SRX

Hi to all, 

IIs it possible to configure on a two node SRX active/passive two separate Reth interfaces with the same VLAN id and have them be able to work with one GW.  I see some option with switching fabric, but I am not sure that will work. can you give me some pointers on how i can set mine SRX.

What does it mean for two interfaces (be they reth or otherwise) to "work with one GW"?  Please clarify what you're trying to accomplish, preferably with examples.

Since you mentioned switching fabric, it sounds like  you don't want them to be separate reth interfaces  but rather one big reth interface with 2 ports from each node. But it's not clear.

Hi to all, 

IIs it possible to configure on a two node SRX active/passive two separate Reth interfaces with the same VLAN id and have them be able to work with one GW.  I see some option with switching fabric, but I am not sure that will work. can you give me some pointers on how i can set mine SRX.

If you understand my picture, I have a VLANs on SW stack 1 and  reth1 that I want to add to reth2 and SW stack 2 and GW from reth1 to be GW for reth2. Is this possible.

What does it mean for two interfaces (be they reth or otherwise) to "work with one GW"?  Please clarify what you're trying to accomplish, preferably with examples.

Since you mentioned switching fabric, it sounds like  you don't want them to be separate reth interfaces  but rather one big reth interface with 2 ports from each node. But it's not clear.

Hi to all, 

IIs it possible to configure on a two node SRX active/passive two separate Reth interfaces with the same VLAN id and have them be able to work with one GW.  I see some option with switching fabric, but I am not sure that will work. can you give me some pointers on how i can set mine SRX.

So, my understanding is that you'd like the SRX to act as a switch between Stack1 and Stack2, AND also as a GW for devices on both Stack1 and Stack2.

While you can do that in an SRX cluster for individual interfaces using the switch fabric as you suggested, doing this is not supported for RETH interfaces, i.e. reth does not support family ethernet-switching. (Ref: https://www.juniper.net/documentation/us/en/software/junos/chassis-cluster-security-devices/topics/topic-map/security-chassis-cluster-ethernet-switching.html). Here's someone else who has run into this limitation: https://community.juniper.net/discussion/redundant-ethernet-interfaces-on-srx380-chassis-cluster.

One other important note for your Stack2 connections -- ports in the same AE must go to the same SRX node. In your case, both blue connections must go to SRX1, and both red connections must go to SRX2. Connections as shown on your diagram won't work properly. (Ref: https://supportportal.juniper.net/s/article/SRX-EX-Link-aggregation-LACP-supported-non-supported-configurations-on-SRX-and-EX?language=en_US)

If you understand my picture, I have a VLANs on SW stack 1 and  reth1 that I want to add to reth2 and SW stack 2 and GW from reth1 to be GW for reth2. Is this possible.

What does it mean for two interfaces (be they reth or otherwise) to "work with one GW"?  Please clarify what you're trying to accomplish, preferably with examples.

Since you mentioned switching fabric, it sounds like  you don't want them to be separate reth interfaces  but rather one big reth interface with 2 ports from each node. But it's not clear.

Hi to all, 

IIs it possible to configure on a two node SRX active/passive two separate Reth interfaces with the same VLAN id and have them be able to work with one GW.  I see some option with switching fabric, but I am not sure that will work. can you give me some pointers on how i can set mine SRX.

Thank you, Nikolay.

I read many article, but I have some questions that are not clear for me.

First  - I want to use global-mode switching, but in this mode can I set irb interfaces for the ports from RETH2 on the scheme? I think to set ports in trunk mode and then add to l3 irb interface that to use for GW.
set vlans support l3-interface irb.111  
set interfaces irb unit 111 family inet address 10.0.0.X/8 
set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members support 
set interfaces ge-7/0/18 unit 0 family ethernet-switching vlan members support 
set vlans support vlan-id 111
set securiy zone security-zone interface irb.111 
Second - If I set irb interface without IP address but the vlan is same like that from reth interface(for example reth0.111 and irb.111), does that mean that connected devicess to irb it  will use RETHs IP for GW.
Third - If  is not possible to use reth and irb in same time, for example for reth0.111 and irb.111 does that mean that all configuration for reth0 it should be change to IRB. I mean to delete Reth interface and  add  the ports from reth0 to IRB interfaces and then to add the IRB interfaces to proper security zones.

So, my understanding is that you'd like the SRX to act as a switch between Stack1 and Stack2, AND also as a GW for devices on both Stack1 and Stack2.

While you can do that in an SRX cluster for individual interfaces using the switch fabric as you suggested, doing this is not supported for RETH interfaces, i.e. reth does not support family ethernet-switching. (Ref: https://www.juniper.net/documentation/us/en/software/junos/chassis-cluster-security-devices/topics/topic-map/security-chassis-cluster-ethernet-switching.html). Here's someone else who has run into this limitation: https://community.juniper.net/discussion/redundant-ethernet-interfaces-on-srx380-chassis-cluster.

One other important note for your Stack2 connections -- ports in the same AE must go to the same SRX node. In your case, both blue connections must go to SRX1, and both red connections must go to SRX2. Connections as shown on your diagram won't work properly. (Ref: https://supportportal.juniper.net/s/article/SRX-EX-Link-aggregation-LACP-supported-non-supported-configurations-on-SRX-and-EX?language=en_US)

If you understand my picture, I have a VLANs on SW stack 1 and  reth1 that I want to add to reth2 and SW stack 2 and GW from reth1 to be GW for reth2. Is this possible.

What does it mean for two interfaces (be they reth or otherwise) to "work with one GW"?  Please clarify what you're trying to accomplish, preferably with examples.

Since you mentioned switching fabric, it sounds like  you don't want them to be separate reth interfaces  but rather one big reth interface with 2 ports from each node. But it's not clear.

Hi to all, 

IIs it possible to configure on a two node SRX active/passive two separate Reth interfaces with the same VLAN id and have them be able to work with one GW.  I see some option with switching fabric, but I am not sure that will work. can you give me some pointers on how i can set mine SRX.