Hello,
I need some guidance regarding the SRX and EX setup I'm trying. Can someone please validate the design and confirm whether this is the best way to achieve the requirements below?
1) Failover between SRX hardware
2) Failover between EX switches
I'm using an active/passive configuration for the SRX, and I plan to connect the switches in virtual cluster mode.
I'm at the stage where, if I plug a laptop into one of the switches (SW2), I get a DHCP lease from the reth4.20 interface; however, I'm not able to ping the internet (8.8.8.8), nor the default gateway of the subnet from which the laptop gets its IP lease. Also, when I plug the laptop into a VLAN 20 access port on SW1, I don't get a DHCP lease at all.
Can someone please point out where I'm going wrong? The config is below.
Thanks in advance.
root@srx320-poe-01# run show configuration
## Last commit: 2020-11-24 15:35:11 GST by
version 20200407.122723_builder.r1099298;
/* Per-node settings: each cluster member applies only its own group via apply-groups "${node}" below. */
groups {
/* node0 (srx320-poe-01): out-of-band management on fxp0, 10.10.10.195/24. */
node0 {
system {
host-name srx320-poe-01;
/* backup-router: management default next hop used before the routing daemon is up (fxp0 reachability only). */
backup-router 10.10.10.1 destination 0.0.0.0/0;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.10.10.195/24;
}
}
}
}
}
/* node1 (srx320-poe-02): same management subnet, fxp0 10.10.10.196/24. */
node1 {
system {
host-name srx320-poe-02;
backup-router 10.10.10.1 destination 0.0.0.0/0;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.10.10.196/24;
}
}
}
}
}
}
/* ${node} expands to node0 / node1 on the respective member, so the host-name and fxp0 address stay unique per box. */
apply-groups "${node}";
/* Global system settings shared by both cluster nodes (per-node values live in the groups above). */
system {
root-authentication {
/* Hash removed from the posted config; a real hash is still required for root login. */
encrypted-password ""; ## SECRET-DATA
}
login {
/* Local super-user account; hash likewise removed from the post. */
user admin {
full-name "Admin";
uid 100;
class super-user;
authentication {
encrypted-password ""; ## SECRET-DATA
}
}
}
services {
ssh {
/* NOTE(review): root-login allow permits direct root SSH. The untrust zone below accepts ssh on dl0.0, so root SSH is reachable from the cellular uplink — prefer root-login deny and use the admin account (or restrict ssh to the trust zone). */
root-login allow;
connection-limit 5;
}
netconf {
ssh;
}
/* DHCP server is bound to the VLAN 20 gateway interface; the pool is defined under access address-assignment pool DATA. */
dhcp-local-server {
group DATA {
interface reth4.20;
}
}
web-management {
https {
/* Self-signed certificate; "interface all" makes J-Web listen on every interface, including the untrust-zone dl0.0 (which also allows https inbound). Consider listing only the LAN interfaces here. */
system-generated-certificate;
interface all;
}
}
}
time-zone Asia/Dubai;
/* Resolver used by the SRX itself; the DHCP pool hands 8.8.8.8 to clients separately. */
name-server {
8.8.8.8;
8.8.4.4;
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
/* Records every CLI command — useful for auditing configuration changes. */
file interactive-commands {
interactive-commands any;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
/* Chassis-cluster (active/passive) settings for the two SRX320s. */
chassis {
cluster {
control-link-recovery;
reth-count 8;
/* Heartbeat interval between nodes (value presumably in milliseconds — confirm against the platform defaults). */
heartbeat-interval 2000;
/* RG0 = routing engine; node0 is preferred (higher priority). */
redundancy-group 0 {
node 0 priority 200;
node 1 priority 100;
}
/* RG4 carries reth4 (the LAN trunk). With preempt, RG4 moves back to node0 once it is healthy again; without it the group would stay on node1 after a failover. */
redundancy-group 4 {
node 0 priority 200;
node 1 priority 100;
preempt;
}
}
}
/* Security policy: trust (LAN on reth4 units) to untrust (cellular dl0.0) with interface source NAT. */
security {
screen {
/* Basic IDS screen applied to the untrust zone only. */
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
/* All LAN sources leaving toward untrust are NATed to the egress interface address. */
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
/* Public address redacted in the post. */
proxy-arp {
interface dl0.0 {
address {
9x.x.x.x/32;
}
}
}
}
policies {
/* Intra-zone: VLAN 10/20/30 can all reach each other freely. */
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Outbound: any LAN host, any application, to the internet. No untrust-to-trust policy exists, so unsolicited inbound is denied by default. */
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
/* NOTE(review): "all" already covers dhcp (and ping/ssh/traceroute on reth4.20 below); the extra entries are redundant. "all" also lets any LAN host reach every SRX service — narrowing to the services actually needed (dhcp, ping, ssh, https) is the usual hardening step. */
host-inbound-traffic {
system-services {
all;
dhcp;
}
protocols {
all;
}
}
interfaces {
irb.0;
reth4.10;
reth4.20 {
host-inbound-traffic {
system-services {
ping;
ssh;
traceroute;
dhcp;
all;
}
protocols {
all;
}
}
}
reth4.30;
}
}
security-zone untrust {
screen untrust-screen;
/* NOTE(review): ssh and https are accepted from the WAN (dl0.0), together with root-login allow under system services ssh. Routing is static, so "protocols all" is not needed here either. Consider dropping ssh/https from this zone or limiting them with a firewall filter on dl0.0. */
host-inbound-traffic {
system-services {
ssh;
https;
}
protocols {
all;
}
}
interfaces {
dl0.0;
}
}
}
}
/* Physical and logical interfaces. Slot 0 = node0, slot 3/4 = node1 in cluster numbering. */
interfaces {
/* Data fabric link, node0 side (member of fab0 below). */
ge-0/0/2 {
description FABRIC;
}
/* reth4 child links on node0. */
ge-0/0/3 {
gigether-options {
redundant-parent reth4;
}
}
ge-0/0/4 {
gigether-options {
redundant-parent reth4;
}
}
/* Cellular modem, node0: SIM 1 active, dialer pool 1 with priority 1. */
cl-1/0/0 {
dialer-options {
pool 1 priority 1;
}
act-sim 1;
cellular-options {
sim 1 {
select-profile profile-id 1;
radio-access automatic;
gateway x.x.x.x/32;
}
}
}
/* reth4 child links on node1. */
ge-3/0/3 {
gigether-options {
redundant-parent reth4;
}
}
ge-3/0/4 {
gigether-options {
redundant-parent reth4;
}
}
/* Cellular modem, node1: joins pool 1 (no priority) and pool 2 with priority 1. Only pool 1 is referenced by dl0 below. */
cl-4/0/0 {
dialer-options {
pool 1;
pool 2 priority 1;
}
act-sim 1;
cellular-options {
sim 1 {
select-profile profile-id 1;
radio-access automatic;
}
}
}
/* Dialer interface: WAN address negotiated from the carrier, always-on, installs a default route (duplicated under routing-options). */
dl0 {
unit 0 {
family inet {
negotiate-address;
}
dialer-options {
pool 1;
dial-string [ 1234 "***#" ];
route 0.0.0.0/0;
always-on;
}
}
}
fab0 {
fabric-options {
member-interfaces {
ge-0/0/2;
}
}
}
fab1 {
fabric-options {
member-interfaces {
ge-3/0/2;
}
}
}
/* irb.0 is in the trust zone but has no address configured. */
irb {
unit 0 {
family inet;
}
}
/* reth3 has vlan-tagging but no units, no child links and no redundancy group — appears unused. */
reth3 {
vlan-tagging;
}
/* LAN trunk toward the switches, controlled by RG4. Each unit is the gateway for one VLAN.
   NOTE(review): the switch ports facing ge-0/0/3,4 and ge-3/0/3,4 need to carry VLANs 10/20/30 tagged; the report that DHCP works via SW2 but not SW1 is consistent with the SW1-facing links not carrying VLAN 20 — verify on the switch side. */
reth4 {
vlan-tagging;
redundant-ether-options {
redundancy-group 4;
}
unit 10 {
vlan-id 10;
family inet {
address 192.168.1.1/24;
}
}
/* VLAN 20: DHCP-served subnet (pool DATA, 172.16.16.0/24). */
unit 20 {
vlan-id 20;
family inet {
address 172.16.16.1/24 {
primary;
}
}
}
unit 30 {
vlan-id 30;
family inet {
address 172.16.17.1/24;
}
}
}
/* Switch fabric links (one per node), used for L2 switching mode. */
swfab0 {
fabric-options {
member-interfaces {
ge-0/0/6;
}
}
}
swfab1 {
fabric-options {
member-interfaces {
ge-3/0/6;
}
}
}
}
/* DHCP pool for VLAN 20; bound to reth4.20 via system services dhcp-local-server group DATA. */
access {
address-assignment {
pool DATA {
family inet {
network 172.16.16.0/24;
/* .1-.19 are left free for static assignments (the gateway itself is .1). */
range r1 {
low 172.16.16.20;
high 172.16.16.250;
}
dhcp-attributes {
name-server {
8.8.8.8;
}
/* Default gateway handed to clients = reth4.20 address. */
router {
172.16.16.1;
}
}
}
}
}
}
/* Layer-2 features. l2-learning switching mode is enabled even though the VLAN gateways here are routed reth4 units. */
protocols {
l2-learning {
global-mode switching;
}
/* LLDP only on the LAN trunk toward the switches. */
lldp {
interface reth4;
}
/* RSTP on every interface, including the reth4 trunk. */
rstp {
interface all;
}
}
/* PoE enabled on all ports (SRX320-POE). */
poe {
interface all;
}
/* Static routing only: no dynamic protocols are configured. */
routing-options {
static {
/* Management subnet via its gateway (same next hop as backup-router in the node groups). */
route 10.10.10.0/24 next-hop 10.10.10.1;
/* Default route out the cellular dialer; dl0.0 dialer-options also installs route 0.0.0.0/0. */
route 0.0.0.0/0 next-hop dl0.0;
}
}
{primary:node0}[edit]
root@srx320-poe-01#