Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  SRX345 single RETH to multiple EX switch stacks

    Posted 09-16-2022 11:19

    Good afternoon all,

    I have a scenario where my SRX cluster is the DHCP server for my site.

    SS1 (Switch stack) is currently in RETH0. DHCP is working.
    I would like to add SS2 and SS3 to RETH0. When I do this, I see them as part of RETH0; however, DHCP does not work.

    Am I allowed multiple switch stacks under a single RETH?

    Diagram below

    Thanks all



    ------------------------------
    DAN RAWLINGS
    ------------------------------


  • 2.  RE: SRX345 single RETH to multiple EX switch stacks

    Posted 09-16-2022 12:04
    You can add multiple switch stacks under a single RETH. Physical configuration goes on the physical interface, along with the association to a reth. Logical interface configuration goes under interface reth, along with the association to a failover redundancy group. Are you propagating the DHCP pool to the corresponding logical reth interfaces as well? Do a "show interface terse" and validate that all the physical interfaces are in the reth as intended.

    ------------------------------
    ANKUR
    ------------------------------



  • 3.  RE: SRX345 single RETH to multiple EX switch stacks

    Posted 09-16-2022 14:15

    Thanks for the reply Ankur

    All interfaces are attributed to reth0 - it's literally the DHCP not binding, and the switch is not available via mgmt / ping.

    Here are some checks from the SRX to aid:

    node0> show interfaces terse | match /8
    ge-0/0/8 up up
    ge-0/0/8.5 up up aenet --> reth0.5
    ge-0/0/8.10 up up aenet --> reth0.10
    ge-0/0/8.33 up up aenet --> reth0.33
    ge-0/0/8.34 up up aenet --> reth0.34
    ge-0/0/8.32767 up up aenet --> reth0.32767
    ge-5/0/8 up up
    ge-5/0/8.5 up up aenet --> reth0.5
    ge-5/0/8.10 up up aenet --> reth0.10
    ge-5/0/8.33 up up aenet --> reth0.33
    ge-5/0/8.34 up up aenet --> reth0.34
    ge-5/0/8.32767 up up aenet --> reth0.32767

    {primary:node0}
    node0> show interfaces terse | match reth0
    ge-0/0/2.5 up up aenet --> reth0.5
    ge-0/0/2.10 up up aenet --> reth0.10
    ge-0/0/2.33 up up aenet --> reth0.33
    ge-0/0/2.34 up up aenet --> reth0.34
    ge-0/0/2.32767 up up aenet --> reth0.32767
    ge-0/0/8.5 up up aenet --> reth0.5
    ge-0/0/8.10 up up aenet --> reth0.10
    ge-0/0/8.33 up up aenet --> reth0.33
    ge-0/0/8.34 up up aenet --> reth0.34
    ge-0/0/8.32767 up up aenet --> reth0.32767
    ge-5/0/2.5 up up aenet --> reth0.5
    ge-5/0/2.10 up up aenet --> reth0.10
    ge-5/0/2.33 up up aenet --> reth0.33
    ge-5/0/2.34 up up aenet --> reth0.34
    ge-5/0/2.32767 up up aenet --> reth0.32767
    ge-5/0/8.5 up up aenet --> reth0.5
    ge-5/0/8.10 up up aenet --> reth0.10
    ge-5/0/8.33 up up aenet --> reth0.33
    ge-5/0/8.34 up up aenet --> reth0.34
    ge-5/0/8.32767 up up aenet --> reth0.32767
    reth0 up up
    reth0.5 up up inet 10.80.5.1/24
    reth0.10 up up inet 10.80.10.1/24
    reth0.33 up up inet 10.80.33.1/24
    reth0.34 up up inet 10.80.34.1/24
    reth0.32767 up up

    {primary:node0}
    node0> show configuration interfaces reth0.33
    description ***Corp***;
    vlan-id 33;
    family inet {
    address 10.xx.33.1/24;
    }

    {primary:node0}
    node0> show arp interface reth0.33

    {primary:node0}
    node0> show chassis mac-addresses
    node0:
    --------------------------------------------------------------------------
    MAC address information:
    Public base address 58:xx:xx:xx:xx:01
    Public count 126
    Private base address 58:xx:xx:xx:xx:7f
    Private count 1

    node1:
    --------------------------------------------------------------------------
    MAC address information:
    Public base address 58:xx:xx:xx:xx:01
    Public count 126
    Private base address 58:xx:xx:xx:xx:7f
    Private count 1

    {primary:node0}
    node0> show lldp neighbors
    Local Interface Parent Interface Chassis Id Port info System Name
    ge-5/0/8 reth0 28:xx:xx:xx:xx:80 ge-1/1/0.0 asw1..gb
    ge-0/0/8 reth0 28:xx:xx:xx:xx:80 ge-0/1/0.0 asw1..gb
    ge-0/0/2 reth0 80:xx:xx:xx:xx:00 ***CSRX1.N0-RETH0*** csw1..gb
    ge-0/0/3 reth1 80:xx:xx:xx:xx:00 ***CSRX1.N0-RETH1*** csw1..gb
    ge-5/0/2 reth0 80:xx:xx:xx:xx:00 ***CSRX1.N1-RETH0*** csw1..gb
    ge-5/0/3 reth1 80:xx:xx:xx:xx:00 ***CSRX1.N1-RETH1*** csw1..gb


    DHCP config is good as we are receiving on the originally connected stack.

    Any further suggestions?
    Regards
    Dan



    ------------------------------
    DAN RAWLINGS
    ------------------------------
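Ankur's suggestion in reply 2 is to confirm from `show interfaces terse` that every physical member carries the reth units as intended. The Python below is an added example, not code from this thread or from Juniper: it audits a constructed sample in the format of the output above, flagging a member that lacks a unit the other members of the same reth carry, and a reth without a member on both cluster nodes (it assumes SRX345 numbering, where node1 interfaces appear as fpc 5).

```python
import re
from collections import defaultdict

# Constructed sample in the format of the `show interfaces terse | match reth0`
# output posted above; ge-5/0/8 deliberately lacks unit 10.
SAMPLE = """\
ge-0/0/2.5 up up aenet --> reth0.5
ge-0/0/2.10 up up aenet --> reth0.10
ge-0/0/8.5 up up aenet --> reth0.5
ge-0/0/8.10 up up aenet --> reth0.10
ge-5/0/2.5 up up aenet --> reth0.5
ge-5/0/2.10 up up aenet --> reth0.10
ge-5/0/8.5 up up aenet --> reth0.5
reth0 up up
reth0.5 up up inet 10.80.5.1/24
reth0.10 up up inet 10.80.10.1/24
"""

# A member line: physical unit N is always bound to the same unit N of the reth.
MEMBER = re.compile(
    r"^(?P<phy>[a-z]+-\d+/\d+/\d+)\.(?P<unit>\d+)\s+\S+\s+\S+\s+aenet\s+-->\s+"
    r"(?P<reth>reth\d+)\.(?P=unit)$"
)

def reth_members(text):
    """Map each reth to {physical interface: set of unit numbers}."""
    members = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = MEMBER.match(line.strip())
        if m:
            members[m["reth"]][m["phy"]].add(int(m["unit"]))
    return members

def audit(text):
    """Report members lacking a unit that other members of the reth carry, and
    reths without a member on both cluster nodes (assumes SRX345 numbering:
    node0 interfaces are fpc 0, node1 interfaces are fpc 5)."""
    findings = []
    for reth, phys in sorted(reth_members(text).items()):
        expected = set().union(*phys.values())
        for phy, units in sorted(phys.items()):
            for unit in sorted(expected - units):
                findings.append(f"{phy} lacks {reth}.{unit}")
        fpcs = {phy.split("-")[1].split("/")[0] for phy in phys}
        if fpcs != {"0", "5"}:
            findings.append(f"{reth} has members on fpc {sorted(fpcs)} only")
    return findings
```

Paste the real terse output into `SAMPLE` to run the same check against a live cluster; an empty list means every member carries every unit on both nodes.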



  • 4.  RE: SRX345 single RETH to multiple EX switch stacks

    Posted 09-16-2022 14:49
    Can you ping the switch stacks from the SRX or from its interfaces? Or SSH from the SRX into the switch? Are host inbound services defined as well?

    ------------------------------
    ANKUR
    ------------------------------



  • 5.  RE: SRX345 single RETH to multiple EX switch stacks

    Posted 09-20-2022 04:18

    Hi Ankur,

    Sorry for the delay, it's been a long weekend here in the UK.

    I can ping SS1 but not 2 and 3.

    Here is an output of the services:

    set system services ssh root-login deny
    set system services ssh protocol-version v2
    set system services ssh client-alive-count-max 10
    set system services ssh client-alive-interval 180
    set system services ssh rate-limit 15
    set system services netconf ssh
    set system services dhcp-local-server requested-ip-interface-match
    set routing-instances LOCAL-PRIVATE system services dhcp-local-server group CLIENT interface reth0.33 upto reth0.224
    set routing-instances NCG-MGMT-ON-NET system services dhcp-local-server group CLIENT interface reth0.10
    set routing-instances WIFI-MGMT system services dhcp-local-server group CLIENT interface reth0.5

    Hope this helps
    thanks
    Dan



    ------------------------------
    DAN RAWLINGS
    ------------------------------



  • 6.  RE: SRX345 single RETH to multiple EX switch stacks

    Posted 09-20-2022 10:10
    These are system services on the SRX; what I was referring to was the host-inbound services for the reth interfaces defined for S2 and S3, e.g.
    set security zones security-zone ABC interface ge-0/0/xx host-inbound-traffic system-services all
    set security zones security-zone ABC interface ge-0/0/xx host-inbound-traffic protocol icmp

    Where security zone ABC is configured with the reth interfaces corresponding to S2 and S3 that are connected to ge-0/0 interfaces on the SRX. You may want to enable trace options on the interface to check the traffic. If you have JTAC support you may want to open a ticket with them for trace options. If you have any access to the switch it may be worth checking if the switch is configured correctly to route traffic via the SRX.

    ------------------------------
    ANKUR
    ------------------------------



  • 7.  RE: SRX345 single RETH to multiple EX switch stacks

    Posted 09-21-2022 05:46
    Hey Ankur,

    Unfortunately the SRXs are configured to be in packet mode and not flow mode, therefore there are no security zones defined.
    We have firewall filters configured - please see below:


    set firewall family inet filter V4-DATA-SEC term DHCP from protocol udp
    set firewall family inet filter V4-DATA-SEC term DHCP from source-port 67
    set firewall family inet filter V4-DATA-SEC term DHCP from source-port 68
    set firewall family inet filter V4-DATA-SEC term DHCP from destination-port 67
    set firewall family inet filter V4-DATA-SEC term DHCP from destination-port 68
    set firewall family inet filter V4-DATA-SEC term DHCP then policer 32K
    set firewall family inet filter V4-DATA-SEC term BLOCK-CORE-INFRA from source-address xx.0.0.0/8
    set firewall family inet filter V4-DATA-SEC term BLOCK-CORE-INFRA from destination-address xx.xx.0.0/10
    set firewall family inet filter V4-DATA-SEC term GOOGLE-DNS from destination-address 8.8.8.8/32
    set firewall family inet filter V4-DATA-SEC term GOOGLE-DNS from destination-address 8.8.4.4/32
    set firewall family inet filter V4-DATA-SEC term GOOGLE-DNS then accept
    set firewall family inet filter V4-DATA-SEC term SMTP-PORT25 from protocol tcp
    set firewall family inet filter V4-DATA-SEC term SMTP-PORT25 from destination-port 25
    set firewall family inet filter V4-DATA-SEC term SMTP-PORT25 then discard
    set firewall family inet filter V4-DATA-SEC term NTP from protocol udp
    set firewall family inet filter V4-DATA-SEC term NTP from destination-port 123
    set firewall family inet filter V4-DATA-SEC term NTP then policer 32K
    set firewall family inet filter V4-DATA-SEC term OTHER-DNS from protocol udp
    set firewall family inet filter V4-DATA-SEC term OTHER-DNS from destination-port 53
    set firewall family inet filter V4-DATA-SEC term OTHER-DNS then policer 32K
    set firewall family inet filter V4-DATA-SEC term XVLAN-TALK from source-address xx.0.0.0/8
    set firewall family inet filter V4-DATA-SEC term XVLAN-TALK from destination-address xx.0.0.0/8
    set firewall family inet filter V4-DATA-SEC term XVLAN-TALK then discard
    set firewall family inet filter V4-DATA-SEC term CATCH-ALL from source-address xx.0.0.0/8
    set firewall family inet filter V4-DATA-SEC term CATCH-ALL then accept

    set firewall family inet filter CoPP term FRAG from is-fragment
    set firewall family inet filter CoPP term FRAG from protocol icmp
    set firewall family inet filter CoPP term FRAG from protocol tcp
    set firewall family inet filter CoPP term FRAG from protocol udp
    set firewall family inet filter CoPP term FRAG then discard
    set firewall family inet filter CoPP term BGP-DST from source-address xx.xx.0.0/10
    set firewall family inet filter CoPP term BGP-DST from protocol tcp
    set firewall family inet filter CoPP term BGP-DST from destination-port 179
    set firewall family inet filter CoPP term BGP-DST then accept
    set firewall family inet filter CoPP term BGP-SRC from source-address xx.xx.0.0/10
    set firewall family inet filter CoPP term BGP-SRC from protocol tcp
    set firewall family inet filter CoPP term BGP-SRC from source-port 179
    set firewall family inet filter CoPP term BGP-SRC then accept
    set firewall family inet filter CoPP term OSPF from source-address xx.xx.0.0/10
    set firewall family inet filter CoPP term OSPF from protocol ospf
    set firewall family inet filter CoPP term OSPF then accept
    set firewall family inet filter CoPP term CORE-SRV from source-address xx.xx.xx.0/24
    set firewall family inet filter CoPP term CORE-SRV from source-address xx.xx.xx.0/24
    set firewall family inet filter CoPP term CORE-SRV then accept
    set firewall family inet filter CoPP term DHCP from protocol udp
    set firewall family inet filter CoPP term DHCP from source-port 67
    set firewall family inet filter CoPP term DHCP from source-port 68
    set firewall family inet filter CoPP term DHCP from destination-port 67
    set firewall family inet filter CoPP term DHCP from destination-port 68
    set firewall family inet filter CoPP term DHCP then policer 32K
    set firewall family inet filter CoPP term IKE-DST from protocol udp
    set firewall family inet filter CoPP term IKE-DST from destination-port 500
    set firewall family inet filter CoPP term IKE-DST then accept
    set firewall family inet filter CoPP term ESP from protocol esp
    set firewall family inet filter CoPP term ESP then accept
    set firewall family inet filter CoPP term CATCH-ALL from source-address 0.0.0.0/0
    set firewall family inet filter CoPP term CATCH-ALL then discard
    set firewall family inet filter CoPP term DEFAULT then accept

    Rgds
    Dan

    ------------------------------
    DAN RAWLINGS
    ------------------------------
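Because the cluster runs in packet mode, the CoPP filter in the last reply is what decides whether DHCP and ICMP from the switch stacks reach the Routing Engine at all. The Python below is an added example, not code from this thread or from Juniper: it models that filter with Junos first-match semantics (match types within a term are ANDed, repeated values of one type are ORed, a term with only a policer action accepts, and an unmatched packet hits the implicit discard) and runs constructed sample packets through it. The redacted xx prefixes are replaced with placeholder 172.64.0.0/10 and 10.10.10.0/24 values, which are assumptions, not the site's addresses.

```python
import ipaddress

# Constructed model of the CoPP filter posted in the thread. The page redacts
# its prefixes as xx; 172.64.0.0/10 and 10.10.10.0/24 are placeholders
# (assumption), not the site's real addresses.
INFRA = "172.64.0.0/10"
CORE_SRV = "10.10.10.0/24"
COPP = [
    ("FRAG", {"is-fragment": True, "protocol": {"icmp", "tcp", "udp"}}, "discard"),
    ("BGP-DST", {"source-address": {INFRA}, "protocol": {"tcp"}, "destination-port": {179}}, "accept"),
    ("BGP-SRC", {"source-address": {INFRA}, "protocol": {"tcp"}, "source-port": {179}}, "accept"),
    ("OSPF", {"source-address": {INFRA}, "protocol": {"ospf"}}, "accept"),
    ("CORE-SRV", {"source-address": {CORE_SRV}}, "accept"),
    ("DHCP", {"protocol": {"udp"}, "source-port": {67, 68}, "destination-port": {67, 68}}, "policer 32K"),
    ("IKE-DST", {"protocol": {"udp"}, "destination-port": {500}}, "accept"),
    ("ESP", {"protocol": {"esp"}}, "accept"),
    ("CATCH-ALL", {"source-address": {"0.0.0.0/0"}}, "discard"),
    ("DEFAULT", {}, "accept"),
]

def term_matches(conds, pkt):
    """Junos semantics: every match type in a term must match (AND); several
    values of the same type match when any one of them does (OR)."""
    for key, want in conds.items():
        if key == "is-fragment":
            if not pkt.get("is-fragment", False):
                return False
        elif key.endswith("-address"):
            addr = ipaddress.ip_address(pkt.get(key, "0.0.0.0"))
            if not any(addr in ipaddress.ip_network(n) for n in want):
                return False
        elif pkt.get(key) not in want:
            return False
    return True

def evaluate(filt, pkt):
    """First matching term wins. A term whose only action is a policer accepts
    the policed packet; a packet matching no term hits the implicit discard."""
    for name, conds, action in filt:
        if term_matches(conds, pkt):
            return name, ("discard" if action == "discard" else "accept")
    return "implicit", "discard"

def shadowed_terms(filt):
    """Terms placed after a term that matches every packet can never be hit."""
    for i, (_, conds, _) in enumerate(filt):
        if not conds or conds == {"source-address": {"0.0.0.0/0"}}:
            return [name for name, _, _ in filt[i + 1:]]
    return []
```

With the filter as posted, a DHCP discover lands on the DHCP term, while a non-fragmented ICMP echo reply from a switch address outside the CORE-SRV prefix falls through to CATCH-ALL, and `shadowed_terms` reports DEFAULT as unreachable behind it.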