SRX

I will try to condense this into a succinct posting.  I am looking for some configuration assistance with a design I am working on.  I am trying to configure an active/passive transparent firewall clusterwith aggregated interfaces in both the trust and untrust side of the firewall.  After some experimentation in the lab and a little research I discovered that the high-end SRX firewalls don't support LACP in transparent (layer 2) mode - I had initially tried

The lacp configuration on the redundant ethernet (reths) didn't work, since lacp is not supported in layer 2 mode, so I reconfigured the cluster to use aggregated ethernet (ae) interfaces.  I have attached diagrams and configuration files showing both the reth interfaces with lacp (which isn't supported) and ae interfaces (which I'm not sure wil even work as designed).  I had to combine the 802.3ad and LACP configurations into one file, since I can only attach three files.

If anybody has done this sort of configuration I would appreciate your input.  Is there a way to configure aggregated interfaces on a transparent cluster?

Regards,

Attachment(s)

Visio-SRX3400 L2 LACP_Forum.pdf   150 KB 1 version

SRX3400 L2 802.3ad + LACP_Forum.txt   10 KB 1 version

Visio-SRX3400 L2 802.3ad_Forum.pdf   150 KB 1 version

Were you able to resolve your issue? I'm attempting a similar configuration and wondering what your resolution was to the issue. LACP is not supported on L2, but were you able to get LAG to work without LACP? Your configuration used ae interfaces on the SRX - you can just use RETH interfaces as these are aggregated ethernets underneath.

GFO

GFO,

Thank you for your response.  I was able to get a working configuration, with the assistance of my local Juniper SE manager, Rapatrick Murrell.  Rapatrick was kind enough to develop a working configuration in his POC lab and share it with me.

I will attach a copy of the working diagram and cluster configuration file.

Regards,