SRX

Hi,

I am trying to set up a SRX650 cluster. Initially I used directly connected cables between both nodes to do initial configuration. This worked fine and the cluster set up correctly.

Now I am installing the cluster on the customers network, but the difference is that we interconnect the nodes using a layer-2 network. Now the nodes don't see eachother and the cluster is broken. The network is based on HP ProCurve 5400 series switches.

I used a separate VLAN for the control-port (untagged on the switchports), no IP on the VLAN and added the VLAN to the trunk. I enabled jumbo packages support on this VLAN as mentioned in Junipers application note "Clustering Across L2 Networks.pdf".

For the data-port I added a different VLAN, with the same settings (no IP, jumbo etc).

If I check the cluster status using "show chassis cluster control-plane statistics" on either node, I only see data being send, but nothing being received.

After a few days, my local Juniper SE sent me two text messages with some new information:

• Disable IGMP snooping on the switched network (I presume only on the VLANs used for the HA)
• the control-port apparently is sending out traffic TAGGED with VLAN ID 4094.

However, any query on the KB or the Forum doesn't reveal any conformation about this!

I set the switch config for the switchports used by the control-ports to a untagged interface in VLAN 4094 (as it is already tagged by the SRX) and added this VLAN to the trunks. I also disabled IGMP on both VLANS. No change however in the clustering...

Does anyone have a SRX cluster already running over a switched network? Please send me your config specifications as Juniper does not give sufficient information on this setup.

It is possible.  Please reference this thread.

Thanks

http://forums.juniper.net/t5/SRX-Services-Gateway/SRX240-cluster-control-link/m-p/29403#M1145

The HA link between the Branch SRX Clusters is hardcoded with a VLAN ID of 4096. This can present a problem with switches that don’t support this high of a VLAN IDs. Can verify this by configuring the ports on the HP switch with VLAN ID of 4096?

802.1Q VLAN-id is 12-bit wide meaning 0...4095 values are possible.

 Surely you mean 4095, not 4096?

Rgds

Alex

Just a quick update. I created a call with JTAC and got a reply this was NOT supported - case closed. Later my local SE contacted me with some more information. They are working on supporting this officially, it is technical possible at this time.

The VLAN 4094 tagged on the control-port is one thing, furthermore you need the jumbo frame support enabled and disable CRC / Checksum checking on the switchports for the control-port as this traffic does not adhere to correct checksums.

Regards,

Aurora

Attachment(s)

L2HAAppNotev2.pdf   1.35 MB 1 version

Hello,

Probably this is where it goes wrong:

"I set the switch config for the switchports used by the control-ports to a untagged interface in VLAN 4094 (as it is already tagged by the SRX) and added this VLAN to the trunks."

The switch port has to be tagged for vlan 4094. If not, the switch will not accept tagged vlan 4094 frames coming from the SRX.

Thanks,

Casper

---

@ghostrider wrote:

The switch port has to be tagged for vlan 4094. If not, the switch will not accept tagged vlan 4094 frames coming from the SRX.

 

---

Not necessarily. Some switches (I tested it on Cisco 3500XL years ago) will accept and pass tagged frames on an access port but might report "baby giants" if tagged frame size is greater than 1518 bytes.

Rgds

Alex