Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  Urgent questions on IDP 250

    Posted 04-07-2011 23:22
    Hello all,

    I have a few questions on the IDP 250.

    1. Can the HA ports which are in state sync be connected via the switch rather than directly? The IDPs are located in different racks.

    2. What should be the ideal failover time for HA? Should it be left as the default time of 1?

    3. I am only configuring the eth2 and eth3 ports in inline mode. Is there any need for me to configure additional options like spanning tree on these ports?

    4. Do I need to enable multiple virtual router support on the ACM if I just need to configure the eth2 and eth3 ports? If I configure virtual router support for online mode, it asks for an IP address, which is optional.

    5. When configuring state sync for HA, can I assign any private IP address between these two HA interfaces? If the cable goes via the switch and I assign it a separate VLAN, this subnet should not affect any other traffic, right? Will the state sync subnet be talking to anyone else apart from these two interfaces?

    Thanks



  • 2.  RE: Urgent questions on IDP 250

    Posted 04-07-2011 23:41

    Hi,
    Based on the queries you have asked, it seems like you are using the 4.1 version. I will try to answer as much as I can.
    Please find my answers inline.

    @speedpill wrote:
    Hello all,

    I have a few questions on the IDP 250.

    1. Can the HA ports which are in state sync be connected via the switch rather than directly? The IDPs are located in different racks.
    Yes, you can do that. Please make sure you configure both the state-sync interfaces in the same VLAN on the switch.

    2. What should be the ideal failover time for HA? Should it be left as the default time of 1?
    In 4.1 versions, if this is for third party HA, it completely depends on the third party device with regards to the failover time. For example, in the case of spanning tree you can configure the maximum number of BPDU drops for triggering a failover, and the time depends on the switch changing the port state from blocking to learning to listening to forwarding.

    3. I am only configuring the eth2 and eth3 ports in inline mode. Is there any need for me to configure additional options like spanning tree on these ports?
    In 5.1 you need not configure any other option on these ports. In 4.1, if you are using a third party device to do failover, you need not configure anything on these ports either; but if you want the IDP to perform failover, you need to enable spanning tree on the ports. Check the user_funcs file for enabling it, and check sctop (I guess the 'w' option) to see the spanning tree states.

    4. Do I need to enable multiple virtual router support on the ACM if I just need to configure the eth2 and eth3 ports? If I configure virtual router support for online mode, it asks for an IP address, which is optional.
    If you need to use only 2 ports, then I guess in 4.1 you need not enable multiple VR support.

    5. When configuring state sync for HA, can I assign any private IP address between these two HA interfaces? If the cable goes via the switch and I assign it a separate VLAN, this subnet should not affect any other traffic, right? Will the state sync subnet be talking to anyone else apart from these two interfaces?
    Yes, any private IP address in the same network should be fine. If they are in the same VLAN they should not affect any other traffic. No, the state sync subnet will not be talking to anyone else.

    Thanks



    Thanks,

    Easwar



  • 3.  RE: Urgent questions on IDP 250

    Posted 04-07-2011 23:52
    Hello Easwar,

    Thanks for the prompt reply. I will be changing the version to 5.1 before production starts. The IDP will be between switches.

    How does 5.1 differ with respect to the questions I have asked?

    Is third party HA the only option for online mode?

    Thanks


  • 4.  RE: Urgent questions on IDP 250

    Posted 04-07-2011 23:57

    If you are using a third party device to perform failover then there are no differences between 5.1 and 4.1 (except for the configurations).

    But if you are using the IDP to perform failovers, or if you are using the two IDPs as an active/active load-balancing pair in router mode with version 4.1, the same is not supported in 5.1.

    In 5.1 or 4.1 you can have the device standalone in inline mode. Third party HA is only an option, which is up to the admin to decide whether or not to enable.

    Thanks,

    Easwar



  • 5.  RE: Urgent questions on IDP 250

    Posted 04-08-2011 00:54

    Hello Easwar,

    Thanks again for the response. It seems that I won't be upgrading after all, since they want it as version 4.1r4.

    The two IDPs will be sitting between the switches. I want the IDP to perform failover by itself rather than a switch telling it to fail over. So if the IDP will be in transparent mode, can I choose the standalone failover, and in that case do I need to perform any additional configuration on the switch or the IDP? Hopefully only the HA interfaces will need to talk to each other and exchange sync information.

    Will state sync be enabled for standalone mode? Do I need to configure IP addresses for the HA interface, and if so, as you mentioned in the earlier post, will I still be able to plug the HA interfaces in via the switch?

    In case I need to do third party HA, for information, what additional tasks do I need to perform on the IDP or the switch?

    Thanks



  • 6.  RE: Urgent questions on IDP 250

    Posted 04-08-2011 01:32

    Hello Easwar,

    I just read a document on Third Party HA and it says the following:

    An external HA configuration requires three networks: two forwarding networks and one state-sync network. The management network can use the forwarding interface that faces the protected network. The IDP Sensor connects to these networks through cables attached to one or more of its interfaces. During the Sensor configuration process, you are prompted to assign IP addresses on these networks to interfaces on the IDP Sensors:

    Forwarding Networks and Interfaces

    The interfaces that connect the IDP Sensor to the external network and protected network are forwarding interfaces. Forwarding interfaces send and receive network traffic. You can choose multiple interfaces on the IDP Sensor as forwarding interfaces. However, to increase performance, Juniper Networks recommends that you assign forwarding interfaces to those interfaces that share a network driver: use eth2 and eth3 as forwarding interfaces, or use eth4 and eth5 as forwarding interfaces.

    The State-Sync Network and Interface (Dedicated Network)

    The state-sync interface connects the IDP Sensors. The HA daemon uses the dedicated state-sync interface to synchronize traffic flow between the IDP Sensors. State-sync IP addresses can be any IP address, including RFC1918 nonroutable IPs.

    It goes on to say that if I am configuring inline mode, then I only have the option of Third Party HA mode. So what extra configs do I need on the switch side to make the failover happen?



  • 7.  RE: Urgent questions on IDP 250
    Best Answer

    Posted 04-08-2011 05:05

    In 4.1, please refer to page 131 in this document:

    http://www.juniper.net/techpubs/software/management/idp/idp41/idp-concepts-examples-4-1r3.pdf

    It says that:

    "In bridge mode, IDP devices can participate in STP. In transparent mode, IDP devices do not actively participate in STP but do pass BPDUs."

    So as per your requirement, you can only use third party HA in transparent mode.

    In the IDP, make sure you enable l2_bypass from the ACM.

    In the switch, normal spanning tree configuration; please check the configs for Cisco 3500XL and Juniper EX series switches under http://www.juniper.net/techpubs/en_US/idp5.1/information-products/pathway-pages/deployment-scenarios.html#redundant-paths

    Thanks,

    Easwar
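    As an added example (not from this thread or from Juniper's documentation), the Python script below turns the deployment rules quoted in the previous two replies into pre-deployment checks on a constructed HA plan: forwarding ports that share a driver, a dedicated state-sync network with RFC1918 addressing on its own VLAN, and third-party HA with l2_bypass for transparent mode. The plan dictionary keys and the use of eth1 as the state-sync port are assumptions.

```python
"""Sanity-check a two-sensor IDP external (third-party) HA plan."""
import ipaddress

# Forwarding interface pairs that share a network driver, per the quoted guide.
DRIVER_PAIRS = ({"eth2", "eth3"}, {"eth4", "eth5"})


def validate_ha_plan(plan):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    fwd = set(plan["forwarding"])
    if fwd not in DRIVER_PAIRS:
        findings.append("forwarding interfaces should be eth2+eth3 or eth4+eth5")
    if plan["state_sync_interface"] in fwd:
        findings.append("state-sync interface must be dedicated, not a forwarding port")
    # Both sensors' state-sync addresses must share one subnet on one VLAN.
    try:
        a = ipaddress.ip_interface(plan["state_sync_ips"]["sensor_a"])
        b = ipaddress.ip_interface(plan["state_sync_ips"]["sensor_b"])
    except ValueError as exc:
        return findings + [f"bad state-sync address: {exc}"]
    if a.network != b.network:
        findings.append("state-sync addresses are not in the same subnet")
    elif a.ip == b.ip:
        findings.append("both sensors use the same state-sync IP")
    # is_private covers the RFC1918 blocks (plus a few other reserved ranges).
    if not (a.ip.is_private and b.ip.is_private):
        findings.append("state-sync addresses should be RFC1918 non-routable IPs")
    if plan["state_sync_vlan"] in plan["forwarding_vlans"]:
        findings.append("state-sync VLAN overlaps a forwarding VLAN")
    if plan["mode"] == "transparent":
        if plan["ha_mode"] != "third_party":
            findings.append("transparent (inline) mode only supports third-party HA")
        if not plan.get("l2_bypass"):
            findings.append("enable l2_bypass in ACM for third-party HA")
    return findings

# Constructed plan for the thread's scenario: two sensors between switches,
# eth2/eth3 forwarding, a dedicated state-sync port (eth1 is an assumption).
SAMPLE_PLAN = {
    "mode": "transparent",
    "ha_mode": "third_party",
    "l2_bypass": True,
    "forwarding": ["eth2", "eth3"],
    "forwarding_vlans": [10, 20],
    "state_sync_interface": "eth1",
    "state_sync_vlan": 999,
    "state_sync_ips": {"sensor_a": "10.255.0.1/30", "sensor_b": "10.255.0.2/30"},
}
if __name__ == "__main__":
    print(validate_ha_plan(SAMPLE_PLAN) or "plan passes all checks")
```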



  • 8.  RE: Urgent questions on IDP 250

    Posted 04-08-2011 06:30

    Thanks a lot Easwar! This is just what I needed.