SRX Services Gateway

Active/Passive cluster and BGP

05-15-2014 07:45 AM

Dear forums,

 

I'm looking for some configuration advice.

[Image: BGP.png]

It's an HA cluster spread across 2 locations with a 10 Gbit link in between.

The setup is active/passive, which is pretty simple from the LAN side.

However, the WAN failover (with provider-independent IPv4/IPv6 ranges) is a different story.

Here we are going to utilize BGP together with the ISP.

ge-0/0/15 (on node 0) and ge-5/0/15 (on node 1) are going to get IPs assigned to talk with each provider router.

I guess that's the point-to-point peering.

We are getting a private AS and there is one peer AS.

Now I'm not sure where I should put the BGP configuration.

Should I put it in the node/group configuration or in the global cluster configuration?

I want to avoid routing conflicts or any other issues I might be overlooking now.

It would all be active/passive, even the WAN connections.
If the BGP path fails in site A, I'm going to let the boxes fail over using IP monitoring.

Concerning the failover, does BGP graceful-restart come into play somehow?

 

All advice is welcome!

 

Thank you

Re: Active/Passive cluster and BGP

05-15-2014 11:21 AM

Hello there,

This may help

http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-sec...

HTH

Thanks
Alex

Re: Active/Passive cluster and BGP

05-15-2014 06:22 PM

See the example of Using non Reth interfaces for Dual ISP in the chassis cluster configuration guide starting on page 19.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=TN260

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Active/Passive cluster and BGP

05-16-2014 04:25 AM

Thank you both for your replies.

Especially Spuluka, because the document you provided is golden! Very useful info in there.
A must-read for everyone setting up clustering!

However, concerning my setup, I read something bad in the document...

It is possible to combine reth and physical (also called local) interfaces in a cluster.

It is even possible to not use any reth interfaces at all, but this is not recommended due to functionality that may be missed when not using the reth interfaces (e.g. ipsec VPN can only be terminated through reth interfaces; also without reth, existing sessions may be cleared in case one node suffers from a power failure and hence interfaces used in the session are disappearing).

This is not good news for me... The cluster needs to be able to handle IPsec VPNs...

Essentially, the ISP provided me (for example) IP range 1.1.1.1/29 on site A and IP range 2.2.2.1/29 on site B.

I have two scenarios in my head. Local interfaces are not an option, as described in the document provided by Spuluka.

  1. I could put the local interfaces (ge-0/0/15 (site A) and ge-5/0/15 (site B)) each in their own reth interface and then put the reth from site B in a separate RG that is active on site B?
  2. I put both ge-0/0/15 (site A) and ge-5/0/15 (site B) in one reth interface but configure both 1.1.1.x and 2.2.2.x as IPs on that interface.

Do you know another solution? All help is appreciated here!

Re: Active/Passive cluster and BGP

05-16-2014 05:42 PM

I'm surprised by the VPN restriction, I never noticed that before. I've run local interfaces in the cluster but never needed VPN in the same deployment.

Another option may be to create a loopback interface to terminate the VPN if you have an available address in the pool.

Of the two options you list, I think #1 seems more reliable as it can keep both ISP links active and peered at all times when the sites are up. This should improve the failover times.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Active/Passive cluster and BGP

05-18-2014 06:36 AM

I'm almost certain I've configured VPNs onto non-reth interfaces on SRX clusters before, so I wouldn't worry about the doco too much.

There is really no point in using reths on the ISP side in your topology: the upstream is not identical on both sides, so it will never work correctly.

Try VPNs to individual interfaces first.

If your provider is allowing you to advertise both sets of routes out both interfaces (one backing up the other), then as Steve said, configure a loopback interface with an address from your primary range, and let that be the fail-over mechanism (e.g. source all your IPsec from it and let BGP deal with the path the traffic follows). If BGP breaks nicely, this is a really clean, fast fail-over.

If that doesn't work (which would surprise me), you could configure two loopback interfaces, lo0.0 and lo0.1, each with an address from one of your ranges and then just create a primary and a backup VPN tunnel from all of your sites.

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher

Re: Active/Passive cluster and BGP

05-20-2014 12:02 AM

This is a setup that is rather straightforward and that I have had working for some time at my previous job.

What hardware are you using? The naming (ge-0/0/15 and ge-5/0/15) implies SRX240, while the 10G link implies DC gear. (Using non-p2p links requires special handling to not break the cluster links fxp1 and fab0/fab1.)

Now the setup:

Use RETH interfaces towards the inside, and use independent interfaces (ge-0/0/15 and ge-5/0/15) towards the ISP. Two peerings, one on each link, to the same ISP AS. Both active at the same time. Don't tweak BGP timers; use BFD if you need quicker fault detection (apart from link failures, those are almost instantaneous).

IPsec VPN: assign one of your public addresses (announced via BGP) to a lo0 interface. Terminate the IPsec VPN on this lo0. This has been supported on branch SRX forever, and more recently on DC gear.

If you have a strong opinion on which BGP link to use normally (active/passive), you can influence that inbound and outbound with the normal BGP toolset (a subject for another post).

 

 

/Per Westerlund

@PerWesterlund

JNCIP-{ENT,SEC}, JNCIS-SP
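
A configuration sketch of the design Per describes above (local ISP uplinks, one EBGP session per link with BFD, the IPsec endpoint on lo0), added here as an example; it is not taken from the thread or from Juniper documentation. All addresses, AS numbers, policy and gateway names are assumed placeholders, 192.0.2.0/24 stands in for the real advertised /20, and the IKE/IPsec policy bodies are omitted.

```junos
/* Added example (not from the thread). Placeholders: all addresses, AS numbers,
   names; 192.0.2.0/24 stands in for the real /20. Design per the post above:
   local ISP uplinks, one EBGP session per link with BFD, IPsec on lo0. */
interfaces {
    ge-0/0/15 { unit 0 { family inet { address 1.1.1.2/29; } } }   /* site A, node0 */
    ge-5/0/15 { unit 0 { family inet { address 2.2.2.2/29; } } }   /* site B, node1 */
    lo0 { unit 0 { family inet { address 192.0.2.1/32; } } }       /* VPN endpoint */
}
routing-options {
    autonomous-system 65001;                       /* placeholder private AS */
    static { route 192.0.2.0/24 discard; }         /* anchors the prefix we announce */
}
policy-options {
    policy-statement announce-own-prefix {
        term own { from { protocol static; route-filter 192.0.2.0/24 exact; } then accept; }
        term rest { then reject; }                 /* never re-advertise learned routes */
    }
    policy-statement accept-default {
        term def { from { route-filter 0.0.0.0/0 exact; } then accept; }
        term rest { then reject; }                 /* a firewall does not need a full table */
    }
}
protocols {
    bgp {
        group isp {
            type external;
            peer-as 64512;                         /* placeholder ISP AS */
            import accept-default;
            export announce-own-prefix;
            bfd-liveness-detection { minimum-interval 300; multiplier 3; }
            neighbor 1.1.1.1 { local-address 1.1.1.2; }   /* site A peering, both active */
            neighbor 2.2.2.1 { local-address 2.2.2.2; }   /* site B peering, both active */
        }
    }
}
security {
    zones {
        security-zone untrust {
            host-inbound-traffic { system-services { ike; } protocols { bgp; bfd; } }
            interfaces { ge-0/0/15.0; ge-5/0/15.0; lo0.0; }
        }
    }
    ike {
        gateway to-remote-site {
            ike-policy ike-pol;                    /* placeholder, body omitted */
            address 203.0.113.10;                  /* placeholder remote peer */
            external-interface lo0.0;              /* tunnel follows BGP, not a physical link */
        }
    }
}
```

The zone stanza is what makes this work on an SRX: the BGP and BFD sessions and IKE to lo0 only come up once those are allowed under host-inbound-traffic, and the import policy keeps the firewall from taking a full table it does not need.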

Re: Active/Passive cluster and BGP

05-20-2014 02:07 AM

Thanks everyone for your helpful replies.

My lab units are SRX 240s, the real hardware will be SRX 650s.

Terminating the VPNs on a loopback address chosen from the /20 range that will be advertised through BGP will indeed be the best option. This way the tunnels can fail over nicely because the peering addresses aren't identical. We are not even allowed to use the peering addresses for anything other than the peering.

I will need to research more on the BGP stuff since this is pretty new to me, like BFD.

The issue is that my maintenance window is in minutes... Not in hours... It really needs to be plug-and-play.
So I really need to consider all scenarios before I can even think about putting something live.

Re: Active/Passive cluster and BGP

05-20-2014 02:40 AM

It sounds like a really difficult task you have there. If the BGP sessions are not already up and running, and you only have a service window measured in minutes, there is a very high risk of failure.

Having a new BGP peering come up without problems on the first try is unfortunately the exception in my experience. A common scenario is that you do the change at a predetermined time, hopefully with someone from the ISP already on the phone, and then it doesn't work, and then you start trying to fix the problem.

New BGP session in minutes? Yes, it has happened, but rarely. New BGP session not ready within an hour? Yes, that has also happened, but not frequently. It feels like 15 minutes to half an hour until everyone is satisfied and everything is verified is a reasonable expectation if everyone knows what they are doing.

 

/Per Westerlund

@PerWesterlund

JNCIP-{ENT,SEC}, JNCIS-SP

Re: Active/Passive cluster and BGP

05-21-2014 01:42 AM

Does anyone have some clear configuration examples for the BGP advertisement/policies?

I would like to see a clean example because the Juniper documentation is either not enough or overcomplicated.

Re: Active/Passive cluster and BGP

05-21-2014 03:47 AM

Quick update:

So I got the BGP for IPv4 and IPv6 running.

But now I have a different issue.

I wanted to use IP monitoring for RG0/RG1 to initiate a failover when the BGP/ISP fails, but it seems I can only set up IP monitoring from reth interfaces (I don't get why they make that an issue?)

error: conversion error: logical-interface-name: 'ge-5/0/15.0': Must be a redundant ethernet interface
error: logical-interface-name: 'ge-5/0/15.0': Must be a redundant ethernet interface
error: statement creation failed: interface

Since I'm running the BGP from local interfaces I can't monitor the ISP.

Does anyone have a suggestion? I could put the local interfaces in reths in separate RGs and put the RGx active on the other device? This way each ISP-facing interface would be a reth interface and each would be active...
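
The poster's proposal in config form, as an added example that is not from the thread: each ISP uplink becomes a single-member reth in its own redundancy group, because the error above shows that ip-monitoring accepts only reth logical interfaces. Addresses are the thread's example ranges with assumed host numbers, the redundancy-group numbers are assumed, and RG0 and the LAN-side RG1/reth0 are left unchanged.

```junos
/* Added example (not from the thread). The ISP routers 1.1.1.1 and 2.2.2.1 are
   the probe targets; .2 is the reth address and .3 an assumed secondary address
   so the backup node can probe as well. RG0 and the LAN RG1/reth0 are untouched;
   RG2 and RG3 are assumed free. A weight of 150 exceeds the threshold of 100, so
   one lost target subtracts global-weight 255 from the group's priority. */
chassis {
    cluster {
        reth-count 3;                          /* reth0 (LAN) plus reth1/reth2 */
        redundancy-group 2 {                   /* site A uplink, normally node0 */
            node 0 priority 200;
            node 1 priority 100;
            ip-monitoring {
                global-weight 255;
                global-threshold 100;
                family {
                    inet {
                        1.1.1.1 {              /* ISP router, site A */
                            weight 150;
                            interface reth1.0 secondary-ip-address 1.1.1.3;
                        }
                    }
                }
            }
        }
        redundancy-group 3 {                   /* site B uplink, normally node1 */
            node 1 priority 200;
            node 0 priority 100;
            ip-monitoring {
                global-weight 255;
                global-threshold 100;
                family {
                    inet {
                        2.2.2.1 {              /* ISP router, site B */
                            weight 150;
                            interface reth2.0 secondary-ip-address 2.2.2.3;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/15 { gigether-options { redundant-parent reth1; } }
    ge-5/0/15 { gigether-options { redundant-parent reth2; } }
    reth1 { redundant-ether-options { redundancy-group 2; } unit 0 { family inet { address 1.1.1.2/29; } } }
    reth2 { redundant-ether-options { redundancy-group 3; } unit 0 { family inet { address 2.2.2.2/29; } } }
}
```

ip-monitoring changes the priority only of the redundancy group it is configured under, so a failed probe here demotes RG2 or RG3 rather than the LAN-side group, and a reth whose only child interface lives on one node has nothing on the other node to take over. Path switching therefore still has to come from BGP (or BFD) tearing down the dead peering, not from the group moving.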