Understanding Cluster Mode

The Administrator of the TOE can set up Cluster Mode for High Availability (HA) by connecting the dedicated HA control ports of node0 and node1, as described in the article https://kb.juniper.net/KB34608

The factory-default configuration does not include an HA configuration. To enable HA, remove any configuration on the physical interfaces used by HA. The two hosts constituting a chassis cluster must have identical configurations. Configure one host as node 0 and the other as node 1.

The TOE has a dedicated fxp0 interface for HA management. The HA control link must run between the dedicated control ports on each device. The Administrator can define the fabric interface. The cluster is now defined and set up by the Administrator. The two devices constituting a chassis cluster have an identical cluster-id but different node IDs, as one host is node 0 and the second host is node 1. On SRX1500 and SRX4XXX devices, the ge-0/0/1 or xe-0/0/1 interface on node1 changes to ge-7/0/1 or xe-7/0/1.

Node 1 renumbers its interfaces by adding the total number of system FPCs to the original FPC number of the interface. The fabric interface remains Administrator-defined.
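The renumbering rule above, written out as an added example (not Juniper code) for mapping interface names seen in a cluster configuration or audit log back to the node and physical port they belong to. The function names are hypothetical, and the FPC count of 7 is an assumption inferred from the ge-0/0/1 to ge-7/0/1 example on this page.

```python
import re

# Physical interface names have the form type-fpc/pic/port[.unit], e.g. ge-0/0/1.
# Names without that form (fxp0, fab0, reth0) carry no FPC number and are
# passed through unchanged.
_IFACE = re.compile(r"^([a-z]+)-(\d+)/(\d+)/(\d+)(\.\d+)?$")


def to_cluster_name(local_name, node, fpc_count):
    """Map a standalone interface name to its name once the host joins as `node`."""
    if node not in (0, 1):
        raise ValueError("node must be 0 or 1")
    m = _IFACE.match(local_name)
    if m is None:
        return local_name
    kind, fpc, pic, port, unit = m.groups()
    if int(fpc) >= fpc_count:
        raise ValueError(f"{local_name}: FPC outside 0..{fpc_count - 1}")
    # Node 1 adds the total number of system FPCs; node 0 adds nothing.
    return f"{kind}-{int(fpc) + node * fpc_count}/{pic}/{port}{unit or ''}"


def locate(cluster_name, fpc_count):
    """Return (node, local_name) for an interface name used in the cluster."""
    m = _IFACE.match(cluster_name)
    if m is None:
        return None, cluster_name  # node is not encoded in this name
    kind, fpc, pic, port, unit = m.groups()
    node, local_fpc = divmod(int(fpc), fpc_count)
    if node > 1:
        raise ValueError(f"{cluster_name}: FPC beyond a two-node cluster")
    return node, f"{kind}-{local_fpc}/{pic}/{port}{unit or ''}"


if __name__ == "__main__":
    FPCS = 7  # assumption: offset implied by the page's SRX1500/SRX4XXX example
    # Constructed sample of interface names as they might appear in a config review.
    for name in ["ge-0/0/1", "xe-7/0/1", "ge-7/0/1.0", "fxp0"]:
        print(name, "->", locate(name, FPCS))
```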

With the L2 HA link encryption tunnel, any Security Sensitive Parameters (Critical Security Parameters) exchanged over the control link between the two chassis in cluster mode are protected using IPsec. The configuration information and IKE HA messages that pass through the chassis cluster link from the primary node to the secondary node are protected from active and passive eavesdropping by using IPsec for internal communication between nodes. An attacker cannot gain privileged access or observe traffic without the internal IPsec key.