vSRX

  • 1.  Am I an idiot or can Juniper vSRX not talk to each other at purely L2?

    Posted 08-14-2020 07:17

    I've got a topology where I have 2 chassis clusters of vSRX, separated by an L2 P2P virtual circuit between our two DCs, one cluster in DC A and another in DC B.

    I am setting up routing between the two, and want to use a transport vlan that is stretched between the two DCs to leverage dynamic routing.

    The problem is, the two vSRXs can't seem to ping each other.

    Topology looks like this:

    DC A reth0.660 -----> CORE router with same VLAN tagged -----P2P VC-----CORE router with same VLAN tagged ------DC B reth0.660

    I can ping from side A vSRX to side B DC (i.e. I can ping 10.66.0.1, the core router on side A from 10.66.0.12, the SRX inside DC B)

    But I can't ping from 10.66.0.11 (vSRX A) to 10.66.0.12 (vSRX B)

    I first assumed this is just the nature of routers, which makes complete sense as they end broadcast domains, but I AM able to ping the vSRX interfaces from a VM across datacenters at purely L2.

    I.e., a Windows test VM in DC B on IP 10.66.0.15 can ping 10.66.0.11 in DC A.

    Security zone is allowing pings as I can ping each reth0.660 interface @ purely L2 from another VM across the P2P circuit, I just can't talk to each other.

     

    Any thoughts?



  • 2.  RE: Am I an idiot or can Juniper vSRX not talk to each other at purely L2?
    Best Answer

    Posted 08-14-2020 08:12

    My guess (99% sure) is that you have configured your clusters with the same cluster ID (probably 1). This ID is used to generate virtual MAC addresses for your reth interfaces.

    In your case with the same cluster ID and reth, you will have the same MAC address in both ends.

     

    You need to change cluster ID on one of your chassis clusters to get this working.
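
A quick way to confirm the duplicate-MAC condition described in this answer from a third host on the stretched VLAN (added example, not part of the original post). It parses Windows `arp -a` output and reports any unicast MAC claimed by more than one IP; the sample table and its MAC values are constructed for illustration and are not real reth MACs.

```python
import re
from collections import defaultdict

# Constructed sample: `arp -a` as the Windows test VM (10.66.0.15) might show it.
# MAC values are made up; they do not follow Juniper's actual reth MAC format.
SAMPLE_ARP = """\
Interface: 10.66.0.15 --- 0xb
  Internet Address      Physical Address      Type
  10.66.0.1             02-00-00-aa-00-01     dynamic
  10.66.0.11            02-00-00-bb-01-00     dynamic
  10.66.0.12            02-00-00-bb-01-00     dynamic
  10.66.0.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# One ARP entry: IPv4 address, MAC (dash or colon separated), entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\s+\w+\s*$"
)


def is_group_address(mac):
    """Broadcast/multicast MACs have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1


def duplicate_macs(arp_text):
    """Return {mac: [ips]} for every unicast MAC that maps to more than one IP."""
    owners = defaultdict(set)
    for line in arp_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        if is_group_address(mac):
            continue  # broadcast/multicast entries legitimately share a MAC
        owners[mac].add(ip)
    by_octets = lambda ip: tuple(int(o) for o in ip.split("."))
    return {mac: sorted(ips, key=by_octets)
            for mac, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    for mac, ips in duplicate_macs(SAMPLE_ARP).items():
        print(f"{mac} is claimed by {', '.join(ips)}")
```

A shared MAC is not always a fault (one router can own several IPs on a segment), so a hit here is a prompt to compare the cluster IDs on both chassis clusters.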



  • 3.  RE: Am I an idiot or can Juniper vSRX not talk to each other at purely L2?

    Posted 08-14-2020 08:15

    Yep!

     

    I have indeed. 

     

    I didn't know that bit was included in the MAC address randomization.

     

    I will change and update this. 

     

    edit: that did it. Thank you!