Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Inter-Chassis High Availability for MS-MIC and MS-MPC (Release 15.1 and earlier)

Note:

This topic applies to Junos OS release 15.1 and earlier. (For Junos OS release 16.1 and higher, see Inter-Chassis Stateful Synchronization for Long Lived NAT and Stateful Firewall Flows (MS-MPC, MS-MIC) Overview (Release 16.1 and later).)

Inter-chassis high availability supports stateful synchronization of services using a switchover to a backup services PIC on a different chassis. This topic applies to Junos OS release 15.1 and earlier. (For Junos OS release 16.1 and higher, see Inter-Chassis Stateful Synchronization for Long Lived NAT and Stateful Firewall Flows (MS-MPC, MS-MIC) Overview (Release 16.1 and later).) The feature is described in the following topics:

Inter-Chassis High Availability for Stateful Firewall and NAPT44 Overview (MS-MIC, MS-MPC)

Carrier-grade NAT (CGN) deployments can use dual-chassis implementations to provide a redundant data path and redundancy for key components in the router. Although intra-chassis high availability can be used in dual-chassis environments, it deals only with service PIC failures. If traffic is switched to a backup router due to some other failure in the router, state is lost. Inter-chassis high availability preserves state and provides redundancy using fewer service PICs than intra-chassis high availability. Only long-lived flows are synchronized between the primary and backup chassis in the high availability pair. The service PICs do not replicate state until an explicit CLI command, request services redundancy (synchronize | no-synchronize), is issued to start or stop the state replication. Stateful firewall, NAPT44, and APP state information can be synchronized.

Note:

When both the primary and backup PICs are up, replication starts immediately when the request services redundancy command is issued.

In order to use Inter-chassis high availability, you must use service sets configured for next-hop service interfaces. Inter-chassis high availability works with ms- service interfaces configured on MS-MIC or MS-MPC interface cards. A unit other than unit 0 must be configured with the ip-address-owner service-plane option.

The following restrictions apply:

  • NAPT44 is the only translation type supported.

  • Checkpointing is not supported for ALGs, PBA port block allocation (PBA), endpoint- independent mapping (EIM), or endpoint- independent filters (EIF).

Figure 1 shows the inter-chassis high availability topology.

Figure 1: Inter-Chassis High Availability TopologyInter-Chassis High Availability Topology

Configuring Inter-Chassis High Availability for Stateful Firewall and NAPT44 (MS-MPC, MS-MIC)

To configure inter-chassis availability for stateful firewall and NAPT44 on MS-MIC or MS-MPC service PICS, perform the following configuration steps on each chassis of the high availability pair:

  1. At the [edit interfaces interface-name redundancy-options] hierarchy level, set the ipaddress for the redundancy-peer. This IPv4 address specifies one of the hosted IP addresses of the remote PIC. This address is used by the TCP channel between the HA pairs.
    Note:

    When you enable or disable high availability of MS-MICs or MS-MPCs by configuring or removing the primary and backup adaptive services PICs by using the redundancy-options redundancy-peer ipaddress address statement at the [edit interfaces interface-name] hierarchy level, the configuration change is treated as a catastrophic event for each service-set that refers to the affected interface at the [edit services service-set name interface-service service-interface interface-name] hierarchy level. A catastrophic event at the service-set level has the effect of deactivating the service set, applying the change, and then reactivating the service set.

  2. Specify the name of a special routing instance, or VRF, you want applied to the HA synchronization traffic between the high availability pair.
  3. For the service set defining an interface that is a member of the high availability pair, configure the service replication options using the replicate-services option.

Example: Inter-Chassis Stateful High Availability for NAT and Stateful Firewall (MS-MIC, MS-MPC)

This example shows how to configure inter-chassis high availability for stateful firewall and NAT services.

Requirements

This example uses the following hardware and software components:

  • Two MX480 routers with MS-MPC line cards

  • Junos OS Release 13.3 or later

Overview

Two MX 3D routers are identically configured to facilitate stateful failover for firewall and NAT services in case of a chassis failure.

Configuration

To configure inter-chassis high availability for this example, perform these tasks:

CLI Quick Configuration

To quickly configure this example on the routers, copy the following commands and paste them into the router terminal window after removing line breaks and substituting interface information specific to your site.

Note:

The following configuration is for chassis 1.

Note:

The following configuration is for chassis 2. The NAT, stateful firewall, and service-set information must be identical for chassis 1 and 2.

Configuring Interfaces for Chassis 1.

Step-by-Step Procedure

The interfaces for each of the HA pair of routers are configured identically with the exception of the following service PIC options:

  • redundancy-options redundancy-peer ipaddress address

  • unit unit-number family inet address address of a unit, other than 0, that contains the ip-address-owner service-plane option

To configure interfaces:

  1. Configure the redundant service PIC on chassis 1.

  2. Configure the interfaces for chassis 1 that are used as interchassis links for synchronization traffic.

  3. Configure remaining interfaces as needed.

Results

Configure Routing Information for Chassis 1

Step-by-Step Procedure

Detailed routing configuration is not included for this example. A routing instance is required for the HA synchronization traffic between the chassis as follows:

  • Configure routing instances for Chassis 1.

Results

Configuring NAT and Stateful Firewall for Chassis 1

Step-by-Step Procedure

Configure NAT and stateful firewall identically on both routers. To configure NAT and stateful firewall:

  1. Configure NAT as needed.

  2. Configure stateful firewall as needed.

Results

Configuring the Service Set

Step-by-Step Procedure

Configure the the service set identically on both routers. To configure the service set:

  1. Configure the service set replication options.

  2. Configure references to NAT and stateful firewall rules for the service set.

  3. Configure next-hop service interface on the MS-PIC.

  4. Configure desired logging options.

Results

Configuring Interfaces for Chassis 2

Step-by-Step Procedure

The interfaces for each of the HA pair of routers are configured identically with the exception of the following service PIC options:

  • redundancy-options redundancy-peer ipaddress address

  • unit unit-number family inet address address of a unit, other than 0, that contains the ip-address-owner service-plane option

  1. Configure the redundant service PIC on chassis 2.

    The redundancy-peer ipaddress points to the address of the unit (unit 10) on ms-4/0/0 on chassis on chassis 1 that contains the ip-address-owner service-plane statement.

  2. Configure the interfaces for chassis 2 that are used as interchassis links for synchronization traffic

  3. Configure remaining interfaces for chassis 2 as needed.

Results

Configure Routing Information for Chassis 2

Step-by-Step Procedure

Detailed routing configuration is not included for this example. A routing instance is required for the HA synchronization traffic between the two chassis and is included here.

  • Configure routing instances for chassis 2.

    Note:

    The following configuration steps are identical to the steps shown for chassis 1.

    • Configuring NAT and Stateful Firewall

    • Configuring the Service Set

Results