Juniper SRX Chassis Cluster + LACP Redundant Eth Interfaces

So a co-worker and I spent some time playing around with the ability in JunOS 11 (I believe it came in with 11; correct me if I'm wrong) for reth interfaces to be LACP bundles as well as plain redundant interfaces. It was not immediately clear how the switch had to be set up to make use of this new, awesome feature.

- This was used with an EX4200 virtual chassis and an SRX chassis cluster -

Here is how we got it happily working (assuming you have a chassis cluster up and running):

SRX Config:

set interfaces ge-2/0/0 gigether-options redundant-parent reth1
set interfaces ge-2/0/1 gigether-options redundant-parent reth1
set interfaces ge-2/0/2 gigether-options redundant-parent reth1
set interfaces ge-2/0/3 gigether-options redundant-parent reth1
set interfaces ge-11/0/0 gigether-options redundant-parent reth1
set interfaces ge-11/0/1 gigether-options redundant-parent reth1
set interfaces ge-11/0/2 gigether-options redundant-parent reth1
set interfaces ge-11/0/3 gigether-options redundant-parent reth1

set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive

EX Config (two ae bundles, one per SRX node):

set interfaces ge-0/0/0 ether-options 802.3ad ae1
set interfaces ge-0/0/1 ether-options 802.3ad ae2
set interfaces ge-0/0/2 ether-options 802.3ad ae1
set interfaces ge-0/0/3 ether-options 802.3ad ae2

set interfaces ge-1/0/0 ether-options 802.3ad ae2
set interfaces ge-1/0/1 ether-options 802.3ad ae1
set interfaces ge-1/0/2 ether-options 802.3ad ae2
set interfaces ge-1/0/3 ether-options 802.3ad ae1

set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp active

Now we have LACP bandwidth and redundancy: either the switch or the SRX can die, in theory.

* Have not tested the failover yet, but will before this setup goes to production. Will update the post. *
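An added example (not from the original post): a small Python lint over the two sets of set-commands that flags conditions that keep a reth LACP bundle from coming up: an ae index not covered by `chassis aggregated-devices ethernet device-count`, a missing LACP mode, fewer than two switch bundles, or passive mode on both ends. The sample configs are trimmed, constructed copies of the ones above; the device-count line and the function names are assumptions.

```python
import re

# Constructed sample input: a trimmed copy of the post's SRX and EX set-commands.
# The device-count line is an assumption added to show the check.
SRX = """\
set interfaces ge-2/0/0 gigether-options redundant-parent reth1
set interfaces ge-11/0/0 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive
"""
EX = """\
set chassis aggregated-devices ethernet device-count 2
set interfaces ge-0/0/0 ether-options 802.3ad ae1
set interfaces ge-1/0/0 ether-options 802.3ad ae2
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp active
"""

def lacp_modes(cfg):
    """Map bundle name (rethN or aeN) to its configured LACP mode."""
    pat = r"set interfaces (\S+) (?:redundant|aggregated)-ether-options lacp (active|passive)"
    return dict(re.findall(pat, cfg))

def lint(srx_cfg, ex_cfg):
    """Return a list of problems that would keep the reth LACP links down."""
    problems = []
    srx, ex = lacp_modes(srx_cfg), lacp_modes(ex_cfg)
    bundles = sorted(set(re.findall(r"ether-options 802\.3ad (ae\d+)", ex_cfg)))
    m = re.search(r"aggregated-devices ethernet device-count (\d+)", ex_cfg)
    count = int(m.group(1)) if m else 0
    for ae in bundles:
        # device-count N only creates ae0 .. ae(N-1)
        if int(ae[2:]) >= count:
            problems.append(f"{ae}: device-count {count} does not create it")
        if ae not in ex:
            problems.append(f"{ae}: no lacp mode set")
    if len(bundles) < 2:
        problems.append("switch needs one ae per SRX node (two bundles)")
    for reth in sorted(set(re.findall(r"redundant-parent (reth\d+)", srx_cfg))):
        if reth not in srx:
            problems.append(f"{reth}: no lacp mode set")
        elif srx[reth] == "passive":
            # passive/passive never negotiates: every peer ae must be active
            for ae in bundles:
                if ex.get(ae) == "passive":
                    problems.append(f"{reth}/{ae}: both ends passive")
    return problems

if __name__ == "__main__":
    for p in lint(SRX, EX):
        print(p)
```

With the constructed sample, the lint reports ae2 because device-count 2 only creates ae0 and ae1; raising it to 3 clears the finding.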


This Post Has 10 Comments

  1. We tried the same configuration between an SRX650 cluster and an EX3200 switch but have not succeeded. Aggregated interfaces never came up. Can you suggest anything?

  2. Hi Baris,

    You will need two AEs (ae0 for one SRX and an ae1 for the other SRX) on your ex3200. What does ‘show lacp interfaces’ show? That may also help. Also make sure your AEs on the EX and the reth on the SRX have lacp enabled and are in active mode.

  3. Hi cooper,

    I’ve just implemented this using JunOS 11 on a pair of clustered SRX240s.
    The config seems to apply OK but I can’t get the lacp links to come up. (Connected to EX2200s)

    I don’t know if it’s because I have vlan-tagging enabled on the reth interface. I had this configured with a single physical link and was doing inter-VLAN routing on the single interface. Ideally I’d then like to add more links to increase bandwidth but keep the inter-VLAN routing.

    Have you tried this?

    Thanks for a very helpful post anyway. Much appreciated.

  4. Cooper – just to let you know I got it going…
    It was the EX config that was letting me down. I had not configured the: set chassis aggregated-devices ethernet device-count X
    correctly on the switches so the “other” ae on the switch wasn’t coming up, so the SRX had no chance! 🙂

  5. This is awesome! Exactly what I need for our upcoming project!
    Appreciate it! Hope all will go well.

  6. Hi Cooper,

    I have 2 SRX650s, active/passive, and would like to aggregate the ports connecting to my 2 Cisco switches (3560).

    FW1 – ge2/0/1, ge2/0/9 –0– connected to sw1 gi0/1, gi0/2
    FW2 – ge11/0/1, ge11/0/9 –0– connected to sw2 gi0/1, gi0/2

    The ports will be under reth6 and in the WAN security zone.

    Will this work? Will the fw build the ether-channel per node, whichever firewall is active?

    —–fw1/fw2 cluster———-
    set interfaces ge-2/0/1 gigether-options redundant-parent reth6
    set interfaces ge-2/0/9 gigether-options redundant-parent reth6
    set interfaces ge-11/0/1 gigether-options redundant-parent reth6
    set interfaces ge-11/0/9 gigether-options redundant-parent reth6

    set interfaces reth6 redundant-ether-options redundancy-group 1
    set interfaces reth6 redundant-ether-options lacp active
    set interfaces reth6 unit 0 family inet address 10.163.14.81/28

    set security zones security-zone Regional-WAN screen All-Zone-screen
    set security zones security-zone Regional-WAN host-inbound-traffic system-services all
    set security zones security-zone Regional-WAN host-inbound-traffic protocols all
    set security zones security-zone Regional-WAN interfaces reth6.0

    —-cisco switch——

    sw1
    interface GigabitEthernet0/1
    description Uplink To fw1 ge2/0/1
    switchport access vlan 100
    switchport mode access
    speed 1000
    duplex full
    channel-group 1 mode active
    !
    interface GigabitEthernet0/2
    description Uplink To fw1 ge2/0/9
    switchport access vlan 100
    switchport mode access
    speed 1000
    duplex full
    channel-group 1 mode active

    sw2
    interface GigabitEthernet0/1
    description Uplink To fw2 ge11/0/1
    switchport access vlan 100
    switchport mode access
    speed 1000
    duplex full
    channel-group 1 mode active
    !
    interface GigabitEthernet0/2
    description Uplink To fw2 ge11/0/9
    switchport access vlan 100
    switchport mode access
    speed 1000
    duplex full
    channel-group 1 mode active

  7. Hi Cooper,

    I have almost the same setup: 2x SRX650 active/standby, connected to 2x Cisco switches, and I would like to enable etherchannel.

    fw1 – ge2/0/0, ge2/0/9 –0– sw1 gi0/1 gi0/2
    fw2 – ge11/0/0, ge11/0/9 –0– sw2 gi0/1 gi0/2

    Each 2 ports are assigned to reth6 and the WAN zone.

    My question is: will Juniper be able to detect which group of ports will form the etherchannel connected to the switches?

    —fw1/fw2 cluster———-
    set interfaces ge-2/0/1 gigether-options redundant-parent reth6
    set interfaces ge-2/0/9 gigether-options redundant-parent reth6
    set interfaces ge-11/0/1 gigether-options redundant-parent reth6
    set interfaces ge-11/0/9 gigether-options redundant-parent reth6

    set interfaces reth6 redundant-ether-options redundancy-group 1
    set interfaces reth6 redundant-ether-options lacp active
    set interfaces reth6 unit 0 family inet address 10.163.14.81/28

    set security zones security-zone Regional-WAN screen All-Zone-screen
    set security zones security-zone Regional-WAN host-inbound-traffic system-services all
    set security zones security-zone Regional-WAN host-inbound-traffic protocols all
    set security zones security-zone Regional-WAN interfaces reth6.0
