SRX HA cluster to EX VC question

lrblrb Member Posts: 526
Evening Juniper experts!

We have a client who has a requirement for a Juniper SRX HA cluster which is going to a pair of EX switches (can't remember the model number but it's a copper model with four 10GbE SFPs). I'm not in the office until next week so I can't actually do any of the config but I'm wondering how I set up the redundancy between the SRXs and the EX switches. I have configured the SRX devices in a chassis cluster and the gateway for the subnet will be something like 172.16.128.1/24, which I'll configure under reth1. Now the physical links on the pair of firewalls are part of the redundancy group which reth1 is a member of, but I'm not sure of how I configure the switches (in a VC pair) on the other end. Physically they are connected as per the diagram and the links are trunking a few VLANs up to the firewall, but do I put the interfaces in a single AE interface (i.e. ge-[1,7]/0/[1-2] --> ae0) or do I have to configure the links so that a single AE interface matches the connection to a single one of the firewalls in the cluster (e.g. ge-[1,7]/0/1 --> ae0 --> fw-1, ge-[1,7]/0/2 --> ae1 --> fw-2)? Logically all I want to have is a 'single' switch to a 'single' firewall but am unsure of how this is configured on the switch end.



PS. Sorry for this crappy diagram - the laptop at my GF's house doesn't have Visio or GIMP.

Comments

  • terenteren Member Posts: 30
    It kind of depends on where you want the RVIs to live. It sounds like you want them on the SRX cluster, but putting them on the EXs and just running OSPF would be another option, more of a layer 3 approach. Of course this could get somewhat complicated if you need policies between VLANs, but it still wouldn't be that hard to do with routing-instances.

    With that said, it sounds more like you just want to trunk the VLANs back to the SRX cluster. If that is the case, you can just trunk the RETHs back to trunk ports on the EX and that should accomplish what you want; the SRX will just control which port is active.
  • lrblrb Member Posts: 526
    Yep, I had thought about extending OSPF down to the RVIs on the switches but all it really needs to be is just a trunk up to the SRX cluster. So my understanding after reading the Junos software security guide is that I need to have two AEs on the switch, so:
    • ae0 logically connects to one of the firewalls, and contains the interfaces which physically connect to that individual SRX
    • ae1 logically connects to the other firewall, and contains the other interfaces which physically connect to that individual SRX

    Is that correct? Or do I just need a single AE interface with all the interfaces in it?
  • zoidbergzoidberg Member Posts: 365
    That is correct.
  • lrblrb Member Posts: 526
    Excellent, thanks for the confirmation.

    God damn I'm really starting to love Junos!
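
The two-AE layout confirmed in the thread, sketched as Junos set commands. This is an added example, not configuration posted by any participant. The VLAN name and ID, the SRX child interface names (node 1 numbering depends on the SRX model), the redundancy-group priorities and the use of LACP are assumptions.

```junos
# ---- EX Virtual Chassis (members 1 and 7, ports as in the question) ----
set chassis aggregated-devices ethernet device-count 2

# ae0 = the two links cabled to fw-1, one from each VC member
set interfaces ge-1/0/1 ether-options 802.3ad ae0
set interfaces ge-7/0/1 ether-options 802.3ad ae0
# ae1 = the two links cabled to fw-2
set interfaces ge-1/0/2 ether-options 802.3ad ae1
set interfaces ge-7/0/2 ether-options 802.3ad ae1

# Assumption: LACP on both bundles (must match the reth side below)
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp active

# Assumption: one trunked VLAN named USERS with ID 128
set vlans USERS vlan-id 128
# Both bundles carry the same VLANs. Only the links to the node that is
# primary for the redundancy group forward traffic, which is why the
# switch needs one AE per firewall instead of one AE across both.
# (port-mode is the non-ELS keyword; ELS releases use interface-mode.)
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members USERS
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members USERS

# ---- SRX chassis cluster ----
set chassis cluster reth-count 2
# Assumption: redundancy-group 1 with node 0 preferred
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# Assumed child links: ge-0/0/1-2 on node 0 (fw-1), ge-5/0/1-2 on node 1 (fw-2)
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-0/0/2 gigether-options redundant-parent reth1
set interfaces ge-5/0/1 gigether-options redundant-parent reth1
set interfaces ge-5/0/2 gigether-options redundant-parent reth1

set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp active
# Gateway address from the question, on the assumed VLAN 128
set interfaces reth1 unit 128 vlan-id 128
set interfaces reth1 unit 128 family inet address 172.16.128.1/24
```

On the switch, `show lacp interfaces` and `show interfaces ae0 terse` confirm that each bundle has formed with the intended firewall.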