Verification
Purpose
The following verification commands (with sample output) can be used to confirm that the transport, clustering, and MC-LAG configuration were successful.
Results
- Verify that MC-LAG is up on the edge routers. This output shows an active state for the MC-LAG connections on the edge routers and confirms that the two MC-LAG bundles are operational. In a failure state, this output typically shows “Exchange error”, which implies a misconfiguration in the ICCP/MC-AE configuration.

    root@VDC-edge-r01-re0> show interfaces mc-ae
     Member Link                  : ae1
     Current State Machine's State: mcae active state
     Local Status                 : active
     Local State                  : up
     Peer Status                  : active
     Peer State                   : up
         Logical Interface        : ae1.0
         Topology Type            : bridge
         Local State              : up
         Peer State               : up
         Peer Ip/MCP/State        : 192.168.168.2 ae0.1 up

     Member Link                  : ae3
     Current State Machine's State: mcae active state
     Local Status                 : active
     Local State                  : up
     Peer Status                  : active
     Peer State                   : up
         Logical Interface        : ae3.0
         Topology Type            : bridge
         Local State              : up
         Peer State               : up
         Peer Ip/MCP/State        : 192.168.168.2 ae0.1 up

    {master}
    root@VDC-edge-r01-re0>

- Verify the reth0 interface on the edge-firewall.

    root@VDC-edge-fw01-n1> show interfaces reth0
    Physical interface: reth0, Enabled, Physical link is Up
      Interface index: 128, SNMP ifIndex: 628
      Description: Trust Zone toward POD
      Link-level type: Ethernet, MTU: 9188, Speed: 40Gbps, BPDU Error: None,
      MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
      Flow control: Disabled, Minimum links needed: 1, Minimum bandwidth needed: 0
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Current address: 00:10:db:ff:10:00, Hardware address: 00:10:db:ff:10:00
      Last flapped   : 2013-10-17 17:05:37 PDT (5d 17:34 ago)
      Input rate     : 20352 bps (28 pps)
      Output rate    : 4480 bps (8 pps)

      Logical interface reth0.0 (Index 68) (SNMP ifIndex 647)
        Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.10 ]  Encapsulation: ENET2
        Statistics        Packets        pps         Bytes          bps
        Bundle:
            Input :  111252547290         28 13795224589923        20352
            Output:  112746013568          8 14431770429808         4480
        Security: Zone: trust
        Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
        ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet
        traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
        Protocol inet, MTU: 9170
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 192.168.25/24, Local: 192.168.25.3, Broadcast: 192.168.25.255
        Protocol multiservice, MTU: Unlimited
          Flags: Is-Primary

      Logical interface reth0.32767 (Index 67) (SNMP ifIndex 662)
        Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x0000.0 ]  Encapsulation: ENET2
        Statistics        Packets        pps         Bytes          bps
        Bundle:
            Input :             0          0             0            0
            Output:             0          0             0            0
        Security: Zone: Null
        Protocol multiservice, MTU: Unlimited
          Flags: None

- Verify that the edge router is selecting the active firewall
node for traffic forwarding. This selection is done based on the gratuitous
ARP request sent by the active SRX firewall.
- Check the route for the firewall reth0 IP address.

    root@VDC-edge-r01-re0> show route 192.168.26.3

    inet.0: 66 destinations, 77 routes (66 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.26.0/24    *[Direct/0] 1w6d 23:12:12
                        > via irb.0

- Check the forwarding table to see if the next hop and interface are chosen correctly.
Active firewall node (Node 2 is active)

    root@VDC-edge-r01-re0> show route forwarding-table destination 192.168.26.3
    Routing table: default.inet
    Internet:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    192.168.26.3/32    dest     0 0:10:db:ff:10:1    ucst   597    39 ae3.0

    Routing table: __master.anon__.inet
    Internet:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    rjct   519     1

Note: When a failover occurs, the secondary node must announce to the peer device that it is now the owner of the MAC address associated with the RETH interface (the RETH MAC is shared between nodes). It does this using gratuitous ARP, that is, an ARP message that is broadcast without an ARP request. Once a gratuitous ARP is sent, the local switch updates its MAC table to map the new MAC/port pairing. By default, the SRX sends four gratuitous ARPs per RETH on a failover. These are sent from the control plane and through the data plane.
- Verify both LAGs on the edge router (ae1 and ae3). Note that even though both LACP LAGs appear in an “up” state, only the LAG link toward the active cluster firewall node will forward traffic; the standby node will remain up and ready to take over in case of failure.

    root@VDC-edge-r01-re0> show lacp interfaces ae1
    Aggregated interface: ae1
        LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
          xe-1/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          xe-1/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
          xe-1/1/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          xe-1/1/1     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
        LACP protocol:        Receive State  Transmit State          Mux State
          xe-1/1/0                  Current   Fast periodic Collecting distributing
          xe-1/1/1                  Current   Fast periodic Collecting distributing

    {master}
    root@VDC-edge-r01-re0> show lacp interfaces ae3
    Aggregated interface: ae3
        LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
          xe-1/2/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          xe-1/2/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
          xe-1/2/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          xe-1/2/1     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
        LACP protocol:        Receive State  Transmit State          Mux State
          xe-1/2/0                  Current   Fast periodic Collecting distributing
          xe-1/2/1                  Current   Fast periodic Collecting distributing
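
An added example, not part of the original guide: the reth0.0 output earlier in this section shows the trust zone accepting cleartext and legacy services (telnet, rsh, rlogin, ftp, tftp, finger, http, xnm-clear-text) as host-inbound traffic. This Python script parses captured `show interfaces` output, including the service list that wraps across lines, and reports those services per logical interface; the `RISKY` set, the function names and the trimmed sample are assumptions of this example.

```python
import re

# Services that are unencrypted or legacy remote-access daemons.
# This set is this example's assumption, not a Juniper-defined list.
RISKY = {"telnet", "reverse-telnet", "rlogin", "rsh", "ftp", "tftp",
         "finger", "http", "xnm-clear-text"}

# Constructed sample, trimmed from the reth0 output shown in this section.
SAMPLE = """\
  Logical interface reth0.0 (Index 68) (SNMP ifIndex 647)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.10 ]  Encapsulation: ENET2
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dhcp finger ftp tftp
    ident-reset http https ike netconf ping rlogin rsh snmp ssh telnet
    traceroute xnm-clear-text xnm-ssl ntp
    Protocol inet, MTU: 9170
  Logical interface reth0.32767 (Index 67) (SNMP ifIndex 662)
    Security: Zone: Null
    Protocol multiservice, MTU: Unlimited
"""

def host_inbound(text):
    """Return {logical_interface: (zone, [services])} from 'show interfaces' text."""
    result, unit, collecting = {}, None, False
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Logical interface (\S+)", s)
        if m:
            unit, collecting = m.group(1), False
            result[unit] = ("", [])
        elif unit and s.startswith("Security: Zone:"):
            result[unit] = (s.split(":", 2)[2].strip(), result[unit][1])
        elif unit and s.startswith("Allowed host-inbound traffic"):
            collecting = True
            result[unit][1].extend(s.split(":", 1)[1].split())
        elif collecting and ":" in s:
            collecting = False  # next "key: value" line (e.g. Protocol) ends the list
        elif collecting:
            result[unit][1].extend(s.split())  # continuation of the wrapped list
    return result

def audit(text):
    """Return {logical_interface: sorted risky services} for units that allow any."""
    return {unit: sorted(RISKY & set(svcs))
            for unit, (_zone, svcs) in host_inbound(text).items()
            if RISKY & set(svcs)}

if __name__ == "__main__":
    for unit, bad in audit(SAMPLE).items():
        print(f"{unit}: risky host-inbound services allowed: {', '.join(bad)}")
```

Run it against saved output from each cluster node; an empty result from `audit()` means none of the listed services are accepted on any logical interface.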