How to Connect a Juniper SRX Firewall to Windows Azure Virtual Network Gateway the Easy Way

Thanks to a MS MVP Shannon Fritz who wrote a great blog post about setting up the Azure side of the Networking I thought that I only add to his great work and show you how to connect your local network running a Juniper SRX or J Series to the Azure Infrastructure in 1 easy step.  OK a bit more than one step but how about 1 commit its just like a step.

I’ll run down each section of the required config assuming that you already have a running SRX in production and that you have a fully functional Azure VM, Virtual Network and a Gateway already deployed in your Azure Account. The Azure side can be see in Shannon’s blog post.

This VPN form your local network to your Azure cloud Virtual Network will be route based.

 

Prep your trust zone

You will have to ensure that you have an address book entry which matches the Local Network which you registered with azure.

set security zone security zone trust address-book address Complete-Local-Network 10.0.0.0/8

 

Create a VPN Security Zone for Azure

A separate zone is not a full requirement I just like to have my VPN’s in there own zone to separate policies easier.

We will also add in the VPN interface we are going to use for Azure routing and an address book for all of our azure networks which matches the azure address space.

set security zone security-zone azure address-book address Azure-Virtual-Network 172.19.0.0/16

set security zone security-zone azure interface st0.172

st0.172 was my selection of a sub interface for the azure network you can make the sub interface your desired number.

 

Fragmentation Settings

One of the common mistakes new firewall people make are with the packet size travelling through VPN’s and slow performance.  This is primarily because the new firewall people do not get the proper tcp-mss flow size. Set the correct size and your packets flow smother and faster Azure recommends 1350

set security flow tcp-mss ipsec-vpn 1350

 

Routing Configuration

We now need to tell the SRX where to send your data  we will be adding a static route for the 172.16.0.0/16 network to the Azure tunnel interface st0.172

set routing-options static route 172.16.0.0/16 next-hop st0.172

 

Policy Configuration

Now that we tell the packets to go to azure tunnel interface we have to allow them that whole authorization piece.

We are going to setup a simple authorization policy for traffic form our entire network to our entire azure network.  We will also setup the reciprocal policy so that traffic can be initiated starting from either site to the other.

We will also allow any traffic through the tunnel and log it.  In a production environment you may want to define tighter security policies.

This policy sets outbound from your network to the Azure network.

set security policy from zone trust to zone azure policy trust-to-azure match source-address Complete-Local-Network

set security policy from zone trust to zone azure policy trust-to-azure match destination-address  Azure-Virtual-Network

set security policy from zone trust to zone azure policy trust-to-azure match application any

set security policy from zone trust to zone azure policy trust-to-azure then permit

set security policy from zone trust to zone azure policy trust-to-azure then log session-init

set security policy from zone trust to zone azure policy trust-to-azure then log session-close

This policy sets outbound from the Azure network to your network Azure network.

set security policy from zone trust to zone azure policy azure-to-trust match source-address Azure-Virtual-Network 

set security policy from zone trust to zone azure policy azure-to-trust match destination-address  Complete-Local-Network

set security policy from zone trust to zone azure policy azure-to-trust match application any

set security policy from zone trust to zone azure policy azure-to-trust then permit

set security policy from zone trust to zone azure policy azure-to-trust then log session-init

set security policy from zone trust to zone azure policy azure-to-trust then log session-close

 

VPN Settings

OK we have everything in place now except for the actual tunnel to Azure.  The tunnel to Azure is going to be a IPSec IKEv2 Preshared key tunnel  this is currently the only supported funnel for the SRX.

Once tou create your gateway in azure you will be given your tunnel IP Endpoint address along with the initial preshared key.  The key can be changed at anytime my reissuing a key in the Azure interface.

I will use 1.1.1.1 as the address the a example key of mysecretkey for the shared secret my example external interface is reth7.77

Below is the ike and ipsec settings.

set security ike proposal azure-proposal authentication-method pre-shared-keys
set security ike proposal azure-proposal dh-group group2
set security ike proposal azure-proposal authentication-algorithm sha1
set security ike proposal azure-proposal encryption-algorithm aes-256-cbc
set security ike proposal azure-proposal lifetime-seconds 28800
set security ike policy azure-policy-1 mode main
set security ike policy azure-policy-1 proposals azure-proposal
set security ike policy azure-policy-1 pre-shared-key ascii-text mysecretkey
set security ike gateway azure-gateway-1 ike-policy azure-policy-1
set security ike gateway azure-gateway-1 address 1.1.1.1
set security ike gateway azure-gateway-1 external-interface reth7.77
set security ike gateway azure-gateway-1 version v2-only

set security ipsec proposal azure-ipsec-proposal protocol esp
set security ipsec proposal azure-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal azure-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal azure-ipsec-proposal lifetime-seconds 3600
set security ipsec policy azure-vpn-policy-1 proposals azure-ipsec-proposal
set security ipsec vpn azure-ipsec-vpn-1 bind-interface st0.172
set security ipsec vpn azure-ipsec-vpn-1 ike gateway azure-gateway-1
set security ipsec vpn azure-ipsec-vpn-1 ike ipsec-policy azure-vpn-policy-1
set security ipsec vpn azure-ipsec-vpn-1 establish-tunnels immediately

 

Your All Done, Just that last step left remember I promised it would be a single step.

commit comment “VPN Setup to Azure”

You’re all up and running now you can ping, remote desktop etc to any of your VM’s

Verification

You can now verify your tunnel is up and running with the following commands

show security ike active-peer
node0:
————————————————————————–
Remote Address                      Port     Peer IKE-ID                         XAUTH username                      Assigned IP
1.1.1.1                         500      1.1.1.1                      

show security ike security-associations
node0:
————————————————————————–
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address  
7776655 UP     6t6t5t4r4e43e540  3e34ew34eeadb945  IKEv2          1.1.1.    

show security ipsec security-associations
node0:
————————————————————————–
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway  
  <111111 ESP:aes-256/sha1 aaaaaaa 3185/ unlim –   root 500   1.1.1.1    
  >111112 ESP:aes-256/sha1 bbbbbbb 3185/ unlim –  root 500   1.1.1.1    

show security ipsec statistics              
node0:
————————————————————————–

ESP Statistics:
  Encrypted bytes:           399912
  Decrypted bytes:           314925
  Encrypted packets:           3309
  Decrypted packets:           3333
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

node1:
————————————————————————–

ESP Statistics:
  Encrypted bytes:                0
  Decrypted bytes:                0
  Encrypted packets:              0
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

 

Enjoy working with Azure and your Juniper SRX

 

 

 

 

 

 

Config Backup–What if you had a Backup for Every Commit?

I’m not kidding, OK on each device Juniper keeps that last 49 old plus the active config for a total of 50.  But what if you needed to look back further than that.

Well you can in fact you can configure JUNOS to save a backup of every commit to a FTP server.  Its simple, here’s how.

edit

set system archival configuration transfer-on-commit archive sites ftp://server/path

 

Active FTP server

system {
    archival {
        configuration {
            transfer-on-commit;
                archive-sites {
                    "ftp://admin:password@192.168.1.100/configurations";
                }
        }
    }
}

Passive FTP server

system {
    archival {
        configuration {
            transfer-on-commit;
                archive-sites {
                    "pasvftp://admin:password@192.168.1.100/configurations";
                }
        }
    }
}

 

And your all done.

 

Reference Juniper KB 20952

WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE

This happens when the main image is corrupt or has failed a boot.  When this happens you may or may not have a functional switch.

Did I mention I love this message!!!

****************************************************************************************
** **
** WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE **
** **
** It is possible that the primary copy of JUNOS failed to boot up **
** properly, and so this device has booted from the backup copy. **
** **
** Please re-install JUNOS to recover the primary copy in case **
** it has been corrupted. **
** **
****************************************************************************************

What should happen is that you have a backup image which is the same as your primary image and you boot up and everything is OK.

Sometimes I have run into the instance where the configuration partition is corrupt and you cannot write to it because it booted as a read only.  The switch may still function correctly if it is a member of a virtual chassis however you cannot commit any new changes.

You have to take the switch down for maintenance and correct the primary image.

Some times the method of just copying the alternate image to primary with the command request system snapshot slice alternate does not copy because of the corruption.

You can try and download a new image form a tftp, ftp or web sever using request system software add url:\\server/path

There is time when this will not work because either the networking or virtual chassis is not up on the individual switch so there is no network access, you can try using a USB stick.

If all else fails you can do the following, boot into the loader and then tftp a new image

Steps:

1- Reboot the Switch

2- Interrupt the boot at the loader prompt

Hit [Enter] to boot immediately, or space bar for command prompt.

3- You will now be at the boot loader prompt

loader>

4- Set the following info up at the loader prompt

set ipaddr=x.x.x.x

set netmask=x.x.x.x

set serverip=x.x.x.x

Where ipaddr is the switch temporary IP address, netmask is the netmask for the switch, serverip is the tftp server address, note the tftp server should be on the same L2 lan segment.

5- Then issue the install command with a path and image, you can add the option  –format  for example

install –format tftp://172.16.1.1/Juniper/EX/switchimage.tgz

At this point the switch is factory default reload your config or add it back to your virtual chassis and your back up and running.  By using the format option you add the image to both the primary and secondary image slices.

SRX Chassis Cluster with Redundant LACP LAG trunk

Ok here is the config Example, we will be configuring a SRX240 Chassis Cluster to have a reth1 LAG of 2G using LACP.

on the srx first set the members, you can do this on each interface but I link smaller configs and use interface-range a lot.

interface-range reth1-members
member ge-0/0/10;
member ge-0/0/11;
member ge-5/0/10;
member ge-5/0/11;
gigether-options {
    redundant-parent reth1;
}

as always here is the set version

set interfaces interface-range reth1-members member ge-0/0/10
set interfaces interface-range reth1-members member ge-0/0/11
set interfaces interface-range reth1-members member ge-5/0/10
set interfaces interface-range reth1-members member ge-5/0/11
set interfaces interface-range reth1-members gigether-options redundant-parent reth10

now configure the reth1 interface

reth1
description Trunk_4_SWT01-;
redundant-ether-options {
    redundancy-group 1;
    link-speed 1g;
    minimum-links 1;
    lacp {
        active;
        periodic fast;
    }
}
unit 0 {
    family inet {
        address 192.168.51.254/24;
    }
}

OK were all done on the SRX until test time, now for the EX Switch Side remember we need two different LACP on the switch to match the two SUB LAG LACP trunks on the SRX, I am using ase4 and ae5

ae4 members

interface-range ae4-members
member ge-0/0/21;
member ge-2/0/21;
ether-options {
    802.3ad ae4;
}

set interfaces interface-range ae4-members member ge-0/0/21
set interfaces interface-range ae4-members member ge-2/0/21
set interfaces interface-range ae4-members ether-options 802.3ad ae4

ae4 interface

ae4
description Trunk_4_FW01-Node0;
aggregated-ether-options {
    minimum-links 1;
    link-speed 1g;
    lacp {
        active;
        periodic fast;
    }
}
unit 0 {
    description FW01;
    family ethernet-switching;
}

set interfaces ae4 description Trunk_4_FW01-Node0
set interfaces ae4 aggregated-ether-options minimum-links 1
set interfaces ae4 aggregated-ether-options link-speed 1g
set interfaces ae4 aggregated-ether-options lacp active
set interfaces ae4 aggregated-ether-options lacp periodic fast
set interfaces ae4 unit 0 description FW01
set interfaces ae4 unit 0 family ethernet-switching

ae5 members

interface-range ae5-members
member ge-1/0/21;
member ge-3/0/21;
ether-options {
    802.3ad ae5;
}

set interfaces interface-range ae5-members member ge-1/0/21
set interfaces interface-range ae5-members member ge-3/0/21
set interfaces interface-range ae5-members ether-options 802.3ad ae5

ae5 interface

ae5
description Trunk_4_FW01-Node1;
aggregated-ether-options {
    minimum-links 1;
    link-speed 1g;
    lacp {
        active;
        periodic fast;
    }
}
unit 0 {
    description FW01;
    family ethernet-switching;
}

set interfaces ae5 description Trunk_4_FW01-Node1
set interfaces ae5 aggregated-ether-options minimum-links 1
set interfaces ae5 aggregated-ether-options link-speed 1g
set interfaces ae5 aggregated-ether-options lacp active
set interfaces ae5 aggregated-ether-options lacp periodic fast
set interfaces ae5 unit 0 description FW01
set interfaces ae5 unit 0 family ethernet-switching

OK now the cabling,

SRX-Node0-ge-0/0/10 to EXSwitch-member0-ge-0/0/21

SRX-Node1-ge-5/0/10 to EXSwitch-member0-ge-1/0/21

SRX-Node0-ge-0/0/11 to EXSwitch-member0-ge-2/0/21

SRX-Node1-ge-5/0/11 to EXSwitch-member0-ge-3/0/21

 

Now let check and see how we did

Switch ae4

>show interfaces ae4 detail
Physical interface: ae4, Enabled, Physical link is Up
  Interface index: 132, SNMP ifIndex: 606, Generation: 135
  Description: Trunk_4_FW01-Main
  Link-level type: Ethernet, MTU: 1514, Speed: 2Gbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
  Minimum links needed: 1, Minimum bandwidth needed: 0
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Current address: 00:1f:12:31:56:87, Hardware address: 00:1f:12:31:56:87
  Last flapped   : 2013-08-04 15:34:55 EDT (00:04:46 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :              9282502                 2048 bps
   Output bytes  :            505549141                 2048 bps
   Input  packets:                36169                    2 pps
   Output packets:              3936096                    2 pps
   IPv6 transit statistics:
    Input  bytes  :                   0
    Output bytes  :                   0
    Input  packets:                   0
    Output packets:                   0

  Logical interface ae4.0 (Index 133) (SNMP ifIndex 788) (Generation 251)
    Description: FW01
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :             0          0             0            0
        Output:             0          0             0            0
    Link:
      ge-0/0/21.0
      ge-2/0/21.0
    LACP info:        Role     System             System      Port    Port  Port
                             priority          identifier  priority  number   key
      ge-0/0/21.0    Actor        127  00:1f:12:31:56:80       127      15     5
      ge-0/0/21.0  Partner        127  00:10:db:ff:70:00       127      23   130
      ge-2/0/21.0    Actor        127  00:1f:12:31:56:80       127      17     5
      ge-2/0/21.0  Partner        127  00:10:db:ff:70:00       127      24   130
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      ge-0/0/21.0              291         444            0            0
      ge-2/0/21.0              295         445            0            0
    Marker Statistics:   Marker Rx     Resp Tx   Unknown Rx   Illegal Rx
      ge-0/0/21.0                0           0            0            0
      ge-2/0/21.0                0           0            0            0
    Protocol eth-switch, Generation: 281, Route table: 0
      Flags: None

Switch ae5

>show interfaces ae5 detail
Physical interface: ae5, Enabled, Physical link is Up
  Interface index: 133, SNMP ifIndex: 607, Generation: 136
  Description: Trunk_4_FW01-Main
  Link-level type: Ethernet, MTU: 1514, Speed: 2Gbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
  Minimum links needed: 1, Minimum bandwidth needed: 0
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Current address: 00:1f:12:31:56:88, Hardware address: 00:1f:12:31:56:88
  Last flapped   : 2013-08-04 15:34:55 EDT (00:06:10 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :               101462                 3608 bps
   Output bytes  :              6447381                 2560 bps
   Input  packets:                  778                    3 pps
   Output packets:                45906                    3 pps
   IPv6 transit statistics:
    Input  bytes  :                   0
    Output bytes  :                   0
    Input  packets:                   0
    Output packets:                   0

  Logical interface ae5.0 (Index 136) (SNMP ifIndex 790) (Generation 254)
    Description: FW01
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :             0          0             0            0
        Output:             0          0             0            0
    Link:
      ge-1/0/21.0
      ge-3/0/21.0
    LACP info:        Role     System             System      Port    Port  Port
                             priority          identifier  priority  number   key
      ge-1/0/21.0    Actor        127  00:1f:12:31:56:80       127      16     6
      ge-1/0/21.0  Partner        127  00:10:db:ff:70:00       127      25   130
      ge-3/0/21.0    Actor        127  00:1f:12:31:56:80       127      18     6
      ge-3/0/21.0  Partner        127  00:10:db:ff:70:00       127      26   130
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      ge-1/0/21.0              350         502            0            0
      ge-3/0/21.0              351         502            0            0
    Marker Statistics:   Marker Rx     Resp Tx   Unknown Rx   Illegal Rx
      ge-1/0/21.0                0           0            0            0
      ge-3/0/21.0                0           0            0            0
    Protocol eth-switch, Generation: 284, Route table: 0
      Flags: None

SRX reth1

> show interfaces reth1 detail
Physical interface: reth1, Enabled, Physical link is Up
  Interface index: 129, SNMP ifIndex: 571, Generation: 132
  Description: Trunk_4_SWT01-
  Link-level type: Ethernet, MTU: 1514, Speed: 2Gbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
  Minimum links needed: 1, Minimum bandwidth needed: 0
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Current address: 00:10:db:ff:70:01, Hardware address: 00:10:db:ff:70:01
  Last flapped   : 2013-08-04 19:34:56 UTC (00:06:51 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :               207204                 3936 bps
   Output bytes  :               218116                 3952 bps
   Input  packets:                 1671                    0 pps
   Output packets:                 1727                    2 pps
  Ingress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    0                    0                    0
    1 expedited-fo                   0                    0                    0
    2 assured-forw                   0                    0                    0
    3 network-cont                   0                    0                    0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    4                    4                    0
    1 expedited-fo                   0                    0                    0
    2 assured-forw                   0                    0                    0
    3 network-cont                1727                 1727                    0
  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control

  Logical interface reth1.0 (Index 98) (SNMP ifIndex 622) (Generation 165)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :             0          0             0            0
        Output:             0          0             0            0
    Link:
      ge-0/0/10.0
        Input :             0          0             0            0
        Output:            17          0          3107            0
      ge-0/0/11.0
        Input :             0          0             0            0
        Output:            17          0          3107            0
      ge-5/0/10.0
        Input :             0          0             0            0
        Output:            17          0          3139            0
      ge-5/0/11.0
        Input :             0          0             0            0
        Output:            18          0          3328            0
    LACP info:        Role     System             System      Port    Port  Port
                             priority          identifier  priority  number   key
      ge-0/0/10.0    Actor        127  00:10:db:ff:70:00       127      23     2
      ge-0/0/10.0  Partner        127  00:1f:12:31:56:80       127      15     5
      ge-0/0/11.0    Actor        127  00:10:db:ff:70:00       127      24     2
      ge-0/0/11.0  Partner        127  00:1f:12:31:56:80       127      17     5
      ge-5/0/10.0    Actor        127  00:10:db:ff:70:00       127      25     2
      ge-5/0/10.0  Partner        127  00:1f:12:31:56:80       127      16     6
      ge-5/0/11.0    Actor        127  00:10:db:ff:70:00       127      26     2
      ge-5/0/11.0  Partner        127  00:1f:12:31:56:80       127      18     6
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      ge-0/0/10.0              418         416            0            0
      ge-0/0/11.0              419         420            0            0
      ge-5/0/10.0              419         417            0            0
      ge-5/0/11.0              419         417            0            0
    Marker Statistics:   Marker Rx     Resp Tx   Unknown Rx   Illegal Rx
      ge-0/0/10.0                0           0            0            0
      ge-0/0/11.0                0           0            0            0
      ge-5/0/10.0                0           0            0            0
      ge-5/0/11.0                0           0            0            0
    Security: Zone: Null
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        0
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 178, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 192.168.51/24, Local: 192.168.51.254, Broadcast: 192.168.51.255, Generation: 177

And there you have it a 2 node SRX240H connected to a 4 member EX4200 Virtual Chassis.  All up and running at 2Gbps LACP trunk form the SRX to the Switch.

Note on the Switch configuration I omitted the vlan portion of the configuration and I assume you can handle that part AOK.

So you want to protect your Cluster and you do reth what about LACP reth?

So let me try and explain how juniper does this…..let me just say this is simply amazing and right on.

Juniper set this up to give you more bandwidth and a hitless fail over.

a reth interface typically has 2 members where the redundancy group for that member is running is where the active port is, juniper does not take down the backup interface but keeps it up and active however does not use it to pass traffic.

Now lets through LACP trunks into the mix to add more bandwidth to the interface.

This is accomplished by creating a RETH/LACP trunk. or really creating an active LACP and a redundant LACP, remember Juniper keeps the redundant port active, so in order to make the switch happy and up we need three LACP configs, what no just two.  OK let me explain.

Typical you when you do LACP you create a trunk on device A and the matching config on device B.  But we have to account for the redundant portion, remember juniper keeps this ports up and ready but does not pass traffic on it.  This will mess up the LACP on the switch.

On the SRX we create a reth and LACP trunk on a total of 4 interfaces two on each nodes in the cluster all connecting to the switch. but on the switch side we need to creat two LACP trunks one for the active reth and one for the redundant reth trunk.

Wow that’s a mouth full.  Juniper explains this here but saying on the SRX when you add LACP to the reth you are actually creating one LACP but with 2 sub LAGs underneath. Cool eh. so the active node has a 2 port LACP trunk which connects to the switch LACP trunk A and the redundant node in the group creates a second sub-LAG  to the switches second LACP trunk.

So on the switch you have two LACP trunks up and active however the SRX only sends traffic down one.  If you try and add all 4 ports to a single LACP trunk on the switch this will not come up and will not pass traffic.  on the redundant LACP trunk the SRX keeps it up and passing LACP packets so that it is ready to switch traffic over in a hitless manor.

Sweet eh?  I’ll di a follow up post on this config and give you examples.

You have Suspended Jobs!!!!!! on Juniper

hey there have you ever accidently hit CTRL-Z while editing a config in Juniper because of old Cisco Bad Habits you have.

You end up at this prompt

{master:0}[edit]
root@SWT01#
Suspended
root@SWT01:RE:0%

So what you have to do just incase there is any other people like you doing the same thing on the switch is type jobs at the % prompt and you will get a list of suspended jobs

root@SWT01:RE:0% jobs
[1]  + Suspended                     cli
root@SWT01:RE:0%

Now to get back to your config type fg 1 where 1 is the [1] from the list of suspended jobs and you will get put back into your config and then you can exit properly

root@SWT01:RE:0% fg 1
cli
root@SWT01#

{master:0}[edit]
root@SWT01#

Your welcome!!!! Enjoy!!!!

Juniper to Cisco PPP T1 Connection (Back-to-Back)

This example will show you how to configure your Juniper SRX or J Series Routers to connect to a Cisco Router acting as a telco Cloud.

First off we need to connect our routers together.

I am using a Cisco 3640 router with the following hardware NM-2FE2W in slot 0 and a VWIC-2MFT-T1/E1 WIC slot 0.  The router is running c3640-ik9o3s-mz.124-23.bin

I made a T1 Cross Over (Back-to-Back) cable.  I used a 6 foot piece of CAT5 cable trimmed the green and brown pairs down to keep them out of the way.  Crimped the cable with the following pin out.

Side of Cable	Pin 1	Pin 2	Pin 4	Pin 5
A-Side	Orange	White/Orange	Blue	White/Blue
B-Side	Blue	White/Blue	Orange	White/Orange

note: locking tab faces down, pins are facing up

With the above cable you can physically connect 2 T1 CSD/DSU Cards together and get CD or carrier detect, from there you can configure your T1 interfaces.

It does not matter which side you use on either router as it is a simple T1 crossover cable.

Here is the code used on the Cisco side, you have to configure 2 configuration areas the controller and the interface.

The controller area tells the controller on the card which port protocol to use and then enables that area in the config.

.csharpcode, .csharpcode pre
{
font-size: small;
color: black;
font-family: consolas, “Courier New”, courier, monospace;
background-color: #ffffff;
/*white-space: pre;*/
}
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #006080; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { color: #cc6633; }
.csharpcode .asp { background-color: #ffff00; }
.csharpcode .html { color: #800000; }
.csharpcode .attr { color: #ff0000; }
.csharpcode .alt
{
background-color: #f4f4f4;
width: 100%;
margin: 0em;
}
.csharpcode .lnum { color: #606060; }

controller T1 0/0     !! This is the controller in slot 0 wic 0 port 0
description Connected to Juniper SRX240H t1-5/0/0
framing esf     !! this sets the line protocol to enhanced super frame
clock source internal     !! this sets the Cisco controller to apply clocking for the link (to mimic telco side)
linecode b8zs     !! this sets the line code to B8Zs Bipolar with 8 Zero Substitution
channel-group 0 timeslots 1-24 speed 64     !! this creates a serial interface Serial0/0:0 to use if you change the first 0 to a 3 then the serial interface would be Serial0/0:3  in rhis example we are utilizing all 24 DS0 channles for a full T1 you could use less by doing 1-8,24 to use DS0 1 to DS0 8 and the signalling on DS0 24 this would give you a 512K fractional T1

The Serial interface area of the Cisco Config

interface Serial0/0:0     !! This is the serial interface created from the controller code
ip address 192.168.64.2 255.255.255.252  !! This is the IP Address on the Cisco Interface
encapsulation ppp     !! make the encapsulation PPP
no ip route-cache     !! turns of IP route cache
no cdp enable     !! turns off Cisco CDP protocol

OK the Cisco Side of the configuration is complete, note you may need to issue no shutdown on the controller and the serial interface as Cisco’s Default is to leave everything turned off (administratively down).

And now for the fun part the Juniper code.  I used an SRX240 in a Active/Passive Cluster but the code is the same for the J-Series as well.

The other side of the T1 Cross Over Cable is plugged into a SRX-MP-1T1E1 Mini-PIM this was plugged into mPIM port 1 of node 0 of the chassis cluster.  This makes the port named t1-1/0/0 – yes 1 as it is the 1st slot in the overall chassis cluster.  Note the  the first mPIM slot in node 1 would be t1-5/0/0

clocking external;
encapsulation ppp;
unit 0 {
    family inet {
        address 192.168.64.1/30;
    }
}

A lot less code eh.  to enter the code its just a single line see below:

set interfaces t1-1/0/0 clocking external encapsulation ppp unit 0 family inet address 192.168.64.1/30

IF you wanted to do each item separately you would enter this following

set interfaces t1-1/0/0 clocking external
set interfaces t1-1/0/0 encapsulation ppp
set interfaces t1-1/0/0 unit 0 family inet address 192.168.64.1/30

the you will see both sides are up up in the cisco term.

See below

Cisco Interfaces

Cisco#show interfaces Serial0/0:0
Serial0/0:0 is up, line protocol is up
  Hardware is DSCC4 Serial
  Internet address is 192.168.64.2/30
  MTU 1500 bytes, BW 1536 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, loopback not set
  Keepalive set (10 sec)
  Last input 02:37:58, output 00:00:01, output hang never
  Last clearing of "show interface" counters 08:16:59
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5845
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/5845 (size/max total/threshold/drops)
     Conversations  0/2/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1152 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     59390 packets input, 36873298 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 1 abort
     61018 packets output, 36895382 bytes, 0 underruns
     0 output errors, 0 collisions, 439 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
  Timeslot(s) Used:1-24, SCC: 0, Transmitter delay is 0 flags
Cisco#

And the Juniper side short check

{primary:node0}
root@SRX240H> show interfaces t1-1/0/0 terse
Interface               Admin Link Proto    Local                 Remote
t1-1/0/0                up    up
t1-1/0/0.0              up    up   inet     192.168.64.1/30

{primary:node0}
root@SRX240H>

And the Extended version

{primary:node0}
root@WPJFW01> show interfaces t1-1/0/0 extensive
Physical interface: t1-1/0/0, Enabled, Physical link is Up
  Interface index: 161, SNMP ifIndex: 539, Generation: 164
  Link-level type: PPP, MTU: 1504, Clocking: External, Speed: T1, Loopback: None, FCS: 16,
  Framing: ESF
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps Internal: 0x0
  Link flags     : Keepalives
  Hold-times     : Up 0 ms, Down 0 ms
  Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
  Keepalive statistics:
    Input : 2123 (last seen 00:00:08 ago)
    Output: 2158 (last sent 00:00:03 ago)
  LCP state: Opened
  NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls:
  Not-configured
  CHAP state: Closed
  PAP state: Closed
  CoS queues     : 8 supported, 8 maximum usable queues
  Last flapped   : 2013-07-29 18:54:04 UTC (08:24:23 ago)
  Statistics last cleared: 2013-07-29 21:16:04 UTC (06:02:23 ago)
  Traffic statistics:
   Input  bytes  :             36651982                    0 bps
   Output bytes  :             37574164                    0 bps
   Input  packets:                59399                    0 pps
   Output packets:                59407                    0 pps
  Input errors:
    Errors: 1, Drops: 0, Framing errors: 1, Policed discards: 0, L3 incompletes: 0,
    L2 channel errors: 0, L2 mismatch timeouts: 0, HS link CRC errors: 0, SRAM errors: 0,
    Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, Aged packets: 0, MTU errors: 0,
    Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                55115                55115                    0
    1 expedited-fo                   0                    0                    0
    2 assured-forw                   0                    0                    0
    3 network-cont                4292                 4292                    0
  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control
  DS1   alarms   : None
  DS1   defects  : None
  T1  media:            Seconds        Count  State
    SEF                          0            0  OK
    BEE                          0            0  OK
    AIS                          0            0  OK
    LOF                          0            0  OK
    LOS                          0            0  OK
    YELLOW                       0            0  OK
    BPV                          0            0
    EXZ                          0            0
    LCV                          0            0
    PCV                          0            0
    CS                           0            0
    LES                          0
    ES                           0
    SES                          0
    SEFS                         0
    BES                          0
    UAS                          0
  HDLC configuration:
    Policing bucket: Disabled
    Shaping bucket : Disabled
    Giant threshold: 1506, Runt threshold: 0
    Timeslots      : All active
    Line encoding: B8ZS
    Buildout       : 0 to 132 feet
    Byte encoding: Nx64K, Data inversion: Disabled, Idle cycle flag: flags,
    Start end flag: shared
  DS1 BERT configuration:
    BERT time period: 10 seconds, Elapsed: 0 seconds
    Induced Error rate: 0, Algorithm: 2^15 - 1, O.151, Pseudorandom (9)
  Packet Forwarding Engine configuration:
    Destination slot: 1
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 best-effort            95        1459200    95              0      low    none
    3 network-control         5          76800     5              0      low    none

  Logical interface t1-1/0/0.0 (Index 82) (SNMP ifIndex 606) (Generation 152)
    Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: PPP
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim
    rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike
    netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet
    traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     55106
      ICMP packets :                     55106
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        36591986
      Connections established :          34173
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        36592742
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 166, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 192.168.64.0/30, Local: 192.168.64.1, Broadcast: 192.168.64.3,
        Generation: 169

{primary:node0}
root@SRX240H>

 

Have fun….