SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX active Active Cluster using sub interfaces

  • 1.  SRX active Active Cluster using sub interfaces

    Posted 02-01-2011 04:00

    Hi,

     

    I would like to set up a pair of SRX3400 in active active mode to get max performance. Each SRX has 10GE interfaces (firewall on a stick), and we will be running these as sub-interfaces (dot1q vlans) for the networks we want to firewall.

     

    My question is around reth and active/active. What I would like is for, say, VLANs 10, 11, 12 to be active on node0 and 13, 14, 15 on node1. Therefore, can I assign VLANs to reths, i.e. reth0 has 10, 11, 12 and reth1 has 13, 14, 15? Reading the documentation, it states only physical, not logical.

     

    Is this possible? Help much appreciated. Icing on the cake is that I actually have two 10GE per SRX and would like to aggregate these as well for resilience, but from reading online docs and this forum I believe this to be possible even with reths.

     

    Appreciate any help as this is my first experience with Juniper.



  • 2.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-01-2011 06:09

    Everything's a logical interface with JunOS. You'd create tagged logical interfaces on your firewalls, and then assign them to reth interfaces. Active/active is achieved by having an RG1 and RG2, assigning the reths evenly to each, and then having one firewall active on RG1 and the other on RG2.

     

    The basic dot1q setup would look something like this:

     

        xe-2/0/0 {
            vlan-tagging;
            unit 131 {
                vlan-id 131;
                family inet {
                    address xxxx;
                }
            }
            unit 141 {
                vlan-id 141;
                family inet {
                    address yyyyy;
                }
            }
        }

     

    And then add reth membership and all the clustering stuff.

     



  • 3.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-01-2011 08:06

    Thanks for your reply, so the answer sounds like yes.

     

    As I actually want to use LACP on two 10GE interfaces, I am assuming that I can assign ae2.141 (VLAN 141) into the reth and then have my final solution.

     

    I understand that I need to load balance these reths between the two SRXs.

     

    Many thanks

     

    John



  • 4.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-05-2011 10:20

     

    Hi joaddams,

     

    Regarding subinterfaces, you should assign physical interfaces to reth interfaces and after that create subinterfaces on the reth itself (not tagging physical interfaces and then putting them in a reth interface):

    Example:

    set interfaces ge-0/0/0 gigether-options redundant-parent reth0
    set interfaces ge-0/0/1 gigether-options redundant-parent reth0

    set interfaces reth0 vlan-tagging
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 unit 5 vlan-id 5
    set interfaces reth0 unit 5 family inet address 5.5.5.5/24
    set interfaces reth0 unit 6 vlan-id 6
    set interfaces reth0 unit 6 family inet address 6.6.6.6/24

     

    Regarding LACP, since you are using SRX3k (and Junos version 10.1 or higher, recommended 10.2R3.10), you can do it with a standalone device and with chassis cluster as well.

    But with chassis cluster it is not done using "ae" interfaces; once you assign more than 2 interfaces to a reth, a LAG will be created automatically, no need for "ae" interfaces ("ae" is used to create a LAG with standalone devices but not with chassis cluster).

    Example:

    set interfaces ge-0/0/0 gigether-options redundant-parent reth0
    set interfaces ge-0/0/1 gigether-options redundant-parent reth0

    set interfaces ge-8/0/0 gigether-options redundant-parent reth0
    set interfaces ge-8/0/1 gigether-options redundant-parent reth0

    set interfaces reth0 redundant-ether-options lacp active

     

    Putting the above 4 physical interfaces in a reth forms a LAG automatically without the need for "ae" interfaces.

     

     

    ************** Click on the button saying "Accept as Solution" if my post solved your problem **************

     

     

     

     



  • 5.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-05-2011 20:24

    SSHSSH is right.

     

    1. If you want to do vlan-tagging, do it on the reth instead of the physical interface ... so that you can fail over when one interface in the reth is down.

     

    2. In order to implement an active-active scenario you should use Redundancy Groups (RG), since all interfaces in an RG can be active on one node in a cluster. So you can assign reth0 to RG1 and reth1 to RG2 ... and configure as follows:

     

    [ Configure RGs ]

    set chassis cluster redundancy-group 1 node 0 priority 100
    set chassis cluster redundancy-group 1 node 1 priority 1

    set chassis cluster redundancy-group 2 node 0 priority 1
    set chassis cluster redundancy-group 2 node 1 priority 100

     

    [ Assign reth to intf ]

    set interfaces xe-1/0/0 gigether-options redundant-parent reth0
    set interfaces xe-9/0/0 gigether-options redundant-parent reth0

    set interfaces xe-1/0/1 gigether-options redundant-parent reth1
    set interfaces xe-9/0/1 gigether-options redundant-parent reth1

     

    [ Bind reth with RGs ]

    set interfaces reth0 redundant-ether-options redundancy-group 1

    set interfaces reth1 redundant-ether-options redundancy-group 2

     

    NOTE: You cannot bind sub-interfaces, e.g. xe-1/0/0.0 with reth0 and xe-1/0/0.1 with reth1. Therefore you cannot make active-active at the sub-interface level. Instead, SRX implements it at the physical interface level.

     

    3. Now, when you have achieved redundancy through the SRX-3400 cluster, you can further enhance it by placing 4 physical interfaces in one reth ... equivalent to LAG/LACP as suggested by SSHSSH.

     

    Regards
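    Putting the replies above together, the following is a complete active/active configuration for the original poster's layout, written here as an added example (not a configuration posted in this thread or taken from Juniper's documentation). It assumes an SRX3400 pair in which node1's ports show up as xe-9/0/x (the slot offset used in the reply above), one 10GE port per node in each reth, VLANs 10-12 on reth0 (homed on node0 via RG1) and VLANs 13-15 on reth1 (homed on node1 via RG2); the IP addresses and zone names are placeholders, and the `#` lines are comments.

```junos
# --- Chassis cluster: two reths, RG1 prefers node0, RG2 prefers node1 ---
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 2 node 0 priority 1
set chassis cluster redundancy-group 2 node 1 priority 100

# Fail a group over when its child link on the current primary goes down
# (a single weight of 255 reaches the default failover threshold of 255)
set chassis cluster redundancy-group 1 interface-monitor xe-1/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-9/0/0 weight 255
set chassis cluster redundancy-group 2 interface-monitor xe-1/0/1 weight 255
set chassis cluster redundancy-group 2 interface-monitor xe-9/0/1 weight 255

# --- Physical 10GE ports: one per node in each reth (xe-9/0/x = node1, assumed) ---
set interfaces xe-1/0/0 gigether-options redundant-parent reth0
set interfaces xe-9/0/0 gigether-options redundant-parent reth0
set interfaces xe-1/0/1 gigether-options redundant-parent reth1
set interfaces xe-9/0/1 gigether-options redundant-parent reth1

# --- reth0: tagged on the reth itself, VLANs 10-12, bound to RG1 ---
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 10 vlan-id 10
set interfaces reth0 unit 10 family inet address 10.0.10.1/24
set interfaces reth0 unit 11 vlan-id 11
set interfaces reth0 unit 11 family inet address 10.0.11.1/24
set interfaces reth0 unit 12 vlan-id 12
set interfaces reth0 unit 12 family inet address 10.0.12.1/24

# --- reth1: VLANs 13-15, bound to RG2 ---
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 13 vlan-id 13
set interfaces reth1 unit 13 family inet address 10.0.13.1/24
set interfaces reth1 unit 14 vlan-id 14
set interfaces reth1 unit 14 family inet address 10.0.14.1/24
set interfaces reth1 unit 15 vlan-id 15
set interfaces reth1 unit 15 family inet address 10.0.15.1/24

# --- Every logical unit must sit in a security zone before policies can reference it ---
set security zones security-zone node0-vlans interfaces reth0.10
set security zones security-zone node0-vlans interfaces reth0.11
set security zones security-zone node0-vlans interfaces reth0.12
set security zones security-zone node1-vlans interfaces reth1.13
set security zones security-zone node1-vlans interfaces reth1.14
set security zones security-zone node1-vlans interfaces reth1.15
```

After committing, `show chassis cluster status` should show RG1 primary on node0 and RG2 primary on node1, and `show interfaces terse reth0` lists the logical units. Pulling xe-1/0/0 drops RG1's monitored weight to zero on node0, so RG1 (and with it all of reth0's VLAN units) moves to node1 while RG2 stays where it is; the VLANs themselves never move between reths, which is the limit the NOTE above describes.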



  • 6.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-11-2011 11:43

    Question on LACP in Reth.

     

    If you are connected to a single Cisco switch with all four interfaces in the same Port Channel, how will it know not to send traffic to interfaces on the non-active node, e.g. 8/0/0 and 8/0/1? Do these interfaces still process traffic even though the reth group is active on the other node, e.g. active with 0/0/0 and 0/0/1?



  • 7.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-11-2011 15:57

    I would personally make sure the child interfaces part of the aggregated-ethernet interface are part of the same node.

     

    I would also adjust the OSPF costs so that aggregated-ethernet interface on node0 is preferred over node1.



  • 8.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-11-2011 21:01

    If you had one switch stack, or a VC of some type, all of your PC or AE links will be on that same stack. Is it possible to split this across two SRXs in HA, with two links of four in the PC or AE going to one SRX and the other two going to the other SRX?

     

    Based on what I have been able to come up with, it seems that the RG0 node is the only node that responds to traffic in the PC or AE, and that the other node is having a hard time with communications sent to it by the downstream switch links in the PC or AE?

     

    Is this type of deployment out of scope?

     

    Sorry if this seems simple, just a bit lost with respect to this application.

     

    Usually I just have a link from a switch that participates in a VRRP group and really only one of the links is active, therefore the reth on the SRX that is active will communicate fine. I have since run into a deployment scenario where a single PC from a single VC is split across HA SRXs and things seem to be off a touch.

     

    I have tried this deployment outside of RG1, just using an AE config, say ae0.0, that spans the two SRXs, e.g.

     

    ge-1/0/0 and ge-1/0/1 are part of ae0.0 on node0 and ge-14/0/0 and 14/0/1 are part of ae0.0 on node1 ... and also with reth groups and LACP configs.

     

    Any insight would be greatly appreciated, thanks!

     

     



  • 9.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-13-2011 00:27

    Sorry I'm really not sure what you're asking.



  • 10.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-13-2011 04:39

    Though I disgraced myself with the dot1q answer, I'll take another stab at this.

     

    cole, if I hear you right, what you are asking is: can one LAG on the switch be used to service the SRX cluster? The answer is that this is not supported.

     

    >>

    The redundant Ethernet interface LAG child links from each node in the chassis cluster must be connected to a different LAG at the peer devices. If a single peer switch is used to terminate the redundant Ethernet interface LAG, two separate LAGs must be used in the switch.

    >>

    (https://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-43686.html)

     

    Since you're using a VC, that acts as "a single switch" with multiple routing engines and line cards. You need to configure one LAG for node 0, and a separate LAG for node 1.
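    The pairing the quoted rule requires, shown on both ends as an added example (not from this thread or from Juniper's documentation): the SRX side is a four-member reth0 with LACP, as in the earlier reply, and the switch side is a Juniper EX Virtual Chassis where node0's two links land in ae0 and node1's two links in ae1. The SRX port numbering (xe-9/0/x for node1), the EX port names, the VLAN and the address are assumptions; the thread's Cisco case is the same arrangement with two separate Port Channels instead of two ae interfaces.

```junos
# --- SRX chassis cluster: two children per node, LACP negotiated on the reth ---
set chassis cluster reth-count 1
set interfaces xe-1/0/0 gigether-options redundant-parent reth0
set interfaces xe-1/0/1 gigether-options redundant-parent reth0
set interfaces xe-9/0/0 gigether-options redundant-parent reth0
set interfaces xe-9/0/1 gigether-options redundant-parent reth0
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp active
set interfaces reth0 redundant-ether-options lacp periodic fast
set interfaces reth0 unit 10 vlan-id 10
set interfaces reth0 unit 10 family inet address 10.0.10.1/24

# --- EX Virtual Chassis: one ae per SRX node, never one ae spanning both ---
set chassis aggregated-devices ethernet device-count 2
# ae0: a port on VC member 0 and one on VC member 1, both cabled to SRX node0
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0
# ae1: a port on VC member 0 and one on VC member 1, both cabled to SRX node1
set interfaces xe-0/1/1 ether-options 802.3ad ae1
set interfaces xe-1/1/1 ether-options 802.3ad ae1
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members vlan10
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members vlan10
set vlans vlan10 vlan-id 10
```

Both ae interfaces trunk the same VLANs, but the switch learns the reth0 MAC on ae0 while node0 is primary for RG1 and relearns it on ae1 after a failover, so no frame is ever hashed onto the links of the node that is not carrying reth0. On the SRX, `show lacp interfaces reth0` should show the node0 children collecting and distributing and the node1 children in the standby state.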

     



  • 11.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-13-2011 08:49

    "Though I disgraced myself with the dot1q answer, I'll take another stab at this."

     

    LOL, I know right? Rough sometimes trying to know it all.

     

    This is the scenario I was referencing, thanks for the link / input!

     

    I'll post a Visio later tonight, but you get the gist.



  • 12.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-05-2011 23:45

    If you have a good core switch, I would recommend not using the firewall-on-a-stick method. Instead create a "distribution" routing-instance on the core switches and use VRRP between the core switches to host the default gateways.

     

    Then use OSPF between the core router's distribution.inet.0 and inet.0, while having the SRX in the middle.  What you create is a six-pack topology.

     

    This effectively creates a line-rate distribution layer without a firewall, and when you need to go outside the distribution layer, you're forced through the firewall.

     

    No need to use reth interfaces with this firewall setup as it's just OSPF p2p links. It's also active/active, but I would adjust the OSPF costs on the secondary node to be a little higher, so that all the traffic prefers the master node. Makes troubleshooting much easier.

     

    On the other hand if you need to enforce firewall policy between all VLANs then this wouldn't work.



  • 13.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-07-2011 11:31

    Hi,

     

    Did you test failover with that "six pack" design?

     

    I saw it inside the JUNOS Security book, but when I tested a node crash or node reboot in the lab, stateful session recovery never worked. Basically, when the primary node failed, sessions became active on the secondary one; however, when the primary node came back online, active sessions never returned to node0 even though routing did.

     

    The reason is that the cold-sync process occurs after the interfaces (and routing) come back online on the recovering node.

     

    I opened a JTAC case and talked to development on that issue ... the answer is to stick with reth interfaces for HA.

     

    Thanks,

     

     



  • 14.  RE: SRX active Active Cluster using sub interfaces

    Posted 02-09-2011 22:53

    I've tested this design and didn't see the issues you described.