SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX240 cluster with LACP through a Cisco switch

    Posted 06-02-2017 04:22

    Hi everyone!

    I would like to ask for some help. We are trying to put together 2 SRX240 firewalls in a cluster with a Cisco switch between them and with LACP between them on the reth interfaces.

    The control and the fabric link won't work through the switch, only when we connect them together directly. The management link works fine through the switch. Also, the LACP won't aggregate; there's no connection between the two firewalls through these links.

    Here is the config from the SRXs and the switch:

    set groups node0 interfaces fxp0 unit 0 family inet address 10.X.Y.2/24
    set groups node1 interfaces fxp0 unit 0 family inet address 10.X.Y.3/24
    
    
    set chassis cluster reth-count 1
    set chassis cluster redundancy-group 1 node 0 priority 200
    set chassis cluster redundancy-group 1 node 1 priority 100
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/14 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/15 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-5/0/15 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-5/0/14 weight 255
    
    set security zones security-zone MGMT host-inbound-traffic system-services ping
    set security zones security-zone MGMT host-inbound-traffic protocols all
    set security zones security-zone MGMT interfaces reth1.100
    set security zones security-zone MGMT interfaces reth1.104
    set security zones security-zone MGMT interfaces reth1.108
    set security zones security-zone MGMT interfaces reth1.254
    
    set interfaces ge-0/0/14 gigether-options redundant-parent reth1
    set interfaces ge-0/0/15 gigether-options redundant-parent reth1
    set interfaces ge-5/0/14 gigether-options redundant-parent reth1
    set interfaces ge-5/0/15 gigether-options redundant-parent reth1
    set interfaces fab0 fabric-options member-interfaces ge-0/0/2
    set interfaces fab1 fabric-options member-interfaces ge-5/0/2
    
    set interfaces reth1 vlan-tagging
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 redundant-ether-options minimum-links 1
    set interfaces reth1 redundant-ether-options lacp passive
    set interfaces reth1 redundant-ether-options lacp periodic slow
    
    set interfaces reth1 unit 100 vlan-id 100
    set interfaces reth1 unit 100 family inet address 10.X.Y.1/24
    set interfaces reth1 unit 104 vlan-id 104
    set interfaces reth1 unit 104 family inet address 10.X.Y.1/22
    set interfaces reth1 unit 108 vlan-id 108
    set interfaces reth1 unit 108 family inet address 10.X.Y.1/23
    set interfaces reth1 unit 254 vlan-id 254
    set interfaces reth1 unit 254 family inet address 10.X.Y.1/24

    vlan 100
     name MGMT
    vlan 104
     name whatever
    vlan 108
     name whatever108
    vlan 33 
     name control
    vlan 34
     name fabric
    vlan 254
     name vlan254
    
    
    interface Port-channel10
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 100,104,108,254
     switchport mode trunk
    !
    interface Port-channel20
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 100,104,108,254
     switchport mode trunk
    !
    interface GigabitEthernet0/1
     switchport access vlan 100
     switchport mode access
    !
    interface GigabitEthernet0/2
     switchport access vlan 33
     switchport mode access
    !
    interface GigabitEthernet0/3
     switchport access vlan 34
     switchport mode access
    !
    
    interface GigabitEthernet0/13
     switchport access vlan 100
     switchport mode access
    !
    interface GigabitEthernet0/14
     switchport access vlan 33
     switchport mode access
    !
    interface GigabitEthernet0/15
     switchport access vlan 34
     switchport mode access
    
    interface GigabitEthernet0/37
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 100,104,108,254
     switchport mode trunk
     channel-group 10 mode active
    !
    interface GigabitEthernet0/38
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 100,104,108,254
     switchport mode trunk
     channel-group 10 mode active
    !
    
    interface GigabitEthernet0/47
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 100,104,108,254
     switchport mode trunk
     channel-group 20 mode active
    !
    interface GigabitEthernet0/48
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 100,104,108,254
     switchport mode trunk
     channel-group 20 mode active
    !
    
    interface Vlan100
     ip address 10.X.Y.50 255.255.255.0
    !
    ip default-gateway 10.X.Y.1

    And here is how the devices are connected together:

    Juniper SRX 240 primary side:
    
    
    SRX -> Cisco SW
    ge-0/0/0 -> GigabitEthernet0/1 (mgmt)
    ge-0/0/1 -> GigabitEthernet0/2 (control)
    ge-0/0/2 -> GigabitEthernet0/3 (fabric)
    ge-0/0/14 -> GigabitEthernet0/37 (lacp)
    ge-0/0/15 -> GigabitEthernet0/38 (lacp)
    
    Juniper SRX 240 secondary:
    
    ge-0/0/0 -> GigabitEthernet0/13 (mgmt)
    ge-0/0/1 -> GigabitEthernet0/14 (control)
    ge-0/0/2 -> GigabitEthernet0/15 (fabric)
    ge-0/0/14 -> GigabitEthernet0/47 (lacp)
    ge-0/0/15 -> GigabitEthernet0/48 (lacp)
    

    So what am I missing? Are the fabric and control links not supposed to be access ports, but rather trunk ports?

    I'd appreciate any help, and thanks in advance.

    Best regards,

    Tihi


    #SRX240
    #cisco
    #link
    #HA
    #AGGREGATE
    #control
    #cluster
    #Juniper
    #LACP
    #switch
    #fabric


  • 2.  RE: SRX240 cluster with LACP through a Cisco switch

    Posted 06-02-2017 06:30

    On the switch, for the control and fab VLANs, disable IGMP snooping and set the MTU to 9014 (or the maximum available) to allow jumbo frames. This change needs to be made at the physical interface level on all member interfaces of the control and fab VLANs.



  • 3.  RE: SRX240 cluster with LACP through a Cisco switch

    Posted 06-07-2017 06:38

    Sorry for not getting back to you sooner but I could only try this now.

    I set the system mtu routing 9198 on the switch and also the system mtu jumbo to 9198 but it didn't work.

    Once the firewalls were connected to the switch, the control and fabric links were lost and never came back. Eventually the secondary firewall rebooted for reasons unknown.



  • 4.  RE: SRX240 cluster with LACP through a Cisco switch

    Posted 06-07-2017 10:18

    You need to set it to active and fast:

    set interfaces ae1 aggregated-ether-options lacp active
    set interfaces ae1 aggregated-ether-options lacp periodic fast

    We have a bunch of Cisco and Junos devices and I have never had this fail me.

    I admit I have never tried it on a reth, but the above should fix you.

    Example:

    show configuration interfaces ae1 | display set
    Jun 07 12:16:09
    set interfaces ae1 description "upplink to CORE VIA FEXs rack SA2&3"
    set interfaces ae1 aggregated-ether-options minimum-links 1
    set interfaces ae1 aggregated-ether-options link-speed 1g
    set interfaces ae1 aggregated-ether-options lacp active
    set interfaces ae1 aggregated-ether-options lacp periodic fast
    set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae1 unit 0 family ethernet-switching vlan members all
    set interfaces ae1 unit 0 family ethernet-switching native-vlan-id 2
    set interfaces ae1 unit 0 family ethernet-switching filter output COS-Switch

    {master:0}


    > show lacp interfaces
    Jun 07 12:18:18
    Aggregated interface: ae1
    LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
    ge-0/1/0 Actor No No Yes Yes Yes Yes Fast Active
    ge-0/1/0 Partner No No Yes Yes Yes Yes Slow Active
    ge-0/1/1 Actor No No Yes Yes Yes Yes Fast Active
    ge-0/1/1 Partner No No Yes Yes Yes Yes Slow Active
    LACP protocol: Receive State Transmit State Mux State
    ge-0/1/0 Current Slow periodic Collecting distributing
    ge-0/1/1 Current Slow periodic Collecting distributing

    show lacp statistics interfaces ae1
    Jun 07 12:20:57
    Aggregated interface: ae1
    LACP Statistics: LACP Rx LACP Tx Unknown Rx Illegal Rx
    ge-0/1/0 586616 19727 0 0
    ge-0/1/1 586613 19729 0 0

    show lacp statistics interfaces ge-0/1/0
    Jun 07 12:21:17
    Aggregated interface: ae1
    LACP Statistics: LACP Rx LACP Tx Unknown Rx Illegal Rx
    ge-0/1/0 586636 19727 0 0



  • 5.  RE: SRX240 cluster with LACP through a Cisco switch
    Best Answer

    Posted 06-07-2017 10:32

    Whoops, had my Cisco side wrong, forgot the FAST, but it worked still.

    We are in a Nexus vPC config; I can confirm this will work on a regular switch as well.

    show lacp interfaces
    Jun 07 12:28:58
    Aggregated interface: ae1
    LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
    ge-0/1/0 Actor No No Yes Yes Yes Yes Fast Active
    ge-0/1/0 Partner No No Yes Yes Yes Yes Fast Active
    ge-0/1/1 Actor No No Yes Yes Yes Yes Fast Active
    ge-0/1/1 Partner No No Yes Yes Yes Yes Fast Active
    LACP protocol: Receive State Transmit State Mux State
    ge-0/1/0 Current Fast periodic Collecting distributing
    ge-0/1/1 Current Fast periodic Collecting distributing

    interface Ethernet180/1/32
    description vPC to SW
    lacp rate fast
    switchport mode trunk
    switchport trunk allowed vlan 2,900
    channel-group 832 mode active

    Hope this helps.
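    As an added example (not code from the thread or from Juniper), a small Python checker that parses the state rows of the `show lacp interfaces` output quoted above and flags the conditions this thread turns on: a partner still in the defaulted state (no LACPDUs arriving from the switch), both ends passive, a Fast/Slow timeout mismatch like the one in the earlier output, or a member link that is not yet Syn/Col/Dist. The sample output is constructed after the thread's and the function names are my own.

```python
"""Parse Junos 'show lacp interfaces' state rows and flag negotiation problems."""

# Constructed sample modelled on the thread's pre-fix output: the Cisco side
# still ran the default slow timer, so the Partner rows show Slow.
SAMPLE_BEFORE = """Aggregated interface: ae1
LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
ge-0/1/0 Actor No No Yes Yes Yes Yes Fast Active
ge-0/1/0 Partner No No Yes Yes Yes Yes Slow Active
ge-0/1/1 Actor No No Yes Yes Yes Yes Fast Active
ge-0/1/1 Partner No No Yes Yes Yes Yes Slow Active
"""
# Constructed: the same bundle after 'lacp rate fast' on the switch side.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("Slow", "Fast")

# Column order of the Exp/Def/Dist/Col/Syn/Aggr flags in a state row.
FLAGS = ("expired", "defaulted", "distributing", "collecting", "synchronized", "aggregatable")


def parse_lacp_state(text):
    """Return {link: {"Actor": {...}, "Partner": {...}}} from 'show lacp interfaces' output."""
    links = {}
    for line in text.splitlines():
        parts = line.split()
        # A state row has exactly 10 tokens and a Role column of Actor/Partner.
        if len(parts) != 10 or parts[1] not in ("Actor", "Partner"):
            continue
        link, role, flags, timeout, activity = parts[0], parts[1], parts[2:8], parts[8], parts[9]
        entry = {name: flag == "Yes" for name, flag in zip(FLAGS, flags)}
        entry.update(timeout=timeout, activity=activity)
        links.setdefault(link, {})[role] = entry
    return links


def lacp_findings(links):
    """List human-readable problems per member link; an empty list means the bundle looks healthy."""
    findings = []
    for link, roles in sorted(links.items()):
        actor, partner = roles.get("Actor"), roles.get("Partner")
        if actor is None or partner is None:
            findings.append(f"{link}: incomplete state, missing Actor or Partner row")
            continue
        if partner["defaulted"]:
            findings.append(f"{link}: partner defaulted, no LACPDUs are arriving from the switch")
        if actor["activity"] == "Passive" and partner["activity"] == "Passive":
            findings.append(f"{link}: both ends passive, nobody will start negotiation")
        if actor["timeout"] != partner["timeout"]:
            findings.append(f"{link}: timeout mismatch, actor {actor['timeout']} vs partner {partner['timeout']}")
        if not (actor["synchronized"] and actor["collecting"] and actor["distributing"]):
            findings.append(f"{link}: actor not in Syn/Col/Dist, link is not forwarding in the bundle")
    return findings
```

    Run it against a pasted `show lacp interfaces` capture; a reth with `lacp passive` facing a switch that is also passive shows up as the "both ends passive" finding, and a partner row with Def=Yes is the first thing to look for when the bundle never forms.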



  • 6.  RE: SRX240 cluster with LACP through a Cisco switch

    Posted 06-13-2017 05:36

    Thanks for your answer, with these tweaks I managed to get the cluster working. 🙂



  • 7.  RE: SRX240 cluster with LACP through a Cisco switch

    Posted 06-19-2017 16:02

    Glad I could help. Please mark it as solved!! It will help others.



  • 8.  RE: SRX240 cluster with LACP through a Cisco switch

    Posted 07-30-2018 08:20

    Tihi,

    I am about to use this configuration in production and wanted to see if you had any issues with running the LACP in a cluster? Thank you in advance.

    Rob



  • 9.  RE: SRX240 cluster with LACP through a Cisco switch

    Posted 07-31-2018 00:30

    Hey,

    Our mgmt network has been running like this for over a year and so far everything is good. It should be okay. 🙂