i run two SRX240 in a Chassis Cluster and two EX4200 in a Virtual CHassis, and i want to connect either machine on the one clusters to one on the other
so on the SRX i configured ge-0/0/4 and ge-5/0/4 to become reth0.
i would like to connect these ge-0/0/20 and ge-1/0/20 on the EX-chassis, which i configured to be of ether-options 802.3ad (and so form interface ae1)
(so if one machine of either cluster fails, theres still always a connection.)
interface config looks like this:
SRX: interface reth0.0 family inet address 10.8.50.2/24
EX: interface ae1.0 family inet address 10.8.50.1/24
i can ping either side if the SRX redundancy group is active on node0, but if i do a failover to node1 it stops working until i pull the cable on node 0.
i guess my problem is the LAG configuration on the EX side, maybe because both SRX ports are physically "up" and the EX LAG doesnt get that only one of those is useful, but i have no idea how to fix it 😄
any advice would be great. (i not only appreciate direct solutions, im always happy to just be pointed in the right direction or just given the proper KB article, so i can try to figure out myself.)
i'd be happy to provide more information about the configuration if needed.
Thanks in advance
on another note: i dont really need link aggregation on the EX as the SRX doesnt support more than 1g on the reth-interfaces anyway, it was just my first idea,
so if there's a better (or working) way to connect both EX to either SRX without losing the connection on a failover, i'd be happy to hear it
You are correct - don't run LAG on the EX. I did a similar scenario with 4EX talking to an HA SRX pair. Ran two VLAN's. One VLAN connected to Reth1 on my SRX, the second to RETH2 - worked perfectly.
Here is a link to a Juniper white paper on High Availability in Branch Offices - read through it, especially from page 15 onward.
Hey, thanks for the reply,
so i tried to understand the pdf and configure my interfaces as trunk vlan ports, still not working.
i set my EX-interfaces ge-0/0/20 and ge-1/0/20 to L2 (family ethernet-switching) with port-mode trunk, being member of vlan srx-trunk (vlan-id.255)
then i added an interface vlan.255 family inet address 10.8.50.1/24 (remember SRX reth0 has 10.8.50.2/24), and added this interface as vlan srx-trunk's L3-Interface.
run show interface terse shows:
ge-0/0/20.0 up up eth-switch
ge-1/0/20.0 up up eth-switchvlan.255 up up inet 10.8.50.1/24
and run show vlans:srx-trunk 255 ge-0/0/20.0*, ge-1/0/20.0*
no pinging works so far.
What i did not get from the guide:
why are you supposed to add another interface (ge-0/0/12 in the guide) to the same vlan, shouldnt there be two at least for redundancy? maybe you can explain the use of the /12 interface, i have like no clue why you would need that one.
On page 15 of that guide, the interface ge-0/0/12.0 is added to VLAN 163 as an access port.
set vlans vlan163 vlan-id 163
set vlans vlan163 interface ge-0/0/12.0
# Configure the vlan and associate with the downlink access port
That would be a port where endpoints (computers) connect.
Your trunked ports between the EX and SRX are ge-0/0/0 and ge-1/0/0 on the EX stack. There's actually a typo, it should say:
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan163
set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-1/0/0 unit 0 family ethernet-switching vlan members vlan163
# Allow interconnect vlan on EX trunk interfaces connecting to SRX cluster
In the document the second line doesn't have "vlan163" listed.
thanks for clearing the typo, (but i already thought about this and put the interface into the vlan 🙂
Still i dont understand how i could access the SRX from the EX (through the vlan).
I dont need to connect any endpoint computers to the SRX vlan, i just want to pass traffic from EX-Cluster to the SRX Cluster through the SRX port reth0.
can i just route it through the l3-interface on vlan 255?
this is the output of "show route 10.8.50.2" (the ip on reth0.0 family inet) on the EX:
ex-test0# run show route 10.8.50.2 inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)+ = Active Route, - = Last Active, * = Both10.8.50.0/24 *[Direct/0] 00:17:43 > via vlan.255
so this looks "ok" to me, but i probably did not fully understand the idea behind the vlan trunk.
my Problem is probably the SRX side, because it doesnt know about the vlan on the EX and tries to route
SRX> show route 10.8.50.1
inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)+ = Active Route, - = Last Active, * = Both10.8.50.0/24 *[Direct/0] 00:25:44 > via reth3.0
so the route sends packets into the vlan trunk, but the destination ip is not "inside" the vlan, right?
now i feel really stupid, because i simply forgot to set the right vlan id on the srx cluster side. fixed that and it works!
i will accept muttbarkers solution (simply because he was the first to bring up the paper), actually you both kinda helped. thanks so much.
I have a situation with SRX550 clusters and SRX240 clusters both I want to connect to Ex3300 virtual chassis. How do I configure so that the VC uses the firewall as it's gateway out?