
  • 1.  SRX cluster - cisco l3 switch

    Posted 09-22-2021 05:52
    EDIT:
    So after troubleshooting, it was my security policies restricting internet traffic, which solved issue #2.

    Regarding issue #1: on the Cisco I tried to put two interfaces under LACP again. I can see the EtherChannel now comes up; however, I'm not able to ping 8.8.8.8 from the switch sourcing the VLANs. If these links are not under LACP then the ping works without any issue.
    Switch>ping 8.8.8.8
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    Switch>
    
    Switch#ping 8.8.8.8 so vlan40
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    Packet sent with a source address of 10.x.134.1
    .....
    Success rate is 0 percent (0/5)
    


    Issue #3: I'm still seeing single routes for clients in the SRX route table.

    Any support is appreciated.

    Hello all,

    Please can you advise if this design will work? The L3 SVIs are on the Cisco switch. I want to use reth interfaces on the cluster and use VLAN tagging; however, I'm not able to successfully reach the internet from the Cisco switch.
    Issues:
    1) For some reason on the Cisco switch the port-channel group doesn't come up, although on the SRX "show lacp interfaces" shows the status "collecting distributing", so I removed the LACP config and am trying to work with a minimum of 1 link between the SRX and the Cisco switch.
    2) As mentioned above, none of the SVIs are able to ping out to 8.8.8.8 using "ping 8.8.8.8 source vl10, 20 or 30". There is a static default route on the Cisco switch pointing to the SRX reth0.30 interface IP 10.x.130.2.
    3) For some reason the SRX route table shows an [Access-internal/12] entry for all the clients on the LAN side; please see the example below. Is this normal? If that's the case then the route table would look ugly.
    10.x.134.11/32   *[Access-internal/12] 08:24:33, metric2 0
                        >  to 10.x.130.1 via reth0.30


    SRX config

    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 10 {
            vlan-id 10;
        }
        unit 20 {
            vlan-id 20;
        }
        unit 30 {
            vlan-id 30;
            family inet {
                address 10.x.130.2/23 {
                    primary;
                }
            }
        }
        unit 40 {
            vlan-id 40;
        }
        unit 45 {
            vlan-id 45;
        }
        unit 46 {
            vlan-id 46;
        }
    }
    
    source {
        rule-set LAN-to-WAN {
            from zone [ LAN junos-host ];
            to zone WAN;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    
    
    static {
        route 10.x.130.0/23 next-hop 10.x.130.1;
        route 172.x.20.0/22 next-hop 10.x.130.1;
        route 172.x.44.0/23 next-hop 10.x.130.1;
        route 172.x.46.0/23 next-hop 10.x.130.1;
        route 10.x.134.0/23 next-hop 10.x.130.1;
        route 0.0.0.0/0 {
            next-hop ISP-GW;
            qualified-next-hop dl0.0;
        }
        route 10.x.132.0/24 next-hop 10.x.130.1;
    }


  • 2.  RE: SRX cluster - cisco l3 switch

    Posted 09-26-2021 20:15
    Is anyone able to assist with this? I'd be really grateful!

    Thank you.


  • 3.  RE: SRX cluster - cisco l3 switch

    Posted 21 days ago
    There is a difference between reth and ae interfaces. Reth is redundant Ethernet and consists of single ports where simple failover occurs. So if you want an ae bundle you won't be using the reth option.

    To have ae with failover on a chassis cluster in SRX, have a look at this documentation.

    https://www.juniper.net/documentation/us/en/software/junos/chassis-cluster-security-devices/topics/topic-map/security-chassis-cluster-redundant-ethernet-lag-interfaces.html

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
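As an added illustration of the LAG-on-chassis-cluster setup the reply points to (example configuration, not from the original post or from Juniper's documentation), here is a reth built from two child links per node with LACP enabled on the reth, keeping the reth0.30 addressing from the thread, plus the matching Cisco port-channel trunk and the verification commands on each side. Interface names on the SRX nodes and the switch are placeholders; whether the child links of both nodes belong in one switch-side port-channel or one per node should be checked against the linked document, so the Cisco fragment shows only the two links to the active node.

```text
## SRX chassis cluster (shared configuration; ge-5/0/x stands in for node 1,
## the real slot number depends on the platform)
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
## two child links per node become members of the same reth
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-5/0/1 gigether-options redundant-parent reth0
set interfaces ge-5/0/2 gigether-options redundant-parent reth0
## LACP is configured on the reth itself, not on the child links
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp active
set interfaces reth0 redundant-ether-options lacp periodic fast
## the routed unit from the thread; the other tagged units stay L2-only
set interfaces reth0 unit 30 vlan-id 30
set interfaces reth0 unit 30 family inet address 10.x.130.2/23
set security zones security-zone LAN interfaces reth0.30
## verification (operational mode): child links of the active node should be
## "Collecting distributing", the reth should be up, and the cluster view
## should show the same links as monitored
show lacp interfaces reth0
show interfaces reth0 terse
show chassis cluster interfaces

! Cisco IOS switch side: one LACP bundle to the active node, trunked with
! exactly the VLANs the reth carries (placeholder port names)
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,45,46
!
! verification: the bundle should show (P) for both members, the LACP
! partner system ID should be the SRX cluster, and the trunk should list
! the allowed VLANs
show etherchannel 1 summary
show lacp neighbor
show interfaces trunk
```

If a member port shows as suspended (s) in "show etherchannel summary", compare the partner system IDs in "show lacp neighbor": links that report a different partner than the rest of the bundle cannot join it, which is the first thing to rule out before looking at routing.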