Network Configuration
Overview
Configuration of the solution starts with the configuration of the perimeter security; integration between the edge, perimeter and the data center core; and then continues with configuration of the access and aggregation roles in the data center (in this solution, those roles are collapsed into the QFabric POD). Finally, the network must be configured in the virtual switching role.
Configuring the Network Between the Data Center Edge and the Data Center Core
This configuration includes elements of high availability as the configuration and operation of the solution are heavily reliant on the use of Juniper Networks Virtual Chassis and employ multi-chassis link aggregation (MC-LAG) between each data center operational role.
SRX chassis clustering provides high availability and redundancy by grouping two SRX Series services gateways (must be the same model) into a cluster. The cluster consists of a primary node and a secondary node. These nodes provide backup for each other in the event of software, hardware, or network failures. Session state is synchronized between the nodes in the SRX cluster to ensure that established sessions are maintained during failover and reversion. The two nodes synchronize configuration, processes, and services utilizing two Ethernet links: a control link is established to enable control plane synchronization and a fabric link is established to enable data plane communication (traversal of network traffic between cluster nodes).
Redundant Ethernet Trunk Group LAGs (RETH interfaces) can be established across nodes in a chassis cluster (Figure 1). Link aggregation allows a redundant Ethernet interface (known as a RETH interface in the CLI) to add multiple child interfaces from both nodes of an SRX cluster, creating a single, virtual interface over which upstream and downstream devices can communicate. This solution features active/standby SRX cluster configuration: all active links are located on one SRX, and all standby links are on the other SRX. In an SRX active/backup cluster, LAG member links from the active node will forward data traffic. Link Aggregation Control Protocol (LACP) is enabled on the redundant Ethernet interface similar to any aggregated Ethernet (AE) interface configured in other routers/ or switches. The SRX RETH interface configuration includes all member interfaces from both the active and backup node.
Figure 1: Configuration of RETH Interfaces and MC-LAG Between Core and Perimeter (Right) Compared to Configuration of RETH Interfaces and AE (Left)
Topology
The topology used in this section of the configuration is shown in Figure 2.
Figure 2: Interface Configuration Between Edge, Perimeter, and Core
Table 1 shows the configuration parameters used in the configuration of MC-LAG between the VDC-core-sw1 and the edge-r1 nodes. These settings are used throughout the configuration and are aggregated here.
Table 1: MC-LAG Settings Between Core 1 and Edge 1
MC-LAG Node | MC-LAG Client | Interface | mc-ae-id | LACP-id | IRB Interface | prefer-status | chassis-id |
|---|---|---|---|---|---|---|---|
VDC-edge-r1 | VDC-edge-fw0 | ae1 | 1 | 00:00:00:00:00:01 | irb.0 | active | 0 |
VDC-edge-r1 | VDC-edge-fw1 | ae3 | 2 | 00:00:00:00:00:02 | irb.0 | active | 0 |
VDC-core-sw1 | VDC-pod1-sw1 | ae0 | 1 | 00:00:00:00:00:01 | irb.50 | active | 0 |
VDC-core-sw1 | VDC-pod1-sw1 | ae1 | 2 | 00:00:00:00:00:02 | irb.51 | active | 0 |
VDC-core-sw1 | VDC-pod1-sw1 | ae2 | 3 | 00:00:00:00:00:03 | irb.52 | active | 0 |
VDC-core-sw1 | VDC-pod1-sw1 | ae3 | 4 | 00:00:00:00:00:04 | irb.53 | active | 0 |
VDC-core-sw1 | VDC-pod2-sw1 | ae4 | 5 | 00:00:00:00:00:05 | irb.54 | active | 0 |
VDC-core-sw1 | VDC-pod2-sw1 | ae5 | 6 | 00:00:00:00:00:06 | irb.55 | active | 0 |
VDC-core-sw1 | VDC-edge-fw0 | ae6 | 7 | 00:00:00:00:00:07 | irb.10 | active | 0 |
VDC-core-sw1 | VDC--edge-fw1 | ae7 | 8 | 00:00:00:00:00:08 | irb.10 | active | 0 |
VDC-core-sw1 | VDC-oob-mgmt | ae8 | 9 | 00:00:00:00:00:09 | irb.20 | active | 0 |
VDC-core-sw1 | VDC-lb1-L2-Int-standby | ae10 | 11 | 00:00:00:00:00:11 | NA | active | 0 |
VDC-core-sw1 | VDC-lb1-L3-Ext-active | ae11 | 12 | 00:00:00:00:00:12 | irb.15 | active | 0 |
VDC-core-sw1 | VDC-lb1-L3-Ext-standby | ae12 | 13 | 00:00:00:00:00:13 | irb.15 | active | 0 |
VDC-core-sw1 | VDC-lb1-L2-Int-active | ae13 | 14 | 00:00:00:00:00:14 | NA | active | 0 |
Table 2shows the configuration parameters used in the configuration of MC-LAG between the VDC-core-sw1 and the edge-r1 nodes. These settings are used throughout the configuration and are aggregated here.
Table 2: MC-LAG Between Core 1 and Edge 1
MC-LAG Node | MC-LAG Client | Interface | mc-ae-id | LACP-id | IRB Interface | prefer-status | chassis-id |
|---|---|---|---|---|---|---|---|
VDC-edge-r2 | VDC-edge-fw0 | ae1 | 1 | 00:00:00:00:00:01 | irb.0 | active | 1 |
VDC-edge-r2 | VDC-edge-fw1 | ae3 | 2 | 00:00:00:00:00:02 | irb.0 | active | 1 |
VDC-core-sw2 | VDC-pod1-sw1 | ae0 | 1 | 00:00:00:00:00:01 | irb.50 | active | 1 |
VDC-core-sw2 | VDC-pod1-sw1 | ae1 | 2 | 00:00:00:00:00:02 | irb.51 | active | 1 |
VDC-core-sw2 | VDC-pod1-sw1 | ae2 | 3 | 00:00:00:00:00:03 | irb.52 | active | 1 |
VDC-core-sw2 | VDC-pod1-sw1 | ae3 | 4 | 00:00:00:00:00:04 | irb.53 | active | 1 |
VDC-core-sw2 | VDC-pod2-sw1 | ae4 | 5 | 00:00:00:00:00:05 | irb.54 | active | 1 |
VDC-core-sw2 | VDC-pod2-sw1 | ae5 | 6 | 00:00:00:00:00:06 | irb.55 | active | 1 |
VDC-core-sw2 | VDC-edge-fw0 | ae6 | 7 | 00:00:00:00:00:07 | irb.10 | active | 1 |
VDC-core-sw2 | VDC--edge-fw1 | ae7 | 8 | 00:00:00:00:00:08 | irb.10 | active | 1 |
VDC-core-sw2 | VDC-oob-mgmt | ae8 | 9 | 00:00:00:00:00:09 | irb.20 | active | 1 |
VDC-core-sw2 | VDC-lb1-L2-Int-standby | ae10 | 11 | 00:00:00:00:00:11 | NA | active | 1 |
VDC-core-sw2 | VDC-lb1-L3-Ext-active | ae11 | 12 | 00:00:00:00:00:12 | irb.15 | active | 1 |
VDC-core-sw2 | VDC-lb1-L3-Ext-standby | ae12 | 13 | 00:00:00:00:00:13 | irb.15 | active | 1 |
VDC-core-sw2 | VDC-lb1-L2-Int-active | ae13 | 14 | 00:00:00:00:00:14 | NA | active | 1 |
To configure the network between the data center edge and the data center core, follow these steps:
- Configure the SRX reth1 interface and members toward VDC-edge-r1
and VDC-edge-r2.
set chassis cluster reth-count 4 - Configure the MC-LAG bundle (ae1 and ae3) on VDC-edge-r1
toward the SRX .
set interfaces xe-1/1/0 gigether-options 802.3ad ae1set interfaces xe-1/1/1 gigether-options 802.3ad ae1## Configure ae1 MC-LAG A/A L2 Interface ####set interfaces ae1 description To-Firewall-reth1set interfaces ae1 flexible-vlan-taggingset interfaces ae1 encapsulation flexible-ethernet-servicesset interfaces ae1 aggregated-ether-options lacp activeset interfaces ae1 aggregated-ether-options lacp system-priority 100set interfaces ae1 aggregated-ether-options lacp system-id 00:00:00:00:00:01set interfaces ae1 aggregated-ether-options lacp admin-key 1set interfaces ae1 aggregated-ether-options mc-ae mc-ae-id 1set interfaces ae1 aggregated-ether-options mc-ae redundancy-group 1set interfaces ae1 aggregated-ether-options mc-ae chassis-id 0set interfaces ae1 aggregated-ether-options mc-ae mode active-activeset interfaces ae1 aggregated-ether-options mc-ae status-control activeset interfaces ae1 aggregated-ether-options mc-ae events iccp-peer-down force-icl-downset interfaces ae1 aggregated-ether-options mc-ae events iccp-peer-down prefer-status-control-activeset interfaces ae1 unit 0 encapsulation vlan-bridgeset interfaces ae1 unit 0 vlan-id 11set interfaces ae1 unit 0 multi-chassis-protection 192.168.168.2 interface ae0.1### Configured 2 Member links for ae3###set interfaces xe-1/2/0 gigether-options 802.3ad ae3set interfaces xe-1/2/1 gigether-options 802.3ad ae3## Configure ae1 MC-LAG A/A L2 Interface ####set interfaces ae3 description To-Firewall-Standbyset interfaces ae3 flexible-vlan-taggingset interfaces ae3 encapsulation flexible-ethernet-servicesset interfaces ae3 aggregated-ether-options lacp activeset interfaces ae3 aggregated-ether-options lacp system-priority 100set interfaces ae3 aggregated-ether-options lacp system-id 00:00:00:00:00:03set interfaces ae3 aggregated-ether-options lacp admin-key 3set interfaces ae3 aggregated-ether-options mc-ae mc-ae-id 3set interfaces ae3 aggregated-ether-options mc-ae redundancy-group 1set interfaces ae3 aggregated-ether-options mc-ae chassis-id 0set interfaces ae3 aggregated-ether-options mc-ae mode active-activeset interfaces ae3 aggregated-ether-options mc-ae status-control activeset interfaces ae3 aggregated-ether-options mc-ae events iccp-peer-down force-icl-downset interfaces ae3 aggregated-ether-options mc-ae events iccp-peer-down prefer-status-control-activeset interfaces ae3 unit 0 encapsulation vlan-bridgeset interfaces ae3 unit 0 vlan-id 11set interfaces ae3 unit 0 multi-chassis-protection 192.168.168.2 interface ae0.1 - Configure the bridge domain and IRB interfaces on VDC-edge-r1.
set bridge-domains bd1 domain-type bridgeset bridge-domains bd1 vlan-id 11set bridge-domains bd1 interface ae1.0 ###MC-LAG interface##set bridge-domains bd1 interface ae0.1 ### MC_LAG ICL link ###set bridge-domains bd1 interface ae3.0 ###MC-LAG interface##set bridge-domains bd1 routing-interface irb.0 ### L2/L3 routing interface###### Configure the IRB interface for L2/L3 routing ##set interfaces irb unit 0 family inet address 192.168.26.1/24 arp 192.168.26.2 l2-interface ae0.1set interfaces irb unit 0 family inet address 192.168.26.1/24 arp 192.168.26.2 mac 50:c5:8d:87:af:f0set interfaces irb unit 0 family inet address 192.168.26.1/24 arp 192.168.26.2 publishset interfaces irb unit 0 family inet address 192.168.26.1/24 vrrp-group 1 virtual-address 192.168.26.254set interfaces irb unit 0 family inet address 192.168.26.1/24 vrrp-group 1 priority 250set interfaces irb unit 0 family inet address 192.168.26.1/24 vrrp-group 1 fast-interval 100set interfaces irb unit 0 family inet address 192.168.26.1/24 vrrp-group 1 preemptset interfaces irb unit 0 family inet address 192.168.26.1/24 vrrp-group 1 accept-dataset interfaces irb unit 0 family inet address 192.168.26.1/24 vrrp-group 1 authentication-type md5set interfaces irb unit 0 family inet address 192.168.26.1/24 vrrp-group 1 authentication-key "$9$WKVXVYaJDkqfoaFnCA0O" - Configure ICCP and ICL links for MC-LAG on vdc-edge-r1.
set interfaces ae0 flexible-vlan-taggingset interfaces ae0 encapsulation flexible-ethernet-servicesset interfaces ae0 aggregated-ether-options lacp activeset interfaces ae0 aggregated-ether-options lacp periodic slowset interfaces xe-1/0/0 hold-time up 100set interfaces xe-1/0/0 hold-time down 15000set interfaces xe-1/0/0 gigether-options 802.3ad ae0set interfaces xe-1/0/1 hold-time up 100set interfaces xe-1/0/1 hold-time down 15000set interfaces xe-1/0/1 gigether-options 802.3ad ae0
Note: Hold-down timer configured higher than the BFD timer(1 sec) for better convergence
set interfaces ae0 unit 0 description "ICCP Link between edge-r1 and edge-r2"set interfaces ae0 unit 0 vlan-id 4000set interfaces ae0 unit 0 vlan-id 4000set interfaces ae0 unit 0 family inet address 192.168.1.1/30set interfaces ae0 unit 1 description "ICL Link to edge-r2-vlan-11"set interfaces ae0 unit 1 encapsulation vlan-bridgeset interfaces ae0 unit 1 vlan-id 11 - Configure the Inter-Control Center Communications Protocol
(ICCP) on vdc-edge-r1.
set protocols iccp local-ip-addr 192.168.168.1set protocols iccp peer 192.168.168.2 redundancy-group-id-list 1set protocols iccp peer 192.168.168.2 liveness-detection minimum-interval 500set protocols iccp peer 192.168.168.2 liveness-detection multiplier 2set protocols iccp peer 192.168.168.2 liveness-detection detection-time threshold 2000Note: The BFD timer is configured as 1 second in this solution testing. This setting provided sub-2-second convergence in testing.
- Configure the MC-LAG bundle (ae1 and ae3) on VDC-edge-r2
toward the SRX.
set interfaces xe-1/1/0 gigether-options 802.3ad ae1set interfaces xe-1/1/1 gigether-options 802.3ad ae1set interfaces ae1 description To-Firewall-reth1set interfaces ae1 flexible-vlan-taggingset interfaces ae1 encapsulation flexible-ethernet-servicesset interfaces ae1 aggregated-ether-options lacp activeset interfaces ae1 aggregated-ether-options lacp system-priority 100set interfaces ae1 aggregated-ether-options lacp system-id 00:00:00:00:00:01set interfaces ae1 aggregated-ether-options lacp admin-key 1set interfaces ae1 aggregated-ether-options mc-ae mc-ae-id 1set interfaces ae1 aggregated-ether-options mc-ae redundancy-group 1set interfaces ae1 aggregated-ether-options mc-ae chassis-id 1set interfaces ae1 aggregated-ether-options mc-ae mode active-activeset interfaces ae1 aggregated-ether-options mc-ae status-control standbyset interfaces ae1 aggregated-ether-options mc-ae events iccp-peer-down force-icl-downset interfaces ae1 unit 0 encapsulation vlan-bridgeset interfaces ae1 unit 0 vlan-id 11set interfaces ae1 unit 0 multi-chassis-protection 192.168.168.1 interface ae0.1set interfaces xe-1/2/0 gigether-options 802.3ad ae3set interfaces xe-1/2/1 gigether-options 802.3ad ae3set interfaces ae3 description To-Firewall-reth1set interfaces ae3 flexible-vlan-taggingset interfaces ae3 encapsulation flexible-ethernet-servicesset interfaces ae3 aggregated-ether-options lacp activeset interfaces ae3 aggregated-ether-options lacp system-priority 100set interfaces ae3 aggregated-ether-options lacp system-id 00:00:00:00:00:03set interfaces ae3 aggregated-ether-options lacp admin-key 3set interfaces ae3 aggregated-ether-options mc-ae mc-ae-id 3set interfaces ae3 aggregated-ether-options mc-ae redundancy-group 1set interfaces ae3 aggregated-ether-options mc-ae chassis-id 1set interfaces ae3 aggregated-ether-options mc-ae mode active-activeset interfaces ae3 aggregated-ether-options mc-ae status-control standbyset interfaces ae3 aggregated-ether-options mc-ae events iccp-peer-down force-icl-downset interfaces ae3 unit 0 encapsulation vlan-bridgeset interfaces ae3 unit 0 vlan-id 11set interfaces ae3 unit 0 multi-chassis-protection 192.168.168.1 interface ae0.1 - Configuring the bridge domain and IRB interface on VDC-edge-r2.
set bridge-domains bd1 domain-type bridgeset bridge-domains bd1 vlan-id 11set bridge-domains bd1 interface ae1.0set bridge-domains bd1 interface ae0.1set bridge-domains bd1 interface ae3.0set bridge-domains bd1 routing-interface irb.0set interfaces irb unit 0 family inet address 192.168.26.2/24 arp 192.168.26.1 l2-interface ae0.1set interfaces irb unit 0 family inet address 192.168.26.2/24 arp 192.168.26.1 mac 50:c5:8d:87:87:f0set interfaces irb unit 0 family inet address 192.168.26.2/24 arp 192.168.26.1 publishset interfaces irb unit 0 family inet address 192.168.26.2/24 vrrp-group 1 virtual-address 192.168.26.254set interfaces irb unit 0 family inet address 192.168.26.2/24 vrrp-group 1 priority 125set interfaces irb unit 0 family inet address 192.168.26.2/24 vrrp-group 1 fast-interval 100set interfaces irb unit 0 family inet address 192.168.26.2/24 vrrp-group 1 preemptset interfaces irb unit 0 family inet address 192.168.26.2/24 vrrp-group 1 accept-dataset interfaces irb unit 0 family inet address 192.168.26.2/24 vrrp-group 1 authentication-type md5set interfaces irb unit 0 family inet address 192.168.26.2/24 vrrp-group 1 authentication-key "$9$WKVXVYaJDkqfoaFnCA0O" - Configure the ICCP and ICL link for the MC-LAG on vdc-edge-r2.
### Configure LACP parameters for ICL/ICCP link ##set interfaces ae0 flexible-vlan-taggingset interfaces ae0 encapsulation flexible-ethernet-servicesset interfaces ae0 aggregated-ether-options lacp activeset interfaces ae0 aggregated-ether-options lacp periodic slow## LAG member link configuration ###set interfaces xe-1/0/0 hold-time up 100set interfaces xe-1/0/0 hold-time down 15000set interfaces xe-1/0/0 gigether-options 802.3ad ae0set interfaces xe-1/0/1 hold-time up 100set interfaces xe-1/0/1 hold-time down 15000set interfaces xe-1/0/1 gigether-options 802.3ad ae0Note: Hold-down timer configured higher than the BFD timer (1 sec) to get improved convergence if prefer-status-control active is configured on both MC-LAG nodes.
### ICCP Logical link ###set interfaces ae0 unit 0 description "ICCP link between edge-r2 to edge-r1"set interfaces ae0 unit 0 vlan-id 4000set interfaces ae0 unit 0 family inet address 192.168.1.2/30### ICL Logical Link ###set interfaces ae0 unit 1 description "ICL Link to edge-r2-vlan-11"set interfaces ae0 unit 1 encapsulation vlan-bridgeset interfaces ae0 unit 1 vlan-id 11 - Configure the ICCP protocol for MC-LAG on vdc-edge-r2.
set protocols iccp local-ip-addr 192.168.168.2set protocols iccp peer 192.168.168.1 redundancy-group-id-list 1set protocols iccp peer 192.168.168.1 liveness-detection minimum-interval 500set protocols iccp peer 192.168.168.1 liveness-detection multiplier 2set protocols iccp peer 192.168.168.1 liveness-detection detection-time threshold 2000
Verification
The following verification commands (with sample output) can be used to confirm that the transport, clustering, and MC-LAG configuration were successful.
