I've never used reth interfaces in L2 mode. I think Steve's point was to use the reth MEMBER interfaces (the ge- interfaces that are part of the reth, not the reth itself) in L2 mode, with swfab0 and swfab1 configured, but if reth in L2 mode works, that's pretty cool, too. Do try failover, though, it would be interesting to see how that's handled.
I remember seeing that note about IKE being supported only on lo0 and reth. I'm not sure how irb is so different from lo0 in that regard, but just try using an lo0 interface as your VPN anchor and see how it goes.
Original Message:
Sent: 08-05-2025 15:47
From: Anonymous
Subject: SRX300 Same Network Across Multiple Reth
This message was posted by a user wishing to remain anonymous
So I just tried to do this, although I may have done something wrong - I noticed the following:
I could not set sub-interfaces under the reth interface when using ethernet-switching, e.g.:
reth0 {
    native-vlan-id 80;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        description "Local Wireless Path 1";
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ VLAN-A VLAN-C ];
            }
        }
    }
    unit 90 {
        description "Maintenance";
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members VLAN-B;
            }
        }
    }
}
This gave the error "Only unit 0 is valid for this encapsulation"
So instead I assigned each reth's unit 0 with trunk and native VLANs as required, e.g.:
reth0 {
    native-vlan-id 80;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        description "Local Wireless Path 1";
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ VLAN-A VLAN-B VLAN-C ];
            }
        }
    }
}
This committed successfully, but I noticed I needed to apply the l2-learning global-mode switching and reboot for the irb interfaces to come up. I also set up the security zones to use the respective irb interfaces for each VLAN. At the moment I can ping the remote Juniper from the local Juniper and vice versa, and the interfaces show as "UP".
The only issue now is that despite the irb interfaces used for each IKE gateway being "UP" and pingable, I do not see any IKE traffic leaving the clustered (local) Juniper, and the IKE debug-enable logs never populate (ping and ike are set in the same security zone).
For example, irb.80 is set up along with the VLAN information:
VLAN-A {
    vlan-id 80;
    l3-interface irb.80;
}
irb {
    unit 80 {
        description "Local Wireless Path 1";
        family inet {
            address 172.16.80.1/24;
        }
    }
}
However I am wondering if the external interface set in the ike gateway is correct as it is currently pointing at the irb.80 interface, not the reth sub-interface as it was before. I noticed from this page: https://www.juniper.net/documentation/us/en/software/junos/chassis-cluster-security-devices/topics/topic-map/security-chassis-cluster-active-passive-deployments.html
that there is an excerpt that states:
"Note: In SRX chassis clustering, only reth and lo0 interfaces are supported for the IKE external interface configuration. Other interface types can be configured, but IPsec VPN might not work."
I appreciate the example listed (https://supportportal.juniper.net/s/article/SRX-How-to-configure-Ethernet-switching-in-chassis-cluster-mode) does not use reth interfaces which would be my next attempt. Otherwise I am a little bit confused and I was wondering in summary:
- if reth interfaces and ethernet-switching are compatible
- if the juniper had to be in switching mode (I read somewhere it needed to be in transparent mode which from what I observed means the irb interfaces won't go "UP" in this case)
- if there is anything else wrong with the above implementation?
- if reth interfaces are not compatible and I just assign ethernet-switching without them, how does the juniper know how to handle the failover for the vlans?
Apologies for the tome, I have been having difficulty discerning how much can and cannot be done.
Original Message:
Sent: 07-25-2025 19:27
From: spuluka
Subject: SRX300 Same Network Across Multiple Reth
Have all the sub-interfaces on the reth interface be standard ethernet and assigned to the VLAN instead of layer 3 interfaces.
Then add to the vlan configuration that the layer 3 interface will be an irb.
vlans {
    vlan-trust {
        vlan-id 80;
        l3-interface irb.0;
    }
}
Configure the desired IP addresses on the irb sub-interfaces for each VLAN:
irb {
    unit 0 {
        family inet {
            address 172.16.80.1/24;
        }
    }
}
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
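A set-format configuration that combines the irb approach described in this reply with the lo0 VPN anchor suggested in the latest reply, added here as an example and not taken from the thread or from Juniper documentation. VLAN-A (80) and VLAN-B (90), a pre-existing redundancy-group 1, the lo0 address 10.255.0.1/32, the peer address 172.16.80.2, and the names GW-REMOTE and IKE-POL are assumptions; the IKE policy, proposals and the IPsec VPN itself are not shown.

```junos
# Added example (not from the thread). Assumed: VLAN-A=80, VLAN-B=90,
# redundancy-group 1 already defined, lo0 address 10.255.0.1/32,
# remote peer 172.16.80.2, gateway name GW-REMOTE, IKE policy IKE-POL.

# reth0 carries the VLANs at layer 2; only unit 0 is valid with
# ethernet-switching, so every VLAN is trunked on that one unit
set interfaces reth0 native-vlan-id 80
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth0 unit 0 family ethernet-switching vlan members [ VLAN-A VLAN-B ]

# each VLAN hands layer 3 to an irb unit, which carries the address
set vlans VLAN-A vlan-id 80 l3-interface irb.80
set vlans VLAN-B vlan-id 90 l3-interface irb.90
set interfaces irb unit 80 family inet address 172.16.80.1/24
set interfaces irb unit 90 family inet address 172.16.90.1/24
set protocols l2-learning global-mode switching

# lo0 is the IKE anchor: the cluster documentation quoted in the thread
# lists only reth and lo0 as supported IKE external interfaces
set interfaces lo0 unit 0 family inet address 10.255.0.1/32

# irb and lo0 in one zone; ike and ping must be allowed inbound on lo0
set security zones security-zone trust interfaces irb.80 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces irb.90 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ike
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ping

# gateway sourced from lo0.0 and reached over the irb/reth path; the peer
# needs a route to 10.255.0.1 via 172.16.80.1 (not shown here)
set security ike gateway GW-REMOTE ike-policy IKE-POL
set security ike gateway GW-REMOTE address 172.16.80.2
set security ike gateway GW-REMOTE external-interface lo0.0
set security ike gateway GW-REMOTE local-address 10.255.0.1
```

Lines beginning with # are explanatory comments; drop them before pasting the rest into `load set terminal`.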
Original Message:
Sent: 07-25-2025 13:52
From: Anonymous
Subject: SRX300 Same Network Across Multiple Reth
This message was posted by a user wishing to remain anonymous
Hi there,
I have two interfaces connected to two networks. One interface has three VLANs, 80 and 90, associated with subnets 172.16.80.1/24 and 172.16.90.1/24 respectively. The other has access to three VLANs, 80, 90 and 100 (VLAN 100 is associated with 172.16.100.1/24). I have just set up two SRXs in clustering mode with two reth interfaces. Given both ports on each SRX will share VLAN 80, is there a way for the two reth interfaces to access VLANs 80 and 90 (and have the IP assigned)? The aim is that either port can use VLAN 80 to make multipoint IPsec connections to the remote SRX device (if it is available) via local and remote wireless connections.
I was hoping it would be something like the below, but from some reading ethernet-switching is disabled (unless in transparent mode) and it is not advised to directly set the layer 3 address on both interfaces due to identical routes.
reth0 {
    flexible-vlan-tagging;
    native-vlan-id 80;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 80 {
        vlan-id 80;
        description "Local Wireless Path 1";
        family inet {
            address 172.16.80.1/24;
        }
    }
    unit 90 {
        vlan-id 90;
        description "Maintenance";
        family inet {
            address 172.16.90.1/24;
        }
    }
}
reth1 {
    flexible-vlan-tagging;
    native-vlan-id 100;
    redundant-ether-options {
        redundancy-group 2;
    }
    unit 80 {
        vlan-id 80;
        description "Remote Wireless Path 2";
        family inet {
            address 172.16.80.1/24;
        }
    }
    unit 90 {
        vlan-id 90;
        description "Maintenance";
        family inet {
            address 172.16.90.1/24;
        }
    }
    unit 100 {
        vlan-id 100;
        description "Other Intermediate Network";
        family inet {
            address 172.16.100.1/24;
        }
    }
}
Any help would be much appreciated.