Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Chassis Cluster Dual Control Links

Dual control links provide a redundant link for controlling network traffic.

Dual Control Link Connections for SRX Series Firewalls in a Chassis Cluster

You can connect two control links between SRX5600 devices and SRX5800 devices, effectively reducing the chance of control link failure.

Note:

Junos OS does not support dual control links on SRX5400 devices, due to the limited number of slots.

For SRX5600 devices and SRX5800 devices, connect two pairs of the same type of Ethernet ports. For each device, you can use ports on the same Services Processing Card (SPC), but we recommend that you connect the control ports to two different SPCs to provide high availability. Figure 1 shows a pair of SRX5800 devices with dual control links connected. In this example, control port 0 and control port 1 are connected on different SPCs.

Figure 1: Dual Control Link Connections (SRX5800 Devices)Dual Control Link Connections (SRX5800 Devices)

For SRX5600 devices and SRX5800 devices, you must connect control port 0 on one node to control port 0 on the other node. You must also connect control port 1 on one node to control port 1 on the other node. If you connect control port 0 to control port 1, the nodes cannot receive heartbeat packets across the control links.

Resiliency with SCB Dual Control Links

On SRX5600 devices and SRX5800 devices, a Switch Control Board (SCB) card adds 10-Gigabit Ethernet (GbE) Small form-factor pluggables ports (SFPP) ports to provide redundancy. In a chassis cluster setup, you can configure these Ethernet ports as chassis cluster control ports to provide dual control links.

Dual control links help prevent a single point of failure by offering a redundant link for control traffic.

On SCB3 and SCB4, there are two external 10 Gbe ethernet ports located in the front panel. The left port (SCB Ethernet-switch port xe0) is used as the SCB HA port.

For SRX5600 devices and SRX5800 devices operating in chassis cluster, you can configure 10 Gigabit Ethernet ports on the SCB front panels to operate as chassis cluster control ports using Long Reach (LR), Short Reach (SR), and Long Reach Multimode (LRM) interfaces.

You can use the following 10GbE SFPP ports as chassis cluster control ports:

Table 1: SCB External 10GbE Ports
SCB SFPP Ports

SCB2

SFPP-10GbE-LR

SFPP-10GbE-SR

SFPP-10GbE-LRM

SCB3 and SCB4

SFPP-10GbE-LR

SFPP-10GbE-SR

For SRX Series Firewalls operating in chassis cluster, you can configure Ethernet ports on the SCB front panels to operate as chassis cluster control ports.

Note:

SRX5400 Services Gateways do not support dual control links, due to limited slots. These devices supports only chassis cluster control port 0.

Benefits of SCB Dual Control Links:

  • Increase the resiliency of the chassis cluster.
  • Maintain reliability of the chassis cluster in the event of an SPC failure.

Figure 2 shows a chassis cluster using SCB dual control links. The term HA used in the Figure 2 and Table 2 is referred to as chassis cluster.

Figure 2: SCB Dual Control Links in a Chassis ClusterSCB Dual Control Links in a Chassis Cluster

The control port connections on the chassis cluster are as follows:

Table 2: Control Port Connections
Primary Control Link Secondary Control Link
SCB0 is Control Board 0. HA port 0 is on SCB0. SCB1 is Control Board 1. HA port 1 is on SCB1.
Routing Engine 0 is on SCB0. Routing Engine 1 is on SCB1.
The Ethernet port on SCB0 is used as HA port 0. The Ethernet port on SCB1 is used as HA port 1.

The control packets pass through the SCB control links instead of the SPC control links.

Example: Configure a Chassis Cluster Using SCB Dual Control Links

This example shows how to configure SCB dual control links on a chassis cluster.

In standalone mode, you must configure SCB dual control links and reboot the nodes to activate the changes.

Requirements

Before you begin:

Overview

To configure dual control links in a chassis cluster, you connect primary and secondary control links between the SCB chassis cluster control ports as shown in Figure 2.

SCB control links have below properties:

  1. For RE0, SCB0 chassis cluster control port is automatically enabled when system boots in chassis cluster mode.

    SCB0 chassis cluster control port is automatically disabled when system boots in standalone mode.

  2. For RE1, SCB1 chassis cluster control port is automatically enabled after reboot, irrespective of whether the device is in chassis cluster mode or standalone mode.
  3. To temporary disable primary SCB contol link in chassis cluster mode, disable the SCB0 control port on RE0:

    To temporary disable secondary SCB control link, disable the SCB 1 control port on RE1:

    Note:

    These CLI commands will lose effect after redundancy group 0 failover or device reboot.

  4. To permanently disable primary SCB control link in chassis cluster mode:
    • Option1: Delete the SCB control port configurations, add fake FPC control link configurations, and commit.
    • Option2: Disconnect the primary SCB control link cable.
  5. To permanently disable secondary SCB control link in chassis cluster mode, disconnect the secondary SCB control link cable.
  6. To change from cluster mode to standalone mode when using dual SCB control links:
    Note:

    Below steps are for temporary transition from cluster to standalone. If you need to change to standalone mode permanently, disconnect both the primary and secondary SCB control link cables.

    1. Disable SCB1 HA control ports on both nodes through RE1:xe0 !ena 10G FD SW No Forward TX RX None FA XGMII 16356
    2. Reboot the RE0 to set as standalone mode:
    3. To enter the cluster mode again, enable the cluster mode on RE0 and reboot and then enable SCB1 HA control ports on both nodes through RE1 console:xe0 up 10G FD SW No Forward TX RX None FA XGMII 16356
    4. Check the chassis cluster status.

Configuration

Procedure

To configure SCB dual control links for the chassis cluster:

  1. Connect the primary SCB control link cable.

  2. Configure a chassis cluster that uses SCB0 control port for primary control link and SCB1 control port for secondary control link on both nodes.

  3. Configure the chassis cluster. The example configuration is for node 0. For node 1, make sure to configure the same cluster ID.

  4. Reboot both nodes to activate cluster mode.

  5. Connect the secondary SCB control link cable.

Verification

Verification of the Chassis Cluster Status

Purpose

Verify the chassis cluster status.

Action

In operational mode, enter the show chassis cluster status command.

In operational mode, enter the show chassis cluster interfaces command.

In operational mode, enter the show chassis cluster information detail command.

In operational mode, enter the show chassis cluster fpc pic-status command.

Meaning

Use the show chassis cluster command to confirm that the devices in the chassis cluster are communicating with each other and functioning properly.

Transition from SPC Dual Control Links to SCB Dual Control Links

This example shows how to transition SPC dual control links to SCB dual control links. This procedure minimizes traffic disruption and prevents control plane loops during the control link transition.

Requirements

Before you begin:

Overview

In this example, you begin with a working chassis cluster that uses SPC dual control links. The goal is to transition the system to use SCB control links seamlessly. To prevent the formation of a control plane loop, the system must not actively forward over the two different control links at the same time.

Two combinations of simultaneous SPC and SCB control link connections ensure loop-free operation. As part of your transition strategy, you must decide on one of the following control link combinations:

  • SPC as the primary control link with SCB as the secondary control link
  • SCB as the primary control link with SPC as the secondary control link

The transition modes support both the combinations of simultaneous SPC and SCB control links to ensure that only one type of control links is forwarding. If both SPC and SCB control links are active at the same time, a loop can form.

Either supported option (SPC or SCB) works as well as the other. This example illustrates the first option. During the control link transition, the primary SPC control link remains active while you add a secondary SCB control link. Again, this state is transitory. After the transition, you have a chassis cluster with both the primary and secondary control links connected to the SCB port.

Control Links illustrates the process for transitioning from SPC control links to SCB control links.

Figure 3: Control Links Transition StagesControl Links Transition StagesControl Links Transition StagesControl Links Transition Stages

The starting state of the chassis cluster before transition is displayed on the top. Two SPC control ports are used to form the cluster. In the middle, the transition state has one SPC control port and one SCB control port simultaneously connected. After transition, the ending state of the chassis cluster is displayed to the bottom. The chassis cluster operates with two SCB control links after removing the original SPC control links.

Transition Procedure: SPC to SCB with Dual Control Links

Procedure

To transition from SPC to SCB dual control links on the primary node (node 0):

  1. Select the preferred transition approach. Refer to Transition Options. In this example, select the primary SPC link with a secondary SCB link as shown in Control Links.

  2. Delete the SPC secondary control link configuration. This configuration change deletes both ends of the secondary SPC control links in the chassis cluster.

  3. Disconnect the SPC secondary control link cable before proceeding.

  4. Configure the SCB secondary control link and commit. The same SCB1 control port is used at both ends of the cluster. This single configuration statement applies to both node 0 and node 1.

  5. Connect the SCB secondary control link cable. At this time, the chassis cluster is in a transitional state.

  6. Before continuing the transition, you verify that the chassis cluster is operational and that the dual control links are in a healthy state. Use the show chassis cluster interfaces command.

    In the preceding output, the ixlv0 and igb0 interfaces are used to send cluster control traffic and keepalive traffic.

    The chassis cluster control link reports up status. The remote node's cards (SPC and PIC) are reported as Online. The outputs confirm that the chassis cluster remains operational.

  7. Delete the SPC primary control link. The command deletes any remaining SPC control ports on both nodes.

  8. Disconnect the SPC primary control link cable before proceeding.

  9. Configure the SCB primary control link.

  10. Connect the SCB primary control link cable.

  11. Verify that the chassis cluster remains operational, using the show chassis cluster interfaces command.

    The chassis cluster control link reports an up status and the remote node's cards SPC and PIC are reported as Online.

Transition from SCB to SPC with Dual Control Links

This example provides steps for a control link transition from an SCB to an SPC dual control link concurrently.

Requirements

Before you begin:

Configuration

Procedure

To transition from SCB to SPC control links concurrently:

  1. Delete the SCB secondary control link configuration.

  2. Disconnect the SCB secondary control link cable.

  3. Connect the SPC secondary control link cable.

  4. Configure the SPC secondary control link, and commit.

  5. Verify that both the primary and secondary control interfaces are up on both nodes.

    In operational mode, enter the show chassis cluster interfaces command to confirm that the chassis cluster is functioning properly.

  6. Delete the SCB primary control link.

  7. Disconnect the SCB primary control link cable.

  8. Connect the SPC primary control link cable.

  9. Configure the SPC primary control link.

  10. Verify that both the primary and secondary control interfaces are up on both nodes, using the show chassis cluster interfaces command.