SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Questions about SRX1400 active/passive cluster

    Posted 01-02-2014 05:38

    Hi!

    I have no experience with SRX clusters. I have done a lot of SSG clusters, and a lot of standalone SRX. I have two SRX1400 in my lab, and I've made a config that seems to work. But as I'm quite inexperienced with this, I would love it if someone could tell me if I have done something stupid before it's put into production...

    Here's my config (it's all of it, but it's only the clustering parts that are interesting so far).

     

    groups {
        node0 {
            system {
                host-name SRX1400-1;
                backup-router 10.10.10.1 destination [ 0.0.0.0/1 128.0.0.0/1 ];
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.10.10.15/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name SRX1400-2;
                backup-router 10.10.10.1 destination [ 0.0.0.0/1 128.0.0.0/1 ];
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.10.10.16/24;
                        }
                    }
                }
            }
        }
    }
    apply-groups "${node}";
    system {
        root-authentication {
            encrypted-password "$1$Uso07km7$ILmpww1TjYgMua7XWlyJj.";
        }
        name-server {
            8.8.8.8;
        }
        login {
            user user {
                full-name "user1";
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "blablabla";
                }
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface fxp0.0;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
    }
    chassis {
        cluster {
            control-link-recovery;
            reth-count 1;
            redundancy-group 0 {
                node 0 priority 129;
                node 1 priority 128;
            }
            redundancy-group 1 {
                node 0 priority 129;
                node 1 priority 128;
                interface-monitor {
                    xe-0/0/8 weight 255;
                    xe-0/0/9 weight 255;
                }
            }
        }
    }
    interfaces {
        xe-0/0/8 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        xe-0/0/9 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/0;
                }
            }
        }
        reth0 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
                minimum-links 1;
            }
            unit 100 {
                description LAN;
                vlan-id 100;
                family inet {
                    address 10.20.30.1/24;
                }
            }
            unit 101 {
                description Mgmt;
                vlan-id 101;
                family inet {
                    address 10.10.10.3/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.10.10.1;
        }
    }
    security {
        zones {
            security-zone trust {
                interfaces {
                    reth0.100;
                    reth0.101;
                }
            }
        }
    }

     


    Two questions: first, is this ok? Second, on the switch I have the two 10gigs from each SRX as a trunk. It seems to work, but is that expected? Can either xe-0/0/8 or xe-0/0/9 be removed with no noticeable impact? Or is this supposed to be done another way? Have I misunderstood the concept of reth? The plan is to have all traffic over reth0 with lots of different vlans (about 200 in total).

    Would really appreciate opinions.



  • 2.  RE: Questions about SRX1400 active/passive cluster

    Posted 01-02-2014 11:38

    Hi

     

    - You need to configure something for fab1 (= fabric on node 1 - to which port it is connected)?

     

    - I think you need to configure interfaces for node1 so reth1 contains 4 interfaces total. Are you aware of interface renumbering in chassis cluster? If not, post "show interfaces terse" here and I will try to explain.

     

    On the switch, you need to configure 2 separate LAGs having 2 links each (one LAG includes links going to xe-0/0/8 and xe-0/0/9 of cluster (node0), the other LAG includes the other two links (going to node1)).

     

    - Setting weight to 255 may be too tough because it will switch over the RG even if 1 link fails. Is that what you want? If not, set a lower weight, for example 200.

     

    - Consider using the "preempt" option for redundancy group 1 or monitoring the other two links as well (when you configure them).



  • 3.  RE: Questions about SRX1400 active/passive cluster

    Posted 01-03-2014 01:33

    Hi, thanks a lot for your reply! Very helpful 🙂

     

    I was googling "Fabric link status: Down" after I posted this, but before I got your reply. I then understood that fab1 was the fabric on node1. I believed that fab1 was for dual fabric links. Can't quite understand how I missed this - I did read several KBs first.

     

    I then also understood the interface-numbering in chassis cluster. As you suspected, I was not aware of that initially - I thought it was the same as with SSG.

     

    - What does the "preempt" option do? I now have enabled monitoring for all four links. What's better/worse?

     

    - I think I want it to fail over the RG if both links on one node fail. Should weight then be 200, for instance?

     

    Anyways, I have now made some changes, does this look better?

     

    Thank you very much for your good answer - very grateful!

     

    groups {
        node0 {
            system {
                host-name SRX1400-1;
                backup-router 10.10.10.1 destination [ 0.0.0.0/1 128.0.0.0/1 ];
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.10.10.15/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name SRX1400-2;
                backup-router 10.10.10.1 destination [ 0.0.0.0/1 128.0.0.0/1 ];
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.10.10.16/24;
                        }
                    }
                }
            }
        }
    }
    apply-groups "${node}";
    system {
        root-authentication {
            encrypted-password "$1$Uso07km7$ILmpww1TjYgMua7XWlyJj.";
        }
        name-server {
            8.8.8.8;
        }
        login {
            user stianj {
                full-name "user1";
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "blablabla";
                }
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface fxp0.0;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
    }
    chassis {
        cluster {
            control-link-recovery;
            reth-count 1;
            redundancy-group 0 {
                node 0 priority 129;
                node 1 priority 128;
            }
            redundancy-group 1 {
                node 0 priority 129;
                node 1 priority 128;
                interface-monitor {
                    xe-0/0/8 weight 255;
                    xe-0/0/9 weight 255;
                    xe-4/0/8 weight 255;
                    xe-4/0/9 weight 255;
                }
            }
        }
    }
    interfaces {
        xe-0/0/8 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        xe-0/0/9 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        xe-4/0/8 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        xe-4/0/9 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/0;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-4/0/0;
                }
            }
        }
        reth0 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
                minimum-links 1;
                lacp {
                    active;
                }
            }
            unit 100 {
                description LAN;
                vlan-id 100;
                family inet {
                    address 10.20.30.1/24;
                }
            }
            unit 101 {
                description Mgmt;
                vlan-id 101;
                family inet {
                    address 10.10.10.3/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.10.10.1;
        }
    }
    security {
        zones {
            security-zone trust {
                interfaces {
                    reth0.100;
                    reth0.101;
                }
            }
        }
    }

     



  • 4.  RE: Questions about SRX1400 active/passive cluster
    Best Answer

    Posted 01-03-2014 13:03

    Hi

     

    Looks better.

     

    With your current config, failure of either xe-0/0/8 or xe-0/0/9 will make the RG1 fail over to node 1. If you set weight = 200 for all links, both xe-0/0/8 and xe-0/0/9 need to fail for this switchover to happen.

     

    Now the question is - what if xe-0/0/8 and xe-0/0/9 recover (go up again) while xe-4/0/8 and xe-4/0/9 go down when RG1 is primary on node1? With your initial config (monitoring only 2 interfaces), RG1 will stay on node1, dropping all traffic. To solve the problem, either monitor links on node1 (as you do now) or use "preempt", which will switch RG1 over to node0 as soon as links xe-0/0/8 and/or xe-0/0/9 recover. Or do both.

     

    I recommend that you play with this in the lab for a while; it usually takes me 2-3 hours to explain all the SRX clustering theory and there is no chance to type all that here. But I hope you get the idea. If you have a specific question, let me know.



  • 5.  RE: Questions about SRX1400 active/passive cluster

    Posted 01-05-2014 12:40

    Hi!

     

    Thanks again. All of what you write makes perfect sense 🙂 Just one more question. With the interface-monitoring on all four interfaces with weight 200 - what happens if one interface on each node goes down?

     

    Ok, even one more question, it seems... Sorry about that! As you can see from my last config, I have this in my reth0 definition:

     

            redundant-ether-options {
                redundancy-group 1;
                minimum-links 1;
                lacp {
                    active;
                }
            }

    Is this redundant in a reth-interface?

     

    Last, the gratuitous-arp-count setting, what's the default, and what's the best value for it?

     

    Thank you very much again, I think I have it under control now 🙂



  • 6.  RE: Questions about SRX1400 active/passive cluster

    Posted 01-05-2014 15:04

    Hi

     

    With the interface-monitoring on all four interfaces with weight 200 - what happens if one interface on each node goes down -> nothing happens (no switchover, no priority change) because the threshold value of 0 will not be reached (it will be equal to 255-200=55 on both nodes, by the way).

     

    Not sure about the second question; minimum-links 1 is the default so you can skip this setting. LACP is not used by default, so you enable it when needed.

     

    Default number of G-ARPs is 4 and it is usually ok to leave this default.

     

    Good luck with your cluster and do not hesitate to ask further questions, I'm happy to assist.
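
The failover arithmetic discussed in replies 4 and 6 (threshold 255, minus the weight of each monitored link that is down, failover at 0, and "preempt" pulling the RG back to the higher-priority node) can be worked through with the small model below. It is an added illustration, not code from the thread or from Juniper; the node, interface and weight values mirror the poster's config, and the threshold/preempt rules are modelled as the replies describe them, not taken from a Junos reference.

```python
"""Model of how a Junos chassis-cluster redundancy group (RG) picks its
primary node, following the rules given in the replies above.
Assumptions of this model (not a Junos reference): each node starts the RG
with a threshold of 255; every monitored link that is down on a node
subtracts its weight; at 0 the node can no longer hold the RG; without
"preempt" the RG stays where it is once the failed node recovers."""

RG_THRESHOLD = 255

# Priorities from the poster's 'redundancy-group 1' block.
PRIO = {"node0": 129, "node1": 128}


def node_threshold(monitored_links, down_links):
    """Remaining threshold on one node: 255 minus the weights of its
    monitored links ({ifname: weight}) that are in down_links."""
    lost = sum(w for ifname, w in monitored_links.items() if ifname in down_links)
    return max(0, RG_THRESHOLD - lost)


def rg_primary(monitored, priorities, down_links, current, preempt=False):
    """Return the node holding the RG after the given link states.
    monitored: {node: {ifname: weight}}, like 'interface-monitor' per node
    down_links: set of interface names that are operationally down
    current: node that was primary before the event"""
    healthy = {n for n in priorities
               if node_threshold(monitored.get(n, {}), down_links) > 0}
    if not healthy:
        return current                      # both at 0: nowhere better to go
    if current not in healthy:
        return max(healthy, key=priorities.get)   # forced failover
    if preempt:
        best = max(healthy, key=priorities.get)
        if priorities[best] > priorities[current]:
            return best                     # higher-priority node takes it back
    return current                          # no preempt: stay even if peer recovered


def monitor_all(weight):
    """Monitoring of all four reth0 members, as in the second config."""
    return {"node0": {"xe-0/0/8": weight, "xe-0/0/9": weight},
            "node1": {"xe-4/0/8": weight, "xe-4/0/9": weight}}


# First config: only node0's links are monitored, at weight 255.
MONITOR_NODE0_ONLY = {"node0": {"xe-0/0/8": 255, "xe-0/0/9": 255}, "node1": {}}
```

With weight 200 one link down on each node leaves both nodes at 55 and the RG stays on node0, while the reply-4 scenario (RG on node1, node0 links back up, node1 links down) only returns to node0 when node1's links are monitored or preempt is set.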