Switching

Hello,

I need to replace old SSG140 with SRX345 HA.

My idea is to user 2 x Standalone EX2300 as external switches with multiple vlans to be able to connect same time both SSG and SRX. In that way I can try and test SRX345 configuration and revert back all communication to currently operational SSGs.

I simply disable ports on both EXs that SSGs are connected to, and enable ports that SRXes are connected to and return the same way back when I'm done with config testing.

I've drawn exact cabling scheme that have caused me some issues creating loops somewhere but I can't find it where.

When I connect cables as shown, while ports connecting to SRXes are down, my Direct Link wont work, it goes in some kind of loop causing other network on the other end to go berserk.

Same time, I can see on SSGs console output that its flapping back and forth master becoming slave in NSRP and back.

On the other hand, when I remove uplink on my internal switches, my LAN side cannot access SSGs on its LAN interface, and no outputs on SSGs console.

However my main goal is to completely remove SSGs, but during this transition period, I need to have both there (SRX and SSG), but of course not both active same time, because they share same LAN ip, ISP WAN ips and so on.

Any suggestions on configuring and cabling correctly EX2300 VC on external side to SRXes to achieve the same connectivity that is on presented scheme.

Notice that standalone external EXs have the same vlan config. Vlan10 on both external EXs have the same name and vlan.id., vlan11, 12 etc are the same on both external switches. All vlan ports are in access mode.

 On SRX and SSG interfaces, there are no vlans defined, and communication from LAN through SSGs or SRXes towards internet via both ISPs is working.

SRX345 HA is working as it supposed to be, there are 4 reth interfaces as on the scheme, 3 zones, and the same is on SSG NSRP.

That master/slave flapping between SSGs, unreachable SSGs and unreachable LAN via Direct Link is whats troubling me.

Any suggestions on cabling and configuration are welcome.

Thanks

------------------------------
Vedran Milicevic
------------------------------

I'm not sure I follow all the configuration here.  But I see two things to check on.

On the SSG cluster that is flapping master/slave roles this can be caused by issues with the HA connection between the two by configuration or cabling.  Or the nsrp monitor configuration settings and parameters.

On the cabling I think the diagram shows that the two ex2300 running the dual nic servers are setup in a way that creates a loop for vlan 12.  So you would need to enable spanning tree at least for this vlan. 

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------

Original Message:
Sent: 06-01-2024 08:29
From: Vedran Milicevic
Subject: EX2300 to SRX345 HA or SSG140 NSRP

Hello,

I need to replace old SSG140 with SRX345 HA.

My idea is to user 2 x Standalone EX2300 as external switches with multiple vlans to be able to connect same time both SSG and SRX. In that way I can try and test SRX345 configuration and revert back all communication to currently operational SSGs.

I simply disable ports on both EXs that SSGs are connected to, and enable ports that SRXes are connected to and return the same way back when I'm done with config testing.

I've drawn exact cabling scheme that have caused me some issues creating loops somewhere but I can't find it where.

When I connect cables as shown, while ports connecting to SRXes are down, my Direct Link wont work, it goes in some kind of loop causing other network on the other end to go berserk.

Same time, I can see on SSGs console output that its flapping back and forth master becoming slave in NSRP and back.

On the other hand, when I remove uplink on my internal switches, my LAN side cannot access SSGs on its LAN interface, and no outputs on SSGs console.

However my main goal is to completely remove SSGs, but during this transition period, I need to have both there (SRX and SSG), but of course not both active same time, because they share same LAN ip, ISP WAN ips and so on.

Any suggestions on configuring and cabling correctly EX2300 VC on external side to SRXes to achieve the same connectivity that is on presented scheme.

Notice that standalone external EXs have the same vlan config. Vlan10 on both external EXs have the same name and vlan.id., vlan11, 12 etc are the same on both external switches. All vlan ports are in access mode.

 On SRX and SSG interfaces, there are no vlans defined, and communication from LAN through SSGs or SRXes towards internet via both ISPs is working.

SRX345 HA is working as it supposed to be, there are 4 reth interfaces as on the scheme, 3 zones, and the same is on SSG NSRP.

That master/slave flapping between SSGs, unreachable SSGs and unreachable LAN via Direct Link is whats troubling me.

Any suggestions on cabling and configuration are welcome.

Thanks

------------------------------
Vedran Milicevic
------------------------------