SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX clustering over a switched network. Is this even possible?

    Posted 12-16-2009 01:33

    Hi,

     

    I am trying to set up a SRX650 cluster. Initially I used directly connected cables between both nodes to do initial configuration. This worked fine and the cluster set up correctly.

    Now I am installing the cluster on the customers network, but the difference is that we interconnect the nodes using a layer-2 network. Now the nodes don't see eachother and the cluster is broken. The network is based on HP ProCurve 5400 series switches.

     

    I used a separate VLAN for the control-port (untagged on the switchports), no IP on the VLAN and added the VLAN to the trunk. I enabled jumbo packages support on this VLAN as mentioned in Junipers application note "Clustering Across L2 Networks.pdf".

    For the data-port I added a different VLAN, with the same settings (no IP, jumbo etc).

     

    If I check the cluster status using "show chassis cluster control-plane statistics" on either node, I only see data being send, but nothing being received.

     

    After a few days, my local Juniper SE sent me two text messages with some new information:

    • Disable IGMP snooping on the switched network (I presume only on the VLANs used for the HA)
    • the control-port apparently is sending out traffic TAGGED with VLAN ID 4094.

    However, any query on the KB or the Forum doesn't reveal any conformation about this!

     

    I set the switch config for the switchports used by the control-ports to a untagged interface in VLAN 4094 (as it is already tagged by the SRX) and added this VLAN to the trunks. I also disabled IGMP on both VLANS. No change however in the clustering...

     

    Does anyone have a SRX cluster already running over a switched network? Please send me your config specifications as Juniper does not give sufficient information on this setup.

     



  • 2.  RE: SRX clustering over a switched network. Is this even possible?

    Posted 12-16-2009 07:54


  • 3.  RE: SRX clustering over a switched network. Is this even possible?

    Posted 12-16-2009 12:23

    The HA link between the Branch SRX Clusters is hardcoded with a VLAN ID of 4096. This can present a problem with switches that don’t support this high of a VLAN IDs. Can verify this by configuring the ports on the HP switch with VLAN ID of 4096?



  • 4.  RE: SRX clustering over a switched network. Is this even possible?

    Posted 12-16-2009 12:29

    802.1Q VLAN-id is 12-bit wide meaning 0...4095 values are possible.

     Surely you mean 4095, not 4096?

    Rgds

    Alex



  • 5.  RE: SRX clustering over a switched network. Is this even possible?
    Best Answer

    Posted 12-17-2009 00:46
      |   view attached

    Just a quick update. I created a call with JTAC and got a reply this was NOT supported - case closed. Later my local SE contacted me with some more information. They are working on supporting this officially, it is technical possible at this time.

     

    The VLAN 4094 tagged on the control-port is one thing, furthermore you need the jumbo frame support enabled and disable CRC / Checksum checking on the switchports for the control-port as this traffic does not adhere to correct checksums.

     

    Regards,

    Aurora

    Attachment(s)

    pdf
    L2HAAppNotev2.pdf   1.35 MB 1 version


  • 6.  RE: SRX clustering over a switched network. Is this even possible?

    Posted 02-01-2010 08:00

    Hello,

     

    Probably this is where it goes wrong:

    "I set the switch config for the switchports used by the control-ports to a untagged interface in VLAN 4094 (as it is already tagged by the SRX) and added this VLAN to the trunks."

     

    The switch port has to be tagged for vlan 4094. If not, the switch will not accept tagged vlan 4094 frames coming from the SRX.

     

    Thanks,

    Casper



  • 7.  RE: SRX clustering over a switched network. Is this even possible?

    Posted 02-01-2010 08:36

     


    @ghostrider wrote:

    The switch port has to be tagged for vlan 4094. If not, the switch will not accept tagged vlan 4094 frames coming from the SRX.

     


     

    Not necessarily. Some switches (I tested it on Cisco 3500XL years ago) will accept and pass tagged frames on an access port but might report "baby giants" if tagged frame size is greater than 1518 bytes.

     

    Rgds

    Alex