SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Connect SRX HA cluster to EX Virtual Chassis

    Posted 05-25-2011 05:50

    Hi,

     

    i run two SRX240 in a Chassis Cluster and two EX4200 in a Virtual Chassis, and i want to connect either machine on the one cluster to one on the other

     

    so on the SRX i configured ge-0/0/4 and ge-5/0/4 to become reth0.

    i would like to connect these ge-0/0/20 and ge-1/0/20 on the EX-chassis, which i configured to be of ether-options 802.3ad (and so form interface ae1)

     

    (so if one machine of either cluster fails, theres still always a connection.)

     

    interface config looks like this:

    SRX: interface reth0.0 family inet address 10.8.50.2/24

    EX: interface ae1.0 family inet address 10.8.50.1/24

     

    i can ping either side if the SRX redundancy group is active on node0, but if i do a failover to node1 it stops working until i pull the cable on node 0. 

     

    i guess my problem is the LAG configuration on the EX side, maybe because both SRX ports are physically "up" and the EX LAG doesnt get that only one of those is useful, but i have no idea how to fix it 😄

     

    any advice would be great. (i not only appreciate direct solutions, im always happy to just be pointed in the right direction or just given the proper KB article, so i can try to figure out myself.)

     

    i'd be happy to provide more information about the configuration if needed.

     

    Thanks in advance

    chris



  • 2.  RE: Connect SRX HA cluster to EX Virtual Chassis

    Posted 05-25-2011 06:00

    on another note: i dont really need link aggregation on the EX as the SRX doesnt support more than 1g on the reth-interfaces anyway, it was just my first idea,

     

    so if there's a better (or working) way to connect both EX to either SRX without losing the connection on a failover, i'd be happy to hear it



  • 3.  RE: Connect SRX HA cluster to EX Virtual Chassis
    Best Answer

    Posted 05-25-2011 06:38

    You are correct - don't run LAG on the EX. I did a similar scenario with 4 EX talking to an HA SRX pair. Ran two VLANs. One VLAN connected to Reth1 on my SRX, the second to RETH2 - worked perfectly.

     

    Here is a link to a Juniper white paper on High Availability in Branch Offices - read through it, especially from page 15 onward.

     

    http://www.juniper.net/us/en/local/pdf/implementation-guides/8010017-en.pdf



  • 4.  RE: Connect SRX HA cluster to EX Virtual Chassis

    Posted 05-26-2011 05:54

    Hey, thanks for the reply,

     

    so i tried to understand the pdf and configure my interfaces as trunk vlan ports, still not working.

     

    i set my EX-interfaces ge-0/0/20 and ge-1/0/20 to L2 (family ethernet-switching) with port-mode trunk, being member of vlan srx-trunk (vlan-id.255)

     

    then i added an interface vlan.255 family inet address 10.8.50.1/24 (remember SRX reth0 has 10.8.50.2/24), and added this interface as vlan srx-trunk's L3-Interface.

     

    run show interface terse shows: 

    ge-0/0/20.0             up    up   eth-switch
    ge-1/0/20.0             up    up   eth-switch
    vlan.255                up    up   inet     10.8.50.1/24

     

    and run show vlans:
    srx-trunk      255                           ge-0/0/20.0*, ge-1/0/20.0*

     

    no pinging works so far.

     

    What i did not get from the guide: 

    why are you supposed to add another interface (ge-0/0/12 in the guide) to the same vlan, shouldnt there be two at least for redundancy? maybe you can explain the use of the /12 interface, i have like no clue why you would need that one.

     

     



  • 5.  RE: Connect SRX HA cluster to EX Virtual Chassis

    Posted 05-26-2011 09:19

    On page 15 of that guide, the interface ge-0/0/12.0 is added to VLAN 163 as an access port.

     

    set vlans vlan163 vlan-id 163
    set vlans vlan163 interface ge-0/0/12.0
        # Configure the vlan and associate with the downlink access port

    That would be a port where endpoints (computers) connect.

     

    Your trunked ports between the EX and SRX are ge-0/0/0 and ge-1/0/0 on the EX stack.  There's actually a typo, it should say:

     

    set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan163
    set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-1/0/0 unit 0 family ethernet-switching vlan members vlan163
         # Allow interconnect vlan on EX trunk interfaces connecting to SRX cluster

     In the document the second line doesn't have "vlan163" listed.



  • 6.  RE: Connect SRX HA cluster to EX Virtual Chassis

    Posted 05-31-2011 02:20

    Hey,

     

    thanks for clearing the typo, (but i already thought about this and put the interface into the vlan 🙂

    Still i dont understand how i could access the SRX from the EX (through the vlan).

     

    I dont need to connect any endpoint computers to the SRX vlan, i just want to pass traffic from EX-Cluster to the SRX Cluster through the SRX port reth0.

    can i just route it through the l3-interface on vlan 255?

     

    this is the output of "show route 10.8.50.2" (the ip on reth0.0 family inet) on the EX:

     

    ex-test0# run show route 10.8.50.2
    inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    10.8.50.0/24       *[Direct/0] 00:17:43
                        > via vlan.255

     

    so this looks "ok" to me, but i probably did not fully understand the idea behind the vlan trunk.

     

    my Problem is probably the SRX side, because it doesnt know about the vlan on the EX and tries to route 

     

    SRX> show route 10.8.50.1

    inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    10.8.50.0/24       *[Direct/0] 00:25:44
                        > via reth3.0

     

    so the route sends packets into the vlan trunk, but the destination ip is not "inside" the vlan, right?

     



  • 7.  RE: Connect SRX HA cluster to EX Virtual Chassis

    Posted 05-31-2011 02:57

    now i feel really stupid, because i simply forgot to set the right vlan id on the srx cluster side. fixed that and it works!

     

    i will accept muttbarkers solution (simply because he was the first to bring up the paper), actually you both kinda helped. thanks so much.

     

    chris
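
The design the thread arrives at, written out as an added example (not configuration posted by any participant): the two EX ports stay separate trunk ports in one VLAN rather than an 802.3ad bundle, and the SRX reth carries the same VLAN tag. Interface names, VLAN 255 and the addresses come from the posts; redundancy-group 1, the `trust` zone and the choice of unit 255 on reth0 are assumptions, and the chassis cluster itself is assumed to be already formed.

```junos
# ---------- EX4200 Virtual Chassis ----------
# Remove the LAG membership from the first attempt; each port faces a
# different SRX node and only the active node forwards traffic.
delete interfaces ge-0/0/20 ether-options 802.3ad
delete interfaces ge-1/0/20 ether-options 802.3ad
delete interfaces ae1

# Interconnect VLAN with a routed interface on the EX
set vlans srx-trunk vlan-id 255
set vlans srx-trunk l3-interface vlan.255
set interfaces vlan unit 255 family inet address 10.8.50.1/24

# Two independent trunk ports, one towards each SRX node
set interfaces ge-0/0/20 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/20 unit 0 family ethernet-switching vlan members srx-trunk
set interfaces ge-1/0/20 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-1/0/20 unit 0 family ethernet-switching vlan members srx-trunk

# ---------- SRX240 chassis cluster ----------
# Child links of reth0: ge-0/0/4 on node0, ge-5/0/4 on node1
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-5/0/4 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1   # assumed RG number

# The EX trunk sends VLAN 255 tagged, so reth0 must accept the same tag.
# An untagged unit 0 cannot stay on an interface with vlan-tagging enabled.
delete interfaces reth0 unit 0
set interfaces reth0 vlan-tagging
set interfaces reth0 unit 255 vlan-id 255
set interfaces reth0 unit 255 family inet address 10.8.50.2/24

# Assumed zone name; ping is allowed inbound so the test from the thread works
set security zones security-zone trust interfaces reth0.255 host-inbound-traffic system-services ping
```

After commit, fail the redundancy group over and confirm on the EX with `show ethernet-switching table` that the reth MAC address moves from ge-0/0/20.0 to ge-1/0/20.0 while pings between 10.8.50.1 and 10.8.50.2 continue.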



  • 8.  RE: Connect SRX HA cluster to EX Virtual Chassis

    Posted 10-08-2015 09:17

    I have a situation with SRX550 clusters and SRX240 clusters, both of which I want to connect to an EX3300 virtual chassis.  How do I configure so that the VC uses the firewall as its gateway out?



  • 9.  RE: Connect SRX HA cluster to EX Virtual Chassis

    Posted 12-02-2022 09:52
    Edited by T_J 12-02-2022 09:52
    Hi, I don't wanna create a new discussion, so I will ask here.

    I have 2 SRX in a cluster (node0 and node1); this is connected to EX in VC. I don't have a LAB, so I don't have the option to try it...

    Now I have one link from NODE0 to the first EX, let's say 0/0/1, and a second link from NODE1 to EX 1/0/1.

    For example, what happens if NODE0 is primary (the whole traffic is on this link) and EX link 0/0/1 goes down - will the traffic be switched on the SRX from NODE0 to NODE1?

    Is there some best recommendation for how to do it? I am thinking about making an AE from NODE0 to EX 0/0/1 and 1/0/1 and a second link from NODE1 to EX 0/0/2 and 1/0/2, and these two AE will be in RETH.

    What are you thinking about it?

    Thanks for your answers

    ------------------------------
    TOMAS
    ------------------------------