
[SRX] What are the minimum hardware and software requirements for a Chassis Cluster?


Article ID: KB16141 KB Last Updated: 05 Mar 2017 Version: 3.0
Summary:

This article lists the minimum requirements for configuring SRX devices in a chassis cluster. 

Symptoms:

What are the minimum hardware and software requirements for an SRX Chassis Cluster to function properly?

Two modes are supported -- Active/Passive and Active/Active.

Active/Passive mode is the most commonly used HA mode. All traffic is processed by the "Active" or "Master" firewall, while the "Passive" or "Slave" firewall is in warm standby, ready to take over as the "Active" firewall if the original "Active" firewall fails. In this mode, there are only two Redundancy Groups (RGs). The first one is RG0, which is for the "Control Plane", and RG1 is for the "Data Plane". The RE is always part of RG0, and whichever node is primary for RG0 is the Primary node.

Active/Active mode allows both firewalls to process traffic, providing a load-sharing HA scenario. In this mode, there can be more than two Redundancy Groups (RGs). The first one is RG0, which is for the "Control Plane", and the other RGs are for the "Data Plane". The RE is always part of RG0, and whichever node is primary for RG0 is the Primary node.

Only the data plane can work in Active/Active mode because the RE is part of RG0 and only one RE can be active at any given point.

For additional information on chassis clustering, refer to Chassis Cluster for Security Devices

Cause:

Solution:

NOTE:  Step-by-step configuration instructions are provided in KB15650 - SRX Getting Started - Configure Chassis Cluster (High Availability).

The minimum requirements for chassis clustering are:

Step 1.  Hardware:
The hardware on both the devices should be identical.  Also, the placement of cards should be identical.
There are a couple of exceptions:

  • For SRX5600 and SRX5800 chassis clusters, the placement and type of Services Processing Cards (SPCs) must match in the two clusters.
  • For SRX3400 and SRX3600 chassis clusters, the placement and type of SPCs, Input/Output Cards (IOCs), and Networking Processing Cards (NPCs) must match in the two devices.
  • For SRX1400 chassis clusters, the placement and type of the Network and Services Processing Card (NSPC) (or 1 SPC and 1 NPC) and the System I/O Card (SYSIO) must match in the two devices.
  • For the SRX650, SRX240, and SRX210 devices, there is no such limitation as on the high-end SRX devices.

Step 2.  Software: 
The Junos software version must be the same on both devices.

       Verify using this command on both devices:
        root> show version
        Model: srx650
        JUNOS Software Release [11.4R7.5]



Step 3.  License Keys:
There is no separate license for chassis cluster. However, both firewalls must have identical features and license keys enabled or installed.


Step 4.  Removal of existing configuration on FXP0 and FXP1:

In the SRX configuration, remove any existing configuration associated with the interfaces that will be transformed into fxp0 (out-of-band management) and fxp1 (control link) when the chassis cluster feature is enabled. The interfaces that are mapped to fxp0 and fxp1 are device specific. For more information on this, refer to KB15356 - How are interfaces assigned on J-Series and SRX platforms when the chassis cluster is enabled?

For help on removing the existing configuration on these interfaces, refer to KB27713 - How to remove references to the interfaces that will be used as fxp0 and fxp1.



Additional requirements for the control plane, control link, data plane and data link are provided below:

Control Plane & Control Link:

Note:  Before enabling chassis cluster on the SRX devices, connect the Control Plane & Data Plane.

The control plane software, which operates in active/backup mode, is an integral part of Junos Software that is active on the primary node of a cluster. It achieves redundancy by communicating state, configuration, heartbeats and other information to the inactive Routing Engine on the secondary node. If the primary Routing Engine fails, the secondary one is ready to assume control.
  • On SRX5600 and SRX5800 devices, by default, all control ports are disabled. Each SPC in a device has two control ports, and each device can have multiple SPCs plugged into it. To set up the control link in a chassis cluster with SRX5600 or SRX5800 devices, you connect and configure the control ports that you will use on each device (fpcn and fpcn) and then initialize the device in cluster mode.
  • For SRX3400 and SRX3600 devices, there are dedicated chassis cluster (HA) control ports on the switch fabric board. No control link configuration is needed for SRX3400 and SRX3600 devices.
  • For SRX1400 devices, there are dedicated chassis cluster (HA) control ports (ge-0/0/10 and ge-0/0/11) on the SYS I/O Card.
  • For SRX650, SRX550 and SRX240 devices, the ge-0/0/1 interface is used for the control link.
  • For SRX220 devices, the ge-0/0/7 interface is used for the control link.
  • For SRX100 and SRX210 devices, the fe-0/0/7 interface is used for the control link.
For more information, see Understanding the Chassis Cluster Control Plane.

For more information, see Understanding Chassis Cluster Control Links.
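The checks from Step 2 and Step 4 can be scripted before the cluster is enabled. The following Python sketch is an added example, not part of the Juniper article: it compares the `show version` output of both nodes and flags `set` lines that still reference the branch-platform control-link port listed above. The function names and the sample outputs are constructed for illustration, and it assumes the configuration was exported in `set` format.

```python
import re

# Control-link (fxp1) port per branch platform, as listed in this article.
CONTROL_LINK = {
    "srx650": "ge-0/0/1", "srx550": "ge-0/0/1", "srx240": "ge-0/0/1",
    "srx220": "ge-0/0/7", "srx210": "fe-0/0/7", "srx100": "fe-0/0/7",
}

# Constructed sample data (not captured from real devices).
VERSION_A = "Hostname: fw-a\nModel: srx240\nJUNOS Software Release [11.4R7.5]\n"
VERSION_B = "Hostname: fw-b\nModel: srx240\nJUNOS Software Release [11.4R9.4]\n"
CONFIG_A = """\
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/10 unit 0 family inet address 192.0.2.129/25
set security zones security-zone trust interfaces ge-0/0/1.0
"""

def parse_show_version(text):
    """Return (model, release) from 'show version' output."""
    model = re.search(r"^\s*Model:\s*(\S+)", text, re.M)
    release = re.search(r"JUNOS Software Release \[([^\]]+)\]", text)
    if not model or not release:
        raise ValueError("unrecognised 'show version' output")
    return model.group(1).lower(), release.group(1)

def stale_references(set_config, ifname):
    """Return 'set' lines that reference ifname or one of its logical units."""
    pat = re.compile(r"(?<![\w/-])" + re.escape(ifname) + r"(?:\.\d+)?(?![\w/])")
    return [line.strip() for line in set_config.splitlines() if pat.search(line)]

def precheck(version_a, version_b, set_config_a):
    """Collect findings that should be resolved before enabling the cluster."""
    findings = []
    model_a, rel_a = parse_show_version(version_a)
    model_b, rel_b = parse_show_version(version_b)
    if model_a != model_b:
        findings.append(f"model mismatch: {model_a} vs {model_b}")
    if rel_a != rel_b:
        findings.append(f"Junos release mismatch: {rel_a} vs {rel_b}")
    port = CONTROL_LINK.get(model_a)  # None for platforms not in the table
    for line in (stale_references(set_config_a, port) if port else []):
        findings.append(f"remove before clustering ({port} becomes fxp1): {line}")
    return findings

if __name__ == "__main__":
    for finding in precheck(VERSION_A, VERSION_B, CONFIG_A):
        print(finding)
```

The fxp0 mapping is not listed in this article (see KB15356), so the sketch only covers the control-link port; run it against the configuration of each node.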


Data Plane & Data Link:

Note: Before enabling chassis cluster on the SRX devices, connect the Control Plane & Data Plane.

The data plane software, which operates in Active/Active mode, manages flow processing and session state redundancy and processes transit traffic. If only one RG is used, then it will work in Active/Passive mode. To provide session (or flow) redundancy, the data plane software synchronizes its state by sending special payload packets called runtime objects (RTOs) from one node to the other across the fabric data link. The following table shows which ports can be used as the fabric data link:

  • SRX5000: Gigabit Ethernet, 10-Gigabit Ethernet
  • SRX3000: Gigabit Ethernet, 10-Gigabit Ethernet
  • SRX1400: Gigabit Ethernet, 10-Gigabit Ethernet (10 GE SYSIO)
  • SRX650: Gigabit Ethernet
  • SRX550: Gigabit Ethernet
  • SRX240: Gigabit Ethernet
  • SRX220: Gigabit Ethernet
  • SRX210: Fast Ethernet, Gigabit Ethernet
  • SRX100: Fast Ethernet

Important:  The fabric link has to be connected back to back, and the fabric data link does not support fragmentation.

For more information, see Understanding the Chassis Cluster Data Plane

