OSPF between a vSRX-Cluster and a standalone vSRX over vQFX on EVE-NG

I promised to deliver this and here it is: OSPF over vQFX 😉
These days I lab a lot with EVE and I love it more every day – the possibilities are endless and the Labs are very very quick configured and running. With 2 new CPU’s my EVE now runs with decent Speed so compared to VMware ESX 6.0 there is no extreme performance difference anymore. I can live with that. Since D63 on the vQFX is running very stable and smooth I thought of this small OSPF Lab – I will add more “Quick-Labs” in the Future.

WARNING:
The SRX in Clustermode runs very well on EVE – however there is an optical error. If you build a Cluster, the interface mappings on EVE are completely wrong. This is due to the SRX getting a new interface (em0) as second interface Card – so if you select ge-0/0/0 in EVE, you really select em0.

But why is that you will ask? The answer is simple:
EVE is not aware of Cluster-Naming or Cluster Interfaces – so you have to think twice, what you have to select – I needed Wireshark to see what happened…
From top down the first Interface in EVE is fxp0, the second Interface is em0, the third is ge-0/0/0 or 7/0/0, the fourth is ge-0/0/1 or 7/0/1 and so on (see the Table below from Juniper):

Once I figured that out I could successfully build the Cluster (this time fully working, not just partially) and here is the Lab:

Topology:

 

vSRX-NG5+6 (the SRX-Cluster):

set version 15.1X49-D90.7
set groups node0 system host-name vSRX-NG5
set groups node1 system host-name vSRX-NG6
set apply-groups "${node}"
set system root-authentication encrypted-password "$5$i6krJW/Y$G.KrWGkf3RPukhgAVNOJDY0pdCtCd0TTAOKT3/5/4A3"
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set chassis cluster control-link-recovery
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set security zones security-zone internal host-inbound-traffic system-services all
set security zones security-zone internal host-inbound-traffic protocols all
set security zones security-zone internal interfaces reth0.0
set interfaces ge-0/0/5 gigether-options redundant-parent reth0
set interfaces ge-7/0/5 gigether-options redundant-parent reth0
set interfaces fab0 fabric-options member-interfaces ge-0/0/0
set interfaces fab1 fabric-options member-interfaces ge-7/0/0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.10.10.2/24
set protocols ospf area 0.0.0.0 interface reth0.0
set protocols lldp interface all

 

 

vSRX-NG7 (the standalone SRX):

set version 15.1X49-D90.7
set system host-name vSRX-NG7
set system root-authentication encrypted-password "$5$6X6aODJh$tmTDU.0wKBkuF0tTDeOJQkaHGVUeVXY8RWJMY9BLpDD"
set security zones security-zone internal host-inbound-traffic system-services all
set security zones security-zone internal host-inbound-traffic protocols all
set security zones security-zone internal interfaces ge-0/0/1.0
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.1/24
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols lldp interface ge-0/0/1

 

 

Lab-C01 (Coreswitch 01, vQFX running 15.1X53-D63.9):

set version 15.1X53-D63.9
set system host-name LAB-C01
set system root-authentication encrypted-password "$1$YBH6cP7S$QFmKOiVnTEpuot6QaEWYw."
set system services ssh root-login allow
set system services netconf ssh
set system services rest http port 8080
set system services rest enable-explorer
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system extensions providers juniper license-type juniper deployment-scope commercial
set system extensions providers chef license-type juniper deployment-scope commercial
set chassis aggregated-devices ethernet device-count 2
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members vl-10
set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members vl-10
set interfaces xe-0/0/10 ether-options 802.3ad ae0
set interfaces xe-0/0/11 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options minimum-links 1
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members all
set interfaces em0 unit 0 family inet dhcp
set interfaces em1 unit 0 family inet address 169.254.0.2/24
set protocols lldp interface all
set protocols igmp-snooping vlan default
set vlans default vlan-id 1
set vlans vl-10 description OSPF-VLAN
set vlans vl-10 vlan-id 10

 

 

Lab-C02 (Coreswitch 02, vQFX running 15.1X53-D63.9):

set version 15.1X53-D63.9
set system host-name LAB-C02
set system root-authentication encrypted-password "$1$hy9eoMhU$T.tkfC86QC6LTdln/lYSW/"
set system services ssh root-login allow
set system services netconf ssh
set system services rest http port 8080
set system services rest enable-explorer
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system extensions providers juniper license-type juniper deployment-scope commercial
set system extensions providers chef license-type juniper deployment-scope commercial
set chassis aggregated-devices ethernet device-count 2
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members vl-10
set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members vl-10
set interfaces xe-0/0/10 ether-options 802.3ad ae0
set interfaces xe-0/0/11 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options minimum-links 1
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members all
set interfaces em0 unit 0 family inet dhcp
set interfaces em1 unit 0 family inet address 169.254.0.2/24
set protocols lldp interface all
set protocols igmp-snooping vlan default
set vlans default vlan-id 1
set vlans vl-10 description OSPF-VLAN
set vlans vl-10 vlan-id 10

 

Download this Lab for your EVE here: (Size 16kB, zip-Archive)
EVE-OSPF-vSRX-vQFX-Lab

11 thoughts on “OSPF between a vSRX-Cluster and a standalone vSRX over vQFX on EVE-NG

  1. Sergei

    Hi,
    Curious to know, if you was able to setup a MC-LAG over vQFX? I’m struggling with that without any success 🙁

    Reply
  2. christianscholz Post author

    Hi Sergei, I didn’t try that (yet) – what is the Problem you are having? I assume you use 3 vQFXes, right?

    Reply
    1. christianscholz Post author

      how is your cluster configured? can you share the config? Watch out for asymmetric Traffic-Flow if your SRX is running “active-active”

      Reply
  3. syed

    Hi Christian,

    I am unable to build a cluster setup for vSRX image, as the steps to bring the cluster on both the devices are a single command.
    Device-1>set chassis cluster cluster-id 1 node 0
    Device-2>set chassis cluster cluster-id 1 node 1

    Once it boots UP, it cannot detect the 2nd device interfaces in sequence than that of 1st device. Rather both of them comes UP with their own ge-0/0/0 interfaces

    Reply
    1. christianscholz Post author

      How are they connected? Did you delete the “old” interfaces first before building the Cluster?

      Reply
  4. Dan Massameno

    Hi,

    Didn’t know who else to ask. I’m using the vQFX in our GNS3 lab and it has em0, em1,… em11 interfaces in the GNS3 UI. From the vQFX CLI I can configure these interfaces with IPv4 addresses and ping, no problem. But it doesn’t do FAMILY ETHERNET-SWITCHING…

    oot@vqfx-re# set interfaces em4 unit 0 family ?
    Possible completions:
    > ccc Circuit cross-connect parameters
    > inet IPv4 parameters
    > inet6 IPv6 protocol parameters
    > iso OSI ISO protocol parameters
    > mpls MPLS protocol parameters

    What am I missing? I would like to do some experiments with bridging and STP.

    Thanks!

    Reply
  5. Dan Massameno

    Found the answer experimentally.

    If the RE and the PFE are hooked up correctly with their em1 interfaces then you will have xe-0/0/[0-11]. Those map to the GNS3 UI as such…

    em3 xe-0/0/0
    em4 xe-0/0/1
    em5 xe-0/0/2
    em6 xe-0/0/3
    em7 xe-0/0/4
    em8 xe-0/0/5
    em9 xe-0/0/6
    em10 xe-0/0/7
    em11 xe-0/0/8
    Unknown xe-0/0/9
    Unknown xe-0/0/10
    Unknown xe-0/0/11

    Don’t know how to access xe-0/0/[9-11] but I’m happy with nine available.

    Reply
  6. Alex

    Hello Christian,
    I am working on creating a cluster of 2 SRX and connecting it via to 2 Reth interfaces to two vQFX switches via AE interlaces (Internet * Admin)
    the cluster is ok but RETH – AE connections don’t get up so I got the following question:
    – is it correct that if on the diagram I connected ge-0/0/2 on SRX1 to xe-0/0/0 on vQFX switch then I need actually to configure ge-0/0/2+1 =(ge-0/0/3) on the SRX
    – is there any changes should be done to speed/MTU on SRX interface side as they are GE and on the vQFX interface is xe
    – I am using vsrxng-17.3R.10 with degault QMEU version tpl(2.4.0), should I use
    version 4.1.0 instead? , now it takes 20 min to get up

    ==== here is my configuration:

    ——On WL_AGG_SW1
    set vlans Internet description “Internet vlan”
    set vlans Internet vlan-id 30

    set chassis aggregated-devices ethernet device-count 2

    # I am deleting them to remove default EVE configs
    delete interfaces xe-0/0/2
    delete interfaces xe-0/0/3

    set interfaces xe-0/0/2 ether-options 802.3ad ae0
    set interfaces xe-0/0/2 description “### WL_SRX ge-0/0/2”
    set interfaces xe-0/0/3 ether-options 802.3ad ae0
    set interfaces xe-0/0/2 description “### WL_SRX ge-7/0/2”

    set interfaces ae0 description “### WL_SRX Reth0”
    set interfaces ae0 aggregated-ether-options minimum-links 1
    set interfaces ae0 aggregated-ether-options lacp active
    set interfaces ae0 unit 0 family ethernet-switching interface-mode access
    set interfaces ae0 unit 0 family ethernet-switching vlan members Internet

    ————— ON SRX ——————————————
    #Cluster and security zones configs are in place

    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-7/0/2 weight 255
    set chassis cluster redundancy-group 1 interface-monitor reth1 weight 255


    set interfaces ge-0/0/2 gigether-options redundant-parent reth1
    set interfaces ge-7/0/2 gigether-options redundant-parent reth1
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 vlan-tagging
    set interfaces reth1 unit 0 vlan-id 30
    set interfaces reth1 unit 0 family inet address 100.1.1.1/29
    set security zones security-zone Internet interfaces reth1.0

    Reply
  7. Alex

    ok I figured it out with the interface mapping:
    on SRX ge-0/0/4 port = ge-0/0/3 interface
    on SRX ge-0/0/2 port = ge-0/0/1 interface

    Also On the diagram I have srx1 srx2 connected via ge-0/0/0 & ge-0/0/1 so actually in configuration it’s this em0 interface and ge-0/0/0 , Actually it’s already mentioned in the post but I didn’t get quickly 🙂

    so for now got the physics up and need to check RETH-AE & LACP

    Reply
    1. Tyler

      I was wondering if you actually got the “XE” on vQFX and “GE” on vSRX interfaces to talk to each other? I am stuck on that spot. I was able to figure out the mapping issue and verify it by connecting the one of the vSRX GE interfaces to a vMX.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha * Time limit is exhausted. Please reload CAPTCHA.