On a pair of Juniper firewalls that do not have dedicated physical HA ports, which ports can be assigned for HA? Do all Juniper firewalls that support NSRP have dedicated HA interfaces (HA1 & HA2)? This article provides answers.

 

The following Juniper firewalls have dedicated physical HA ports (HA1 and HA2) for NSRP:

• NS-5000 series

The following firewalls do not have dedicated physical HA ports (HA1 and  HA2):

• ISG-1000 and ISG-2000 series

• SSG-300 and SSG-500 devices

• SSG-140 device

Which interfaces do you assign to these firewalls for HA when configuring NSRP?

 

1. Some devices have a predefined interface assigned to the HA zone so you can use that.  Some do not, so you have to assign an interface to the HA zone.  Refer to the specifics below:

• ISG-1000 and ISG-2000 devices

An interface is not assigned by default to the HA Zone (shown with the 'get interface' command).  Therefore, an interface is assigned to the HA zone with the command: set interface <interface_name> zone ha

• SSG-300 and SSG-500 devices

By default, the eth0/3 interface is assigned to the HA Zone (shown with the 'get interface' command). 

• SSG-140 devices

An interface is not assigned by default to the HA Zone (shown with the 'get interface' command).  Therefore, an interface is assigned to the HA zone the following command: set interface <interface_name> zone ha       

2. Based on the type of NSRP setup you are configuring, you can bind 1 or 2 physical Ethernet interfaces to the HA zone. An additional interface is assigned to the HA zone with the command: set interface <interface_name> zone ha

Below are the guidelines.

• NSRP Active/Passive: Minimum one port in HA zone to carry Control messages (like VSD heartbeats Configuration & RTO messages)

• NSRP Active/Passive: Binding 2 ports will provide redundancy between the HA ports, each port can be as a backup for another port.  One HA link  (HA1) will support Control messages only (VSD heartbeats), and the other HA link (HA2) handles (Configuration & RTO messages)

• NSRP Active/Active: Minimum one port in HA zone to carry Control messages like (VSD heartbeats Configuration & RTO messages)

• NSRP Active/Active:  Binding 2 ports will provide redundancy between the HA ports, each port can be as a backup for another port. One HA link  (HA1) will support Control messages only (VSD heartbeats), and the other HA link (HA2) handles (Configuration & RTO messages)

• NSRP Active/Active with data path forwarding enabled:

• Minimum one gigabit port either copper or fiber in HA zone to carry both control messages and to forward real-time data traffic between the VSD groups

• Binding 2 gigabit ports to the HA zone; one will carry control messages and the other will forward real-time data traffic between the VSD groups and both will be acting as backup to each other

• Binding 2 copper 10/100 port to the HA zone; one will carry control messages and the other port will forward real-time data traffic between the VSD groups. In the event one port fails control messages are still passed thru the interface which is UP and the data path forwarding will be disabled until the second interface is UP.

Refer to the following link for additional information on which HA interfaces will become the control and data channel for NSRP: KB11468 and KB9955.

The interfaces assigned to the HA zone are dedicated for NSRP; they cannot be additionally used for passing traffic.

 

2020-12-15: Article checked for accuracy; references to EOL devices removed; article valid and relevant