Sunday, September 24, 2017

Multi-chassis LAG Configuration (LACP)

Before starting the LAG configuration, read the details below.

## Link aggregation group (LAG)
## Link Aggregation Control Protocol (LACP)

When configuring LAGs, consider the following guidelines:

You must configure the LAG on both sides of the link.
You must set the interfaces on either side of the link to the same speed.
You can configure and apply firewall filters on a LAG.
You can optionally configure LACP for link negotiation.
You can optionally configure LACP for link protection.


-------------------------------------------------------For Site A----------------------------------------------------

1. The first step is to specify the number of aggregated interfaces on the switch. This command sets how many bundles (aggregated interfaces) you want to create:

set chassis aggregated-devices ethernet device-count 1

Here we will create one bundle with two Ethernet member links, each from a different Virtual Chassis (VC) member switch.

2. Next, remove the logical unit configuration from the interfaces that are to be bundled, as logical units are not allowed on aggregated member links:

delete interfaces ge-0/0/0 unit 0
delete interfaces ge-1/0/0 unit 0

3. Next, set the interfaces to use LACP (802.3ad) and make them members of a logical aggregated Ethernet port (these ports are named ae*). To associate each physical interface with the aggregated Ethernet interface, enter the following commands:

set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-1/0/0 ether-options 802.3ad ae0


4. Then we need to set the LACP mode for our new aggregated interface. We’ll make the Juniper side Active so that it initiates the transmission of LACP packets:

set interfaces ae0 aggregated-ether-options lacp active


5. Finally, set the aggregated link to be a trunk and tell it which VLANs to trunk. Configure interface parameters such as VLANs, MTU and port-mode on the ae interface:

set interfaces ae0 unit 0 family ethernet-switching port-mode trunk

set vlans NOC vlan-id 10
set vlans IT vlan-id 20
set interfaces ae0 unit 0 family ethernet-switching vlan members IT
set interfaces ae0 unit 0 family ethernet-switching vlan members NOC
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members IT
set interfaces ge-1/0/6 unit 0 family ethernet-switching vlan members IT
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members NOC
set interfaces ge-1/0/5 unit 0 family ethernet-switching vlan members NOC


6. Verifying:
root> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-1/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-1/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/0                  Current   Fast periodic Collecting distributing
      ge-1/0/0                  Current   Fast periodic Collecting distributing
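The step-6 check above can be automated. As an added example (not from the original post and not Junos or Juniper code), the following Python parses `show lacp interfaces` text and reports any member that is Defaulted, out of sync or not collecting/distributing; the sample outputs are constructed after the ae0 bundle shown above, and the regexes and function names are this example's own.

```python
"""Health check for the step-6 `show lacp interfaces` output. The sample text is
constructed after the page's ae0 bundle; regexes and function names are this
example's own, not a Junos or PyEZ API."""
import re
# Constructed: the healthy output shown on the page, both members in sync.
HEALTHY = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-1/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-1/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/0                  Current   Fast periodic Collecting distributing
      ge-1/0/0                  Current   Fast periodic Collecting distributing
"""

# Constructed failure: ge-1/0/0 hears no LACPDUs (Partner Defaulted, mux Detached),
# as when the far end has not put its port into the bundle.
DEGRADED = re.sub(r"(?m)^ +ge-1/0/0 +Partner .*$",
    "      ge-1/0/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive", HEALTHY)
DEGRADED = re.sub(r"(?m)^ +ge-1/0/0 +Current .*$",
    "      ge-1/0/0                Defaulted   Fast periodic               Detached", DEGRADED)

FLAGS = ("Exp", "Def", "Dist", "Col", "Syn", "Aggr")
STATE_RE = re.compile(r"^\s*(\S+)\s+(Actor|Partner)" + r"\s+(No|Yes)" * 6
                      + r"\s+(\S+)\s+(\S+)\s*$")          # ... Timeout Activity
PROTO_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s+(Fast|Slow|No) periodic\s+(.+?)\s*$")

def parse_lacp(output):
    """Return {member: {"Actor": flags, "Partner": flags, "rx": str, "mux": str}}."""
    members = {}
    for line in output.splitlines():
        m = STATE_RE.match(line)
        if m:
            flags = dict(zip(FLAGS, m.groups()[2:8]))
            flags["Activity"] = m.group(10)
            members.setdefault(m.group(1), {})[m.group(2)] = flags
            continue
        m = PROTO_RE.match(line)
        if m and m.group(1) in members:
            members[m.group(1)].update(rx=m.group(2), mux=m.group(4))
    return members

def lacp_problems(output):
    """List what keeps a member out of the bundle; an empty list means ae0 is healthy."""
    members = parse_lacp(output)
    problems = [] if members else ["no LACP member interfaces found"]
    for ifname, info in sorted(members.items()):
        for role in ("Actor", "Partner"):
            flags = info.get(role)
            if flags is None:
                problems.append(f"{ifname}: missing {role} state line")
                continue
            if flags["Def"] == "Yes":
                problems.append(f"{ifname}: {role} Defaulted, no LACPDUs received from peer")
            for flag in ("Syn", "Col", "Dist"):
                if flags[flag] != "Yes":
                    problems.append(f"{ifname}: {role} {flag}=No")
        if info.get("mux") != "Collecting distributing":
            problems.append(f"{ifname}: mux state {info.get('mux', 'unknown')!r}, not forwarding")
        if not any(f["Activity"] == "Active" for r, f in info.items() if r in ("Actor", "Partner")):
            problems.append(f"{ifname}: both ends Passive, nobody initiates LACP")
    return problems
```

Run `lacp_problems()` over the pasted output of both sites; a member that stays Defaulted after the Site B steps usually means the far-end port was not added to the bundle.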


root> show ethernet-switching interfaces

Interface    State  VLAN members        Tag   Tagging  Blocking
ae0.0        up     IT                  20    tagged   unblocked
                    NOC                 10    tagged   unblocked

root> show vlans

Name           Tag     Interfaces
IT             20      ae0.0*, ge-0/0/6.0, ge-1/0/6.0
NOC            10      ae0.0*, ge-0/0/5.0*, ge-1/0/5.0
default
                                ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0,
                                ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0,
                                ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0,
                                ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0,
                                ge-0/0/19.0, ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0,
                                ge-0/0/23.0, ge-0/0/24.0, ge-0/0/25.0, ge-0/0/26.0,
                                ge-0/0/27.0, ge-0/0/28.0, ge-0/0/29.0, ge-0/0/30.0,
                                ge-0/0/31.0, ge-0/0/32.0, ge-0/0/33.0, ge-0/0/34.0,
                                ge-0/0/35.0, ge-0/0/36.0, ge-0/0/37.0, ge-0/0/38.0,
                               ge-0/0/39.0, ge-0/0/40.0, ge-0/0/41.0, ge-0/0/42.0,
                               ge-0/0/43.0, ge-0/0/44.0, ge-0/0/45.0, ge-0/0/46.0,
                               ge-0/0/47.0, ge-1/0/1.0, ge-1/0/2.0, ge-1/0/3.0,
                               ge-1/0/4.0, ge-1/0/7.0, ge-1/0/8.0, ge-1/0/9.0,
                               ge-1/0/10.0, ge-1/0/11.0, ge-1/0/12.0, ge-1/0/13.0,
                               ge-1/0/14.0, ge-1/0/15.0, ge-1/0/16.0, ge-1/0/17.0,
                               ge-1/0/18.0, ge-1/0/19.0

-------------------------------------------------For Site B---------------------------------------------------------

1. The first step is to specify the number of aggregated interfaces on the switch. This command sets how many bundles (aggregated interfaces) you want to create:

set chassis aggregated-devices ethernet device-count 1

Here we will create one bundle with two Ethernet member links, each from a different Virtual Chassis (VC) member switch.

2. Next, remove the logical unit configuration from the interfaces that are to be bundled, as logical units are not allowed on aggregated member links:

delete interfaces ge-0/0/0 unit 0
delete interfaces ge-1/0/0 unit 0

3. Next, set the interfaces to use LACP (802.3ad) and make them members of a logical aggregated Ethernet port (these ports are named ae*). To associate each physical interface with the aggregated Ethernet interface, enter the following commands:

set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-1/0/0 ether-options 802.3ad ae0


4. Then we need to set the LACP mode for our new aggregated interface. We’ll make the Juniper side Active so that it initiates the transmission of LACP packets:

set interfaces ae0 aggregated-ether-options lacp active


5. Finally, set the aggregated link to be a trunk and tell it which VLANs to trunk. Configure interface parameters such as VLANs, MTU and port-mode on the ae interface:

set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set vlans NOC vlan-id 10
set vlans IT vlan-id 20
set interfaces ae0 unit 0 family ethernet-switching vlan members IT
set interfaces ae0 unit 0 family ethernet-switching vlan members NOC
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members IT
set interfaces ge-1/0/6 unit 0 family ethernet-switching vlan members IT
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members NOC
set interfaces ge-1/0/5 unit 0 family ethernet-switching vlan members NOC


6. Verifying:
root> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-1/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-1/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/0                  Current   Fast periodic Collecting distributing
      ge-1/0/0                  Current   Fast periodic Collecting distributing


root> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging  Blocking
ae0.0        up     IT                  20    tagged   unblocked
                    NOC                 10    tagged   unblocked

root> show vlans
Name           Tag     Interfaces
IT             20      ae0.0*, ge-0/0/6.0, ge-1/0/6.0
NOC            10      ae0.0*, ge-0/0/5.0*, ge-1/0/5.0
default
                       ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0,
                       ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0,
                       ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0,
                       ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0,
                       ge-0/0/19.0, ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0,
                       ge-0/0/23.0, ge-0/0/24.0, ge-0/0/25.0, ge-0/0/26.0,
                       ge-0/0/27.0, ge-0/0/28.0, ge-0/0/29.0, ge-0/0/30.0,
                       ge-0/0/31.0, ge-0/0/32.0, ge-0/0/33.0, ge-0/0/34.0,
                       ge-0/0/35.0, ge-0/0/36.0, ge-0/0/37.0, ge-0/0/38.0,
                       ge-0/0/39.0, ge-0/0/40.0, ge-0/0/41.0, ge-0/0/42.0,
                       ge-0/0/43.0, ge-0/0/44.0, ge-0/0/45.0, ge-0/0/46.0,
                       ge-0/0/47.0, ge-1/0/1.0, ge-1/0/2.0, ge-1/0/3.0,
                       ge-1/0/4.0, ge-1/0/7.0, ge-1/0/8.0, ge-1/0/9.0,
                       ge-1/0/10.0, ge-1/0/11.0, ge-1/0/12.0, ge-1/0/13.0,
                       ge-1/0/14.0, ge-1/0/15.0, ge-1/0/16.0, ge-1/0/17.0,
                       ge-1/0/18.0, ge-1/0/19.0

Wednesday, September 20, 2017

HA configuration for Juniper SRX340 Router
HA configuration for SRX340
-------------------------------------------------------------------------------------------------------------

Before configuring my SRX340s as a cluster, remove some configuration items to avoid post-configuration errors. On each SRX do the following:

First, delete all logical interfaces used for the control link/plane (ge-0/0/1) and the data/fabric link/plane (ge-0/0/2).
***Note: The control link and data link interfaces vary between models.

delete system host-name
delete vlans
delete interfaces vlan
delete security
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete interfaces ge-0/0/3 unit 0 family ethernet-switching
delete interfaces ge-0/0/4 unit 0 family ethernet-switching


After this operation, make sure no ethernet-switching configuration is left:
root@srx1# show | match ethernet-switching | count
Count: 0 lines
[edit]
root@srx1#


Then physically connect the two devices and ensure that they are the same model. For example, on the SRX340 Services Gateway, connect the dedicated control ports on node 0 and node 1.
***Note: For SRX300, SRX320, SRX340, and SRX345 devices, connect ge-0/0/1 on node 0 to ge-0/0/1 on node 1.

1. Set the two devices to cluster mode and reboot them. You must enter the following operational mode commands on both devices, for example:

On node 0:
---------------
user@host> set chassis cluster cluster-id 1 node 0 reboot
On node 1:
---------------
user@host> set chassis cluster cluster-id 1 node 1 reboot

#After the reboot, if you check the prompt of srx1 you will see it change as below:

{hold:node0}
root@srx1>
{secondary:node0}
root@srx1>
{primary:node0}
root@srx1>

#Check cluster status:

root@srx1> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   1           primary        no       no
    node1                   1           secondary      no       no

***Note: After clustering occurs, on the SRX340 the ge-0/0/1 interface on node 1 is renumbered to ge-5/0/1.


2. Set up hostnames and management IP addresses for each device using configuration groups, entered on the first node only (srx-nd0). These configurations are specific to each device and unique to its node.

set groups node0 system host-name srx-nd0
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.33.1/24
set groups node1 system host-name srx-nd1
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.33.2/24

3. Set the 'apply-groups' command so that the individual configurations for each node set by the previous commands are applied only to that node.

set apply-groups "${node}"

4. Define the interfaces used for the fab connection (the data-plane links for RTO sync) using physical port ge-0/0/2 on each node. These interfaces must be connected back-to-back. Configure the fabric links on the first node only (srx-nd0):

set interfaces fab0 fabric-options member-interfaces  ge-0/0/2
set interfaces fab1 fabric-options member-interfaces  ge-5/0/2

#After commit, the configuration should sync to the srx-nd1 node as well. Now check the cluster interface status:

root@srx1> show chassis cluster interfaces
Control link 0 name: fxp1
Control link status: Up

Fabric interfaces:
Name    Child-interface    Status
fab0       fe-0/0/5          up
fab0
fab1       fe-2/0/5          up
fab1
Fabric link status: Up



5. Set up redundancy group 0 for the Routing Engine failover properties, and set up redundancy group 1 (all interfaces are in one redundancy group in this example) to define the failover properties for the redundant Ethernet interfaces. A cluster without an RG is useless, so let's create the redundancy groups and test them. RG0 is used for the control plane and RG1 will be our service RG.

set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100



6. Set up interface monitoring to monitor the health of the interfaces and trigger redundancy group failover.

******Note: Juniper does not recommend interface monitoring for redundancy group 0, because an interface flap would then cause the control plane to switch from one node to the other.

set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 255

***Note: Interface failover only occurs after the weight reaches 0.
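To see how the weights in steps 5 and 6 decide a failover, here is an added Python model (not Junos code and not from the original post) of the threshold arithmetic for redundancy-group 1 as configured above, including the RG0 caution from the note; the 128-weight variant and the function names are this example's own assumptions.

```python
"""Model of the page's redundancy-group 1 interface monitoring on the SRX340
cluster. Junos gives every redundancy group a starting threshold of 255; a
monitored interface going down subtracts its weight on that node, and the group
fails over once the threshold reaches 0 (the page's note). This is an added
model for reasoning about weights, not Junos code; the 128-weight variant is a
generalisation not shown on the page."""

THRESHOLD = 255

# From the page: RG1 priorities 200/100, preempt (seen in `show configuration`),
# and weight 255 on each monitored link of both nodes.
RG1 = {
    "priority": {0: 200, 1: 100},
    "preempt": True,
    "interface-monitor": {"ge-0/0/3": 255, "ge-0/0/4": 255,
                          "ge-5/0/3": 255, "ge-5/0/4": 255},
}
# Generalisation (assumed values, not from the page): with weight 128 a single
# link loss leaves threshold 127, so both links on a node must fail.
HALF_WEIGHT = {**RG1, "interface-monitor": {k: 128 for k in RG1["interface-monitor"]}}
NO_PREEMPT = {**RG1, "preempt": False}

def node_of(ifname):
    """SRX340 slot numbering per the page: node 0 owns FPC 0, node 1 owns FPC 5."""
    fpc = int(ifname.split("-", 1)[1].split("/")[0])
    return 0 if fpc == 0 else 1

def node_threshold(rg, node, down):
    """Remaining threshold for `node` after the interfaces in `down` have failed."""
    lost = sum(w for ifn, w in rg["interface-monitor"].items()
               if node_of(ifn) == node and ifn in down)
    return max(THRESHOLD - lost, 0)

def elect_primary(rg, down, current_primary=0):
    """Node that should hold the group. A node at threshold 0 is not eligible; among
    eligible nodes the higher priority wins if preempt is set, otherwise the current
    primary keeps the group. With no eligible node there is nothing to fail over to."""
    eligible = [n for n in rg["priority"] if node_threshold(rg, n, down) > 0]
    if not eligible or (current_primary in eligible and not rg["preempt"]):
        return current_primary
    return max(eligible, key=lambda n: rg["priority"][n])

def monitor_warnings(groups):
    """The page's note: Juniper discourages interface-monitor on RG0, because a
    link flap would then move the control plane between nodes."""
    return ["redundancy-group 0: interface-monitor configured on the control-plane group"
            for rg_id, rg in groups.items() if rg_id == 0 and rg.get("interface-monitor")]

if __name__ == "__main__":
    for down in (set(), {"ge-0/0/3"}, {"ge-0/0/3", "ge-5/0/3"}):
        print(sorted(down) or "all up", "-> node", elect_primary(RG1, down),
              "thresholds", node_threshold(RG1, 0, down), node_threshold(RG1, 1, down))
```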

#Let's check the cluster configuration:
{primary:node0}
root@SRX> show configuration chassis cluster

reth-count 2;
redundancy-group 0 {
    node 0 priority 200;
    node 1 priority 100;
}
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 100;
    preempt;
    interface-monitor {
        ge-0/0/3 weight 255;
        ge-0/0/4 weight 255;
        ge-5/0/3 weight 255;
        ge-5/0/4 weight 255;
    }
}



7. Set up the redundant Ethernet (reth) interfaces and assign each redundant interface to a zone.


set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 198.51.100.1/24

set interfaces  ge-0/0/4 gigether-options redundant-parent reth1
set interfaces  ge-5/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 203.0.113.233/24

set security zones security-zone Trusted
set security zones security-zone Untrusted
set security zones security-zone Trusted host-inbound-traffic system-services all
set security zones security-zone Untrusted host-inbound-traffic system-services all
set security zones security-zone Untrusted interfaces reth1.0
set security zones security-zone Trusted interfaces reth0.0

#If you want to create a subinterface with VLAN tagging, do the following (optional):
set interfaces reth0 vlan-tagging
set interfaces reth0 unit 150 vlan-id 150
set interfaces reth0 unit 150 family inet address 192.168.150.200/24
set interfaces reth1 unit 0 family inet address 10.16.9.1/24

set security zones security-zone Trusted interfaces reth0.150
set security zones security-zone Untrusted interfaces reth1.0



Case 01:
If we deactivate the interface monitor, it does not affect HA.


Verification
------------------------------------------------------------------------------------------------------------

show chassis cluster status
show chassis cluster interfaces
show chassis cluster statistics
show chassis cluster control-plane statistics
show chassis cluster data-plane statistics
show chassis cluster status redundancy-group 1


show configuration
-------------------------------------------------------------------------------------------------------
root@srx# run show configuration
## Last commit: 2017-08-07 16:41:31 GMT+6 by root
version 15.1X49-D90.7;
groups {
    node0 {
        system {
            host-name srx-nd0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.33.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name srx-nd1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.33.2/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    auto-snapshot;
    time-zone GMT+6;
    root-authentication {
        encrypted-password "$5$ZsCeZsruXu$TZ8Kvvzb/mxQOMqf8AxJkFqW.r5OZFnrdagxRl8LSH."; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
    }
}
chassis {
    cluster {
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
            preempt;
            interface-monitor {
                ge-0/0/3 weight 255;
                ge-0/0/4 weight 255;
                ge-5/0/3 weight 255;
                ge-5/0/4 weight 255;
            }
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal;
        security-zone Internet {
            screen untrust-screen;
        }
        security-zone Trusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone Untrusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet;
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 198.51.100.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 203.0.113.233/24;
            }