SRX Services Gateway
Visitor
svein-erik
Posts: 4
Registered: ‎09-30-2011

SRX240H chassis cluster configuration

Hi!

 

I'm trying to configure two SRX240H's in an active/passive chassis cluster. I have attached an overview of the setup I'm trying to create.

 

How can I achieve this setup? Is it possible to add multiple interfaces on the same chassis to a reth? My understanding is that it should be possible with JunOS 11.2, but the firewalls were shipped with JunOS 10.3R2.11, so I guess I need to upgrade?

 

The way I'm thinking of doing it is to assign two interfaces from each chassis to the same reth for the trusted zone. This would allow a single switch to fail without needing to failover the firewalls. Is that correct?

 

If you have other comments about the topology, or if you know another way to accomplish the same task, I'd be very thankful!

Trusted Contributor
ttl_expired
Posts: 429
Registered: ‎11-11-2008

Re: SRX240H chassis cluster configuration

Your setup looks good!  I am doing the exact thing you are mentioning, even with the 10.3 code.  I have 4 interfaces as part of my reth groups (2 from each chassis), which then form an LACP LAG to the downstream switch.  The only thing to remember is that the two ports from the Active unit will be one LAG and the 2 ports from the Backup unit will be another LAG from the switch's point of view.

Since you have new units I would upgrade them to 10.4R7 unless you need something specific from 11 code.  If you read through this forum, a lot of users have issues with the 11 series.

Visitor
svein-erik
Posts: 4
Registered: ‎09-30-2011

Re: SRX240H chassis cluster configuration

Thanks!

 

Did you do it with two SRX240's in your setup? How do I set this up in practice? Do I first need to create two LACP LAGs, and then add those to the reth, or will that be taken care of if I add the interfaces directly to the reth?

Trusted Contributor
ttl_expired
Posts: 429
Registered: ‎11-11-2008

Re: SRX240H chassis cluster configuration

I used 650's, which is the same code as 240.  Just create your reth and enable LACP.  The SRX takes care of the rest.  On your switch you will have to create two different LAGs, one going to node 0 and one going to node 1.

It seems strange that the switch end has two distinct LAGs while the SRX has one, but behind the scenes the SRX actually creates the two separate LAGs for you.

Here is my setup example.  I am doing vlan tagging towards my switch so ignore those if your interface is layer 3.

 

reth0 {
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
        lacp {
            active;
        }
    }
    unit 99 {
        vlan-id 99;
        family inet {
            address x.x.x.x;
        }
    }
}
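
An added example, not part of ttl_expired's post or Juniper's documentation: the same reth0 in set-command form, together with the child-link bindings and interface monitoring that the reply leaves out. The member port numbers (ge-0/0/2-3 on node 0, ge-5/0/2-3 on node 1, following SRX240 cluster slot numbering), the priorities, the weights and the 192.0.2.1/24 address are assumptions, as is a Junos release that accepts several child links per node.

```junos
# Constructed example: port numbers, priorities, weights and address are assumptions.

# One reth in this cluster; node 0 is preferred for redundancy group 1.
set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# Two child links per node, all bound to the same reth.
# Cable the ge-0/0/x pair to one LAG on the switch side and the
# ge-5/0/x pair to a second, separate LAG.
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/2 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0

# The reth itself, matching the hierarchy shown in the post.
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp active
set interfaces reth0 unit 99 vlan-id 99
set interfaces reth0 unit 99 family inet address 192.0.2.1/24

# Interface monitoring: the group fails over when the weights of its
# failed links add up to 255 or more. At 128 per link, one dead link
# (128) stays below that; both links on a node (256) cross it.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/2 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 128
```

After committing, `show chassis cluster interfaces` and `show lacp interfaces` show whether each child link has joined reth0 and negotiated LACP with the switch.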

 

Visitor
svein-erik
Posts: 4
Registered: ‎09-30-2011

Re: SRX240H chassis cluster configuration

Thanks for the example!

 

I've read in the feature support guides for JunOS 10.3 and 10.4 that LAGs are unsupported in chassis cluster mode for both SRX240 and SRX650. Seems strange that it would work when it says that it isn't supported, but perhaps I'm not reading it right?

 

The documentation kind of confuses me, because there is a lot of old information floating around.

Visitor
svein-erik
Posts: 4
Registered: ‎09-30-2011

Re: SRX240H chassis cluster configuration

Is it possible to add more than one interface from the same chassis to a reth without using LACP? Simply having only one physical interface from one chassis active, and then failing over to the next physical interface if the link is lost?

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.