SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX340 Cluster

    Posted 02-13-2021 10:37
    Hello all

    Please advise me regarding an issue that I have with an SRX340 cluster connected to an EX4300-32F configured in virtual-chassis.

    On SRX340 I have JUNOS 15.1X49-D170.4 built 2019-02-22 and on EX4300-32F I have JUNOS 18.1R3-S6.1 built 2019-06-07.

    The EX4300 VC aggregates other EX2300-VCs over GE ports with LACP (2 members on each LACP coming from EX2300-VC to EX-4300F).

    The EX-4300F is connected to srx340 cluster over 2 GE links.
    When I configure LACP on the EX4300 and the cluster, the traffic fails.
    Currently the configuration works if between the EX4300-VC and the SRX340 cluster I have only one link (ge-0/0/32 on the EX4300 and ge-0/0/9 on the SRX340 cluster). When I plug the second link into the EX4300, the ping shows "request time-out"; when I remove it, traffic comes back up.
    Exactly the same thing happens when I configure LACP active periodic slow or fast on the reth1 interface and on the ae interface on the EX4300.

    So, this configuration should work with two links between the EX-4300-VC and the SRX340 cluster, but it didn't.
    Thank you
    Eugen
    On the SRX340 I have the following configuration:

    groups {
        node0 {
            system {
                host-name IFGW-1;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 2.2.2.2/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name IFGW-2;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 2.2.2.3/24;
                        }
                    }
                }
            }
        }
    }
    reth-count 2;
    redundancy-group 0 {
        node 0 priority 100;
        node 1 priority 1;
    }
    redundancy-group 1 {
        node 0 priority 100;
        node 1 priority 1;
        preempt;
        interface-monitor {
            ge-0/0/9 weight 255;
            ge-5/0/9 weight 255;
        }
    }
    configuration-synchronize {
        no-secondary-bootup-auto;
    }
    ......
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 1 {
        vlan-id 1;
        family inet {
            address 1.1.1.1/24;
        }
    }
    unit 101 {
        vlan-id 101;
        family inet {
            address 192.168.101.1/25;
        }
    }
    --------------------
    Configuration EX4300-VC

    interfaces ge-0/0/32
    ether-options {
        802.3ad ae60;
    }
    inactive: unit 0 {
        family ethernet-switching {
            storm-control default;
        }
    }

    interfaces ge-1/0/32
    ether-options {
        802.3ad ae60;
    }
    inactive: unit 0 {
        family ethernet-switching;
    }

    interfaces ae60
    description "TRUNK TO SRX CLUSTER";
    aggregated-ether-options {
        minimum-links 1;
    }
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ 1 101-140 201-240 1051 1091 2051 2091 3000-3005 ];
            }
        }
    }

  • 2.  RE: SRX340 Cluster

    Posted 02-14-2021 06:36
    Your issue is the fact that reth interfaces work in an active/passive fashion, where the LACP bonding of the interfaces on your EX4300s expects active/active.

    In this case you should just create an ordinary trunk port from your switch to the designated SRX node. Failover of your SRX cluster will then move the MAC address from node0 to node1 via gratuitous ARP etc.

    If you actively want LACP on these links, then you need two ae's, one for each node, as described in this KB article: https://kb.juniper.net/InfoCenter/index?page=content&id=KB31771&pmv=print - here you have two links from each SRX cluster member matched to two different ae's on the switch.

    I hope this brings you to a workable design/solution :-)

    ------------------------------
    --
    Jonas Hauge Klingenberg - Juniper Ambassador
    ------------------------------



  • 3.  RE: SRX340 Cluster

    Posted 02-14-2021 06:57
    In an EX virtual chassis all devices are merged into a single active device under the control of a single routing engine.  Thus all blades and ports are active at all times.  Redundancy for hardware then uses ae interfaces with member interfaces on two different blades.

    With an SRX active/passive failover cluster all the interfaces on the passive device are essentially inactive unless failover occurs.

    Failover is via Redundant Ethernet protocol.  This is where a pair of Ethernet interfaces back each other up and only ONE is active while the other is inactive.  These are shown in the SRX as the reth.x interfaces.

    So instead of an ae interface you make that matching pair of SRX interfaces members of the same reth.x interface.  Only one will be active at a time.

    And on the EX switch side these will then be two identically configured single trunk ports with all the same VLANs assigned to them.  There will be no loop because on the SRX side redundant Ethernet keeps only one connection active at a time.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
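
Added example, not part of any post in this thread: the EX4300 side of the design described in replies 2 and 3, written as configuration-mode commands against the configuration shown in the original post. It removes the ae60 bundle and makes ge-0/0/32 and ge-1/0/32 two identically configured trunk ports; which SRX node each port is cabled to is an assumption.

```junos
# Added example (not from the thread). Run in configuration mode on the EX4300 VC.
# Assumption: ge-0/0/32 is cabled to node0 (ge-0/0/9) and
#             ge-1/0/32 is cabled to node1 (ge-5/0/9).

# 1. Take both ports out of the LACP bundle and remove the bundle itself.
delete interfaces ge-0/0/32 ether-options 802.3ad
delete interfaces ge-1/0/32 ether-options 802.3ad
delete interfaces ae60

# 2. unit 0 was marked "inactive:" on both member ports; re-enable it.
activate interfaces ge-0/0/32 unit 0
activate interfaces ge-1/0/32 unit 0

# 3. Configure both ports as identical trunks carrying the VLAN list
#    that ae60 carried.
set interfaces ge-0/0/32 description "TRUNK TO SRX node0"
set interfaces ge-0/0/32 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/32 unit 0 family ethernet-switching vlan members [ 1 101-140 201-240 1051 1091 2051 2091 3000-3005 ]

set interfaces ge-1/0/32 description "TRUNK TO SRX node1"
set interfaces ge-1/0/32 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-1/0/32 unit 0 family ethernet-switching vlan members [ 1 101-140 201-240 1051 1091 2051 2091 3000-3005 ]

# 4. Review the change, then commit with automatic rollback in case
#    management access is lost.
show | compare
commit confirmed 5
```

With `commit confirmed`, a second plain `commit` within the five minutes makes the change permanent; otherwise the switch rolls back on its own.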