    ## Last commit: 2020-11-24 15:35:11 GST by
    version 20200407.122723_builder.r1099298;
    groups {
        node0 {
            system {
                host-name srx320-poe-01;
                backup-router 10.10.10.1 destination 0.0.0.0/0;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.10.10.195/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name srx320-poe-02;
                backup-router 10.10.10.1 destination 0.0.0.0/0;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.10.10.196/24;
                        }
                    }
                }
            }
        }
    }
    apply-groups "${node}";
    system {
        root-authentication {
            encrypted-password ""; ## SECRET-DATA
        }
        login {
            user admin {
                full-name "Admin";
                uid 100;
                class super-user;
                authentication {
                    encrypted-password ""; ## SECRET-DATA
                }
            }
        }
        services {
            ssh {
                root-login allow;
                connection-limit 5;
            }
            netconf {
                ssh;
            }
            dhcp-local-server {
                group DATA {
                    interface reth4.20;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                    interface all;
                }
            }
        }
        time-zone Asia/Dubai;
        name-server {
            8.8.8.8;
            8.8.4.4;                        
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    chassis {
        cluster {
            control-link-recovery;
            reth-count 8;
            heartbeat-interval 2000;
            redundancy-group 0 {
                node 0 priority 200;
                node 1 priority 100;
            }
            redundancy-group 4 {
                node 0 priority 200;
                node 1 priority 100;
                preempt;
            }
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;  
                            }
                        }
                    }
                }
            }
            proxy-arp {
                interface dl0.0 {
                    address {
                        9x.x.x.x/32;
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                        dhcp;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                    reth4.10;
                    reth4.20 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                                traceroute;
                                dhcp;
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    reth4.30;
                }
            }
            security-zone untrust {
                screen untrust-screen;      
                host-inbound-traffic {
                    system-services {
                        ssh;
                        https;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    dl0.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/2 {
            description FABRIC;
        }
        ge-0/0/3 {
            gigether-options {
                redundant-parent reth4;
            }
        }
        ge-0/0/4 {
            gigether-options {
                redundant-parent reth4;
            }
        }
        cl-1/0/0 {
            dialer-options {
                pool 1 priority 1;
            }
            act-sim 1;
            cellular-options {
                sim 1 {
                    select-profile profile-id 1;
                    radio-access automatic;
                    gateway x.x.x.x/32;
                }
            }
        }
        ge-3/0/3 {
            gigether-options {
                redundant-parent reth4;
            }
        }
        ge-3/0/4 {
            gigether-options {
                redundant-parent reth4;
            }
        }
        cl-4/0/0 {
            dialer-options {
                pool 1;
                pool 2 priority 1;
            }
            act-sim 1;
            cellular-options {
                sim 1 {
                    select-profile profile-id 1;
                    radio-access automatic;
                }
            }
        }
        dl0 {
            unit 0 {
                family inet {
                    negotiate-address;
                }
                dialer-options {
                    pool 1;                 
                    dial-string [ 1234 "***#" ];
                    route 0.0.0.0/0;
                    always-on;
                }
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/2;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-3/0/2;
                }
            }
        }
        irb {
            unit 0 {
                family inet;
            }
        }
        reth3 {
            vlan-tagging;
        }
        reth4 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 4;
            }
            unit 10 {
                vlan-id 10;
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 20 {
                vlan-id 20;
                family inet {
                    address 172.16.16.1/24 {
                        primary;
                    }
                }
            }
            unit 30 {
                vlan-id 30;
                family inet {
                    address 172.16.17.1/24;
                }
            }
        }
        swfab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/6;
                }
            }
        }
        swfab1 {
            fabric-options {
                member-interfaces {
                    ge-3/0/6;
                }
            }
        }
    }
    access {
        address-assignment {
            pool DATA {                     
                family inet {
                    network 172.16.16.0/24;
                    range r1 {
                        low 172.16.16.20;
                        high 172.16.16.250;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                        }
                        router {
                            172.16.16.1;
                        }
                    }
                }
            }
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        lldp {
            interface reth4;
        }
        rstp {
            interface all;
        }
    }
    poe {
        interface all;
    }
    routing-options {
        static {
            route 10.10.10.0/24 next-hop 10.10.10.1;
            route 0.0.0.0/0 next-hop dl0.0;
        }
    }
    
    {primary:node0}[edit]
    root@srx320-poe-01#




  • 2.  RE: SRX cluster with EX switches

    Posted 11-24-2020 22:59
    I don't know why you are configuring proxy-arp.

    You cannot use the same reth interface to connect to both switches like that. You should change the interface connecting to SW2 to a different reth interface and then create a VLAN with an irb, where the irb interface has the IP addresses (172.16.16.1 for VLAN 20) instead.

    Also, can you ping the internet from the SRX?  

    Try debug a packet flow.

    https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110

    That will tell you where the traffic flow creation is failing.

    Regards,

    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------



  • 3.  RE: SRX cluster with EX switches

    Posted 11-25-2020 02:27
    Hi Ylara,

    Thanks for your response.

    I was actually following this design (attached srx-design.JPG) from an instructor of an SRX/EX cluster course on Udemy, as it meets my requirement; however, that course is based on older SRX/EX OS versions, hence I'm getting it validated for current times. In that design he is using LAG on the reth0 interfaces and ae on the switches. I've tried doing LAG and ae as well, but I got similar behavior (DHCP on VLAN 20 not available on SW1), therefore I removed the LAG and ae to troubleshoot with single links. He did make the EX switches into a virtual chassis cluster; does that make a difference? As of now my EX switches are acting standalone. I've ordered DAC SFP+ cables for converting the EX switches to a virtual chassis cluster.

    I read in one of the KBs that VLAN tagging should be preferred for the reth interface over separately creating irb L3 interfaces.

    Sorry, please ignore the proxy-arp configuration; it will be removed.

    Yes, I'm able to ping the internet from the SRX:

    root@srx320-poe-01# run ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=113 time=274.457 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=27.270 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=87.339 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=113 time=44.703 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=113 time=43.391 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=113 time=43.518 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    6 packets transmitted, 6 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 27.270/86.780/274.457/85.916 ms

    I'll try the debug packet flow and update the post.


  • 4.  RE: SRX cluster with EX switches

    Posted 11-25-2020 11:58
    Oh ok! That design has the two switches connected in a virtual chassis.

    If the two switches are NOT in a virtual chassis but are two separate standalone switches you have two options: 


    Also, having VLAN tagging on the reth interface and an irb L3 interface are NOT mutually exclusive. The difference is whether the reth interface is L3 and has the IP address configured, OR the reth is L2 and the irb is the interface with the IP address.

    Regards,

    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------



  • 5.  RE: SRX cluster with EX switches

    Posted 11-26-2020 08:01
    Hi Yasmin,

    Thanks for the detailed design options.

    In the second option with standalone switches, as you said, the IP will be on irb.20, but in the diagram you've written reth4.20 above the IP. Please can you clarify whether the config below would be correct if the design were the second option?

    irb {
        unit 0 {
            family inet;
        }
        unit 10 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 20 {
            family inet {
                address 172.16.16.1/24;
            }
        }
        unit 30 {
            family inet {
                address 172.16.17.1/24;
            }
        }
    }

    reth4 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 4;
        }
        unit 10 {
            vlan-id 10;
        }
        unit 20 {
            vlan-id 20;
        }
        unit 30 {
            vlan-id 30;
        }
    }

    dhcp-local-server {
        group DATA {
            interface irb.20;
        }
        group MGMT {
            interface irb.10;
        }
        group WLAN {
            interface irb.30;
        }
    }

    [edit security zones security-zone trust interfaces]
    irb.20 {
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
                traceroute;
                dhcp;
            }
            protocols {
                all;
            }
        }
    }
    irb.10 {
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
                dhcp;
                traceroute;
            }
            protocols {
                all;
            }
        }
    }
    irb.30 {
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
                dhcp;
                traceroute;
            }
            protocols {
                all;
            }
        }
    }
    I'm struggling to do the debug packet flow. I've followed the KB and configured the below, but it seems to be unsuccessful; the file basic-datapath seems to be empty or not capturing any traffic. I had tried to source the ping from IP address 172.16.16.1 to 8.8.8.8.

    {primary:node0}[edit]
    root@srx320-poe-01# show security flow 
    traceoptions {
        file basic-datapath;
        packet-filter MatchTraffic {
            source-prefix 172.16.16.1/32;
            destination-prefix 8.8.8.8/32;
        }
        packet-filter MatchTrafficReverse {
            source-prefix 8.8.8.8/32;
            destination-prefix 172.16.16.1/32;
        }
    }
    
    {primary:node0}[edit]
    root@srx320-poe-01# run show log basic-datapath 
    
    {primary:node0}[edit]
    root@srx320-poe-01#

    Many thanks for your guidance & appreciate your support :)

    KR
    Zeeshan




  • 6.  RE: SRX cluster with EX switches

    Posted 11-26-2020 11:56
    In the diagram, I meant to show you that the IP addresses were removed from the reth. They need to be configured as L2, and you also need to configure the VLANs, like this:

    set vlans v20 vlan-id 20
    set vlans v20 l3-interface irb.20
    set interfaces reth4 unit 20 family ethernet-switching vlan members v20
    set interfaces reth5 unit 20 family ethernet-switching vlan members v20



    And for the packet filter, try removing the 172.16.16.1 address.

    {primary:node0}[edit]
    set security flow traceoptions file basic-datapath
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter MatchTraffic destination-prefix 8.8.8.8/32
    set security flow traceoptions packet-filter MatchTrafficReverse source-prefix 8.8.8.8/32

    IMPORTANT: This option will work only if your SRX supports switching mode. 

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB31081

    https://www.juniper.net/documentation/en_US/junos/topics/example/security-mixed-mode-configuring.html

    http://cdn2.hubspot.net/hubfs/213747/Juniper/Assets/Ethernet_Switching_Configuration_Guide_for_SRX_Series_-_App_Note.pdf?t=1472249094610


    Regards,

    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------
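The following is an added example, not posted by anyone in this thread and not Juniper's own reference configuration. It writes out the L2-reth-plus-irb design described in replies 2, 4 and 6 as a complete set of Junos `set`/`delete` statements against the hierarchy already shown in the original configuration, and ends with the flow trace from reply 6. Assumptions: the SRX320 is running in switching mode (ELS syntax, `interface-mode trunk` on unit 0 rather than a tagged unit per VLAN); the second uplink pair towards SW2 is named reth5 with member ports ge-0/0/5 and ge-3/0/5 (placeholder names, not from the thread); the existing DHCP pool DATA and redundancy-group 4 are reused unchanged. The `flag basic-datapath` line is the statement the empty log file in reply 5 was missing: `traceoptions` writes nothing to the file until at least one flag is enabled.

```junos
## Added example (not from the thread). SRX320 chassis cluster, switching mode.
## reth5 / ge-0/0/5 / ge-3/0/5 are assumed names for the uplinks to SW2.

## 1. Remove the L3 sub-units and their zone references from reth4.
##    The zone still lists reth4.10/20/30, so the commit fails unless these go too.
delete security zones security-zone trust interfaces reth4.10
delete security zones security-zone trust interfaces reth4.20
delete security zones security-zone trust interfaces reth4.30
delete interfaces reth4 vlan-tagging
delete interfaces reth4 unit 10
delete interfaces reth4 unit 20
delete interfaces reth4 unit 30
delete security nat proxy-arp

## 2. One reth per switch, both in redundancy-group 4, both L2 trunks carrying
##    VLANs 10/20/30. No IP address lives on the reth any more.
set interfaces ge-0/0/3 gigether-options redundant-parent reth4
set interfaces ge-3/0/3 gigether-options redundant-parent reth4
set interfaces ge-0/0/5 gigether-options redundant-parent reth5     ## assumed ports
set interfaces ge-3/0/5 gigether-options redundant-parent reth5     ## assumed ports
set interfaces reth4 redundant-ether-options redundancy-group 4
set interfaces reth5 redundant-ether-options redundancy-group 4
set interfaces reth4 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth4 unit 0 family ethernet-switching vlan members [ v10 v20 v30 ]
set interfaces reth5 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth5 unit 0 family ethernet-switching vlan members [ v10 v20 v30 ]

## 3. VLANs, each with its irb as the L3 gateway (same addresses as the original
##    reth4 units, so the DHCP pool DATA and its router option still match).
set protocols l2-learning global-mode switching
set vlans v10 vlan-id 10
set vlans v10 l3-interface irb.10
set vlans v20 vlan-id 20
set vlans v20 l3-interface irb.20
set vlans v30 vlan-id 30
set vlans v30 l3-interface irb.30
set interfaces irb unit 10 family inet address 192.168.1.1/24
set interfaces irb unit 20 family inet address 172.16.16.1/24
set interfaces irb unit 30 family inet address 172.16.17.1/24

## 4. DHCP server binds to the irb, and the trust zone must admit DHCP (and the
##    host services you actually need) on the irb, not on the reth.
set system services dhcp-local-server group DATA interface irb.20
set security zones security-zone trust interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces irb.20 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces irb.20 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces irb.30 host-inbound-traffic system-services ping

## 5. Flow trace towards 8.8.8.8 with no source prefix, as suggested in reply 6.
##    'flag basic-datapath' is required; file and packet-filter alone log nothing.
set security flow traceoptions file basic-datapath size 10m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter MatchTraffic destination-prefix 8.8.8.8/32
set security flow traceoptions packet-filter MatchTrafficReverse source-prefix 8.8.8.8/32
commit
```

After the commit, generate traffic from the laptop and read the trace with `run show log basic-datapath`; `run show security flow session destination-prefix 8.8.8.8` confirms whether a session was created at all. The trace writes on every matching packet, so `delete security flow traceoptions` once the fault is found to keep the flash from filling. The SW1/SW2 trunk ports need VLANs 10, 20 and 30 allowed on the switch side too, otherwise the VLAN 20 DHCP discover never reaches the SRX.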