SRX Services Gateway
Contributor
raj_bjs77
Posts: 29
Registered: ‎05-28-2011
0

Redundancy between SRX and 2 core switches

Hi,

 

We have 1 SRX 650 with 4 gig ports. We have 2 core switches below this that have VRRP for the users.

 

I want to connect both core uplinks to 2 interfaces on the SRX so that one uplink is backup to the other.

 

I understand this will form a loop. Can this be achieved in some way using 1 SRX with 2 interfaces?

 

 

Raj

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009
0

Re: Redundancy between SRX and 2 core switches

I may be remembering incorrectly, but I'm pretty sure the 4 onboard ports on the SRX 650 do not support "family ethernet-switching," so you can't have a layer 2 connection that uses both links, nor run spanning tree on them for loop prevention or use aggregate interfaces.

 

With the onboard ports only, you'll have to create 2 separate routed links to your core switches.  You can then set two static default routes, one to each core switch, and you can use a qualified next-hop with a preference for one link.  If it fails, it will take the secondary route to the other core/link.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Contributor
raj_bjs77
Posts: 29
Registered: ‎05-28-2011
0

Re: Redundancy between SRX and 2 core switches

Hi,

 

I am going to use OSPF between the SRX and core switches for route learning. Do you have some config for the same in my scenario?

 

Raj

Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008
0

Re: Redundancy between SRX and 2 core switches

Hi Raj

 

Below is a sample configuration for your requirement. Kindly note that I am assuming that you are using VLAN load balancing, meaning some of the VLAN gateways are master on core switch-1 and some are master on core switch-2. But if all the VLAN gateway IPs are master on core switch 1 or 2, then in the OSPF configuration below use metric 5 for all VLANs on core switch-1 and metric 10 for all VLANs on core switch-2.

 

Configuration on SRX-650

--------------------------------------

set interfaces ge-0/0/0 description "Connected to Core-SW1"
set interfaces ge-0/0/0.0 family inet address 1.1.1.2/30

set interfaces ge-0/0/1 description "Connected to Core-SW2"
set interfaces ge-0/0/1.0 family inet address 2.2.2.2/30

set protocols ospf area 0 interface ge-0/0/0.0
set protocols ospf area 0 interface ge-0/0/1.0

 

 

Configuration on Core Switch-1

------------------------------------------

# Assuming that core switch-1 is master for VLAN 2, so lower metric
set protocols ospf area 0 interface vlan.2 passive
set protocols ospf area 0 interface vlan.2 metric 5
.
.
.
.
# Assuming that core switch-1 is backup for VLAN 10, so higher metric
set protocols ospf area 0 interface vlan.10 passive
set protocols ospf area 0 interface vlan.10 metric 10

set routing-options static route 0/0 next-hop 1.1.1.2 

 

 

 

Configuration on Core Switch-2

------------------------------------------

set interfaces ge-0/0/1 description "Connected to SRX"
# Core switch-2 end of the 2.2.2.0/30 link to SRX ge-0/0/1
set interfaces ge-0/0/1.0 family inet address 2.2.2.1/30

# Assuming that core switch-2 is backup for VLAN 2, so higher metric
set protocols ospf area 0 interface vlan.2 passive
set protocols ospf area 0 interface vlan.2 metric 10
.
.
.
.
# Assuming that core switch-2 is master for VLAN 10, so lower metric
set protocols ospf area 0 interface vlan.10 passive
set protocols ospf area 0 interface vlan.10 metric 5

set routing-options static route 0/0 next-hop 2.2.2.2



HTH

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution".Kudos are always appreciated!
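A consistency check for the routed-uplink design described in the post above, as an added example that is not part of the original thread. It parses set-style configuration for the three devices and flags OSPF statements on interfaces that have no address, static next-hops that are not on a connected subnet, and the same address configured on two devices. The `lint` helper, the core-switch uplink name `ge-0/0/0.0` and the sample text (with deliberate slips seeded in) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample configs (set-style, same addressing plan as the thread),
# with deliberate slips seeded on the SRX and on Core-SW2.
CONFIGS = {
    "SRX": """
set interfaces ge-0/0/0.0 family inet address 1.1.1.2/30
set interfaces ge-0/0/1.0 family inet address 2.2.2.2/30
set protocols ospf area 0 interface ge-0/0/0.0
set protocols ospf area 0 interface ge-1/0/0.0
""",
    "Core-SW1": """
set interfaces ge-0/0/0.0 family inet address 1.1.1.1/30
set protocols ospf area 0 interface ge-0/0/0.0
set routing-options static route 0/0 next-hop 1.1.1.2
""",
    "Core-SW2": """
set interfaces ge-0/0/0.0 family inet address 1.1.1.1/30
set protocols ospf area 0 interface ge-0/0/0.0
set routing-options static route 0/0 next-hop 2.2.2.2
""",
}
ADDR = re.compile(r"set interfaces (\S+) family inet address (\S+)")
OSPF = re.compile(r"set protocols ospf area \S+ interface (\S+)$", re.M)
HOP = re.compile(r"next-hop (\S+)")

def lint(configs):
    """Return a list of findings for a dict of {device: set-style config}."""
    findings, owners = [], defaultdict(list)
    for dev, text in configs.items():
        ifaces = {n: ipaddress.ip_interface(a) for n, a in ADDR.findall(text)}
        for ifc in ifaces.values():
            owners[ifc.ip].append(dev)
        for name in OSPF.findall(text):  # active (non-passive) OSPF interfaces
            if name not in ifaces:
                findings.append(f"{dev}: OSPF on {name}, which has no inet address")
        for hop in map(ipaddress.ip_address, HOP.findall(text)):
            if not any(hop in i.network and hop != i.ip for i in ifaces.values()):
                findings.append(f"{dev}: next-hop {hop} is not on a connected subnet")
    for ip, devs in owners.items():
        if len(devs) > 1:
            findings.append(f"{ip} configured on {' and '.join(devs)}")
    return findings

if __name__ == "__main__":
    for finding in lint(CONFIGS):
        print(finding)
```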
Contributor
raj_bjs77
Posts: 29
Registered: ‎05-28-2011
0

Re: Redundancy between SRX and 2 core switches

Thanks. Will try and let you know. I am going to use a /30 subnet between these interfaces.

 

Raj

Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008
0

Re: Redundancy between SRX and 2 core switches

Just one last note: when the interface between Core-SW1 and the SRX is down, all the master VRRP gateway IPs of the VLANs should switch to Core-SW2. So on both Core-SW1 and Core-SW2, track the interfaces connected to the SRX under the VRRP instances. For example:

 

set interfaces vlan.2 family inet address 10.10.10.2/24 vrrp-group 2 track interface ge-0/0/0 (Interface connected to SRX)

 

Cheers !!

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008
0

Re: Redundancy between SRX and 2 core switches

Kindly modify the VRRP on both core switches as below. Suppose VLAN 2 is master on Core Switch-1. When the interface of Core Switch-1 connected to the SRX is down, its VRRP priority should be lower than the VRRP priority on Core Switch-2 for VLAN 2, so that VRRP shifts to Core Switch-2:

 

On Core Switch-1

------------------------

 

set interfaces vlan.2 family inet address 10.10.10.2/24 vrrp-group 2 virtual-address 10.10.10.1 priority 200 track interface ge-0/0/0 priority-cost 100

 

On Core Switch-2

-------------------------

 

# Core Switch-2 needs its own address in the VLAN; 10.10.10.3 is used here as an example
set interfaces vlan.2 family inet address 10.10.10.3/24 vrrp-group 2 virtual-address 10.10.10.1 priority 150 track interface ge-0/0/0

 

HTH

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.