Visitor
Posts: 3
Registered: ‎06-02-2017
0 Kudos
Accepted Solution

SRX240 cluster with LACP through a Cisco switch

Hi everyone!

I would like to ask for some help. We are trying to put together 2 SRX240 firewalls in a cluster with a Cisco switch between them and with LACP between them on the reth interfaces. 

The control and the fabric link won't work through the switch, only when we connect them together. The management link works fine through the switch. Also the LACP won't aggregate; there's no connection between the two firewalls through these links.

Here is the config from the SRXs and the switch:

set groups node0 interfaces fxp0 unit 0 family inet address 10.X.Y.2/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.X.Y.3/24


set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/14 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/15 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/15 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/14 weight 255

set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic protocols all
set security zones security-zone MGMT interfaces reth1.100
set security zones security-zone MGMT interfaces reth1.104
set security zones security-zone MGMT interfaces reth1.108
set security zones security-zone MGMT interfaces reth1.254

set interfaces ge-0/0/14 gigether-options redundant-parent reth1
set interfaces ge-0/0/15 gigether-options redundant-parent reth1
set interfaces ge-5/0/14 gigether-options redundant-parent reth1
set interfaces ge-5/0/15 gigether-options redundant-parent reth1
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2

set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options minimum-links 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow

set interfaces reth1 unit 100 vlan-id 100
set interfaces reth1 unit 100 family inet address 10.X.Y.1/24
set interfaces reth1 unit 104 vlan-id 104
set interfaces reth1 unit 104 family inet address 10.X.Y.1/22
set interfaces reth1 unit 108 vlan-id 108
set interfaces reth1 unit 108 family inet address 10.X.Y.1/23
set interfaces reth1 unit 254 vlan-id 254
set interfaces reth1 unit 254 family inet address 10.X.Y.1/24

vlan 100
 name MGMT
vlan 104
 name whatever
vlan 108
 name whatever108
vlan 33 
 name control
vlan 34
 name fabric
vlan 254
 name vlan254


interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
!
interface Port-channel20
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 33
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 34
 switchport mode access
!

interface GigabitEthernet0/13
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet0/14
 switchport access vlan 33
 switchport mode access
!
interface GigabitEthernet0/15
 switchport access vlan 34
 switchport mode access

interface GigabitEthernet0/37
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 10 mode active
!
interface GigabitEthernet0/38
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 10 mode active
!

interface GigabitEthernet0/47
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 20 mode active
!
interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 20 mode active
!

interface Vlan100
 ip address 10.X.Y.50 255.255.255.0
!
ip default-gateway 10.X.Y.1

And here is how the devices are connected together:

Juniper SRX 240 primary side:

SRX -> Cisco SW
ge-0/0/0 -> GigabitEthernet0/1 (mgmt)
ge-0/0/1 -> GigabitEthernet0/2 (control)
ge-0/0/2 -> GigabitEthernet0/3 (fabric)
ge-0/0/14 -> GigabitEthernet0/37 (lacp)
ge-0/0/15 -> GigabitEthernet0/38 (lacp)

Juniper SRX 240 secondary:

ge-0/0/0 -> GigabitEthernet0/13 (mgmt)
ge-0/0/1 -> GigabitEthernet0/14 (control)
ge-0/0/2 -> GigabitEthernet0/15 (fabric)
ge-0/0/14 -> GigabitEthernet0/47 (lacp)
ge-0/0/15 -> GigabitEthernet0/48 (lacp)

So what am I missing? Are the fabric and control links not supposed to be access ports but rather trunk ports?

I'd appreciate any help and thanks for your help in advance.

Best regards,

Tihi

Distinguished Expert
Posts: 1,098
Registered: ‎08-29-2013
0 Kudos

Re: SRX240 cluster with LACP through a Cisco switch

On the switch, for the control and fab VLANs, disable igmp-snooping and make the MTU 9014 (or the max available) to allow jumbo frames. This change needs to be made at the physical interface level on all member interfaces of the control and fab VLANs.

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Visitor
Posts: 3
Registered: ‎06-02-2017
0 Kudos

Re: SRX240 cluster with LACP through a Cisco switch

Sorry for not getting back to you sooner but I could only try this now.

I set the system mtu routing 9198 on the switch and also the system mtu jumbo to 9198 but it didn't work.

Once the firewalls were connected to the switch, the control and fabric links were lost and never came back. Eventually the secondary firewall rebooted for reasons unknown.

Contributor
Posts: 80
Registered: ‎12-01-2015
0 Kudos

Re: SRX240 cluster with LACP through a Cisco switch

You need to set it to active and fast:

set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast

We have a bunch of Cisco and Junos and I have never had this fail me.

I admit I have never tried it on a reth, but the above should fix you.


Example:

show configuration interfaces ae1 | display set
Jun 07 12:16:09
set interfaces ae1 description "upplink to CORE VIA FEXs rack SA2&3"
set interfaces ae1 aggregated-ether-options minimum-links 1
set interfaces ae1 aggregated-ether-options link-speed 1g
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members all
set interfaces ae1 unit 0 family ethernet-switching native-vlan-id 2
set interfaces ae1 unit 0 family ethernet-switching filter output COS-Switch

{master:0}


> show lacp interfaces
Jun 07 12:18:18
Aggregated interface: ae1
LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
ge-0/1/0 Actor No No Yes Yes Yes Yes Fast Active
ge-0/1/0 Partner No No Yes Yes Yes Yes Slow Active
ge-0/1/1 Actor No No Yes Yes Yes Yes Fast Active
ge-0/1/1 Partner No No Yes Yes Yes Yes Slow Active
LACP protocol: Receive State Transmit State Mux State
ge-0/1/0 Current Slow periodic Collecting distributing
ge-0/1/1 Current Slow periodic Collecting distributing

show lacp statistics interfaces ae1
Jun 07 12:20:57
Aggregated interface: ae1
LACP Statistics: LACP Rx LACP Tx Unknown Rx Illegal Rx
ge-0/1/0 586616 19727 0 0
ge-0/1/1 586613 19729 0 0

show lacp statistics interfaces ge-0/1/0
Jun 07 12:21:17
Aggregated interface: ae1
LACP Statistics: LACP Rx LACP Tx Unknown Rx Illegal Rx
ge-0/1/0 586636 19727 0 0
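A way to catch the mismatch this thread turns on before cabling anything, as an added example that is not from any of the posts: a Python check (helper names srx_lacp, switch_lag and check_lag are my own; the config excerpts are constructed from the thread) that reads the Junos "set" lines and the IOS interface blocks and reports whether a reth/Port-channel pair has an active LACP end and matching timers.

```python
import re

# Constructed excerpts of the thread's two configs (addresses omitted), not the poster's full config.
SRX_CFG = """set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow
"""
SWITCH_CFG = """interface Port-channel10
 switchport mode trunk
interface GigabitEthernet0/37
 channel-group 10 mode active
interface GigabitEthernet0/38
 channel-group 10 mode active
"""

def srx_lacp(cfg, reth):
    # Junos 'set' lines: LACP mode (off unless configured) and periodic timer (slow by default).
    pfx = rf"set interfaces {reth} redundant-ether-options lacp "
    mode = re.search(pfx + r"(active|passive)\b", cfg)
    per = re.search(pfx + r"periodic (fast|slow)", cfg)
    return (mode.group(1) if mode else "off", per.group(1) if per else "slow")

def switch_lag(cfg, po_id):
    # IOS config: mode and LACP rate of every member port of channel-group po_id.
    # 'lacp rate fast' sits on the physical port; the default rate 'normal' equals Junos 'slow'.
    modes, rates = set(), set()
    for block in re.split(r"^interface ", cfg, flags=re.M)[1:]:
        m = re.search(rf"channel-group {po_id} mode (\S+)", block)
        if m:
            modes.add(m.group(1))
            rates.add("fast" if re.search(r"^\s*lacp rate fast", block, re.M) else "slow")
    return modes, rates

def check_lag(srx_cfg, switch_cfg, reth, po_id):
    # Findings for one reth <-> channel-group pair; an empty list means it should bundle cleanly.
    mode, periodic = srx_lacp(srx_cfg, reth)
    modes, rates = switch_lag(switch_cfg, po_id)
    if not modes:
        return [f"Port-channel{po_id}: no member ports carry channel-group {po_id}"]
    findings = []
    # LACP only negotiates when at least one end actively sends LACPDUs.
    if mode != "active" and "active" not in modes:
        findings.append(f"{reth}: no active end ({mode} vs {sorted(modes)}), bundle never negotiates")
    elif mode != "active":
        findings.append(f"{reth}: lacp is '{mode}'; set 'lacp active' as the thread recommends")
    # LACP tolerates a timer mismatch, but the thread's working setup runs fast on both ends.
    if rates != {periodic}:
        findings.append(f"{reth}: periodic '{periodic}' vs switch lacp rate {sorted(rates)}")
    return findings
```

Run check_lag(SRX_CFG, SWITCH_CFG, "reth1", 10) against the original configs and the only finding is the passive reth; after applying "lacp active" and "periodic fast" on the SRX and "lacp rate fast" on the switch member ports it returns an empty list.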

Contributor
Posts: 80
Registered: ‎12-01-2015
0 Kudos

Re: SRX240 cluster with LACP through a Cisco switch

Whoops, I had my Cisco side wrong and forgot the FAST, but it worked still.

We are in a Nexus vPC config; I can confirm this will work on a regular switch as well.

show lacp interfaces
Jun 07 12:28:58
Aggregated interface: ae1
LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
ge-0/1/0 Actor No No Yes Yes Yes Yes Fast Active
ge-0/1/0 Partner No No Yes Yes Yes Yes Fast Active
ge-0/1/1 Actor No No Yes Yes Yes Yes Fast Active
ge-0/1/1 Partner No No Yes Yes Yes Yes Fast Active
LACP protocol: Receive State Transmit State Mux State
ge-0/1/0 Current Fast periodic Collecting distributing
ge-0/1/1 Current Fast periodic Collecting distributing

interface Ethernet180/1/32
description vPC to SW
lacp rate fast
switchport mode trunk
switchport trunk allowed vlan 2,900
channel-group 832 mode active

Hope this helps.

Visitor
Posts: 3
Registered: ‎06-02-2017
0 Kudos

Re: SRX240 cluster with LACP through a Cisco switch

Thanks for your answer, with these tweaks I managed to get the cluster working.

Contributor
Posts: 80
Registered: ‎12-01-2015
0 Kudos

Re: SRX240 cluster with LACP through a Cisco switch

Glad I could help, please mark as solved!! It will help others.