SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Chassis Cluster connects to Nexus 6k via VPC - Issues

    Posted 12-08-2016 00:20

    Hi All, 

     

    I have configured 2 SRX as a chassis cluster (Active/Standby) and then connected them to 2 Nexus 6k; there are 4 10G links forming 2 vPCs. Please find the topology below: 

     

    [Image: SRX to Nexus.png]

     

    I just used the reth8 interface in the SRX cluster; it bundles 4 interfaces (xe-1/0/0, xe-1/0/1, xe-9/0/0, xe-9/0/1). I enabled vlan-tagging on reth8, and reth8.10 has vlan-id 10 and IP 192.168.0.168, set up for the trust zone. 

     

    In nexus, the IPs are: 

    Nexus 1 - vlan 10 is 192.168.0.251 (HSRP primary)

    Nexus 2 - vlan 10 is 192.168.0.252 (HSRP standby)

    HSRP vlan 10 - 192.168.0.253

     

    Now, after the setup, I observed some issues, not sure why: 

    1. I find vPC 7 is up while vPC 8 is down; more specifically: 

      Nexus 1 interface E1/7 is up

      Nexus 1 interface E1/8 is down - hot standby in bundle

      Nexus 2 interface E1/7 is up

      Nexus 2 interface E1/8 is down - hot standby in bundle

      Nexus 1 and 2: Both vPC 8 (interface port-channel 8) is shown DOWN - no operational member

     

    So it looks like all interfaces connecting to SRX node 1 are DOWN. But why?

     

    2. Issue with ping: 

      From Nexus 1 - I can ping reth8.10 IP 192.168.0.168

      From Nexus 2 - I CANNOT ping reth8.10 IP 192.168.0.168

      From SRX - I can ping Nexus 1 vlan 10 IP 192.168.0.251 and HSRP IP 192.168.0.253

      From SRX - I CANNOT ping Nexus 2 vlan 10 IP 192.168.0.252

     

    This is very strange ... not sure why?

     

    3. Link change made changes ...

    I just shut down the following interfaces: 

      Nexus 1 interface E1/7

      Nexus 2 interface E1/8

     

    And waited for a moment, then no shut them. After a while, I observed: 

      Nexus 1 interface E1/7 is down - hot standby in bundle

      Nexus 1 interface E1/8 is up

      Nexus 2 interface E1/7 is down - hot standby in bundle

      Nexus 2 interface E1/8 is up

      Nexus 1 and 2: Both vPC 7 (interface port-channel 7) is shown DOWN - no operational member

     

    And now I can ping Nexus 2 vlan 10 IP 192.168.0.252 from SRX !!!

     

    -----------------------------------------------------------------------------------------------

     

    The above is very strange ... can someone assist me to understand? Much appreciated!

     

    Cook



  • 2.  RE: SRX Chassis Cluster connects to Nexus 6k via VPC - Issues

    Posted 12-08-2016 00:25

    Attachment - Configuration

    Nexus 1: 

    interface port-channel7
      description Uplink Firewall Node0
      switchport mode trunk
      switchport access vlan 10
      switchport trunk native vlan 999
      spanning-tree port type edge trunk
      vpc 7

     

    interface port-channel8
      description Uplink Firewall Node1
      switchport mode trunk
      switchport access vlan 10
      switchport trunk native vlan 999
      spanning-tree port type edge trunk
      vpc 8

     

    interface Ethernet1/7
      description Juniper Firewall Node0
      no cdp enable
      switchport mode trunk
      switchport access vlan 10
      switchport trunk native vlan 999
      channel-group 7 mode active

     

    interface Ethernet1/8
      description Juniper Firewall Node1
      no cdp enable
      switchport mode trunk
      switchport access vlan 10
      switchport trunk native vlan 999
      channel-group 8 mode active

     

    interface Vlan10
      no shutdown
      no ip redirects
      ip address 192.168.0.251/24
      ip unreachables
      ip pim sparse-mode
      hsrp version 2
      hsrp 10
        preempt
        priority 110
        ip 192.168.0.253

     

    Nexus 2: 

    interface port-channel7
      description Uplink Firewall Node0
      switchport mode trunk
      switchport access vlan 10
      switchport trunk native vlan 999
      spanning-tree port type edge trunk
      vpc 7

     

    interface port-channel8
      description Uplink Firewall Node1
      switchport mode trunk
      switchport access vlan 10
      switchport trunk native vlan 999
      spanning-tree port type edge trunk
      vpc 8

     

    interface Ethernet1/7
      description Juniper Firewall Node0
      no cdp enable
      switchport mode trunk
      switchport access vlan 10
      switchport trunk native vlan 999
      channel-group 7 mode active

     

    interface Ethernet1/8
      description Juniper Firewall Node1
      no cdp enable
      switchport mode trunk
      switchport access vlan 10
      switchport trunk native vlan 999
      channel-group 8 mode active

     

    interface Vlan10
      no shutdown
      no ip redirects
      ip address 192.168.0.252/24
      ip unreachables
      ip pim sparse-mode
      hsrp version 2
      hsrp 10
        preempt
        ip 192.168.0.253



  • 3.  RE: SRX Chassis Cluster connects to Nexus 6k via VPC - Issues

    Posted 12-08-2016 00:30

    Attachment - Configuration

    SRX: 

    set chassis cluster redundancy-group 0 node 0 priority 100
    set chassis cluster redundancy-group 0 node 1 priority 1
    set chassis cluster redundancy-group 1 node 0 priority 100
    set chassis cluster redundancy-group 1 node 1 priority 1
    set chassis cluster redundancy-group 1 preempt

     

    set chassis cluster reth-count 1

     

    set interfaces xe-1/0/0 gigether-options redundant-parent reth8
    set interfaces xe-1/0/1 gigether-options redundant-parent reth8
    set interfaces xe-9/0/0 gigether-options redundant-parent reth8
    set interfaces xe-9/0/1 gigether-options redundant-parent reth8

     

    set interfaces reth8 redundant-ether-options redundancy-group 1
    set interfaces reth8 vlan-tagging
    set interfaces reth8 unit 10 vlan-id 10 family inet address 192.168.0.168/24

    set interfaces reth8 redundant-ether-options minimum-links 1
    set interfaces reth8 redundant-ether-options lacp passive
    set interfaces reth8 redundant-ether-options lacp periodic slow

     

    set chassis cluster redundancy-group 1 interface-monitor reth8 weight 255
    set chassis cluster control-link-recovery

     

    set security zones security-zone trust

    set security zones security-zone trust interfaces reth8.10

    set security zones security-zone trust interfaces reth8.10 host-inbound-traffic system-services ping



  • 4.  RE: SRX Chassis Cluster connects to Nexus 6k via VPC - Issues

    Posted 12-08-2016 04:24

    Hello,

    You have to regroup the links in the LACP bundle on the Nexus side.

    Please see this KB for supported/non-supported SRX LACP topologies:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB22474

    HTH

    Thx

    Alex



  • 5.  RE: SRX Chassis Cluster connects to Nexus 6k via VPC - Issues

    Posted 12-08-2016 05:54

    Hi Alex, 

    Thanks for your reply, I have read the link you sent. 

     

    The difference is, I have 2 Nexus. So if I want to regroup:

     

    node 0 connects to Nexus 1 on Eth7 and Eth8 via vPC

    node 1 connects to Nexus 2 on Eth7 and Eth8 via vPC

     

    So my question is, how many ports will be up? All 4 ports?

     

    Thanks,

     

    Cook

     



  • 6.  RE: SRX Chassis Cluster connects to Nexus 6k via VPC - Issues
    Best Answer

    Posted 12-08-2016 06:49
    On the SRX side, I think redundancy group 1 should monitor member interfaces, not the reth. Should the member interfaces on node 0 go down, you want the redundancy group to fail over to node 1.

    Your set up, IMO, should work, and it almost seems like something is miscabled. While you're missing pings, can you pull up the MAC address table? Under normal conditions, the SRX MAC address should only show up on vPC 7.

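One way to script the MAC-table check suggested above, as an added example that is not part of the thread: it parses constructed NX-OS "show mac address-table" output from both switches and flags any switch where the reth8 MAC is learned in VLAN 10 on a port other than Po7 (the bundle for node 0). The reth MAC and the table rows are made-up sample values.

```python
import re

# Constructed sample output in NX-OS "show mac address-table" layout; the MAC,
# VLAN and port values are made up here, not taken from the thread. The reth MAC
# is an assumed value (read the real one from "show interfaces reth8" on the SRX).
RETH8_MAC = "0010.dbff.1008"

NEXUS1_MAC_TABLE = """\
   VLAN     MAC Address      Type      age     Secure NTFY Ports
*   10     0010.dbff.1008   dynamic  0         F      F    Po7
*   10     0000.0c9f.f00a   dynamic  0         F      F    vPC Peer-Link
"""

# Peer switch: here the same MAC is learned on Po8, the bundle meant for the
# standby node, which is the kind of mismatch that points at cabling.
NEXUS2_MAC_TABLE = """\
   VLAN     MAC Address      Type      age     Secure NTFY Ports
*   10     0010.dbff.1008   dynamic  0         F      F    Po8
*   20     0010.dbff.1008   dynamic  0         F      F    Po7
"""

# One data row: optional '*', VLAN, MAC, then Type/age/Secure/NTFY, then Ports.
ENTRY_RE = re.compile(
    r"^\*?\s+(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<port>\S.*?)\s*$", re.I)

def parse_mac_table(text):
    """Return (vlan, mac, port) for each data row; header lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            rows.append((int(m["vlan"]), m["mac"].lower(), m["port"]))
    return rows

def check_reth_mac(tables, mac, expected_port, vlan):
    """Per switch: 'ok' if the MAC is learned only on expected_port in vlan."""
    findings = {}
    for switch, text in tables.items():
        ports = sorted({p for v, m, p in parse_mac_table(text)
                        if m == mac.lower() and v == vlan})
        unexpected = [p for p in ports if p != expected_port]
        if not ports:
            findings[switch] = "MAC not learned in VLAN %d" % vlan
        elif unexpected:
            findings[switch] = "MAC learned on %s, expected only %s" % (
                ", ".join(unexpected), expected_port)
        else:
            findings[switch] = "ok"
    return findings
```

Run it with `check_reth_mac({"Nexus 1": NEXUS1_MAC_TABLE, "Nexus 2": NEXUS2_MAC_TABLE}, RETH8_MAC, "Po7", 10)`; a MAC that is missing entirely, or learned on Po8, is the condition to investigate.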

  • 7.  RE: SRX Chassis Cluster connects to Nexus 6k via VPC - Issues

    Posted 12-08-2016 11:42
    Many thanks for your reply,

    As for the MAC, when I tried to ping reth8.10 192.168.0.168 from Nexus 2 vlan 10 192.168.0.252 - although the ping fails, I can see the correct SRX MAC in Nexus 2 - exactly the same MAC as in Nexus 1.

    Do not understand why ping fails ...


  • 8.  RE: SRX Chassis Cluster connects to Nexus 6k via VPC - Issues

    Posted 12-08-2016 11:45

    Is the MAC learned from the vpc 7 interface on Nexus 2?



  • 9.  RE: SRX Chassis Cluster connects to Nexus 6k via VPC - Issues

    Posted 12-08-2016 19:52

    I have just tested and it is getting the MAC from vPC 7 ...



  • 10.  RE: SRX Chassis Cluster connects to Nexus 6k via VPC - Issues

    Posted 12-13-2016 21:01

    Hi All,

     

    Just let you know the issue has been resolved.

     

    Now all 4 ports are shown up and all pings are successful.

     

    The reason was due to the incorrect cabling ...