Monday, November 20, 2017

Configuration of Virtual Chassis Fabric: Use of Provisioning Method







Virtual Chassis Fabric


For QFX5100-24Q (Spine 1):

Before starting the configuration:
Unplug all cables between the spines and leaves.
show chassis hardware

Step 01:

############## For same model switches ############
request virtual-chassis mode fabric reboot
############## For different model switches ############
request virtual-chassis mode fabric mixed reboot

Step 02:

Because we want to set the members (spine and leaf) manually, we have to use the preprovisioned method; otherwise we would use the non-preprovisioned method.

user@Qfx-24Q# set virtual-chassis preprovisioned

Step 03:

Now we have to set each member's role: routing-engine or line-card.

Command syntax:
set virtual-chassis member <member-id> serial-number <serial-number> role (routing-engine | line-card)

set virtual-chassis member 0 serial-number VGXXXXXXX315 role routing-engine
set virtual-chassis member 1 serial-number VGXXXXXXX028 role routing-engine
set virtual-chassis member 2 serial-number TRXXXXXX0076 role line-card
set virtual-chassis member 3 serial-number TRXXXXXX0046 role line-card
set virtual-chassis member 4 serial-number TRXXXXXX0201 role line-card
set virtual-chassis member 5 serial-number TRXXXXXX0130 role line-card
set virtual-chassis member 6 serial-number TRXXXXXX0040 role line-card
set virtual-chassis member 7 serial-number TRXXXXXX0089 role line-card
set virtual-chassis member 8 serial-number TRXXXXXX0074 role line-card
set virtual-chassis member 9 serial-number TRXXXXXX0038 role line-card
set virtual-chassis member 10 serial-number TRXXXXXX0056 role line-card
set virtual-chassis member 11 serial-number TRXXXXXX0125 role line-card
set virtual-chassis member 12 serial-number TRXXXXXX0100 role line-card


Step 04:

Now we have to configure the Virtual Chassis ports (VCPs). As we have 11 leaves in this spine-leaf architecture, we will configure the first 11 ports (0-10) as VCPs on the QFX5100-24Q.

request virtual-chassis vc-port set pic-slot 0 port 0
request virtual-chassis vc-port set pic-slot 0 port 1
request virtual-chassis vc-port set pic-slot 0 port 2
request virtual-chassis vc-port set pic-slot 0 port 3
request virtual-chassis vc-port set pic-slot 0 port 4
request virtual-chassis vc-port set pic-slot 0 port 5
request virtual-chassis vc-port set pic-slot 0 port 6
request virtual-chassis vc-port set pic-slot 0 port 7
request virtual-chassis vc-port set pic-slot 0 port 8
request virtual-chassis vc-port set pic-slot 0 port 9
request virtual-chassis vc-port set pic-slot 0 port 10

Step 05:

Now we will configure hostname and management IP address.

set system host-name SWITCH_VCF
set interfaces vme0 unit 0 family inet address 10.64.110.1/30

(Optional) Disable the neighbor discovery protocols
delete protocols lldp

For QFX5100-24Q (Spine 2):

request virtual-chassis mode fabric reboot

request virtual-chassis vc-port set pic-slot 0 port 0
request virtual-chassis vc-port set pic-slot 0 port 1
request virtual-chassis vc-port set pic-slot 0 port 2
request virtual-chassis vc-port set pic-slot 0 port 3
request virtual-chassis vc-port set pic-slot 0 port 4
request virtual-chassis vc-port set pic-slot 0 port 5
request virtual-chassis vc-port set pic-slot 0 port 6
request virtual-chassis vc-port set pic-slot 0 port 7
request virtual-chassis vc-port set pic-slot 0 port 8
request virtual-chassis vc-port set pic-slot 0 port 9
request virtual-chassis vc-port set pic-slot 0 port 10

For QFX5100-48T (Leaf 1-11):

request virtual-chassis mode fabric reboot
request virtual-chassis vc-port set pic-slot 0 port 48
request virtual-chassis vc-port set pic-slot 0 port 49

N.B. There is no need to configure VCPs on the leaf nodes if QSFP interfaces are used as VCPs.

After completing all the configuration, plug in all the cables according to the diagram.

Verification:

user@Qfx-24Q# run show virtual-chassis status

Preprovisioned Virtual Chassis Fabric
Fabric ID: cd95.5928.3205
Fabric Mode: Enabled
                                                 Mstr            Mixed Route Neighbor List
Member ID   Status   Serial No    Model          prio  Role      Mode  Mode  ID  Interface
0 (FPC 0)   Prsnt    VGXXXXXXX315 qfx5100-24q-2p  129  Master*   N     F      5  vcp-255/0/3
                                                                              9  vcp-255/0/7
                                                                             11  vcp-255/0/9
                                                                              2  vcp-255/0/0
                                                                              3  vcp-255/0/1
                                                                             12  vcp-255/0/10
                                                                              4  vcp-255/0/2
                                                                              6  vcp-255/0/4
                                                                              7  vcp-255/0/5
                                                                              8  vcp-255/0/6
                                                                             10  vcp-255/0/8
1 (FPC 1)   Prsnt    VGXXXXXXX028 qfx5100-24q-2p  129  Backup    N     F      5  vcp-255/0/3
                                                                              3  vcp-255/0/1
                                                                              2  vcp-255/0/0
                                                                              4  vcp-255/0/2
                                                                              6  vcp-255/0/4
                                                                              7  vcp-255/0/5
                                                                              8  vcp-255/0/6
                                                                              9  vcp-255/0/7
                                                                             10  vcp-255/0/8
                                                                             11  vcp-255/0/9
2 (FPC 2)   Prsnt    TRXXXXXX0076 qfx5100-48t-6q    0  Linecard  N     F      0  vcp-255/0/48
                                                                              1  vcp-255/0/49
3 (FPC 3)   Prsnt    TRXXXXXX0046 qfx5100-48t-6q    0  Linecard  N     F      0  vcp-255/0/48
                                                                              1  vcp-255/0/49
4 (FPC 4)   Prsnt    TRXXXXXX0201 qfx5100-48t-6q    0  Linecard  N     F      0  vcp-255/0/48
                                                                              1  vcp-255/0/49
5 (FPC 5)   Prsnt    TRXXXXXX0130 qfx5100-48t-6q    0  Linecard  N     F      0  vcp-255/0/48
                                                                              1  vcp-255/0/49
6 (FPC 6)   Prsnt    TRXXXXXX0040 qfx5100-48t-6q    0  Linecard  N     F      0  vcp-255/0/48
                                                                              1  vcp-255/0/49
7 (FPC 7)   Prsnt    TRXXXXXX0089 qfx5100-48t-6q    0  Linecard  N     F      0  vcp-255/0/48
                                                                              1  vcp-255/0/49
8 (FPC 8)   Prsnt    TRXXXXXX0074 qfx5100-48t-6q    0  Linecard  N     F      0  vcp-255/0/48
                                                                              1  vcp-255/0/49
9 (FPC 9)   Prsnt    TRXXXXXX0038 qfx5100-48t-6q    0  Linecard  N     F      0  vcp-255/0/48
                                                                              1  vcp-255/0/49
10 (FPC 10) Prsnt    TRXXXXXX0056 qfx5100-48t-6q    0  Linecard  N     F      0  vcp-255/0/48
                                                                              1  vcp-255/0/49
11 (FPC 11) Prsnt    TRXXXXXX0125 qfx5100-48t-6q    0  Linecard  N     F      0  vcp-255/0/48
                                                                              1  vcp-255/0/49
12 (FPC 12) Prsnt    TRXXXXXX0100 qfx5100-48t-6q    0  Linecard  N     F      0  vcp-255/0/48
                                                                              1  vcp-255/0/49
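
Preprovisioning ties each member ID to a serial number and a role, so the verification output above can be checked mechanically against the Step 03 lines. The following Python check is an added example, not part of the original post: `verify` is a hypothetical helper, and the status rows are constructed in the page's column layout (member 2's serial is deliberately altered and member 3 is left out of the fabric).

```python
import re

# Constructed input: four of the page's Step 03 lines (serials masked as on the page).
PROVISIONED = """\
set virtual-chassis member 0 serial-number VGXXXXXXX315 role routing-engine
set virtual-chassis member 1 serial-number VGXXXXXXX028 role routing-engine
set virtual-chassis member 2 serial-number TRXXXXXX0076 role line-card
set virtual-chassis member 3 serial-number TRXXXXXX0046 role line-card
"""
# Constructed status rows; the serial shown for member 2 is invented for the demonstration.
STATUS = """\
0 (FPC 0)   Prsnt    VGXXXXXXX315 qfx5100-24q-2p  129  Master*   N     F      2  vcp-255/0/0
1 (FPC 1)   Prsnt    VGXXXXXXX028 qfx5100-24q-2p  129  Backup    N     F      2  vcp-255/0/0
2 (FPC 2)   Prsnt    TRXXXXXX9999 qfx5100-48t-6q    0  Linecard  N     F      0  vcp-255/0/48
                                                                              1  vcp-255/0/49
"""

SET_RE = re.compile(r"set virtual-chassis member (\d+) serial-number (\S+) role (\S+)")
ROW_RE = re.compile(r"(\d+) \(FPC \d+\)\s+(\S+)\s+(\S+)\s+\S+\s+\d+\s+(\S+)")
# Roles the status table may show for each preprovisioned role.
ROLE_OK = {"routing-engine": {"Master", "Backup"}, "line-card": {"Linecard"}}

def verify(provisioned, status):
    """Compare 'show virtual-chassis status' rows with the preprovisioned members."""
    want = {int(m[1]): (m[2], m[3]) for m in SET_RE.finditer(provisioned)}
    seen, problems = set(), []
    for line in status.splitlines():
        row = ROW_RE.match(line)      # neighbor continuation lines do not match
        if not row:
            continue
        member, state, serial = int(row[1]), row[2], row[3]
        role = row[4].rstrip("*")     # '*' only marks the member you are logged in to
        seen.add(member)
        if member not in want:
            problems.append(f"member {member}: not preprovisioned")
            continue
        exp_serial, exp_role = want[member]
        if serial != exp_serial:
            problems.append(f"member {member}: serial {serial} != provisioned {exp_serial}")
        if state != "Prsnt":
            problems.append(f"member {member}: status {state}")
        if role not in ROLE_OK.get(exp_role, set()):
            problems.append(f"member {member}: role {role} unexpected for {exp_role}")
    missing = sorted(set(want) - seen)
    problems += [f"member {m}: provisioned but absent from fabric" for m in missing]
    return problems

if __name__ == "__main__":
    print("\n".join(verify(PROVISIONED, STATUS)) or "fabric matches preprovisioning")
```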


root> show system license keys


Wednesday, November 15, 2017

HA configuration with LACP for Juniper SRX340 Router








HA configuration for SRX340:
---------------------------------------------

Before configuring the SRX340 devices as a cluster, remove some configuration items to avoid post-configuration errors.
On each SRX, do the following:

First delete all logical interfaces used for the control link/plane (ge-0/0/1) and the data/fabric link/plane (ge-0/0/2), and also those you need under the reth interfaces (ge-0/0/3 and ge-0/0/4), on both routers.
***Note: The control link and data link interfaces vary between models.

delete system host-name
delete security
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete interfaces ge-0/0/3
delete interfaces ge-0/0/4

After this operation make sure there is no ethernet-switching left:

root@srx1# show | match ethernet-switching | count
Count: 0 lines
[edit]
root@srx1#


Then physically connect the two devices (both control and fabric ports) and ensure that they are the same model and run the same OS version.
For example, on the SRX340 Services Gateway, connect the dedicated control and fabric ports on node 0 and node 1.
***Note: For SRX300, SRX320, SRX340, and SRX345 devices, connect ge-0/0/1 on node 0 to ge-0/0/1 on node 1.

1. Set the two devices to cluster mode and reboot the devices. You must enter the following operational mode commands on both devices, for example:

On node 0:
---------------
user@host> set chassis cluster cluster-id 1 node 0 reboot
On node 1:
---------------
user@host> set chassis cluster cluster-id 1 node 1 reboot

# After the reboot, the prompt on srx1 changes as shown below:

{hold:node0}
root@srx1>
{secondary:node0}
root@srx1>
{primary:node0}
root@srx1>

#Check cluster status:

root@srx1> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   1           primary        no       no
    node1                   1           secondary      no       no

***Note: After clustering occurs, on the SRX340 device the ge-0/0/1 interface on node 1 changes to ge-5/0/1.


2. Set up hostnames and management IP addresses for each device using configuration groups, on the first node only (srx-nd0). These configurations are specific to each device and are unique to its specific node.

set groups node0 system host-name srx-nd0
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.33.1/24
set groups node1 system host-name srx-nd1
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.33.2/24

3. Set the 'apply-groups' command so that the individual configurations for each node set by the previous commands are applied only to that node.

set apply-groups "${node}"

4. Define the interfaces used for the fab connection (data plane links for RTO sync) by using physical port ge-0/0/2 from each node. These interfaces must be connected back-to-back, or through a Layer 2 infrastructure.
Configure the fabric links on the first node only (srx-nd0):

set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2

# After the commit, the configuration should sync to the srx-nd1 node as well. Now check the cluster interface status:

root@srx1> show chassis cluster interfaces
Control link 0 name: fxp1
Control link status: Up

Fabric interfaces:
Name    Child-interface    Status
fab0       fe-0/0/5          up
fab0
fab1       fe-2/0/5          up
fab1
Fabric link status: Up



5. Set up redundancy group 0 for the Routing Engine failover properties, and set up redundancy group 1 (all interfaces are in one redundancy group in this example) to define the failover properties for the redundant Ethernet interfaces. A cluster without an RG is useless. Let's create a redundancy group and test it. RG0 is used for the control plane and RG1 will be our service RG.

set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100



6. Set up interface monitoring to monitor the health of the interfaces and trigger redundancy group failover.

******Note: Juniper does not recommend interface monitoring for redundancy group 0, because it causes the control plane to switch from one node to the other if an interface flap occurs.

set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 255

***Note: Interface failover only occurs after the weight reaches 0.

#Let's check the cluster configuration:
{primary:node0}
root@srx1> show configuration chassis cluster

reth-count 2;
redundancy-group 0 {
    node 0 priority 200;
    node 1 priority 100;
}
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 100;
    preempt;
    interface-monitor {
        ge-0/0/3 weight 255;
        ge-0/0/4 weight 255;
        ge-5/0/3 weight 255;
        ge-5/0/4 weight 255;
    }
}



7. Set up the redundant Ethernet (reth) interfaces and assign the redundant interface to a zone.


set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp active
set interfaces reth0 unit 0 family inet address 198.51.100.1/24

set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-5/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp active
set interfaces reth1 unit 0 family inet address 203.0.113.233/24

8. Finally, create the zones, allow services and protocols, and put the reth interfaces into the zones. You must create policies for each zone; otherwise you will not have reachability.

set security zones security-zone Trusted
set security zones security-zone Untrusted
set security zones security-zone Trusted host-inbound-traffic system-services all
set security zones security-zone Trusted host-inbound-traffic protocols all
set security zones security-zone Untrusted host-inbound-traffic system-services all
set security zones security-zone Untrusted host-inbound-traffic protocols all
set security zones security-zone Untrusted interfaces reth1.0
set security zones security-zone Trusted interfaces reth0.0

set security policies from-zone Trusted to-zone Trusted policy any-to-any match source-address any
set security policies from-zone Trusted to-zone Trusted policy any-to-any match destination-address any
set security policies from-zone Trusted to-zone Trusted policy any-to-any match application any
set security policies from-zone Trusted to-zone Trusted policy any-to-any then permit

set security policies from-zone Trusted to-zone Untrusted policy any-to-any match source-address any
set security policies from-zone Trusted to-zone Untrusted policy any-to-any match destination-address any
set security policies from-zone Trusted to-zone Untrusted policy any-to-any match application any
set security policies from-zone Trusted to-zone Untrusted policy any-to-any then permit
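
Step 8 accepts every system service and protocol on both zones, including Untrusted, and permits any source, destination and application from Trusted to Untrusted. The following Python check is an added example, not part of the original post; it flags those patterns in `set`-format configuration. The HARDENED sample (`ssh`, `ping`, `junos-https`, policy name `web-out`) is a constructed assumption about what a deployment needs, and `audit` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed input: zone and policy lines from step 8 (Trusted-to-Trusted policy omitted).
PAGE_CONFIG = """\
set security zones security-zone Trusted host-inbound-traffic system-services all
set security zones security-zone Trusted host-inbound-traffic protocols all
set security zones security-zone Untrusted host-inbound-traffic system-services all
set security zones security-zone Untrusted host-inbound-traffic protocols all
set security policies from-zone Trusted to-zone Untrusted policy any-to-any match source-address any
set security policies from-zone Trusted to-zone Untrusted policy any-to-any match destination-address any
set security policies from-zone Trusted to-zone Untrusted policy any-to-any match application any
set security policies from-zone Trusted to-zone Untrusted policy any-to-any then permit
"""
# Constructed, assumed-tighter variant: named services only, one named application.
HARDENED = """\
set security zones security-zone Trusted host-inbound-traffic system-services ssh
set security zones security-zone Trusted host-inbound-traffic system-services ping
set security zones security-zone Untrusted host-inbound-traffic system-services ping
set security policies from-zone Trusted to-zone Untrusted policy web-out match source-address any
set security policies from-zone Trusted to-zone Untrusted policy web-out match destination-address any
set security policies from-zone Trusted to-zone Untrusted policy web-out match application junos-https
set security policies from-zone Trusted to-zone Untrusted policy web-out then permit
"""

HOST_IN = re.compile(
    r"set security zones security-zone (\S+) host-inbound-traffic (system-services|protocols) (\S+)")
POLICY = re.compile(
    r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (?:match (\S+) (\S+)|then (\S+))")

def audit(config):
    """Return (scope, finding) tuples for over-permissive zone and policy lines."""
    findings, policies = [], defaultdict(dict)
    for raw in config.splitlines():
        line = " ".join(raw.split())          # tolerate doubled spaces
        if m := HOST_IN.fullmatch(line):
            zone, kind, value = m.groups()
            if value == "all":
                findings.append((zone, f"host-inbound-traffic {kind} all"))
        elif m := POLICY.fullmatch(line):
            src, dst, name, field, value, action = m.groups()
            policies[(src, dst, name)][field or "then"] = value or action
    for (src, dst, name), p in policies.items():
        wide = all(p.get(k) == "any"
                   for k in ("source-address", "destination-address", "application"))
        if wide and p.get("then") == "permit":
            findings.append((f"{src}->{dst}", f"policy {name} permits any/any/any"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(PAGE_CONFIG):
        print(f"{scope}: {finding}")
```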


# If you want to create a subinterface with VLAN tagging, do the following (optional):
set interfaces reth0 vlan-tagging
set interfaces reth0 unit 150 vlan-id 150
set interfaces reth0 unit 150 family inet address 192.168.150.200/24
set interfaces reth1 unit 0 family inet address 10.16.9.1/24

set security zones security-zone Trusted interfaces reth0.150
set security zones security-zone Untrusted interfaces reth1.0



Case 01:
If we deactivate interface monitoring, it doesn't affect HA.


#Verification
show chassis cluster status
show chassis cluster interfaces
show chassis cluster statistics
show chassis cluster control-plane statistics
show chassis cluster data-plane statistics
show chassis cluster status redundancy-group 1
show security flow statistics node all
show security flow status node all




LAG Configuration for both EX3300:
-----------------------------------------------------

1. First, we have to remove the logical unit configuration from the interfaces that are to be bundled, as logical units are not allowed on aggregated links:

delete interfaces ge-0/0/46 unit 0
delete interfaces ge-1/0/46 unit 0

2. The next step is to specify the number of aggregated links on the switch. This command specifies the number of bundles (aggregated interfaces) you want to create:

set chassis aggregated-devices ethernet device-count 1

3. Next, set the interfaces to use LACP (802.3ad) and to be members of a logical aggregated Ethernet port (port names begin with ae).
To associate a physical interface with an aggregated Ethernet interface, enter the following commands:

set interfaces ge-0/0/46 ether-options 802.3ad ae0
set interfaces ge-1/0/46 ether-options 802.3ad ae0

4. Then we need to set the LACP mode for our new aggregated interface. We'll make the Juniper side active, so that it initiates the transmission of LACP packets:

set interfaces ae0 aggregated-ether-options lacp active