SRX Services Gateway

SRX340 Virtual Chassis & BGP

2 weeks ago

Hi all,

 

We're about to migrate our datacenter equipment from Ubiquiti to Juniper and I'm preparing the migration and configuration.

A little bit of context:

- Two SRX340's

- Two fiber uplinks to our carrier (BGP - advertising default routes)

- Two switches with on every switch the ethernet interfaces from the servers

 

What we want to achieve is high availability on both the WAN and LAN side. Currently I have the following design in mind:

- Two SRX340 in chassis cluster connected to each other (RE redundancy)

- On every node one BGP uplink (same peer AS) (WAN side redundancy)

- On every node an Ethernet link to the switch with VRRP (LAN side redundancy)

 

Regarding this, I have the following questions:

1. Is this design something that can work?

2. How does chassis clustering work with physical interfaces for WAN and LAN? I read something about redundancy groups, should we keep that in mind?

3. Are there some configuration examples that we can study?

 

Thanks!


Re: SRX340 Virtual Chassis & BGP

2 weeks ago

Hi TechDev,

 

Please refer to the following PDF which gives a basic understanding of chassis cluster deployment and behavior - https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide.pdf

 

Although the above document is specific to datacenter SRX series device configuration, the behavior is the same for branch series SRX as well.

 

Instead of achieving LAN side redundancy via VRRP, we can configure RGs on both the LAN and WAN side for redundancy purposes. In a nutshell, we will be aggregating one physical interface from Node0 and another physical interface from Node1, forming a reth interface (pseudo-interface) and putting that reth interface into a Redundancy Group (RG). You will get to know this once you go through the above document.

 

For detailed understanding about chassis cluster, please refer to the following technical document - https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-overview...



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX340 Virtual Chassis & BGP

2 weeks ago

Hi noobmaster,

 

Thanks for the quick response!

I like your suggestion with the aggregation in one reth, but how would you set up both links then if they have their own WAN facing IP?

Our uplink carrier gives us 5.x.x.186 for uplink 1 and 5.x.x.184 for uplink 2, so I thought that I should connect uplink 1 to node 0 and set the IP address on the physical interface and the same thing for the second... Can that also be achieved with a reth?

 

Thanks!


Re: SRX340 Virtual Chassis & BGP

2 weeks ago

Hi TechDev,

 

Chassis Cluster provides RE redundancy as you stated (control-plane redundancy); however, for data-plane redundancy you need the Reth interfaces. A reth interface is basically a bundle of 2 interfaces (one from each node), but only the link of one of the nodes is active at a time. This makes sure that if one node goes down (hence its interface), the Reth will continue to be up and the traffic will be processed by the other node. Physically the network will look like this:

 

Topology.PNG

 

But logically/virtually, it will look like there is only one SRX and that each Reth is only one interface:

 

logical.PNG

Reth 0 will be the redundant gateway for the servers that you were looking to get via VRRP. Reth 1 and 2 are the two uplinks towards your ISP that you were looking for, and in this case both uplinks will have physical redundancy.

 

I hope this helps you.

 

Please mark this comment as the Solution if applicable

Re: SRX340 Virtual Chassis & BGP

2 weeks ago

For Chassis Cluster configuration example see below:

 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verifica...

 

Please mark this comment as the Solution if applicable

Re: SRX340 Virtual Chassis & BGP

2 weeks ago
Hey Techdev,

Absolutely. We can achieve your requirement via reth interfaces.

Initially, your understanding was to give the 2 IP addresses to physical interfaces: one for Node 0, another for Node 1.

What I'm proposing is to give the 2 IP addresses to reth interfaces.

Create reth1, which will be an aggregate of two physical interfaces of Node 0 and Node 1, and assign an IP address to it. Then create reth2, following the same process as above.

reth1 = ge-0/0/2 (node0) + ge-0/0/2 (node1)
reth2 = ge-0/0/3 (node0) + ge-0/0/3 (node1)
reth1 = 5.x.x.186
reth2 = 5.x.x.184
RG1 = reth1, reth2

Note: Interface naming convention changes for the secondary node in a chassis cluster. The above example is for illustration purposes.
Please let me know if you require more clarity. I'm happy to help.


Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
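
The reth layout proposed in the reply above, written out as Junos set commands. This is an added example, not part of the original posts or of Juniper's documentation; it assumes node 1's ports appear as ge-5/0/x (the SRX340 cluster renumbering the note refers to), that reth0 is already used on the LAN side, and that the priorities and prefix lengths shown are placeholders.

```junos
# Added example (constructed). Addresses keep the thread's masked form.

# reth0 (LAN) + reth1 + reth2 = three reth interfaces in the cluster
set chassis cluster reth-count 3

# RG1 owns both uplink reths; the node with the higher priority is primary
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# reth1 = ge-0/0/2 (node0) + ge-5/0/2 (node1), carries uplink 1
set interfaces ge-0/0/2 gigether-options redundant-parent reth1
set interfaces ge-5/0/2 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 5.x.x.186/<prefix-length>

# reth2 = ge-0/0/3 (node0) + ge-5/0/3 (node1), carries uplink 2
set interfaces ge-0/0/3 gigether-options redundant-parent reth2
set interfaces ge-5/0/3 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 5.x.x.184/<prefix-length>

# Fail RG1 over to the other node when an uplink member loses link
# (weight 255 means a single monitored link failure triggers failover)
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 255
```

After commit, `show chassis cluster status` and `show chassis cluster interfaces` show which node is primary for RG1 and whether each reth and its member links are up.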

Re: SRX340 Virtual Chassis & BGP

Tuesday

Hi TechDev

 

I can see that the post is not marked as resolved as of yet and I was wondering if you had any luck with the implementation I suggested. If you need further help just let us know.

 

Please mark this comment as the Solution if applicable