Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Chassis Cluster User Guide for SRX Series Devices Setting Up a Chassis Cluster

Chassis Cluster User Guide for SRX Series Devices

keyboard_arrow_up
close
keyboard_arrow_left
Chassis Cluster User Guide for SRX Series Devices
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Chassis Cluster Redundant Ethernet Interfaces

date_range 19-Mar-24
arrow_backward
arrow_forward

A redundant Ethernet (reth) interface is a pseudo-interface that includes minimum one physical interface from each node of a cluster. A reth interface of the active node is responsible for passing the traffic in a chassis cluster setup. For more information, see the following topics:

Understanding Chassis Cluster Redundant Ethernet Interfaces

For SRX300, SRX320, SRX340, SRX345, SRX380, SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, and SRX4300 devices, the total number of logical interfaces that you can configure across all the redundant Ethernet (reth) interfaces in a chassis cluster deployment is 1024.

For SRX5800, SRX5600, SRX5400, and SRX4600 devices, the total number of logical interfaces that you can configure across all the redundant Ethernet (reth) interfaces in a chassis cluster deployment is 4096.

Starting with Junos OS Release 12.1X45-D10 and later, sampling features such as flow monitoring, packet capture, and port mirroring are supported on reth interfaces.

A redundant Ethernet interface must contain, at minimum, a pair of Fast Ethernet interfaces or a pair of Gigabit Ethernet interfaces that are referred to as child interfaces of the redundant Ethernet interface (the redundant parent). If two or more child interfaces from each node are assigned to the redundant Ethernet interface, a redundant Ethernet interface link aggregation group can be formed. A single redundant Ethernet interface might include a Fast Ethernet interface from node 0 and a Fast Ethernet interface from node 1 or a Gigabit Ethernet interface from node 0 and a Gigabit Ethernet interface from node 1.

On SRX5600, and SRX5800 devices, interfaces such as 10-Gigabit Ethernet (xe), 40-Gigabit Ethernet, and 100-Gigabit Ethernet can be redundant Ethernet (reth) interfaces.

SRX4100 and SRX4200 devices support 10-Gigabit Ethernet (xe) interfaces as redundant Ethernet (reth) interfaces.

A redundant Ethernet interface is referred to as a reth in configuration commands.

A redundant Ethernet interface's child interface is associated with the redundant Ethernet interface as part of the child interface configuration. The redundant Ethernet interface child interface inherits most of its configuration from its parent.

The maximum number of redundant Ethernet interfaces that you can configure varies, depending on the device type you are using, as shown in Table 1. The number of redundant Ethernet interfaces configured determines the number of redundancy groups that can be configured in the SRX Series Firewalls.

Table 1: Maximum Number of Redundant Ethernet Interfaces Allowed (SRX300, SRX320, SRX340, SRX345, SRX380, SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800)

Device

Maximum Number of reth Interfaces

SRX4600

128

SRX4100, SRX4200, and SRX4300

128

SRX5400, SRX5600, SRX5800

128

SRX300, SRX320, SRX340, SRX345,SRX380

128

SRX1500

128

SRX1600

128

SRX2300

128

You can enable promiscuous mode on redundant Ethernet interfaces. When promiscuous mode is enabled on a Layer 3 Ethernet interface, all packets received on the interface are sent to the central point or Services Processing Unit (SPU), regardless of the destination MAC address of the packet. If you enable promiscuous mode on a redundant Ethernet interface, promiscuous mode is then enabled on any child physical interfaces.

To enable promiscuous mode on a redundant Ethernet interface, use the promiscuous-mode statement at the [edit interfaces] hierarchy.

A redundant Ethernet interface inherits its failover properties from the redundancy group x that it belongs to. A redundant Ethernet interface remains active as long as its primary child interface is available or active. For example, if reth0 is associated with redundancy group 1 and redundancy group 1 is active on node 0, then reth0 is up as long as the node 0 child of reth0 is up.

Point-to-Point Protocol over Ethernet (PPPoE) over redundant Ethernet (reth) interface is supported on SRX300, SRX320, SRX340, SRX345, SRX380, SRX1500, and SRX1600 devices in chassis cluster mode. This feature allows an existing PPPoE session to continue without starting a new PPP0E session in the event of a failover.

On SRX300, SRX320, SRX340, SRX345, and SRX380 devices, the number of child interfaces is restricted to 16 on the reth interface (eight per node).

When using SRX Series Firewalls in chassis cluster mode, it is not recommended to configure any local interfaces (or combination of local interfaces) along with redundant Ethernet interfaces.

For example:

The following configuration of chassis cluster with redundant Ethernet interfaces in which interfaces are configured as local interfaces:

content_copy zoom_out_map
ge-2/0/2 {
    unit 0 {
        family inet { 
            address 10.1.1.1/24;
        }
    }
}

The following configuration of chassis cluster redundant Ethernet interfaces, in which interfaces are configured as part of redundant Ethernet interfaces, is supported:

content_copy zoom_out_map
interfaces {
    ge-2/0/2 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
}

You can enable promiscuous mode on redundant Ethernet interfaces. When promiscuous mode is enabled on a Layer 3 Ethernet interface, all packets received on the interface are sent to the central point or Services Processing Unit (SPU), regardless of the destination MAC address of the packet. If you enable promiscuous mode on a redundant Ethernet interface, promiscuous mode is then enabled on any child physical interfaces.

To enable promiscuous mode on a redundant Ethernet interface, use the promiscuous-mode statement at the [edit interfaces] hierarchy.

IP-over-IP Tunneling

IP-over-IP tunneling is supported over the reth interface in SRX chassis cluster configuration. Tunneling allows the encapsulation of one IP packet over another IP packet.

The tunnel configuration is created on both the primary and secondary devices. The traffic passing through the IP-IP tunnel is synced from primary device to secondary device. The tunnel configuration on secondary device is considered as backup and active in the event of failure of the primary device. The traffic resumes on the secondary device in the event of the failure of the primary.

On SRX Series Firewalls, Generic Routing Encapsulation (GRE) and IP-IP tunnels use internal interfaces, gr-0/0/0 and ip-0/0/0, respectively. The Junos OS creates these interfaces at system bootup; they are not associated with physical interfaces.

See Also

Example: Configuring Chassis Cluster Redundant Ethernet Interfaces

This example shows how to configure chassis cluster redundant Ethernet interfaces. A redundant Ethernet interface is a pseudointerface that contains two or more physical interfaces, with at least one from each node of the cluster.

Requirements

Before you begin:

Overview

After physical interfaces have been assigned to the redundant Ethernet interface, you set the configuration that pertains to them at the level of the redundant Ethernet interface, and each of the child interfaces inherits the configuration.

If multiple child interfaces are present, then the speed of all the child interfaces must be the same.

A redundant Ethernet interface is referred to as a reth in configuration commands.

You can enable promiscuous mode on redundant Ethernet interfaces. When promiscuous mode is enabled on a Layer 3 Ethernet interface, all packets received on the interface are sent to the central point or Services Processing Unit regardless of the destination MAC address of the packet. If you enable promiscuous mode on a redundant Ethernet interface, promiscuous mode is then enabled on any child physical interfaces.

To enable promiscuous mode on a redundant Ethernet interface, use the promiscuous-mode statement at the [edit interfaces] hierarchy.

Configuration

Configuring Chassis Cluster Redundant Ethernet Interfaces for IPv4 Addresses

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

content_copy zoom_out_map
{primary:node0}[edit]
set interfaces ge-0/0/0 gigether-options redundant-parent reth1
set interfaces ge-7/0/0 gigether-options redundant-parent reth1 
set interfaces fe-1/0/0 fast-ether-options redundant-parent reth2 
set interfaces fe-8/0/0 fast-ether-options redundant-parent reth2 
set interfaces reth1 redundant-ether-options redundancy-group 1 
set interfaces reth1 unit 0 family inet mtu 1500 
set interfaces reth1 unit 0 family inet address 10.1.1.3/24 
set security zones security-zone Trust interfaces reth1.0
Step-by-Step Procedure

To configure redundant Ethernet interfaces for IPv4:

  1. Bind redundant child physical interfaces to reth1.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces ge-0/0/0 gigether-options redundant-parent reth1
user@host# set interfaces ge-7/0/0 gigether-options redundant-parent reth1

  2. Bind redundant child physical interfaces to reth2.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces fe-1/0/0 fast-ether-options redundant-parent reth2
user@host# set interfaces fe-8/0/0 fast-ether-options redundant-parent reth2

  3. Add reth1 to redundancy group 1.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces reth1 redundant-ether-options redundancy-group 1

  4. Set the MTU size.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces reth1 unit 0 family inet mtu 1500

    The maximum transmission unit (MTU) set on the reth interface can be different from the MTU on the child interface.

  5. Assign an IP address to reth1.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces reth1 unit 0 family inet address 10.1.1.3/24

  6. Associate reth1.0 to the trust security zone.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set security zones security-zone Trust interfaces reth1.0

Configuring Chassis Cluster Redundant Ethernet Interfaces for IPv6 Addresses

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

content_copy zoom_out_map
{primary:node0}[edit]
set interfaces ge-0/0/0 gigether-options redundant-parent reth1
set interfaces ge-7/0/0 gigether-options redundant-parent reth1 
set interfaces fe-1/0/0 fast-ether-options redundant-parent reth2 
set interfaces fe-8/0/0 fast-ether-options redundant-parent reth2 
set interfaces reth2 redundant-ether-options redundancy-group 1 
set interfaces reth2 unit 0 family inet6 mtu 1500 
set interfaces reth2 unit 0 family inet6 address 2010:2010:201::2/64 
set security zones security-zone Trust interfaces reth2.0
Step-by-Step Procedure

To configure redundant Ethernet interfaces for IPv6:

  1. Bind redundant child physical interfaces to reth1.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces ge-0/0/0 gigether-options redundant-parent reth1
user@host# set interfaces ge-7/0/0 gigether-options redundant-parent reth1

  2. Bind redundant child physical interfaces to reth2.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces fe-1/0/0 fast-ether-options redundant-parent reth2
user@host# set interfaces fe-8/0/0 fast-ether-options redundant-parent reth2

  3. Add reth2 to redundancy group 1.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces reth2 redundant-ether-options redundancy-group 1

  4. Set the MTU size.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces reth2 unit 0 family inet6 mtu 1500

  5. Assign an IP address to reth2.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces reth2 unit 0 family inet6 address 2010:2010:201::2/64

  6. Associate reth2.0 to the trust security zone.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set security zones security-zone Trust interfaces reth2.0
Step-by-Step Procedure

To set the number of redundant Ethernet interfaces for a chassis cluster:

  1. Specify the number of redundant Ethernet interfaces:

    content_copy zoom_out_map
    {primary:node0}[edit]

user@host# set chassis cluster reth-count 2

Results

From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

content_copy zoom_out_map
{primary:node0}[edit]
user@host# show interfaces 
interfaces {
    ...
    fe-1/0/0 {
        fastether-options {
            redundant-parent reth2;
        }
    }
    fe-8/0/0 {
        fastether-options {
            redundant-parent reth2;
        }
    }
    ge-0/0/0 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-7/0/0 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                mtu 1500;
                address 10.1.1.3/24;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet6 {
                mtu 1500;
                address 2010:2010:201::2/64;
            }
        }
    }
    ...
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Chassis Cluster Redundant Ethernet Interfaces

Purpose

Verify the configuration of the chassis cluster redundant Ethernet interfaces.

Action

From operational mode, enter the show interfaces terse | match reth1 command:

content_copy zoom_out_map
{primary:node0}
user@host> show interfaces terse | match reth1

ge-0/0/0.0             up    up   aenet    --> reth1.0
ge-7/0/0.0             up    up   aenet    --> reth1.0
reth1                  up    up
reth1.0                up    up   inet     10.1.1.3/24

Verifying Chassis Cluster Control Links

Purpose

Verify information about the control interface in a chassis cluster configuration.

Action

From operational mode, enter the show chassis cluster interfaces command:

content_copy zoom_out_map
{primary:node0}
user@host> show chassis cluster interfaces
Control link status: Up

Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       em0         Up                 Disabled      Disabled
    1       em1         Up                 Disabled      Disabled

Fabric link status: Up

Fabric interfaces:
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0    xe-3/0/6           Up   / Up                 Enabled
    fab0
    fab1    xe-9/0/6           Up   / Up                 Enabled
    fab1

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Up          1
    reth1        Up          1

See Also

Example: Configuring Chassis Cluster Redundant Ethernet Interfaces on SRX4600

This example shows how to configure child links or physical links on SRX4600 device in chassis cluster mode.

Requirements

Before you begin:

Overview

You can configure up to eight number of child links for a reth bundle on SRX4600 devices per chassis.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

content_copy zoom_out_map
{primary:node0}[edit]
set interfaces xe-1/0/0:0 gigether-options redundant-parent reth0
set interfaces xe-1/0/0:1 gigether-options redundant-parent reth0
set interfaces xe-1/0/0:2 gigether-options redundant-parent reth0
set interfaces xe-1/0/0:3 gigether-options redundant-parent reth0
set interfaces xe-1/0/1:0 gigether-options redundant-parent reth0
set interfaces xe-1/0/1:1 gigether-options redundant-parent reth0
set interfaces xe-1/0/1:2 gigether-options redundant-parent reth0
set interfaces xe-1/0/1:3 gigether-options redundant-parent reth0
set interfaces xe-1/1/0 gigether-options redundant-parent reth1
set interfaces xe-1/1/1 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.0.2.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp active
set interfaces reth1 unit 0 family inet address 198.51.100.1/24
set security zones security-zone Trust-zone interfaces reth0.0
set security zones security-zone Untrust-zone interfaces reth1.0
set chassis cluster reth-count 10

Configuring redundant Ethernet interfaces

Step-by-Step Procedure

To configure redundant Ethernet interfaces:

  1. Bind eight redundant child physical interfaces to reth0.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces xe-1/0/0:0 gigether-options redundant-parent reth0
user@host# set interfaces xe-1/0/0:1 gigether-options redundant-parent reth0
user@host# set interfaces xe-1/0/0:2 gigether-options redundant-parent reth0
user@host# set interfaces xe-1/0/0:3 gigether-options redundant-parent reth0
user@host# set interfaces xe-1/0/1:0 gigether-options redundant-parent reth0
user@host# set interfaces xe-1/0/1:1 gigether-options redundant-parent reth0
user@host# set interfaces xe-1/0/1:2 gigether-options redundant-parent reth0
user@host# set interfaces xe-1/0/1:3 gigether-options redundant-parent reth0

  2. Bind redundant child physical interfaces to reth1.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces xe-1/1/0 gigether-options redundant-parent reth1
user@host# set interfaces xe-1/1/1 gigether-options redundant-parent reth1

  3. Specify the number of redundant Ethernet interfaces:

    content_copy zoom_out_map
    {primary:node0}[edit]

user@host# set chassis cluster reth-count 10

  4. Add reth0 to redundancy group 1.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces reth0 redundant-ether-options redundancy-group 1

  5. Assign an IP address to reth0.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces reth0 unit 0 family inet address 192.0.2.1/24

  6. Add reth1 to redundancy group1.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces reth1 redundant-ether-options redundancy-group 1
user@host# set interfaces reth1 redundant-ether-options lacp active

  7. Assign an IP address to reth1.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces reth1 unit 0 family inet address 198.51.100.1/24

  8. Associate reth0.0 to the trust security zone.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set security zones security-zone Trust-zone interfaces reth0.0

  9. Associate reth1.0 to untrust security zone.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set security zones security-zone Untrust-zone interfaces reth1.0

Results

From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

content_copy zoom_out_map
{primary:node0}[edit]
user@host# show interfaces 
xe-1/0/0:0 {
    gigether-options {
        redundant-parent reth0;
    }
}
xe-1/0/0:1 {
    gigether-options {
        redundant-parent reth0;
    }
}
xe-1/0/0:2 {
    gigether-options {
        redundant-parent reth0;
    }
}
xe-1/0/0:3 {
    gigether-options {
        redundant-parent reth0;
    }
}
xe-1/0/1:0 {
    gigether-options {
        redundant-parent reth0;
    }
}
xe-1/0/1:1 {
    gigether-options {
        redundant-parent reth0;
    }
}
xe-1/0/1:2 {
    gigether-options {
        redundant-parent reth0;
    }
}
xe-1/0/1:3 {
    gigether-options {
        redundant-parent reth0;
    }
}
xe-1/1/0 {
    gigether-options {
        redundant-parent reth1;
    }
}
xe-1/1/1 {
    gigether-options {
        redundant-parent reth1;
    }
}
reth0 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            address 192.0.2.1/24;
        }
    }
}
reth1 {
    redundant-ether-options {
        redundancy-group 1;
        lacp {
            active;
        }
    }
    unit 0 {
        family inet {
            address 198.51.100.1/24;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verify Chassis Cluster Redundant Ethernet Interfaces

Purpose

Verify the configuration of the chassis cluster redundant Ethernet interfaces on SRX4600 device.

Action

From operational mode, enter the show interfaces terse | match reth0 command:

content_copy zoom_out_map
{primary:node0}
user@host> show interfaces terse | match reth0

xe-1/0/0:0.0            up    down aenet    --> reth0.0
xe-1/0/0:1.0            up    down aenet    --> reth0.0
xe-1/0/0:2.0            up    down aenet    --> reth0.0
xe-1/0/0:3.0            up    down aenet    --> reth0.0
xe-1/0/1:0.0            up    down aenet    --> reth0.0
xe-1/0/1:1.0            up    down aenet    --> reth0.0
xe-1/0/1:2.0            up    down aenet    --> reth0.0
xe-1/0/1:3.0            up    down aenet    --> reth0.0
reth0                   up    down
reth0.0                 up    down inet     192.0.2.1/24
Meaning

You can view the maximum number of configured child link interfaces of a reth bundle from four to eight in one chassis.

Verifying Chassis Cluster Control Links

Purpose

Verify information about the control interface in a chassis cluster configuration.

Action

From operational mode, enter the show chassis cluster interfaces command:

content_copy zoom_out_map
{primary:node0}
user@host> show chassis cluster interfaces

Control link status: Down

Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       em0         Down               Disabled      Disabled
    1       em1         Down               Disabled      Disabled

Fabric link status: Down

Fabric interfaces:
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0    xe-0/0/2           Up   / Down               Disabled
    fab0

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Down        1
    reth1        Up          1
    reth2        Down        Not configured
    reth3        Down        Not configured
    reth4        Down        Not configured
    reth5        Down        Not configured
    reth6        Down        Not configured
    reth7        Down        Not configured
    reth8        Down        Not configured
    reth9        Down        Not configured

Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0

Example: Configuring IP-over-IP Tunnel on SRX Series Firewalls

This example shows how to create IP-IP tunnel with a forwarding next-hop to pass IPv4 traffic through the tunnel and synchronize the configuration from primary device to secondary device.

Requirements

Before you begin:

This example uses the following hardware and software components:

  • Junos OS Release 23.1R1 or later version.

  • SRX345 Device

Overview

Packets are routed to an internal interface where they are encapsulated with an IP packet and then forwarded to the encapsulating packet's destination address. The IP-IP interface is an internal interface only and is not associated with a physical interface. You must configure the interface for it to perform IP tunneling.

Topology

Figure 1 Illustrates IP-over-IP scenario with SRX Series Firewalls operating in chassis cluster mode.

Figure 1: Configuring SRX Series Firewalls using IP-IP TunnelConfiguring SRX Series Firewalls using IP-IP Tunnel

Configuration

Configuring IP-IP tunnel with Chassis Cluster Redundant Ethernet Interfaces for IPv4 Addresses

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

content_copy zoom_out_map
{primary:node0}[edit] 
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1

set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1

set interfaces reth0 unit 0 family inet address 22.0.0.254/24

set interfaces reth1 unit 0 family inet address 1.0.0.254/24

set interfaces ip-0/0/0 unit 0 tunnel source 22.0.0.254
set interfaces ip-0/0/0 unit 0 tunnel destination 22.0.0.200
set interfaces ip-0/0/0 unit 0 family inet address 33.0.0.254/24

set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-0/0/2 gigether-options redundant-parent reth1
set interfaces ge-7/0/1 gigether-options redundant-parent reth0
set interfaces ge-7/0/2 gigether-options redundant-parent reth1

set interfaces fab0 fabric-options member-interfaces ge-0/0/0
set interfaces fab1 fabric-options member-interfaces ge-7/0/0
content_copy zoom_out_map
{peer}
set interfaces ip-0/0/0 unit 0 tunnel source 22.0.0.200
set interfaces ip-0/0/0 unit 0 tunnel destination 22.0.0.254
set interfaces ip-0/0/0 unit 0 family inet address 33.0.0.200/24
set interfaces ge-0/0/1 unit 0 family inet address 22.0.0.200/24
set interfaces ge-0/0/2 unit 0 family inet address 2.0.0.200/24
set routing-options static route 1.0.0.0/24 next-hop ip-0/0/0.0
Step-by-Step Procedure

To configure redundant Ethernet interfaces for IPv4:

  1. Set up redundancy group 0 for the Routing Engine failover properties, and set up redundancy group 1 (all interfaces are in one redundancy group in this example) to define the failover properties for the redundant Ethernet interfaces.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set chassis cluster redundancy-group 0 node 0 priority 100
user@host# set chassis cluster redundancy-group 0 node 1 priority 1
user@host# set chassis cluster redundancy-group 1 node 0 priority 100
user@host# set chassis cluster redundancy-group 1 node 1 priority 1

  2. Set up the redundant Ethernet (reth) interfaces.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set chassis cluster reth-count 2
user@host# set interfaces ge-0/0/1 gigether-options redundant-parent reth0
user@host# set interfaces ge-0/0/2 gigether-options redundant-parent reth1
user@host# set interfaces ge-7/0/1 gigether-options redundant-parent reth0
user@host# set interfaces ge-7/0/2 gigether-options redundant-parent reth1
user@host# set interfaces reth0 redundant-ether-options redundancy-group 1
user@host# set interfaces reth0 unit 0 family inet address 22.0.0.254/24
user@host# set interfaces reth1 redundant-ether-options redundancy-group 1
user@host# set interfaces reth1 unit 0 family inet address 1.0.0.254/24

  3. Configure tunnel over redundant ethernet interface on both the nodes.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces ip-0/0/0 unit 0 tunnel source 22.0.0.254
user@host# set interfaces ip-0/0/0 unit 0 tunnel destination 22.0.0.200
user@host# set interfaces ip-0/0/0 unit 0 family inet address 33.0.0.254/24

  4. Configure tunnel session on the peer.

    content_copy zoom_out_map
    {peer}
user@host# set interfaces ip-0/0/0 unit 0 tunnel source 22.0.0.200
user@host# set interfaces ip-0/0/0 unit 0 tunnel destination 22.0.0.254
user@host# set interfaces ip-0/0/0 unit 0 family inet address 33.0.0.200/24
user@host# set interfaces ge-0/0/1 unit 0 family inet address 22.0.0.200/24
user@host# set interfaces ge-0/0/2 unit 0 family inet address 2.0.0.200/24
user@host# set routing-options static route 1.0.0.0/24 next-hop ip-0/0/0.0

  5. Configure routing-options on both the nodes:

    content_copy zoom_out_map
    {primary:node0}
set routing-options static route 2.0.0.0/24 next-hop ip-0/0/0.0

  6. Configure fabric interfaces on both the nodes.

    content_copy zoom_out_map
    {primary:node0}[edit]
user@host# set interfaces fab0 fabric-options member-interfaces ge-0/0/0
user@host# set interfaces fab1 fabric-options member-interfaces ge-7/0/0

Results

From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

content_copy zoom_out_map
{primary:node0}[edit]
user@host# show interfaces 
ip-0/0/0 {
    unit 0 {
        tunnel {
            source 22.0.0.254;
            destination 22.0.0.200;
        }
        family inet {
            address 33.0.0.254/24;
        }
    }
}
ge-0/0/1 {
    gigether-options {
        redundant-parent reth0;
    }
}
ge-0/0/2 {
    gigether-options {
        redundant-parent reth1;
    }
}
ge-7/0/1 {
    gigether-options {
        redundant-parent reth0;
    }
}
ge-7/0/2 {
    gigether-options {
        redundant-parent reth1;
    }
}
fab0 {
    fabric-options {
        member-interfaces {
            ge-0/0/0;
        }
    }
}
fab1 {
    fabric-options {
        member-interfaces {
            ge-7/0/0;
        }
    }
}
reth0 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            address 22.0.0.254/24;
        }        
    }
}
reth1 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            address 1.0.0.254/24;
        }        
    }
}

Verification

Purpose

Display the information about chassis cluster interfaces and status.

Action

From operational mode, enter the show chassis cluster interfaces,show chassis cluster status, and show security flow session command.

content_copy zoom_out_map
{primary:node0}
user@host> show chassis cluster interfaces
Control link status: Up

Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       fxp1        Up                 Disabled      Disabled

Fabric link status: Down

Fabric interfaces:
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0    ge-0/0/0          Up   / Up                 Disabled
    fab0
    fab1    ge-0/0/7          Up   / Up                 Disabled
    fab1

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Up          1
    reth1        Up          1

Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0
content_copy zoom_out_map
{primary:node0}
user@host> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring
    IS  IRQ storm

Cluster ID: 1
Node   Priority Status               Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  200      primary              no      no       None
node1  100      secondary            no      no       None

Redundancy group: 1 , Failover count: 1
node0  200      primary              no      no       None
node1  100      secondary            no      no       None
content_copy zoom_out_map
{primary:node0}
user@host> show security flow session
node0:
--------------------------------------------------------------------------

Session ID: 6323, Policy name: N/A, HA State: Active, Timeout: N/A, Session State: Valid
  In: 2012::2:2/1 --> 2012::2:1/1;ipip, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,

Session ID: 6324, Policy name: N/A, HA State: Active, Timeout: N/A, Session State: Valid
  In: 2012::2:2/1 --> 2012::2:1/1;ipv6, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,

Session ID: 6361, Policy name: self-traffic-policy/1, HA State: Active, Timeout: 56, Session State: Valid
  In: fe80::2:2/1 --> ff02::5/1;ospf, Conn Tag: 0x0, If: ip-0/0/0.1, Pkts: 153842, Bytes: 12371296,
  Out: ff02::5/1 --> fe80::2:2/1;ospf, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0,

Session ID: 6362, Policy name: self-traffic-policy/1, HA State: Active, Timeout: 52, Session State: Valid
  In: 100.0.2.2/1 --> 224.0.0.5/1;ospf, Conn Tag: 0x0, If: ip-0/0/0.1, Pkts: 152030, Bytes: 12178352,
  Out: 224.0.0.5/1 --> 100.0.2.2/1;ospf, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0,

Session ID: 6363, Policy name: self-traffic-policy/1, HA State: Active, Timeout: 60, Session State: Valid
  In: 100.0.2.2/49152 --> 100.0.2.1/3784;udp, Conn Tag: 0x0, If: ip-0/0/0.1, Pkts: 1509142, Bytes: 78475384,
  Out: 100.0.2.1/3784 --> 100.0.2.2/49152;udp, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0,

Session ID: 6364, Policy name: self-traffic-policy/1, HA State: Active, Timeout: 60, Session State: Valid
  In: fe80::2:2/49152 --> fe80::2:1/3784;udp, Conn Tag: 0x0, If: ip-0/0/0.1, Pkts: 1509355, Bytes: 108673560,
  Out: fe80::2:1/3784 --> fe80::2:2/49152;udp, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0,
Total sessions: 6

node1:
--------------------------------------------------------------------------

Session ID: 1304, Policy name: N/A, HA State: Backup, Timeout: N/A, Session State: Valid
  In: 2012::2:2/1 --> 2012::2:1/1;ipip, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,

Session ID: 1305, Policy name: N/A, HA State: Backup, Timeout: N/A, Session State: Valid
  In: 2012::2:2/1 --> 2012::2:1/1;ipv6, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,

Session ID: 1306, Policy name: self-traffic-policy/1, HA State: Backup, Timeout: 1482, Session State: Valid
  In: 100.0.2.2/49152 --> 100.0.2.1/3784;udp, Conn Tag: 0x0, If: ip-0/0/0.1, Pkts: 0, Bytes: 0,
  Out: 100.0.2.1/3784 --> 100.0.2.2/49152;udp, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0,

Session ID: 1307, Policy name: self-traffic-policy/1, HA State: Backup, Timeout: 1538, Session State: Valid
  In: fe80::2:2/49152 --> fe80::2:1/3784;udp, Conn Tag: 0x0, If: ip-0/0/0.1, Pkts: 0, Bytes: 0,
  Out: fe80::2:1/3784 --> fe80::2:2/49152;udp, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0,
Total sessions: 4
content_copy zoom_out_map
{primary:node0}
user@host> show security flow statistics
node0:
--------------------------------------------------------------------------
    Current sessions: 6
    Packets received: 12528819
    Packets transmitted: 12523469
    Packets forwarded/queued: 44
    Packets copied: 0
    Packets dropped: 5306
    Services-offload packets processed: 0
    Fragment packets: 0
    Pre fragments generated: 0
    Post fragments generated: 0

node1:
--------------------------------------------------------------------------
    Current sessions: 4
    Packets received: 1608551
    Packets transmitted: 1588679
    Packets forwarded/queued: 0
    Packets copied: 0
    Packets dropped: 19874
    Services-offload packets processed: 0
    Fragment packets: 0
    Pre fragments generated: 0
    Post fragments generated: 0

Meaning

The chassis cluster configuration displays the reth interface as the bind interface to exchange routes through IP-over-IP tunnel.

Related Documentation

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
12.1X45-D10
Starting with Junos OS Release 12.1X45-D10 and later, sampling features such as flow monitoring, packet capture, and port mirroring are supported on reth interfaces.
arrow_backward PREVIOUS Chassis Cluster Redundancy Groups
NEXT arrow_forward Configuring Chassis Clustering on SRX Series Devices
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top