Example: IDP Series HA Design with Juniper Networks EX Series Switches

The following sections describe an example redundant path deployment in which the Juniper Networks EX Series switches use Spanning Tree Protocol (STP) to select the active path.


Figure 15 shows a network topology where there are redundant paths to the Internet. One path is active and the other is passive.

Figure 15: Redundant Path Design: IDP Series HA Depends on STP (Juniper Networks EX Series)


Switches running STP exchange bridge protocol data unit (BPDU) packets with each other. BPDUs are sent as hello packets at regular intervals to share information across bridges and detect loops in the network topology. STP uses the information carried in the BPDUs to elect a root bridge, identify the root port of each switch, identify the designated port for each physical LAN segment, and prune specific redundant links to create a loop-free tree topology. All leaf devices calculate the best path to the root device and place their ports in the blocking or forwarding state based on that best path. The resulting tree topology provides a single active Layer 2 data path between any two end stations.

The IDP Series device does not participate in STP. Rather, when Layer 2 bypass is enabled, the IDP Series device passes the BPDU packets through so that the switches on either side can communicate with each other. If Layer 2 bypass is not enabled, the IDP Series device drops the BPDU packets and the switches cannot select the path through it. The same is true when the IDP Series device is gracefully shut down or encounters a failure: the IDP Series device cannot forward the BPDU packets, so once the switches stop receiving them, STP forwards traffic through the backup path.
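The following is an added example, not code from the Juniper documentation. It decodes 802.1D configuration BPDUs (using the max-age 20, hello-time 3 and forward-delay 15 timers from the sample switch configuration) and models how a switch re-selects its root port once BPDUs stop arriving through the in-line IDP Series device: the stored BPDU on that port ages out after max-age and the port still receiving BPDUs takes over. The ge-0/0/6 cost of 200000 comes from the sample configuration; the ge-0/0/7 cost of 20000 is an assumed Junos Gigabit Ethernet default, and the bridge ID is constructed.

```python
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU after the LLC header: protocol ID, version, type, flags,
# root ID, root path cost, bridge ID, port ID, message age, max age, hello, fwd delay.
BPDU_FMT = "!HBBB8sI8sHHHHH"   # 35 bytes


@dataclass
class Bpdu:
    root_id: bytes
    root_path_cost: int
    bridge_id: bytes
    port_id: int
    message_age: float   # all timers in seconds (wire units are 1/256 s)
    max_age: float
    hello_time: float
    forward_delay: float


def build_config_bpdu(root_id, cost, bridge_id, port_id, max_age=20, hello=3, fwd=15):
    """Constructed BPDU carrying the timers from the sample EX switch config."""
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, root_id, cost, bridge_id, port_id,
                       0, max_age * 256, hello * 256, fwd * 256)


def parse_config_bpdu(raw: bytes) -> Bpdu:
    """Decode a configuration BPDU; reject anything that is not 802.1D type 0."""
    proto, _ver, btype, _flags, root, cost, bridge, pid, age, mx, hello, fwd = \
        struct.unpack(BPDU_FMT, raw[:35])
    if proto != 0 or btype != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    return Bpdu(root, cost, bridge, pid, age / 256, mx / 256, hello / 256, fwd / 256)


def select_root_port(ports, now):
    """ports: {name: (port_cost, Bpdu, received_at)}. A BPDU whose message age plus
    the time since receipt reaches max_age is expired; the lowest (root ID, total
    cost, sender bridge ID, sender port ID) among live BPDUs wins."""
    live = {n: (bp.root_id, bp.root_path_cost + c, bp.bridge_id, bp.port_id)
            for n, (c, bp, t) in ports.items() if bp.message_age + (now - t) < bp.max_age}
    return min(live, key=live.get) if live else None


def failover_demo():
    root = b"\x80\x00" + bytes.fromhex("0011223344aa")   # constructed root bridge ID
    bpdu = parse_config_bpdu(build_config_bpdu(root, 0, root, 0x8001))
    # t=0: both redundant paths deliver the root's BPDU; lowest total cost wins.
    ports = {"ge-0/0/6": (200000, bpdu, 0.0), "ge-0/0/7": (20000, bpdu, 0.0)}
    before = select_root_port(ports, now=0.0)
    # The IDP device on the ge-0/0/7 path stops passing BPDUs (failure, shutdown or
    # bypass disabled). ge-0/0/6 keeps refreshing every hello interval (last at t=18);
    # at t=21 the ge-0/0/7 BPDU has exceeded max_age and that path is dropped.
    ports["ge-0/0/6"] = (200000, bpdu, 18.0)
    after = select_root_port(ports, now=21.0)
    return before, after
```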

Deployment Steps

To deploy this solution, follow these basic steps:

  1. Set up and configure the EX Series devices using the documentation that came with your switch. Note the following requirements:

    • Hardware—Connect the EX switch ports to the IDP Series traffic interface pairs so that the IDP Series deployment is transparent to the original network path. If your original path connected ge-0/0/6 on one switch with ge-0/0/6 on the other, you undo that cabling and place the IDP Series device in between. You connect the switch on one side to IDP Series eth2 and the switch on the other side to IDP Series eth3.
    • Failure detection mechanism—Implement STP. For information on the Junos OS spanning tree protocol, see the EX Series documentation. The following sample shows the commands used to configure an EX Series switch in the example network:

      root# show | display set
      set version 10.2R1.8
      set system root-authentication encrypted-password "$1$KeXQ4XiR$kqfcT.Fxc6GPw1ts7KVBM."
      set system syslog user * any emergency
      set system syslog file messages any notice
      set system syslog file messages authorization info
      set system syslog file interactive-commands interactive-commands any
      set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
      set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan200
      set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
      set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan200
      set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode access
      set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members vlan200
      set protocols igmp-snooping vlan all
      set protocols stp bridge-priority 40k
      set protocols stp max-age 20
      set protocols stp hello-time 3
      set protocols stp forward-delay 15
      set protocols stp interface ge-0/0/6.0 cost 200000
      set protocols lldp interface all
      set protocols lldp-med interface all
      set ethernet-switching-options storm-control interface all
      set vlans vlan200 vlan-id 60
      set vlans vlan200 interface ge-0/0/6.0  
      set vlans vlan200 interface ge-0/0/7.0
      set vlans vlan200 interface ge-0/0/8.0
      set poe interface all
  2. Set up and configure the IDP Series devices. Consider the following configuration notes.

    Table 10: IDP Series Configuration Guidelines



    IDP Series device hardware

    Use a cross-over cable to connect one device HA port to the other HA port.

    State sync

    Use ACM to enable Third-Party HA and assign each device an identifier.

    Figure 16: ACM Third-Party HA Pages



    In NSM, create a cluster object and then add the IDP Series devices to NSM as cluster members. Whenever you push updates (such as OS version updates, detector engine updates, or security policy updates), select the cluster object as the target. NSM pushes updates to members in sequence: member A and then member B.

    Figure 17: NSM Device Cluster


    Note: For third-party high availability deployments, the cluster status displayed in the NSM Realtime Monitor > IDP Cluster Monitor always indicates failure. Disregard this status. You cannot use the NSM Cluster Monitor to display status.

    Layer 2 bypass

    Use ACM to enable Layer 2 bypass.

    Interface signaling

    Do not enable. When interface signaling is disabled, the HA feature monitors the state of IDP engines. If an IDP engine fails, any remaining IDP engines are signaled to disregard the Layer 2 bypass setting and drop Layer 2 traffic, including BPDUs.

    Peer port modulation

    Do not enable.

  3. On the IDP Series device, you can use the synchronization details in sctop flow tables and the device log files to verify and troubleshoot the HA deployment. Logs related to HA communication are written locally to /var/idp/device/sysinfo/logs/hasignal.log.
