SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Port channel between juniper and cisco switch

    Posted 11-18-2019 04:32

    Hello 

     

    What is the correct way to create a port-channel between a Juniper SRX5400 and, for example, a Cisco 2960X?

     

    I have read that ethernet-switching is not supported on SRX 4100 and higher, but most demo configs go that route.

     

     



  • 2.  RE: Port channel between juniper and cisco switch

    Posted 11-18-2019 04:49

    Can you please share the diagram of the infrastructure you want to create? L2/L3? Standalone/Cluster SRX?



  • 3.  RE: Port channel between juniper and cisco switch

    Posted 11-18-2019 04:58

    Edit:

    Little config snippet:

     

        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.1.4/29 {
                        vrrp-group 2 {
                            virtual-address 192.168.1.2;
                            priority 200;
                            accept-data;
                            authentication-type md5;
                            authentication-key "xxx"; ## SECRET-DATA
                        }
                    }
                }
            }
        }
        ge-0/0/2 {
            enable;
            vlan-tagging;
            unit 202 {
                vlan-id 202;
                family inet {
                    address 192.168.3.254/24 {
                        vrrp-group 1 {
                            virtual-address 192.168.3.1;
                            priority 200;
                            accept-data;
                            authentication-type md5;
                            authentication-key "xxx"; ## SECRET-DATA
                        }
                    }
                }
            }
        }

    How could I make the above config work with more than one interface? Example: ge-0/0/0 + ge-0/0/1 | ge-0/0/2 + ge-0/0/3

     

    Currently ge-0/0/0 and ge-0/0/2 are connected to a Cisco switch. For redundancy and more capacity I would like to use multiple links (port channel).

     



  • 4.  RE: Port channel between juniper and cisco switch

    Posted 11-18-2019 09:28

    Hi,

    You need to use a reth interface for redundancy. I'm pasting a similar configuration for a reth interface, but it is not tested in the lab. It will help guide you.

    set interfaces ge-0/0/0 gigether-options redundant-parent reth0
    set interfaces ge-0/0/2 gigether-options redundant-parent reth0
    set interfaces irb unit 202 family inet address 192.168.1.254/24
    set interfaces reth0 vlan-tagging
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 redundant-ether-options lacp active
    set interfaces reth0 redundant-ether-options lacp periodic slow
    set interfaces reth0 unit 0 family ethernet-switching interface-mode trunk
    set interfaces reth0 unit 0 family ethernet-switching vlan members vlan202
    set vlans vlan202 vlan-id 202
    set vlans vlan202 l3-interface irb.202



  • 5.  RE: Port channel between juniper and cisco switch

    Posted 11-18-2019 22:48

    Hello,

     

    Is the above example meant for a chassis cluster? Currently I am running only one router and I would like to attach 2 switches that are redundant. But if possible, use both at the same time; if not, then switch over to the other when the first fails. A dirty solution would be to script interface enable/disable when sw1 fails, but surely there is something that can create a simple port channel to the switch.



  • 6.  RE: Port channel between juniper and cisco switch
    Best Answer

    Posted 11-18-2019 23:22

    Hi, Egert

     

    In Junos an Aggregated-Ethernet (ae) interface is the same thing as a port-channel in Cisco. An ae interface is just a bundle of physical interfaces; this bundle can be a group of L2 (family ethernet-switching) or L3 (family inet) interfaces. As you mentioned, ethernet-switching is not supported in high end SRX, however you can configure a L3 interface with sub-interfaces that will understand vlan-tagging.

     

    Based on the provided configuration I can see that you have two L3 interfaces (one with vlan-tagging) acting as VRRP gateways, and you mentioned that you don't have a chassis cluster. The steps you will need to follow are:

     

    1. Enable at least 1 ae interface:

     

    user@host# set chassis aggregated-devices ethernet device-count 1

     

    Ref: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/device-count-edit-chassis.html

     

    2. Create an ae interface (ae0) by bundling ge-0/0/0 and ge-0/0/2:

     

    user@host# set interfaces ge-0/0/0 gigether-options 802.3ad ae0 
    user@host# set interfaces ge-0/0/2 gigether-options 802.3ad ae0

     

    Ref: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-interface-config-aggregated-ethernet.html#id-deleting-aggregated-ethernet-interface

     

    3. Configure ae0 with subinterfaces using vlan-tagging (Router-on-a-stick):

     

    user@host# set interfaces ae0 vlan-tagging
    user@host# set interfaces ae0 unit 202 vlan-id 202
    user@host# set interfaces ae0 unit 202 family inet address 192.168.3.254/24 vrrp-group 1 virtual-address 192.168.3.1 priority 200
    user@host# set interfaces ae0 unit 202 family inet address 192.168.3.254/24 vrrp-group 1 accept-data authentication-type md5 authentication-key [password]

    user@host# set interfaces ae0 unit 205 vlan-id 205
    user@host# set interfaces ae0 unit 205 family inet address 192.168.1.4/29 vrrp-group 2 virtual-address 192.168.1.2 priority 200
    user@host# set interfaces ae0 unit 205 family inet address 192.168.1.4/29 vrrp-group 2 accept-data authentication-type md5 authentication-key [password]

    Follow the same format to configure other sub-units and note they have to have their own vlan-ids.

     

    With the above configuration you just need to make sure that your switch also has an L2 port-channel created, acting as a trunk port and passing the vlan-ids created on the sub-units (202 and 205).

     

    Remember that ge-0/0/0 and ge-0/0/2 are currently part of a security-zone; you will need to include ae0.202 and ae0.205 within those security-zones as well.

     

    I really hope this was the information you were looking for. Please mark my comment as "Solution" if it applies.
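
Added example, not part of the original thread or the poster's own code: a small Python check for the security-zone step in the answer above. It reads a Junos configuration in `set` format and reports L3 units that are not bound to any security zone, plus zone entries that still name a link now bundled into an ae interface. The sample configuration and the zone names `trust` and `untrust` are constructed assumptions.

```python
import re

# Constructed sample: the answer's ae0 layout with only unit 202 moved into a
# zone. Zone names "trust" and "untrust" are assumptions, not from the thread.
SAMPLE_CONFIG = """\
set chassis aggregated-devices ethernet device-count 1
set interfaces ge-0/0/0 gigether-options 802.3ad ae0
set interfaces ge-0/0/2 gigether-options 802.3ad ae0
set interfaces ae0 vlan-tagging
set interfaces ae0 unit 202 vlan-id 202
set interfaces ae0 unit 202 family inet address 192.168.3.254/24
set interfaces ae0 unit 205 vlan-id 205
set interfaces ae0 unit 205 family inet address 192.168.1.4/29
set security zones security-zone trust interfaces ae0.202
set security zones security-zone untrust interfaces ge-0/0/0.0
"""

UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet\b")
MEMBER_RE = re.compile(r"^set interfaces (\S+) \S+-options 802\.3ad (ae\d+)")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")

def audit_zone_bindings(config_text):
    """Return (unzoned L3 units, zone entries still naming ae member links)."""
    l3_units, members, zoned = set(), {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        if m := UNIT_RE.match(line):
            l3_units.add(f"{m.group(1)}.{m.group(2)}")
        elif m := MEMBER_RE.match(line):
            members[m.group(1)] = m.group(2)
        elif m := ZONE_RE.match(line):
            zoned[m.group(2)] = m.group(1)
    # "interfaces all" in a zone covers every logical interface.
    unzoned = [] if "all" in zoned else sorted(l3_units - set(zoned))
    stale = sorted(
        (ifl, zone) for ifl, zone in zoned.items()
        if ifl.split(".")[0] in members
    )
    return unzoned, stale

if __name__ == "__main__":
    unzoned, stale = audit_zone_bindings(SAMPLE_CONFIG)
    for ifl in unzoned:
        print(f"{ifl}: family inet configured but not in any security zone")
    for ifl, zone in stale:
        print(f"{ifl}: zone '{zone}' still references an ae member link")
```

The check only looks at top-level `set interfaces` and `set security zones` lines; zones defined inside logical systems or tenants are outside its scope.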

     



  • 7.  RE: Port channel between juniper and cisco switch

    Posted 11-19-2019 01:28

    Thanks, that was exactly what I needed. I made 2 ae interfaces [ ae0 (g0,g1) / ae1 (g2,g3) ], same on the switch side. Now I have two working port channels.

     

     



  • 8.  RE: Port channel between juniper and cisco switch

    Posted 11-19-2019 16:48

    Nice! I'm glad it worked.



  • 9.  RE: Port channel between juniper and cisco switch

    Posted 05-10-2023 16:00

    @lpaniagua, I'm having a similar issue with my setup. I've tried this two different ways.

    Setup 1: Reth0 = redundancy group 1, lacp active/periodic fast, unit 0 family inet address X.X.X.4, interfaces xe-0/0/16 & xe-7/0/16
             Reth1 = redundancy group 1, lacp active/periodic fast, unit 0 family inet address X.X.X.5, interfaces xe-0/0/17 & xe-7/0/17

    They are connected to a pair of cisco nexus switches on port channels that are vpc peered. 

    Everything looked like it was working but when a PC on SW2 tried to reach the SRX I wasn't getting a response.  So I changed it to:
    Setup 2: Reth0 = redundancy group 1, lacp active/periodic fast, unit 0 family inet address X.X.X.4, interfaces xe-0/0/16 & xe-7/0/16 & xe-0/0/17 & xe-7/0/17.

    With setup 2, I was getting the same outcome. The cisco POs are just access ports in vlan 1500. I'm using hsrp on vlan 1500. So SW1 vlan 1500 SVI is .2, SW2 vlan 1500 SVI .3 and hsrp is .1. Any PC on SW1 works just fine with no issues. It's just traffic on SW2 that gets lost. 

    I only went with reths because my SRXs are clustered and I wanted to build the most robust connection between the Junipers and Ciscos. If my current setup can be fixed great. If not, if I'm going about this all wrong then so be it. But what is the best way to build this?



    ------------------------------
    CHRIS COUTURE
    ------------------------------