SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX chassis cluster Reth Subinterface LACP and NAT


    Posted 08-17-2022 17:46
    Hello,

    Please see image for an idea of what I am trying to do, but I will do my best to explain it below as well.
    I set up two SRX 1500s in a chassis cluster. I added physical ports to logical link reth1. The ports for reth1 are connected to an EX3300 that would serve as an intermediary L2 step to ISP1 and ISP2. The connection between reth1 and the switch is set up in LACP. LACP is up and functional.
    I want to source NAT static IP servers. I ran across a couple of errors when attempting to assign physical ports in Security Zone Servers because I had set the physical ports as access ports, and learned that family ethernet-switching and family inet cannot be in the same Security Zone. Please note I added Reth1.100 as an interface to Security Zone Servers first and then attempted to add ports ge-0/0/10 and ge-0/0/11 afterwards, when I received the error that all interfaces in the security zone need to be a part of the same family.
    I learned that here: https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/topic-map/layer-2-interfaces.html#id-understanding-mixed-mode-transparent-and-route-mode-on-security-devices


    As a test I did create a vlan.100 interface with IP 100.100.100.2 and I was able to ping 100.100.100.3, so the switch is not the issue in terms of LACP connectivity.

    Relevant configuration:
    set security zones security-zone Servers interfaces reth1.100 host-inbound-traffic system-services all
    set interfaces reth1 vlan-tagging
    set interfaces reth1 redundant-ether-options redundancy-group 2
    set interfaces reth1 redundant-ether-options lacp active
    set interfaces reth1 redundant-ether-options lacp periodic slow
    set interfaces reth1 unit 100 vlan-id 100
    set interfaces reth1 unit 100 family inet address 100.100.100.3/28

    I am also setting up other reth1 subinterfaces, but before doing so I want to make sure I can get this to work, just in case there is a suggestion to remove unit 100 and add the IP address to unit 0 of Reth1. :)

    I am not sure how to set up NAT for my statically assigned servers to be translated to the Reth1.100 interface IP. Is this even possible? If possible, how should the ports be configured?
    A lot of documentation seems to point to adding an IP address to the ports that are in the same security zone, but I don't want to NAT the port IPs, I want to NAT the server IPs.

    Also, if you need additional details, please let me know.

    Thank you for your attention!


    ------------------------------
    D POM
    ------------------------------
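An added configuration sketch, not part of the original post or of any reply, showing how the source NAT described above is normally expressed in Junos set syntax. It assumes the server ports are converted from ethernet-switching to family inet on a constructed subnet 10.10.10.0/24 and kept in zone Servers, while reth1.100 is moved into its own ISP-facing zone (named ISP here, an assumption) so the NAT rule and policy can be written as traffic crossing from Servers to ISP; it also narrows the ISP-facing host-inbound services from "all" to ping.

```junos
## Server-facing port: family inet (not ethernet-switching) so it can share a
## zone with other routed interfaces. 10.10.10.0/24 is a constructed example subnet.
set interfaces ge-0/0/10 unit 0 family inet address 10.10.10.1/24
set security zones security-zone Servers interfaces ge-0/0/10.0 host-inbound-traffic system-services ping

## reth1.100 (from the post) moves out of zone Servers into an assumed zone "ISP".
## Only ping is opened inbound on the ISP side instead of system-services all.
delete security zones security-zone Servers interfaces reth1.100
set security zones security-zone ISP interfaces reth1.100 host-inbound-traffic system-services ping

## Source NAT: server addresses are rewritten to the egress interface address,
## i.e. 100.100.100.3 on reth1.100, as traffic leaves towards the ISP zone.
set security nat source rule-set servers-to-isp from zone Servers
set security nat source rule-set servers-to-isp to zone ISP
set security nat source rule-set servers-to-isp rule snat-servers match source-address 10.10.10.0/24
set security nat source rule-set servers-to-isp rule snat-servers then source-nat interface

## A NAT rule does not permit traffic by itself; a security policy is still required.
## "application any" is used here only to keep the example short.
set security policies from-zone Servers to-zone ISP policy servers-out match source-address any
set security policies from-zone Servers to-zone ISP policy servers-out match destination-address any
set security policies from-zone Servers to-zone ISP policy servers-out match application any
set security policies from-zone Servers to-zone ISP policy servers-out then permit

## Verification from operational mode after commit (output not reproduced here):
## the session table should list sessions from 10.10.10.0/24 with the
## translated source 100.100.100.3 on the reth1.100 leg.
## show security nat source rule all
## show security flow session source-prefix 10.10.10.0/24
```

If the servers should instead be reachable from the ISP side on fixed addresses, that is static or destination NAT rather than the source NAT shown here, and the host-inbound services on reth1.100 should still stay as narrow as the design allows.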