SRX Services Gateway

SRX chassis cluster and EX4300 and Cisco switches integration (EtherChannel)

Tuesday

Dear All,

I am a beginner with Juniper products.

I would like to request help to find out my network problem.

I have one server and one NAS, with network connectivity as in the design below. I am using a Cisco switch, a Juniper SRX and Junos EX4300 switches.

My first question is: is my design correct or not?

Can I carry firewall traffic with an access port (VLAN 10) in the Cisco switch?

Or do I need to create a trunk and EtherChannel in the Cisco switch also?

I already run EtherChannel in the Junos EX4300 (ae0, ae1).

I already traffic server to NAS. What kind of configuration do I need to access the NAS from the server?

Re: SRX chassis cluster and EX4300 and Cisco switches integration (EtherChannel)

Tuesday

Hi,

 

Access VLAN "VLAN10" is on the Cisco and is not transmitted towards the SRX (no tag).

Since traffic will be untagged, reth0.0 should accept the same.

 

Regards,

 

Rahul

Re: SRX chassis cluster and EX4300 and Cisco switches integration (EtherChannel)

Wednesday

To answer your queries:

1. I don't see any issue with your design.

2. There is no need to configure a trunk between Cisco and SRX as you have only one VLAN of traffic.

3. You have to configure security policies to allow the traffic between Server and NAS.

 

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790), CCIE RS #48338
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX chassis cluster and EX4300 and Cisco switches integration (EtherChannel)

Wednesday

Hello there,

 

Here are my thoughts on your setup:

1. The first question is whether your design is correct or not.

=> Although it looks okay to me, I am wondering how you are connecting the NAS server to the virtual chassis. I see two links coming out of the NAS. Does your NAS server have 2 NICs with the same IP address?

2. Can I carry the firewall traffic with an access port on the Cisco switch?

=> Is your reth0 interface tagged with any vlan-id? If yes, then the Cisco port facing the SRX will need to be a trunk; otherwise access is fine. In either case, the Cisco port facing 10.1.1.3 can still be access without any problem.

3. What kind of configuration do I need to access the NAS from the server?

=> Assuming that you are trying to access the NAS server from the 10.1.1.3 device, you would need the following:

A. 10.1.1.3 should have a route to 10.1.2.2 pointing towards 10.1.1.1.

B. 10.1.2.2 should have a route to 10.1.1.3 pointing towards 10.1.2.1.

C. Config on SRX:

i) The SRX needs to have a security policy to allow traffic from the zone of reth0 towards the zone of reth1. Based on what protocol you are using to access the NAS (let's assume for now it's SMB), your policy would need the "junos-smb" / "junos-smb-session" applications to be allowed. You can also customize the application as per your need.

ii) You may need to have a policy in the reverse direction if you expect sessions to start from the NAS towards 10.1.1.3 too.

iii) Since reth1 has 2 links to each node, I would also advise you to run LACP on reth1 and the connected virtual chassis. [NOT MANDATORY]

iv) Also, try to configure both reth0 and reth1 in the same redundancy group to ensure that the file transfers avoid crossing fabric links on the SRX. Crossing fabric links generally slows down throughput. [NOT MANDATORY]

 

 

Hope this helps.

 

Thanks and Good Luck!
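
The three-device build-out described in the reply above, as an added example (my own configuration, not the thread's or Juniper's): one consistent set of Junos commands for the SRX chassis cluster and for the EX4300 virtual chassis. Interface names, VLAN IDs, node priorities, the address-book names and the choice of SMB as the file protocol are assumptions chosen to fit the thread's addressing (10.1.1.0/24 behind reth0, 10.1.2.0/24 behind reth1). Two caveats the thread only touches on: LACP only forms when at least one side is active (passive on both ends never bundles), so the SRX side is set to active here; and an untagged reth0 only lines up with Cisco access ports in VLAN 10, because a Cisco trunk carries the SRX's untagged frames in the trunk's native VLAN (VLAN 1 by default), not in VLAN 10.

```junos
## Added example (not the thread's own config). Interface names, VLAN IDs,
## priorities and the SMB choice are assumptions matching the thread's addressing.

## ===== SRX chassis cluster (node 1 ports carry the FPC offset, xe-7/0/x) =====
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
## reth0 and reth1 share RG1 so a Server<->NAS session enters and leaves on the
## same node instead of crossing the fabric link
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
## Fail RG1 over when a node loses its Cisco-facing uplink, not only on node death
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/18 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-7/0/18 weight 255

## reth0 -> Cisco: one link per node, untagged, so the Cisco ports are plain
## access ports in VLAN 10 (no trunk and no EtherChannel needed on that side)
set interfaces xe-0/0/18 gigether-options redundant-parent reth0
set interfaces xe-7/0/18 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.1.1.1/24

## reth1 -> EX4300 VC: two links per node, bundled with LACP. At least one side
## of a LACP link must be active; passive/passive never comes up.
set interfaces xe-0/0/16 gigether-options redundant-parent reth1
set interfaces xe-0/0/17 gigether-options redundant-parent reth1
set interfaces xe-7/0/16 gigether-options redundant-parent reth1
set interfaces xe-7/0/17 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp active
set interfaces reth1 redundant-ether-options lacp periodic slow
set interfaces reth1 unit 0 family inet address 10.1.2.1/24

## Zones: ping is allowed to the reth addresses so reachability can be tested
## from the server, the NAS or a laptop on the EX; nothing else is host-inbound
set security zones security-zone trust interfaces reth0.0 host-inbound-traffic system-services ping
set security zones security-zone NAS-NET interfaces reth1.0 host-inbound-traffic system-services ping
set security zones security-zone trust address-book address server 10.1.1.3/32
set security zones security-zone NAS-NET address-book address nas 10.1.2.2/32

## Policy: Server -> NAS, SMB only, host to host, instead of any/any/any.
## Return traffic rides the session; a reverse policy is only needed for
## sessions the NAS itself initiates.
set applications application-set smb-apps application junos-smb
set applications application-set smb-apps application junos-smb-session
set security policies from-zone trust to-zone NAS-NET policy server-to-nas match source-address server
set security policies from-zone trust to-zone NAS-NET policy server-to-nas match destination-address nas
set security policies from-zone trust to-zone NAS-NET policy server-to-nas match application smb-apps
set security policies from-zone trust to-zone NAS-NET policy server-to-nas then permit
set security policies from-zone trust to-zone NAS-NET policy server-to-nas then log session-close

## ===== EX4300 virtual chassis (ELS syntax) =====
set chassis aggregated-devices ethernet device-count 2
set vlans NAS vlan-id 20
## ae0 = the two links to SRX node 0, ae1 = the two links to SRX node 1 (one LAG
## per SRX node, as in the thread). Member port names are assumptions.
set interfaces xe-0/2/0 ether-options 802.3ad ae0
set interfaces xe-0/2/1 ether-options 802.3ad ae0
set interfaces xe-1/2/0 ether-options 802.3ad ae1
set interfaces xe-1/2/1 ether-options 802.3ad ae1
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp active
## Untagged access ports in VLAN NAS, matching the untagged reth1.0
set interfaces ae0 unit 0 family ethernet-switching interface-mode access
set interfaces ae0 unit 0 family ethernet-switching vlan members NAS
set interfaces ae1 unit 0 family ethernet-switching interface-mode access
set interfaces ae1 unit 0 family ethernet-switching vlan members NAS
## NAS port (a single NAS NIC is assumed here)
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members NAS
```

On the Cisco side the two SRX-facing ports therefore stay `switchport mode access` / `switchport access vlan 10`. If they must be trunks, either add `switchport trunk native vlan 10` or tag reth0 instead (`set interfaces reth0 vlan-tagging`, move the address to `unit 10 vlan-id 10`, put reth0.10 in the zone, and allow VLAN 10 on the Cisco trunk). Before relying on the predefined SMB applications, confirm which ports they cover on your release with `show configuration groups junos-defaults applications application junos-smb` (and the same for junos-smb-session).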

Re: SRX chassis cluster and EX4300 and Cisco switches integration (EtherChannel)

Thursday

I am considering running NIC teaming in the NAS, but I am concerned about this. Can I use the same IP address with two NICs?

Or do I not need to run EtherChannel in the EX4300 for the NAS?

Is your reth0 interface tagged with any vlan-id?

=> The reth0 interface is not tagged with any vlan-id.

I configured as below in the SRX. But I cannot ping NAS to Server and Server to NAS even though I created an any-to-any access rule. So I thought my design is wrong.

 

set interfaces xe-0/0/16 gigether-options redundant-parent reth1
set interfaces xe-0/0/17 gigether-options redundant-parent reth1
set interfaces xe-0/0/18 gigether-options redundant-parent reth0
set interfaces xe-7/0/16 gigether-options redundant-parent reth1
set interfaces xe-7/0/17 gigether-options redundant-parent reth1
set interfaces xe-7/0/18 gigether-options redundant-parent reth0
set interfaces fab0 fabric-options member-interfaces ge-0/0/11
set interfaces fab1 fabric-options member-interfaces ge-7/0/11
set interfaces fxp0 unit 0 family inet
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.1.1.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow
## reth1 address as posted read "10.1.1.2.1/24", which is not a valid IPv4 prefix and would not commit; 10.1.2.1/24 is the gateway address used elsewhere in the thread
set interfaces reth1 unit 0 family inet address 10.1.2.1/24

 

Re: SRX chassis cluster and EX4300 and Cisco switches integration (EtherChannel)

Thursday
Are you able to ping the server and the NAS from the SRX?
Thanks,
Nellikka

Re: SRX chassis cluster and EX4300 and Cisco switches integration (EtherChannel)

Thursday
I cannot ping now and am still troubleshooting.
Another problem is I cannot use J-Web from the management fxp.

Re: SRX chassis cluster and EX4300 and Cisco switches integration (EtherChannel)

Thursday
Is it possible to share the SRX full config?
Thanks,
Nellikka

Re: SRX chassis cluster and EX4300 and Cisco switches integration (EtherChannel)

Friday

Dear All,

Please see the attachment below. I am using fiber links to connect the switches and the firewall.

I tried my best. I got the error below.

When I assign access mode in the Cisco switch, my server can reach the firewall. But if I change both Ten 1/1/1 and 1/1/2 to trunk ports, the server cannot reach the firewall.

  • So let me know, do I need to change reth0 to trunk also?

The NAS Junos switches cannot reach the firewall. When I check the EtherChannel, it is OK.

But I cannot reach firewall reth1 from the NAS switch.

  • So do I need to assign trunk on ae0 and ae1?

Do I need to trunk reth1?

Now I assign IP addresses to both reth1 and reth0.

Let me know, even though I didn't use EtherChannel (I removed two cables), should it be OK?

 

 

Re: SRX chassis cluster and EX4300 and Cisco switches integration (EtherChannel)

Friday

1. There is no need to configure a trunk between the SRX and the Cisco switch since you have only one VLAN.

2. Allow VLAN NAS on the ae0 and ae1 interfaces of the EX switch. There is no need to configure a trunk between the SRX and the EX switch since you have only one VLAN.

set interfaces ae0 unit 0 family ethernet-switching vlan members NAS
set interfaces ae1 unit 0 family ethernet-switching vlan members NAS

 

3. reth0 is part of the trust security zone and reth1 is part of the NAS-NET security zone. There is no security policy configured from trust to NAS-NET to allow the traffic from the Server to the NAS. Configure the policy:

 

## "security" is required at the top of the hierarchy for these to load as set commands
set security policies from-zone trust to-zone NAS-NET policy default-permit match source-address any
set security policies from-zone trust to-zone NAS-NET policy default-permit match destination-address any
set security policies from-zone trust to-zone NAS-NET policy default-permit match application any
set security policies from-zone trust to-zone NAS-NET policy default-permit then permit

Thanks,
Nellikka

Re: SRX chassis cluster and EX4300 and Cisco switches integration (EtherChannel)

Saturday

Hi ,

Thanks. I already added a rule for that traffic, but my NAS cannot reach FW reth1.

So I thought something in my config is wrong.

Even though I plug my laptop into the EX switches and ping the FW, my laptop cannot reach the firewall. I already added host-inbound-traffic in the firewall.
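
A troubleshooting sequence for the symptom in the post above (a host on the EX cannot ping reth1), as an added example that is not part of the thread: it works outward from the cluster state through LACP and the VLAN path to the zone and policy, so a cabling or LAG problem is not mistaken for a policy problem. The addresses are the thread's; the trace-file name and the sample TCP ports are assumptions.

```junos
## Added example (not from the thread). Operational commands unless marked
## "set"; addresses are the thread's, file name and sample ports are assumptions.

## 1. Is the cluster healthy, and which node currently owns RG1 (and so reth0/reth1)?
##    Pings to a reth only answer on the node that holds the RG.
show chassis cluster status
show chassis cluster interfaces

## 2. Are the LACP bundles actually up? Child links must show Collecting and
##    Distributing on both partners. A partner stuck in "defaulted" with both
##    ends configured passive means nobody is sending LACPDUs.
show lacp interfaces reth1
show interfaces reth1 terse
##    ...and on the EX4300 side, the LAG state and the VLAN membership of ae0/ae1:
show lacp interfaces ae0
show lacp interfaces ae1
show vlans NAS

## 3. Does the SRX learn the NAS at layer 2 at all? An ARP entry here proves the
##    VLAN/LAG path end to end; no entry points back at the switch or tagging.
show arp interface reth1.0
ping 10.1.2.2 source 10.1.2.1 count 3

## 4. Is ping permitted inbound on the zone, and does the server->NAS policy
##    match the real 5-tuple (TCP/445 assumed for SMB, source port arbitrary)?
show security zones NAS-NET
show security match-policies from-zone trust to-zone NAS-NET source-ip 10.1.1.3 destination-ip 10.1.2.2 protocol tcp source-port 50000 destination-port 445
show security flow session destination-prefix 10.1.2.2

## 5. If 1-4 look fine but packets still vanish, trace the flow for just these two
##    hosts (configure, commit, reproduce, read "show log nas-flow.log", then delete
##    the traceoptions so they do not keep consuming CPU and disk).
set security flow traceoptions file nas-flow.log size 1m
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter to-nas source-prefix 10.1.1.3/32 destination-prefix 10.1.2.2/32
set security flow traceoptions packet-filter from-nas source-prefix 10.1.2.2/32 destination-prefix 10.1.1.3/32
```

Step 3 is the pivot: if the SRX can ARP for and ping the NAS from reth1 but the laptop on the EX cannot ping reth1, the fault is on the inbound side (zone host-inbound-traffic, or the laptop sitting in a different VLAN than the LAG), not in the cluster or the LAG.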