Connect Firewalls to create a Chassis Cluster

Use Feature Explorer to confirm platform and release support for specific features.

Review the Platform-Specific Control Links Behavior section for notes related to your platform.

A chassis cluster is created by physically connecting two identical, cluster-supported Firewalls using a pair of Ethernet connections of the same type. These connections provide both the control link and the fabric (data) link between the two devices.

Control Links

In a chassis cluster, control links are established using specific, dedicated ports on each firewall. The interface numbering for these control links changes based on the cluster offset (cluster index).

Control link interfaces follow the naming format:

type-fpc/pic/port

For example, ge-1/0/1

In this example:

ge indicates the interface type (Gigabit Ethernet).
1 represents the cluster index, which also corresponds to the Flexible PIC Concentrator (FPC) number.
0 is the Physical Interface Card (PIC) number.
1 is the port number.

Service Processing Cards (SPCs) provide two dedicated ports—HA0 and HA1—specifically designed for connecting control links between nodes in a chassis cluster.

How to Connect Firewalls

You can view the Firewalls connected as pairs, with fabric links and control links between them.

Figure 1: Connect SRX300 Firewalls in a Chassis Cluster High-availability setup for Juniper SRX300 series with Node 0 and Node 1 connected via control ports and fabric link for data synchronization and failover.

High-availability setup for Juniper SRX300 series with Node 0 and Node 1 connected via control ports and fabric link for data synchronization and failover.

Figure 2: Connect SRX320 Firewalls in a Chassis Cluster Diagram showing two Juniper SRX320 devices labeled Node 0 and Node 1 with control ports connected by cables and a fabric link between nodes.

Diagram showing two Juniper SRX320 devices labeled Node 0 and Node 1 with control ports connected by cables and a fabric link between nodes.

Figure 3: Connect SRX340 Firewalls in a Chassis Cluster Juniper SRX340 chassis cluster setup showing connections between Node 0 and Node 1 for control and data synchronization.

Juniper SRX340 chassis cluster setup showing connections between Node 0 and Node 1 for control and data synchronization.

Figure 4: Connect SRX345 Firewalls in a Chassis Cluster Juniper SRX345 firewall cluster setup showing Node 0 and Node 1. Control ports connected by blue cable; fabric link by orange cable.

Juniper SRX345 firewall cluster setup showing Node 0 and Node 1. Control ports connected by blue cable; fabric link by orange cable.

Figure 5: Connect SRX380 Firewalls in a Chassis Cluster Network diagram with two Juniper SRX380 devices labeled Node 0 and Node 1. Blue control port cables connect nodes for management, while orange fabric links enable high-speed data transfer for redundancy.

Network diagram with two Juniper SRX380 devices labeled Node 0 and Node 1. Blue control port cables connect nodes for management, while orange fabric links enable high-speed data transfer for redundancy.

Figure 6: Connect SRX1500 Firewalls in a Chassis Cluster Juniper SRX1500 chassis cluster setup with Node 0 and Node 1 linked via blue control ports and orange fabric links.

Juniper SRX1500 chassis cluster setup with Node 0 and Node 1 linked via blue control ports and orange fabric links.

Figure 7: Connect SRX1600 Firewalls in a Chassis Cluster Network setup with Node 0 and Node 1 connected via orange fabric links for data transfer and blue control ports for management.

Network setup with Node 0 and Node 1 connected via orange fabric links for data transfer and blue control ports for management.

Figure 8: Connect SRX2300 and SRX4120 Firewalls in a Chassis Cluster Two nodes labeled Node 0 and Node 1 connected by orange fabric links for data transfer and blue control ports for management, illustrating a high-availability system configuration.

Two nodes labeled Node 0 and Node 1 connected by orange fabric links for data transfer and blue control ports for management, illustrating a high-availability system configuration.

Figure 9: Connect SRX4100 Firewalls in a Chassis Cluster chassis cluster setup with two Juniper SRX4100 devices: Node 0 and Node 1. Blue cable for control traffic; orange cable for data synchronization.

chassis cluster setup with two Juniper SRX4100 devices: Node 0 and Node 1. Blue cable for control traffic; orange cable for data synchronization.

Figure 10: Connect SRX4200 Firewalls in a Chassis Cluster Diagram of two Juniper Networks SRX4200 nodes labeled Node 0 and Node 1 with blue control port and orange fabric link connections.

Diagram of two Juniper Networks SRX4200 nodes labeled Node 0 and Node 1 with blue control port and orange fabric link connections.

Figure 11: Connect SRX4300 Firewalls in a Chassis Cluster Two nodes labeled Node 0 and Node 1 connected by orange fabric links for data transfer and blue control ports for management.

Two nodes labeled Node 0 and Node 1 connected by orange fabric links for data transfer and blue control ports for management.

Figure 12: Connect SRX4600 Firewalls in a Chassis Cluster Juniper Networks SRX4600 chassis cluster setup showing Node 0 and Node 1 connected via blue control links and orange fabric links.

Juniper Networks SRX4600 chassis cluster setup showing Node 0 and Node 1 connected via blue control links and orange fabric links.

Figure 13: Connecting SRX5800 Firewalls in a Chassis Cluster Diagram of network nodes Node 0 and Node 1 with control port connection via fiber-optic cable and separate fabric link for data transfer.

Diagram of network nodes Node 0 and Node 1 with control port connection via fiber-optic cable and separate fabric link for data transfer.

Figure 14: Connect SRX5600 Firewalls in a Chassis Cluster Juniper SRX5600 devices connected with control links in blue for synchronization and fabric links in orange for high-speed data transfer.

Juniper SRX5600 devices connected with control links in blue for synchronization and fabric links in orange for high-speed data transfer.

Figure 15: Connect SRX5400 Firewalls in a Chassis Cluster Two Juniper Networks routers connected with control ports for management communication and fabric links for high-speed data transfer.

Two Juniper Networks routers connected with control ports for management communication and fabric links for high-speed data transfer.

Platform-Specific Control Links Behavior

Use Feature Explorer to confirm platform and release support for specific features.

Use the following table to review platform-specific behaviors for your platforms

Platform	Difference
SRX Series	Firewalls that support chassis cluster, use the following ports to form the control link on the following Firewalls: For SRX300 Firewall, connect the ge-0/0/1 on node 0 to the ge-1/0/1 on node 1. For SRX320 Firewall, connect the ge-0/0/1 on node 0 to the ge-3/0/1 on node 1. For SRX340, SRX345, and SRX380 Firewalls, connect the ge-0/0/1 on node 0 to the ge-5/0/1 on node 1. For SRX1500 Firewall, connect the HA control port on node 0 to the HA control port on node 1. SRX5000 line of Firewalls do not have built-in ports, so the control link for these gateways must be the control ports on their SPCs with a slot numbering. See Additional Platform Information. When a SPC is the central point as well as hosting the control port, this creates a single point of failure. If the SPC goes down on the primary node, the node is automatically rebooted to avoid split brain. When you connect a single control link on SRX5000 line of Firewalls, the control link ports are a one-to-one mapping with the Routing Engine slot. If your Routing Engine is in slot 0, you must use control port 0 to link the Routing Engines. For SRX1500, SRX1600, SRX2300, SRX4120, and SRX4300 Firewalls, the connection that serves as the control link must be between the built-in control ports on each device. Figure 13 shows pair of SRX5800 Firewalls having single SPC card each connected with a control link. The fabric link is connected using the IOC card. Firewalls that support chassis cluster, use the following ports to form the fabric link on the following Firewalls: For SRX300 and SRX320 Firewalls, connect any interface except ge-0/0/0 and ge-0/0/1. For SRX340, SRX345, and SRX380 Firewalls, connect any interface except fxp0 and ge-0/0/1. Fabric ports are revenue ports available from any IOC card. Fabric links are connected to the same slot and port on both SRX5000 line of Firewalls. Figure 14 shows dual control links connected using two SPC3 cards and dual fabric links using IOC cards.

Platform

Difference

SRX Series

Firewalls that support chassis cluster, use the following ports to form the control link on the following Firewalls:

For SRX300 Firewall, connect the ge-0/0/1 on node 0 to the ge-1/0/1 on node 1.
For SRX320 Firewall, connect the ge-0/0/1 on node 0 to the ge-3/0/1 on node 1.
For SRX340, SRX345, and SRX380 Firewalls, connect the ge-0/0/1 on node 0 to the ge-5/0/1 on node 1.
For SRX1500 Firewall, connect the HA control port on node 0 to the HA control port on node 1.
SRX5000 line of Firewalls do not have built-in ports, so the control link for these gateways must be the control ports on their SPCs with a slot numbering. See Additional Platform Information.
When a SPC is the central point as well as hosting the control port, this creates a single point of failure. If the SPC goes down on the primary node, the node is automatically rebooted to avoid split brain.
When you connect a single control link on SRX5000 line of Firewalls, the control link ports are a one-to-one mapping with the Routing Engine slot. If your Routing Engine is in slot 0, you must use control port 0 to link the Routing Engines.
For SRX1500, SRX1600, SRX2300, SRX4120, and SRX4300 Firewalls, the connection that serves as the control link must be between the built-in control ports on each device.
Figure 13 shows pair of SRX5800 Firewalls having single SPC card each connected with a control link. The fabric link is connected using the IOC card.

Firewalls that support chassis cluster, use the following ports to form the fabric link on the following Firewalls:

For SRX300 and SRX320 Firewalls, connect any interface except ge-0/0/0 and ge-0/0/1.
For SRX340, SRX345, and SRX380 Firewalls, connect any interface except fxp0 and ge-0/0/1.
Fabric ports are revenue ports available from any IOC card. Fabric links are connected to the same slot and port on both SRX5000 line of Firewalls.

Figure 14 shows dual control links connected using two SPC3 cards and dual fabric links using IOC cards.

ON THIS PAGE

Control Links

How to Connect Firewalls

Platform-Specific Control Links Behavior

Related Documentation