SRX

 View Only
last person joined: 13 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  vSRX Cluster - Any Suggestions?

    Posted 06-17-2020 18:04

    Hi all, 

     

    I''ve done some basic testing and everything seems to be working correclty, but i was wondering if anyone could criticize my config / tell me what I could do better?

     

    {primary:node1}[edit]
    ## Last changed: 2020-06-17 23:13:03 UTC
    version 18.4R3-S2;
    groups {
        node0 {
            system {
                host-name N/A;
            }
            interfaces {
                fab0 {
                    fabric-options {
                        member-interfaces {
                            ge-0/0/0;
                        }
                    }
                }
                fab1 {
                    fabric-options {
                        member-interfaces {
                            ge-7/0/0;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name N/A;
            }
            interfaces {
                fab0 {
                    fabric-options {
                        member-interfaces {
                            ge-0/0/0;
                        }
                    }
                }
                fab1 {
                    fabric-options {
                        member-interfaces {
                            ge-7/0/0;
                        }
                    }
                }
            }
        }
    }
    apply-groups node0;
    system {
        }
        services {
            ssh {
                root-login allow;
            }
            web-management {
                http {
                    interface fxp0.0;
                }
                https {
                    system-generated-certificate;
                    interface fxp0.0;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    chassis {
        cluster {
            reth-count 4;
            redundancy-group 1 {
                node 0 priority 200;
                node 1 priority 100;
            }
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000; ## Warning: 'queue-size' is deprecated
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set Global {
                    from routing-instance Testing;
                    to zone WAN;
                    rule A {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                            application any;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone N/A to-zone N/A {
                policy Permit-All {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone N/A to-zone N/A {
                policy Permit-All {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone N/A to-zone N/A {
                policy Permit-All {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone N/A to-zone N/A{
                policy permit-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone N/A to-zone N/A{
                policy Permit-All {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone N/A to-zone N/A {
                policy Permit-All {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone N/A to-zone N/A {
                policy Permit-All {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone N/A to-zone N/A {
                policy Permit-All {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone N/A to-zone N/A{
                policy Permit-All {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone N/A {
                interfaces {
                    reth0.1066;
                    reth1.1066;
                }
            }
            security-zone N/A{
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                    protocols {
                        bgp;
                    }
                }
                interfaces {
                    reth0.1000;
                    reth1.1000;
                    reth0.660;
                    reth1.670;
                }
            }
            security-zone N/A {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                    protocols {
                        bgp;
                    }
                }
                interfaces {
                    reth0.1001;
                    reth1.1001;
                }
            }
            security-zone N/A {
                host-inbound-traffic {
                    system-services {
                        ssh;
                        ping;
                    }
                }
                interfaces {
                    reth0.669;
                }
            }
            security-zone N/A {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                    protocols {
                        bgp;
                    }
                }
                interfaces {
                    reth0.1048;
                    reth1.1048;
                    reth2.1048;
                }
            }
            security-zone N/A {
                host-inbound-traffic {
                    system-services {
                        ping;
                        ssh;
                    }
                }
                interfaces {
                    reth0.667;
                    reth1.667;
                }
            }
        }
    }
    interfaces {
        ge-0/0/1 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/2 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-0/0/3 {
            gigether-options {
                redundant-parent reth2;
            }
        }
        ge-7/0/1 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-7/0/2 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-7/0/3 {
            gigether-options {
                redundant-parent reth2;
            }
        }
        reth0 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 660 {
                vlan-id 660;
                family inet {
                    address 
                }
            }
            unit 667 {
                vlan-id 667;
                family inet {
                    address 
                }
            }
           
                }
            }
            unit 1000 {
                vlan-id 1000;
                family inet {
                    address 10.100.0.1/24;
                }
            }
            unit 1001 {
                vlan-id 1001;
                family inet {
                    address 10.100.1.1/24;
                }
            }
            unit 1048 {
                vlan-id 1048;
                family inet {
                    address 10.100.48.1/24;
                }
            }
            unit 1066 {
                vlan-id 1066;
                family inet {
                    address 10.100.66.1/24;
                }
            }
        }
        reth1 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 667 {
                vlan-id 667;
                family inet {
                    address 10.66.7.249/24;
                }
            }
            unit 670 {
                vlan-id 670;
                family inet {
                    address 10.67.0.101/24;
                }
            }
            unit 1000 {
                vlan-id 1000;
                family inet {
                    address 10.101.0.1/24;
                }
            }
            unit 1001 {
                vlan-id 1001;
                family inet {
                    address 10.101.1.1/24;
                }
            }
            unit 1048 {
                vlan-id 1048;
                family inet {
                    address 10.101.48.1/24;
                }
            }
            unit 1066 {
                vlan-id 1066;
                family inet {
                    address 10.101.66.1/24;
                }
            }
        }
        reth2 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 1048 {
                vlan-id 1048;
                family inet {
                    address 172.69.241.1/24;
                }
            }
        }
    }
    policy-options {
        policy-statement Default {
            term A {
                from {
                    instance master;
                    route-filter 0.0.0.0/0 exact;
                    route-filter 10.100.0.1/32 exact;
                    route-filter 192.168.138.15/32 exact;
                    route-filter 192.168.138.16/32 exact;
                    route-filter 10.101.0.1/32 exact;
                }
                then accept;
            }
            term B {
                then reject;
            }
        }
        policy-statement N/A{
            from interface reth2.1048;
            then accept;
        }
        policy-statement N/A {
            term A {
                from {
                    instance Manage;
                    route-filter 0.0.0.0/0 exact;
                }
                then reject;
            }
            term B {
                from {
                    instance-any;
                    route-filter 10.0.0.0/8 exact;
                    route-filter 172.16.0.0/12 exact;
                    route-filter 192.168.0.0/16 exact;
                }
                then accept;
            }
        }
        policy-statement WAN-LoadBalance {
            then {
                load-balance per-packet;
            }
        }
    }
    firewall {
        policer 30mb {
            if-exceeding {
                bandwidth-limit 30m;
                burst-size-limit 625k;
            }
            then discard;
        }
    }
    routing-instances {
       N/A{
            instance-type virtual-router;
            interface reth0.1066;
            interface reth1.1066;
            routing-options {
                static {
                    route N/A/24 next-hop N/A;
                }
                instance-import Default;
            }
            protocols {
                bgp {
                    group N/A{
                        type external;
                        local-address 10.100.66.1;
                        peer-as 1066;
                        local-as 1000;
                        neighbor 10.100.66.2;
                    }
                    group N/A {
                        type external;
                        local-address 10.101.66.1;
                        peer-as 1066;
                        local-as 1000;
                        neighbor 10.101.66.2;
                    }
                }
            }
        }
        N/A {
            instance-type virtual-router;
            interface reth0.667;
            interface reth1.667;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop N/A;
                }
            }
        }
        N/A {
            instance-type virtual-router;
            interface reth0.1001;
            interface reth1.1001;
            routing-options {
                static {
                    route N/A next-hop N/A;
                }
                instance-import Default;
            }
            protocols {
                bgp {
                    group N/A-N0 {
                        type external;
                        local-address 10.100.1.1;
                        peer-as 1001;
                        local-as 1000;
                        neighbor 10.100.1.2;
                    }
                    group N/A-N1 {
                        type external;
                        local-address 10.101.1.1;
                        peer-as 1001;
                        local-as 1000;
                        neighbor 10.101.1.2;
                    }
                }
            }
        }
        N/A {
            instance-type virtual-router;
            interface reth0.1048;
            interface reth1.1048;
            interface reth2.1048;
            routing-options {
                instance-import Default;
            }
            protocols {
                bgp {
                    group Testing {
                        type external;
                        local-address 10.100.48.1;
                        export N/A-Resources;
                        peer-as 1048;
                        local-as 1000;
                        neighbor 10.100.48.2;
                    }
                    group N/A-N1 {
                        type external;
                        local-address 10.101.48.1;
                        export N/A-Resources;
                        peer-as 1048;
                        local-as 1000;
                        neighbor 10.101.48.2;
                    }
                }
            }
        }
    }
    routing-options {
        static {
            route N/A next-hop [ N/A N/A ];
        }
        forwarding-table {
            export WAN-LoadBalance;
        }
        instance-import ToCustomer;
    }
    
    {primary:node1}[edit]
    root@MLB-vSRX-C1N0#
    
    {primary:node1}[edit]
    root@MLB-vSRX-C1N0#
    
    {primary:node1}[edit]
    root@MLB-vSRX-C1N0# sw
                        ^
    unknown command.
    root@MLB-vSRX-C1N0# show chassis
    cluster {
        reth-count 4;
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
        }
    }
    
    {primary:node1}[edit]
    root@MLB-vSRX-C1N0# show interfaces
    ge-0/0/1 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/2 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-7/0/1 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-7/0/2 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-7/0/3 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 660 {
            vlan-id 660;
            family inet {
                address 10.66.0.101/24;
            }
        }
        unit 667 {
            vlan-id 667;
            family inet {
                address 10.66.7.248/24;
            }
        }
        unit 669 {
            vlan-id 669;
            family inet {
            }
        }
        unit 1000 {
            vlan-id 1000;
            family inet {
                address 10.100.0.1/24;
            }
        }
        unit 1001 {
            vlan-id 1001;
            family inet {
                address 10.100.1.1/24;
            }
        }
        unit 1048 {
            vlan-id 1048;
            family inet {
                address 10.100.48.1/24;
            }
        }
        unit 1066 {
            vlan-id 1066;
            family inet {
                address 10.100.66.1/24;
            }
        }
    }
    reth1 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 667 {
            vlan-id 667;
            family inet {
                address 10.66.7.249/24;
            }
        }
        unit 670 {
            vlan-id 670;
            family inet {
                address 10.67.0.101/24;
            }
        }
        unit 1000 {
            vlan-id 1000;
            family inet {
                address 10.101.0.1/24;
            }
        }
        unit 1001 {
            vlan-id 1001;
            family inet {
                address 10.101.1.1/24;
            }
        }
        unit 1048 {
            vlan-id 1048;
            family inet {
                address 10.101.48.1/24;
            }
        }
        unit 1066 {
            vlan-id 1066;
            family inet {
                address 10.101.66.1/24;
            }
        }
    }
    reth2 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 1048 {
            vlan-id 1048;
            family inet {
                address 172.69.241.1/24;
            }
        }
    }
    
    {primary:node1}[edit]
    


  • 2.  RE: vSRX Cluster - Any Suggestions?
    Best Answer

     
    Posted 06-17-2020 21:41

     

    Hi RoutingFrames,

     

     

    Greetings, just a few observations:

     

     

     

    unit 660 {
    vlan-id 660;
    family inet {
    address
    }
    }
    unit 667 {
    vlan-id 667;
    family inet {
    address
    }
    There are family inet but there is no IP address, not sure if you did it on purpose and you are planning to add them later.

     

     

     

    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000; ## Warning: 'queue-size' is deprecated
                        timeout 20;
                    }


    queue-size 2000; ## Warning: 'queue-size' is deprecated

    This is not doing anything in your configuration as the knob is deprecated as mentioned below.

     

    Other than this everything looks great plus it is working as you desire, kudos to you! 

     

     

     


    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

     

    Regards,

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB



  • 3.  RE: vSRX Cluster - Any Suggestions?

    Posted 06-18-2020 06:42

    Good to hear!

     

    Yeah, the "security" bits are all factory config, and I started deleting IP addresses and then I stopped because i'm lazy LOL