Mesh Connectivity of ERS8800 with Juniper firewalls

[jrandhawa]

I have a query that I have a setup of 2 ERS8800 working in cluster with IST, SMLT and VRRP configured and above that 2 juniper SRX firewalls working in active passive cluster. Now core switches are connected as Core1-----active Firewall   n Core2------------passive firewall. In this scenario when core 1 goes down traffic stops flowing becoz core 2 is linked to non-forwarding F/w. Please suggest best means by which I can connect core1 and as well Core 2 in a mesh type scenario. Will LACP be the solution?

Thanks and regards
jagjeet Randhawa

[Dominik]

There are some possible soltions for your problem.
I would recommand to enable Interface tracking on your Juniper SRX devices,
if the SRX doensīt reach the IP Interface of the direct connect ERS8600 it has to traverse
to the other SRX.
In a JSRP configuration connected to a Swicthcluster this is a best practice design in my expierence.

Good Luck

[Michael McNamara]

I have a query that I have a setup of 2 ERS8800 working in cluster with IST, SMLT and VRRP configured and above that 2 juniper SRX firewalls working in active passive cluster. Now core switches are connected as Core1-----active Firewall   n Core2------------passive firewall. In this scenario when core 1 goes down traffic stops flowing becoz core 2 is linked to non-forwarding F/w. Please suggest best means by which I can connect core1 and as well Core 2 in a mesh type scenario. Will LACP be the solution?

Thanks and regards
jagjeet Randhawa

Hi Jagjeet and welcome to the forums!

Are you using VRRP on your Juniper SRX appliances? If you use VRRP between your 2 Juniper SRX appliances (along with a VRRP between your 2 ERS 8600s) then you should be fine. If any one of the 4 devices goes down VRRP will transition to the remaining device(s) and assume the IP that you are using for routing.

You can set priorities in VRRP so you'll know which one of the two is the primary (active) and which is the standby (passive).

Cheers!

[jrandhawa]

Hi Michael

Thanks for your reply.
But I am using VRRP on ERS8800) but not on SRX only I am using static routing between both the clusters(ERS & SRX). So can we do that by LACP by binding 4 interfaces from both the cores 2 from each to 4 interfaces on SRXs. Like core1------int1------srx1------int1 n core2----------int1--------srx1-----int2. Again core1---------int2--------srx2------int1 n core2--------int2-----------srx2--------int2. keeping each core1------int1-------LACP1 and core2---------int1----LACP1 . and other core1---------int2------LACP2
core2-----int2--------LACP2. can it be successful? also please have a look on SRX lacp config:

SRX Config:
    set interfaces ge-0/0/1 gigether-options redundant-parent reth0
    set interfaces ge-0/0/2 gigether-options redundant-parent reth0
    set interfaces ge-2/0/1 gigether-options redundant-parent reth0
    set interfaces ge-2/0/2 gigether-options redundant-parent reth0
    set interfaces reth0 redundant-ether-options redundancy-group 0
    set interfaces reth0 redundant-ether-options lacp passive

Thanks
jagjeet

[Michael McNamara]

Hi,

Your asking about high-availability/redundancy but your talking about traffic aggregation.

LACP is utilized to bond multiple physical links into a single virtual link. While the multiple physical links themselves are redundant to each other they don't provide everything you need. You can add SMLT to LACP to get redundant physical links to the same edge device (Juniper SRX).

In this case I think you could probably solve the problem by just running VRRP on your Juniper SRX appliances. You would use a different VRRP ID than you are using for your ERS 8600s. This would allow the virtual IP address to move between either component in the event of a failure.

If you still want to proceed using LACP with SMLT you can check these posts for further details;
http://blog.michaelfmcnamara.com/2009/08/lacp-configuration-examples-part-2/
http://blog.michaelfmcnamara.com/2009/08/lacp-configuration-examples-part-3/

Cheers!

[Dominik]

@jrandhawa

what kind of redundancy do you have configured at your SRX ?
Most common method is to use JSRP to configure a active passiv cluster in Juniper land.

http://jsrx.juniperwiki.com/index.php?title=JSRP

You can give each SRX device an aggregated link to both of your ERS8600.
Here you have the option to use a static link aggregation or a LACP trunk.

On the ERS8600 you have both options, in my expiereince the static link aggregation (SMLT) has some
advantages over the dynamic LACP trunking mechanism.

So your setup would look like this, 2 SRX both have a aggregated link with a physical connection to both of your ERS8600 with a SMLT configuration on this side.
This setup will give you a redundant soltion for your Firewall connection.

Cheers

[jrandhawa]

Hi Dominik/Michael

Let me try out these methods n update you guys accordingly.

Thanks for advising....

Regards
Jagjeet Randhawa