SRX

  • 1.  VLAN routing on SRX 240 Cluster

    Posted 08-10-2015 22:50

    Hi,


    I have an SRX 240 Cluster which is already configured and working. At present I have 4 interfaces configured, one for internet, dmz, test lan and office lan.
    I have to set up vlans for datacenter.

    Management vlan (mgmt) on reth4

    Tenant vlans (for eg tenant16,tenant17,tenant18 and so on) on reth5

     

    Management vlan will be trunked through 2 cisco switches and tenant vlans will be trunked through a Netgear Switch.

     

    I have come up with the below config on my SRX 240 cluster.

     

    set chassis cluster reth-count 9

    # Create redundant interface
    set interfaces ge-0/0/7 gigether-options redundant-parent reth4
    set interfaces ge-5/0/7 gigether-options redundant-parent reth4
    set interfaces ge-0/0/8 gigether-options redundant-parent reth5
    set interfaces ge-5/0/8 gigether-options redundant-parent reth5

    # Monitoring
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/7 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-5/0/7 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/8 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-5/0/8 weight 255

    set interfaces reth4 redundant-ether-options redundancy-group 1
    set interfaces reth5 redundant-ether-options redundancy-group 1

    set interfaces reth4 vlan-tagging
    set interfaces reth4 unit 4000 vlan-id 4000
    set interfaces reth4 unit 4000 family inet address 172.16.0.1/24
    # Place the vlan created in the trust zone
    set security zones security-zone trust interface reth4.4000

    # Set the interface in trunk mode to accept multiple vlans.
    set interfaces reth4.0 family ethernet-switching vlan port-mode trunk

    # Selecting all will allow default vlan 1 which has a huge stp convergence.
    set interfaces reth4.0 family ethernet-switching vlan members mgmt
    # OR
    # Allow all vlans (even future vlans to pass)
    set interfaces reth4.0 family ethernet-switching vlan members all

    set interfaces reth5 vlan-tagging

    set interfaces reth5 unit 16 vlan-id 16
    set interfaces reth5 unit 16 family inet address 10.0.16.0/24

    set interfaces reth5 unit 17 vlan-id 17
    set interfaces reth5 unit 17 family inet address 10.0.17.0/24

    set interfaces reth5 unit 18 vlan-id 18
    set interfaces reth5 unit 18 family inet address 10.0.18.0/24

    # Place the vlan created in the trust zone
    set security zones security-zone trust interface reth5.16
    set security zones security-zone trust interface reth5.17
    set security zones security-zone trust interface reth5.18

    # Set the interface in trunk mode to accept multiple vlans
    set interfaces reth5.0 family ethernet-switching vlan port-mode trunk
    # Allow all vlans (even future vlans to pass)
    set interfaces reth5.0 family ethernet-switching vlan members all

     

    I will be configuring trunks on the Cisco and Netgear switches. I have other vlans like 3999 and 3998 on Netgear Switch which don't need to be routed.

     

    Can anyone tell me if I am on the right track? Or do I need changes? Please help.



  • 2.  RE: VLAN routing on SRX 240 Cluster

     
    Posted 08-10-2015 23:08

    Hello,

     

    In case of reth4 & reth5, we cannot have the same interface family as "inet" and "ethernet-switching". It should work fine with vlan-tagging enabled. You can remove the unit 0 with ethernet switching.

     

    From my lab:

    reth4 {

        vlan-tagging;
        unit 0 {
            ##
            ## Warning: An interface cannot have both family ethernet-switching and vlan-tagging configured
            ##
            family ethernet-switching {
                port-mode trunk;
            }
        }
        unit 400 {
            vlan-id 400;
            family inet {
                address X.X.X.X/24;
            }
        }
    }



  • 3.  RE: VLAN routing on SRX 240 Cluster

    Posted 08-10-2015 23:35

    Thanks a million Joses for your response.

     

    So does that mean I need to remove the below commands from my config?

     

    set interfaces reth4.0 family ethernet-switching vlan port-mode trunk

    set interfaces reth4.0 family ethernet-switching vlan members mgmt

     

    set interfaces reth5.0 family ethernet-switching vlan port-mode trunk

    set interfaces reth5.0 family ethernet-switching vlan members all

     

    Please correct me if I am wrong.



  • 4.  RE: VLAN routing on SRX 240 Cluster

     
    Posted 08-10-2015 23:49

    Hello,

     

    Yes, since that configuration is for Layer 2 trunking (mainly acts like a switch). But if we enable VLAN tagging in SRX with VLAN ID, it should be fine.



  • 5.  RE: VLAN routing on SRX 240 Cluster

    Posted 08-11-2015 00:19

    Alright Sam

     

    Just one more thing. Since there will be 2 ports from the SRX 240 Cluster for each reth, does that mean I will have to configure 2 ports from Netgear Switch and 2 ports from 2 different Cisco Switches as trunk ports?

     

    reth4 --> ge-0/0/7 --> Netgear Switch Port 0/0         Configured as trunk on Netgear

    reth4 --> ge-5/0/7 --> Netgear Switch Port 0/1         Configured as trunk on Netgear

     

     

    reth5 --> ge-0/0/8 --> Cisco Switch 1 GigabitEthernet0/15       Configured as trunk on Cisco Switch 1

    reth5 --> ge-5/0/8 --> Cisco Switch 2 GigabitEthernet0/15       Configured as trunk on Cisco Switch 2

     

    Will this work? I am not sure how the reth interfaces behave. I know that both physical interfaces of the reth are active but only one is used.

     

    Regards,

    Neville



  • 6.  RE: VLAN routing on SRX 240 Cluster
    Best Answer

     
    Posted 08-11-2015 00:28

    Hello,

     

    So the reth interface is like a redundant interface where only one interface will be active at a time from the active node. The other interface will be passive.

     

    I.e.:

     

    reth4 --> ge-0/0/7 --> Netgear Switch Port 0/0         Configured as trunk on Netgear   --> Active

    reth4 --> ge-5/0/7 --> Netgear Switch Port 0/1         Configured as trunk on Netgear   --> Passive

     

    Both the interfaces will not be active at a time.

     

    As per your setup, the 2 ports from Netgear and 2 ports from CISCO should be in the same VLAN (that's the only basic config needed). VLAN tagging comes next if you need multiple tagged packets through the same physical port.

    For that, in SRX we only need to enable VLAN tagging, i.e. it will be acting as L3 VLAN.
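
The conflict raised in the second and fourth replies (an interface with vlan-tagging cannot also carry family ethernet-switching) can be caught before commit by scanning the set commands. The script below is an added example, not code from the thread or from Juniper; `find_conflicts` is a hypothetical helper and the sample is a constructed subset of the commands in the first post.

```python
import re

# Constructed sample: a subset of the set commands from the first post.
SAMPLE = """\
set interfaces reth4 vlan-tagging
set interfaces reth4 unit 4000 vlan-id 4000
set interfaces reth4 unit 4000 family inet address 172.16.0.1/24
set interfaces reth4.0 family ethernet-switching vlan port-mode trunk
set interfaces reth4.0 family ethernet-switching vlan members mgmt
set interfaces reth5 vlan-tagging
set interfaces reth5 unit 16 vlan-id 16
set interfaces reth5 unit 16 family inet address 10.0.16.0/24
set interfaces reth5.0 family ethernet-switching vlan port-mode trunk
set interfaces ge-0/0/7 gigether-options redundant-parent reth4
"""

# Accepts "reth4 unit 0 family X" and the "reth4.0 family X" form used in the post.
UNIT_FAMILY = re.compile(
    r"^set interfaces (\S+?)(?:\.(\d+)| unit (\d+)) family (\S+)")
TAGGING = re.compile(r"^set interfaces (\S+) vlan-tagging\s*$")

def find_conflicts(config_text):
    """Return {interface: [unit, ...]} for each interface that has vlan-tagging
    set and also has a unit configured with family ethernet-switching."""
    tagged = set()
    switching = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TAGGING.match(line)
        if m:
            tagged.add(m.group(1))
            continue
        m = UNIT_FAMILY.match(line)
        if m and m.group(4) == "ethernet-switching":
            unit = m.group(2) or m.group(3)
            switching.setdefault(m.group(1), set()).add(unit)
    return {ifd: sorted(units, key=int)
            for ifd, units in switching.items() if ifd in tagged}

if __name__ == "__main__":
    for ifd, units in find_conflicts(SAMPLE).items():
        for unit in units:
            print(f"{ifd}: vlan-tagging and family ethernet-switching both set")
            print(f"  delete interfaces {ifd} unit {unit} family ethernet-switching")
```
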