SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  lt-0/0/0 interface on SRX345 cluster

    Posted 07-26-2016 09:54

    Hello everyone.

     

    I'm configuring a new SRX345 cluster running 15.1X49-D50.3. 

     

    I'm trying to use an lt-0/0/0 interface so that I can bring up OSPF between my master routing instance and my MPLS routing instance. However, the lt-0/0/0 interface does not even show up when I do show interfaces terse. Any ideas as to what is going on here? Relevant config and show output is below.

     

     


    {primary:node0}[edit]
    root@NU-MDF-SRX345# run show interfaces terse
    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0                up    down
    gr-0/0/0                up    up
    ip-0/0/0                up    up
    ge-0/0/1                up    up
    ge-0/0/2                up    up
    ge-0/0/2.0              up    up   aenet    --> fab0.0
    ge-0/0/3                up    down
    ge-0/0/3.1000           up    down aenet    --> reth1.1000
    ge-0/0/3.1001           up    down aenet    --> reth1.1001
    ge-0/0/3.32767          up    down aenet    --> reth1.32767
    ge-0/0/4                up    down
    ge-0/0/4.1000           up    down aenet    --> reth1.1000
    ge-0/0/4.1001           up    down aenet    --> reth1.1001
    ge-0/0/4.32767          up    down aenet    --> reth1.32767
    ge-0/0/5                up    down
    ge-0/0/5.0              up    down aenet    --> reth2.0
    ge-0/0/6                up    down
    ge-0/0/6.0              up    down aenet    --> reth2.0
    ge-0/0/7                up    down
    ge-0/0/8                up    down
    ge-0/0/9                up    down
    ge-0/0/10               up    down
    ge-0/0/11               up    down
    ge-0/0/12               up    down
    ge-0/0/13               up    down
    ge-0/0/14               up    down
    ge-0/0/15               up    down
    ge-5/0/0                up    down
    ge-5/0/1                up    up
    ge-5/0/2                up    up
    ge-5/0/2.0              up    up   aenet    --> fab1.0
    ge-5/0/3                up    down
    ge-5/0/3.1000           up    down aenet    --> reth1.1000
    ge-5/0/3.1001           up    down aenet    --> reth1.1001
    ge-5/0/3.32767          up    down aenet    --> reth1.32767
    ge-5/0/4                up    down
    ge-5/0/4.1000           up    down aenet    --> reth1.1000
    ge-5/0/4.1001           up    down aenet    --> reth1.1001
    ge-5/0/4.32767          up    down aenet    --> reth1.32767
    ge-5/0/5                up    down
    ge-5/0/5.0              up    down aenet    --> reth2.0
    ge-5/0/6                up    down
    ge-5/0/6.0              up    down aenet    --> reth2.0
    ge-5/0/7                up    down
    ge-5/0/8                up    down
    ge-5/0/9                up    down
    ge-5/0/10               up    down
    ge-5/0/11               up    down
    ge-5/0/12               up    down
    ge-5/0/13               up    down
    ge-5/0/14               up    down
    ge-5/0/15               up    down
    fab0                    up    up
    fab0.0                  up    up   inet     30.17.0.200/24
    fab1                    up    up
    fab1.0                  up    up   inet     30.18.0.200/24
    fxp0                    up    down
    fxp1                    up    up
    fxp1.0                  up    up   inet     129.16.0.1/2
                                       tnp      0x1100001
    fxp2                    up    up
    fxp2.0                  up    up   tnp      0x1100001
    gre                     up    up
    ipip                    up    up
    irb                     up    up
    lo0                     up    up
    lo0.16384               up    up   inet     127.0.0.1           --> 0/0
    lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                                10.0.0.16           --> 0/0
                                                128.0.0.1           --> 0/0
                                                128.0.0.4           --> 0/0
                                                128.0.1.16          --> 0/0
    lo0.32768               up    up
    lsi                     up    up
    mtun                    up    up
    pimd                    up    up
    pime                    up    up
    pp0                     up    up
    ppd0                    up    up
    ppe0                    up    up
    reth0                   up    down
    reth1                   up    down
    reth1.1000              up    down inet     10.10.0.2/30
    reth1.1001              up    down inet
    reth1.32767             up    down
    reth2                   up    down
    reth2.0                 up    down eth-switch
    st0                     up    up
    swfab0                  up    up
    swfab1                  up    up
    tap                     up    up
    vlan                    up    down
    vtep                    up    up
    {primary:node0}[edit]
    root@NU-MDF-SRX345# show interfaces lt-0/0/0
    unit 1 {
        encapsulation ethernet;
        peer-unit 2;
        family inet {
            address 10.10.0.5/30;
        }
    }
    unit 2 {
        encapsulation ethernet;
        peer-unit 1;
        family inet {
            address 10.10.0.6/30;
        }
    }
    {primary:node0}[edit]
    root@NU-MDF-SRX345# show protocols
    ospf {
        area 0.0.0.0 {
            interface lt-0/0/0.1;
        }
    }
    {primary:node0}[edit]
    root@NU-MDF-SRX345# show routing-instances RI-NU-MPLS
    instance-type virtual-router;
    interface lt-0/0/0.2;
    interface reth1.1001;
    routing-options {
        autonomous-system 65010;
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface lt-0/0/0.2;
            }
        }
    }
    {primary:node0}[edit]
    root@NU-MDF-SRX345# show security zones
    security-zone ZONE-NU-TRUST {
        interfaces {
            reth1.1000 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                    }
                    protocols {
                        ospf;
                    }
                }
            }
            lt-0/0/0.1 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                    }
                    protocols {
                        ospf;
                    }
                }
            }
        }
    }
    security-zone ZONE-NU-MPLS {
        interfaces {
            reth1.1001 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                    }
                    protocols {
                        ospf;
                    }
                }
            }
            lt-0/0/0.2 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                    }
                    protocols {
                        ospf;
                    }
                }
            }
        }
    }
    {primary:node0}[edit]
    root@NU-MDF-SRX345# show security policies
    from-zone ZONE-NU-MPLS to-zone ZONE-NU-MPLS {
        policy SECPOL-MPLS-TO-MPLS {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone ZONE-NU-TRUST to-zone ZONE-NU-TRUST {
        policy SECPOL-TRUST-TO-TRUST {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

     



  • 2.  RE: lt-0/0/0 interface on SRX345 cluster

    Posted 07-26-2016 10:15

    Just found this Juniper KB:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28204&actp=RSS

     

    Quote, "As of Junos 12.1X45, logical tunnel (lt-0/0/0) interfaces are supported on Branch SRX platforms in Standalone mode, and are supported in high-end SRX devices in both Standalone and HA mode.

    The interfaces are not supported in SRX Branch devices in Cluster mode."

     

    Looks like they are STILL not supported on 15.1X49-D50.3. 

     

    Ugh.

     



  • 3.  RE: lt-0/0/0 interface on SRX345 cluster
    Best Answer

    Posted 07-26-2016 10:16

    Hi

     

    lt-interfaces are not supported in branch SRX clusters (they are only supported in standalone mode), see

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28204&actp=search



  • 4.  RE: lt-0/0/0 interface on SRX345 cluster

     
    Posted 07-26-2016 21:50

    Hi,

     

    Just wondering if you need tunnel services enabled:

    [edit chassis]
    root@MX# show
    fpc 0 {
        pic 0 {
            tunnel-services {
                bandwidth 1g;
            }
        }
    }

    Not sure if this is required on SRX.

    On MX if tunnel-services is not configured, lt interfaces do not show up:

    root@MX# run show interfaces terse lt-0/0/0
    error: device lt-0/0/0 not found
    
    [edit]
    root@MX# commit 
    commit complete
    
    [edit]
    root@MX# run show interfaces terse lt-0/0/0 
    Interface               Admin Link Proto    Local                 Remote
    lt-0/0/0                up    up
    lt-0/0/0.0              up    up   inet     192.168.100.1/30
    lt-0/0/0.1              up    up   inet     192.168.100.2/30

    Cheers,

    Ashvin



  • 5.  RE: lt-0/0/0 interface on SRX345 cluster

    Posted 07-27-2016 03:33

    That configuration is not required on the SRX.  Pretty sure the issue is the lack of support for the feature in clusters on the SRX branch as noted above.

     

    SRX Logical Tunnel interfaces

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21260
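
The symptom in this thread is a candidate configuration that references lt-0/0/0.1 and lt-0/0/0.2 in OSPF, a routing instance and two security zones while `show interfaces terse` never lists them. The following is an added example, not code from any poster or from Juniper: a small Python check that compares the two. The sample inputs are constructed excerpts of the thread's output, and the interface-name regex is a simplifying assumption.

```python
import re

# Assumption: logical interfaces look like lt-0/0/0.1, reth1.1001 or irb.0.
IFL_RE = re.compile(r"\b([a-z]+(?:-\d+/\d+/\d+|\d*)\.\d+)\b")

# Constructed excerpt of the 'show interfaces terse' output in the first post.
TERSE = """\
Interface               Admin Link Proto    Local                 Remote
reth1                   up    down
reth1.1000              up    down inet     10.10.0.2/30
reth1.1001              up    down inet
st0                     up    up
"""

# Constructed one-line condensation of the stanzas shown in the first post.
CONFIG = """\
protocols { ospf { area 0.0.0.0 { interface lt-0/0/0.1; } } }
routing-instances { RI-NU-MPLS { interface lt-0/0/0.2; interface reth1.1001; } }
security-zone ZONE-NU-TRUST { interfaces { reth1.1000; lt-0/0/0.1; } }
security-zone ZONE-NU-MPLS { interfaces { reth1.1001; lt-0/0/0.2; } }
"""

def operational_interfaces(terse_output):
    """Return the interface names that 'show interfaces terse' lists."""
    names = set()
    for line in terse_output.splitlines():
        fields = line.split()
        # Interface rows are: name, admin state, link state, ...
        # Header and address-continuation rows fail this test and are skipped.
        if len(fields) >= 3 and fields[1] in ("up", "down") and fields[2] in ("up", "down"):
            names.add(fields[0])
    return names

def referenced_interfaces(config_text):
    """Map each logical interface in the config to the lines that reference it."""
    refs = {}
    for line in config_text.splitlines():
        for name in IFL_RE.findall(line):
            refs.setdefault(name, []).append(line.strip())
    return refs

def missing_interfaces(config_text, terse_output):
    """Logical interfaces the config relies on that the device never created."""
    present = operational_interfaces(terse_output)
    return sorted(n for n in referenced_interfaces(config_text) if n not in present)

if __name__ == "__main__":
    refs = referenced_interfaces(CONFIG)
    for name in missing_interfaces(CONFIG, TERSE):
        print(f"{name}: configured but not present; referenced {len(refs[name])} time(s)")
```

A security zone or OSPF area bound to an interface that does not exist never carries traffic, so a check like this catches the unsupported-feature case before the missing adjacency does.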