Once we have provisioned our site and we see both IPSEC tunels to OAM hubs and to EHUB are up, we can create a LAN segments to connect site end user devices to the SDWAN network.
For this first basic configuration, we are going to use this topology:
We have a SRX345 cluster (spoke site) connected to a EX4300 virtual chassis.
We want to configure a LAN segment (vlan 123) towards the EX VC.
On the EX, we will configure interfaces properly (check this to understand supported vs unsupported configuration https://kb.juniper.net/InfoCenter/index?page=content&id=KB22474 . Hint, here we will have 2 ae interfaces on VC).
On the EX, we will also configure an IRB L3 interface on a matching vlan (vlan 123) emulating an end user device. The goal is to verify communications between irb and reth10.
To create a LAN segment, we go to Resource and click on the srx345 site.
From there we select the LAN tab and click on the “+” icon:
Unless previously configured, we need to create reth interface towards the VC. We click on “Add RETH Interface”:
We create the reth interface:
In the example above:
- reth has 4 interfaces (2 on node0, 2 on node1)
- redundancy group to which reth interface belongs to
- LACP enabled, active fast
- internally, SRX will treat the 4 interfaces as 2 aggregated ethernet interfaces (one with 2 interfaces on node0, one with two interfaces on node1)
- Force up is enabled is needed to onboard EX virtual chassis with MIST (see later)
- LLDP can be enabled on the interface
- please notice, LLDP must be disabled with SRX4100
CSO picks the first available reth: reth10. For LAN segments, reth10 is the first available reth interface.
Reth interfaces in the range reth0-reth9 are reserved and cannot be used for LAN segments.
We create the LAN segment on reth10:
When configuring a LAN segment:
- we choose a name
- we associate the segment with a reth interface
- we choose a vlan id
- optionally, can enable native vlan capability
- we associate segment (reth ifl) to a department (security zone)
- optionally, we can enable dhcp
- if so, SRX will act as dhcp server for the lan segment
- it is possible to specify an allocation pool
- we set reth ifl ip address
Next, we deploy changes:
Once deploy is complete, we can log into the device and verify configuration was loaded:
set groups spoke-AMS_LAB_DefaultVPN-vpn-routing-config interfaces reth10 unit 123 family inet address 192.168.123.1/24
set groups spoke-AMS_LAB_DefaultVPN-vpn-routing-config routing-instances LAN-AMS_LAB_DefaultVPN interface reth10.123
set groups reth10-config chassis cluster redundancy-group 10 interface-monitor ge-0/0/6 weight 128
set groups reth10-config chassis cluster redundancy-group 10 interface-monitor ge-0/0/7 weight 128
set groups reth10-config chassis cluster redundancy-group 10 interface-monitor ge-5/0/6 weight 128
set groups reth10-config chassis cluster redundancy-group 10 interface-monitor ge-5/0/7 weight 128
set groups reth10-config interfaces ge-0/0/6 ether-options 802.3ad lacp force-up
set groups reth10-config interfaces ge-0/0/6 ether-options 802.3ad ae0
set groups reth10-config interfaces ge-0/0/7 ether-options 802.3ad lacp force-up
set groups reth10-config interfaces ge-0/0/7 ether-options 802.3ad ae0
set groups reth10-config interfaces ge-5/0/6 ether-options 802.3ad lacp force-up
set groups reth10-config interfaces ge-5/0/6 ether-options 802.3ad ae5
set groups reth10-config interfaces ge-5/0/7 ether-options 802.3ad lacp force-up
set groups reth10-config interfaces ge-5/0/7 ether-options 802.3ad ae5
set groups reth10-config interfaces reth10 redundant-ether-options redundancy-group 10
set groups reth10-config interfaces reth10 redundant-ether-options lacp active
set groups reth10-config interfaces reth10 redundant-ether-options lacp periodic fast
set groups dept-configuration security zones security-zone Default interfaces reth10.123
set groups dept-configuration interfaces reth10 flexible-vlan-tagging
set groups dept-configuration interfaces reth10 unit 123 vlan-id 123
set groups dept-configuration interfaces reth10 unit 123 family inet filter input lan_ingress_filter
set groups dept-configuration interfaces reth10 unit 123 family inet filter group 1
set groups dept-configuration routing-instances LAN-AMS_LAB_DefaultVPN interface reth10.123
set apply-groups reth10-config
set interfaces ge-0/0/6 ether-options redundant-parent reth10
set interfaces ge-0/0/7 ether-options redundant-parent reth10
set interfaces ge-5/0/6 ether-options redundant-parent reth10
set interfaces ge-5/0/7 ether-options redundant-parent reth10
set protocols lldp interface reth10On the EX we configure L2 ethernet switching ports towards the cluster properly and add the L3 by configuring an IRB ifl.
Finally, from the EX we can verify connectivity:
umanferdini@ex4300-60-61-vc> show interfaces terse irb
Interface Admin Link Proto Local Remote
irb up up
irb.123 up up inet 192.168.77.2/24
{master:0}
umanferdini@ex4300-60-61-vc> show vlans
Routing instance VLAN name Tag Interfaces
default-switch default 1
default-switch v123 123
ae0.0*
ae1.0*
{master:0}
umanferdini@ex4300-60-61-vc> ping 192.168.77.1 rapid count 10
PING 192.168.77.1 (192.168.77.1): 56 data bytes
!!!!!!!!!!
--- 192.168.77.1 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.372/8.550/68.345/19.935 ms
Everything seems ok!
Ciao
IoSonoUmberto
IoSonoUnRouter 
2 thoughts on “Basic LAN configuration behind a spoke site with CSO”