Configuring Inter-Chassis Stateful Synchronization for Long-Lived NAT, Stateful Firewall, and IDS Flows for Next Gen Services

Configuring Inter-Chassis Stateful Synchronization for Next Gen Services with non-AMS Interface

To configure stateful synchronization inter-chassis high availability for NAT, stateful firewall, and IDS flows for Next Gen Services when the services interfaces are not AMS, perform the following configuration steps on each chassis of the high availability pair.

  1. Specify the IP address of the vms- interface. This address is used by the TCP channel between the HA pairs.

    For example:

    When you configure the other chassis, this is the address you use for the redundancy-peer ipaddress.

  2. Specify the IP address of the remote services interface. This address is used by the TCP channel between the HA pairs.

    For example:

    When you configure the other chassis, this is the address you use for the redundancy-local data-address.

  3. Configure the length of time that the flow remains active for replication, in seconds.

    For example:

  4. Configure a unit other than 0, and assign it the IP address of the local services interface that you configured with the redundancy-local data-address option.

    For example:

  5. For ease of management, we recommend you create a special routing instance with instance-type vrf to host the HA synchronization traffic between the MX Series high availability pair. Then specify the name of the special routing instance to apply to the HA synchronization traffic between the high availability pair.
  6. Configure the inside and outside interface units, which are used by the next-hop service set. Use different unit numbers for the inside and outside units, and do not use 0 or the unit number used in Step 4.

    For example:

  7. Configure the next-hop service set that contains the NAT rules, stateful firewall rules, or IDS screens. The service set must be configured identically on each chassis of the high availability pair. The NAT rules, stateful firewall rules, and IDS screens must also be configured identically on each chassis.

    For example:

  8. Repeat these steps for the other chassis of the high availability pair.

Configuring Inter-Chassis Stateful Synchronization for Next Gen Services with AMS Interface

To configure stateful synchronization inter-chassis high availability for NAT, stateful firewall, and IDS flows for Next Gen Services for an AMS services interface, perform the following configuration steps on each chassis of the high availability pair.

  1. Configure a services vms- interface for every member of the AMS interface:

    1. Specify the IP address of the vms- interface. This address is used by the TCP channel between the HA pairs.

      For example:

      When you configure the other chassis, this is the address you use for the redundancy-peer ipaddress.

    2. Specify the IP address of the remote services interface. This address is used by the TCP channel between the HA pairs.

      For example:

      When you configure the other chassis, this is the address you use for the redundancy-local data-address.

    3. Configure the length of time that the flow remains active for replication, in seconds.

      For example:

    4. Configure a unit other than 0, and assign it the IP address of the local services interface that you configured with the redundancy-local data-address option.

      For example:

    5. For ease of management, we recommend you create a special routing instance with instance-type vrf to host the HA synchronization traffic between the MX Series high availability pair. Then specify the name of the special routing instance to apply to the HA synchronization traffic between the high availability pair.
  2. Create the AMS interface and add the member interfaces you configured in Step 1.

    where the interface-name is amsN, and a is the FPC slot number and b is the PIC slot number for each member interface.

    For example:

  3. Configure the inside interface for the AMS interface, which is used by the next-hop service set:
    1. Configure the family for the inside interface. Do not use 0 for the unit number.

      For example:

    2. Configure the hash key to regulate distribution for the inside interface.
  4. Configure the outside interface for the AMS interface, which is used by the next-hop service set. Do not use 0 or the same unit number that you used for the inside interface.
    1. Configure the family for the outside interface.

      For example:

    2. Configure the hash key to regulate distribution for the outside interface.
  5. Configure the next-hop service set that contains the NAT rules, stateful firewall rules, or IDS screens. The service set must be configured identically on each chassis of the high availability pair. The NAT rules, stateful firewall rules, and IDS screens must also be configured identically on each chassis.

    For example:

  6. Repeat these steps for the other chassis of the high availability pair.
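
Both procedures above (non-AMS and AMS) depend on two properties of the pair: each chassis's redundancy-local data-address must be the other chassis's redundancy-peer ipaddress, and the service configuration must be identical on both. The following check is an added example, not Juniper's own code. It assumes the configurations are exported in "set" format with the redundancy statements under `interfaces vms-a/b/0 redundancy-options`, and that everything under `services` should match; the sample configurations, addresses and names are constructed.

```python
import re

# Constructed sample configurations in Junos "set" format (not from the page).
# Assumption: the redundancy statements live under
# "interfaces vms-a/b/0 redundancy-options".
CHASSIS_A = """\
set interfaces vms-4/0/0 redundancy-options redundancy-local data-address 192.0.2.1
set interfaces vms-4/0/0 redundancy-options redundancy-peer ipaddress 192.0.2.2
set interfaces vms-4/1/0 redundancy-options redundancy-local data-address 192.0.2.5
set interfaces vms-4/1/0 redundancy-options redundancy-peer ipaddress 192.0.2.6
set services service-set SS1 nat-rule-sets RS1
"""
CHASSIS_B = """\
set interfaces vms-2/0/0 redundancy-options redundancy-local data-address 192.0.2.2
set interfaces vms-2/0/0 redundancy-options redundancy-peer ipaddress 192.0.2.1
set interfaces vms-2/1/0 redundancy-options redundancy-local data-address 192.0.2.6
set interfaces vms-2/1/0 redundancy-options redundancy-peer ipaddress 192.0.2.5
set services service-set SS1 nat-rule-sets RS1
"""

HA_RE = re.compile(r"set interfaces (vms-\S+) redundancy-options "
                   r"(redundancy-local data-address|redundancy-peer ipaddress) (\S+)$")

def ha_channels(cfg):
    """Return {(local, peer)} for every vms- interface carrying HA options."""
    per_if = {}
    for line in cfg.splitlines():
        m = HA_RE.match(line.strip())
        if m:
            role = "local" if m.group(2).startswith("redundancy-local") else "peer"
            per_if.setdefault(m.group(1), {})[role] = m.group(3)
    return {(v.get("local"), v.get("peer")) for v in per_if.values()}

def services_lines(cfg):
    """All statements under 'services' (service sets, NAT, firewall, IDS)."""
    return sorted(l.strip() for l in cfg.splitlines()
                  if l.strip().startswith("set services "))

def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    mirrored_b = {(peer, local) for local, peer in ha_channels(cfg_b)}
    for local, peer in sorted(ha_channels(cfg_a) ^ mirrored_b, key=str):
        findings.append(f"HA channel {local} -> {peer} has no mirrored counterpart")
    if services_lines(cfg_a) != services_lines(cfg_b):
        findings.append("services configuration differs between chassis")
    return findings

if __name__ == "__main__":
    print(check_pair(CHASSIS_A, CHASSIS_B) or "pair is consistent")
```

Channels are matched by address pair rather than interface name, so the check still works when the vms- members sit in different FPC/PIC slots on each chassis.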