Hi everyone!
I would like to ask for some help. We are trying to put together 2 SRX240 firewalls in a cluster with a Cisco switch between them and with LACP between them on the reth interfaces.
The control and the fabric link won't work through the switch, only when we connect them together. The management link works fine through the switch. Also the LACP won't aggregate; there's no connection between the two firewalls through these links.
Here is the config from the SRXs and the switch:
set groups node0 interfaces fxp0 unit 0 family inet address 10.X.Y.2/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.X.Y.3/24
set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/14 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/15 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/15 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/14 weight 255
set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic protocols all
set security zones security-zone MGMT interfaces reth1.100
set security zones security-zone MGMT interfaces reth1.104
set security zones security-zone MGMT interfaces reth1.108
set security zones security-zone MGMT interfaces reth1.254
set interfaces ge-0/0/14 gigether-options redundant-parent reth1
set interfaces ge-0/0/15 gigether-options redundant-parent reth1
set interfaces ge-5/0/14 gigether-options redundant-parent reth1
set interfaces ge-5/0/15 gigether-options redundant-parent reth1
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options minimum-links 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow
set interfaces reth1 unit 100 vlan-id 100
set interfaces reth1 unit 100 family inet address 10.X.Y.1/24
set interfaces reth1 unit 104 vlan-id 104
set interfaces reth1 unit 104 family inet address 10.X.Y.1/22
set interfaces reth1 unit 108 vlan-id 108
set interfaces reth1 unit 108 family inet address 10.X.Y.1/23
set interfaces reth1 unit 254 vlan-id 254
set interfaces reth1 unit 254 family inet address 10.X.Y.1/24
vlan 100
 name MGMT
vlan 104
 name whatever
vlan 108
 name whatever108
vlan 33
 name control
vlan 34
 name fabric
vlan 254
 name vlan254
interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
!
interface Port-channel20
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 33
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 34
 switchport mode access
!
interface GigabitEthernet0/13
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet0/14
 switchport access vlan 33
 switchport mode access
!
interface GigabitEthernet0/15
 switchport access vlan 34
 switchport mode access
!
interface GigabitEthernet0/37
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 10 mode active
!
interface GigabitEthernet0/38
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 10 mode active
!
interface GigabitEthernet0/47
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 20 mode active
!
interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 20 mode active
!
interface Vlan100
 ip address 10.X.Y.50 255.255.255.0
!
ip default-gateway 10.X.Y.1
And here is how the devices are connected together:
Juniper SRX 240 primary side:
SRX -> Cisco SW
ge-0/0/0 -> GigabitEthernet0/1 (mgmt)
ge-0/0/1 -> GigabitEthernet0/2 (control)
ge-0/0/2 -> GigabitEthernet0/3 (fabric)
ge-0/0/14 -> GigabitEthernet0/37 (lacp)
ge-0/0/15 -> GigabitEthernet0/38 (lacp)
Juniper SRX 240 secondary:
ge-0/0/0 -> GigabitEthernet0/13 (mgmt)
ge-0/0/1 -> GigabitEthernet0/14 (control)
ge-0/0/2 -> GigabitEthernet0/15 (fabric)
ge-0/0/14 -> GigabitEthernet0/47 (lacp)
ge-0/0/15 -> GigabitEthernet0/48 (lacp)
So what am I missing? Are the fabric and control links not supposed to be access ports but rather trunk ports?
I'd appreciate any help, and thanks for your help in advance.
Best regards,
Tihi