[ScreenOS] Assigning ports or interfaces for the HA link (NSRP)

Article ID: KB11296 KB Last Updated: 15 Dec 2020 Version: 11.0
Summary:

On a pair of Juniper firewalls that do not have dedicated physical HA ports, which ports can be assigned for HA? Do all Juniper firewalls that support NSRP have dedicated HA interfaces (HA1 & HA2)? This article provides answers.

 

Symptoms:

The following Juniper firewalls have dedicated physical HA ports (HA1 and HA2) for NSRP:

  • NS-5000 series

The following firewalls do not have dedicated physical HA ports (HA1 and HA2):

  • ISG-1000 and ISG-2000 series

  • SSG-300 and SSG-500 devices

  • SSG-140 device

Which interfaces do you assign to these firewalls for HA when configuring NSRP?

 

Solution:
  1. Some devices have a predefined interface assigned to the HA zone, which you can use. Others do not, so you must assign an interface to the HA zone. Refer to the specifics below:

  • ISG-1000 and ISG-2000 devices

No interface is assigned to the HA zone by default (shown with the 'get interface' command). Assign an interface to the HA zone with the command: set interface <interface_name> zone ha

  • SSG-300 and SSG-500 devices

By default, the eth0/3 interface is assigned to the HA Zone (shown with the 'get interface' command). 

  • SSG-140 devices

No interface is assigned to the HA zone by default (shown with the 'get interface' command). Assign an interface to the HA zone with the command: set interface <interface_name> zone ha

  2. Based on the type of NSRP setup you are configuring, you can bind 1 or 2 physical Ethernet interfaces to the HA zone. Assign an additional interface to the HA zone with the command: set interface <interface_name> zone ha

Below are the guidelines.

  • NSRP Active/Passive: A minimum of one port in the HA zone to carry control messages (like VSD heartbeats, Configuration & RTO messages)

  • NSRP Active/Passive: Binding 2 ports provides redundancy between the HA ports; each port can act as a backup for the other. One HA link (HA1) supports control messages only (VSD heartbeats), and the other HA link (HA2) handles Configuration & RTO messages

  • NSRP Active/Active: A minimum of one port in the HA zone to carry control messages (like VSD heartbeats, Configuration & RTO messages)

  • NSRP Active/Active: Binding 2 ports provides redundancy between the HA ports; each port can act as a backup for the other. One HA link (HA1) supports control messages only (VSD heartbeats), and the other HA link (HA2) handles Configuration & RTO messages

  • NSRP Active/Active with data path forwarding enabled:

      • A minimum of one gigabit port, either copper or fiber, in the HA zone to carry both control messages and real-time data traffic forwarded between the VSD groups

      • Binding 2 gigabit ports to the HA zone: one carries control messages and the other forwards real-time data traffic between the VSD groups, and each acts as a backup for the other

      • Binding 2 copper 10/100 ports to the HA zone: one carries control messages and the other forwards real-time data traffic between the VSD groups. If one port fails, control messages are still passed through the interface that is up, and data path forwarding is disabled until the second interface is up.

Refer to KB11468 and KB9955 for additional information on which HA interfaces become the control and data channels for NSRP.

The interfaces assigned to the HA zone are dedicated for NSRP; they cannot be additionally used for passing traffic.
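
The following is an added example, not part of the original article or Juniper's tooling: a Python check that reads a saved configuration and reports how its HA zone bindings compare with the guidelines above. It assumes the bindings appear in the saved configuration as 'set interface <interface_name> zone <zone>' lines with optionally quoted names; the sample configuration is constructed, and the function names and the gigabit parameter (the caller's list of gigabit ports) are hypothetical.

```python
import re

# Constructed sample of saved configuration lines (not taken from the article).
SAMPLE_CONFIG = """\
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "HA"
set interface ethernet0/0 ip 10.1.1.1/24
"""

# Assumed line form: set interface <name> zone <zone>, names optionally quoted.
ZONE_RE = re.compile(
    r'^\s*set\s+interface\s+"?([^"\s]+)"?\s+zone\s+"?([^"\s]+)"?\s*$', re.I)


def ha_interfaces(config_text):
    """Return the interfaces whose most recent zone binding is the HA zone."""
    zone = {}
    for line in config_text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            # A later binding for the same interface replaces the earlier one.
            zone[m.group(1).lower()] = m.group(2).lower()
    return sorted(name for name, z in zone.items() if z == "ha")


def audit_ha_zone(config_text, data_path_forwarding=False, gigabit=frozenset()):
    """Compare HA zone bindings with the article's guidelines.

    gigabit is the caller-supplied set of gigabit interface names, because
    port speed cannot be read from the zone bindings themselves.
    """
    ha = ha_interfaces(config_text)
    gig = {g.lower() for g in gigabit}
    findings = []
    if not ha:
        findings.append("no interface in the HA zone: no link for NSRP control messages")
    elif len(ha) == 1:
        findings.append(f"only {ha[0]} in the HA zone: no backup HA link")
        if data_path_forwarding and ha[0] not in gig:
            findings.append(f"{ha[0]} is not gigabit: a single HA port used "
                            "with data path forwarding must be gigabit")
    elif len(ha) > 2:
        findings.append("more than 2 interfaces in the HA zone: " + ", ".join(ha))
    return ha, findings
```

An empty findings list means exactly two interfaces are bound to the HA zone, the redundant layout the guidelines describe.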

 

Modification History:

2020-12-15: Article checked for accuracy; references to EOL devices removed; article valid and relevant

 
