Screen OS

last person joined: 8 months ago 

This is a legacy community with limited Juniper monitoring.

  • 1.  ISG-2000 using three HA link

    Posted 11-25-2013 01:57

    Hi everyone:

    I have ISG-2000 x 2 and setting as Cluster(active/passive), as I know I need confiurate 2 HA link for transfer control and data   message, but my customer have module failure concern, so he configurate three HA link (e2/4,e3/7,e3/8), e2/4 is for control link, e3/7 is for data link,e3/8 is for standby, I would like to know is there any impact for this confiuration? 

    In this case, if e2/4 failure, e3/7 will become control link and e3/8 will become data link??

     

     

     

    PS. all interface speed is 1000M

     

    BR

    Alvin



  • 2.  RE: ISG-2000 using three HA link

    Posted 11-25-2013 02:14

    Hi Alvinsu, 

     

    2 interfaces for NSRP are more than sufficent for both Active / Passive as well as Active / Active setups. 

     

    To address your end customer's concern, you can always use the NSRP feature of configuring " Secondary Path" . To explain more,  NSRP uses dedicated HA interface(s) to keep in contact with the peer device. In the event that this connectivity is lost (eg. an intermediate switch failure) but the NSRP devices are both still active, then both devices will become Master. This undesirable condition is called “split-brain”.

    The secondary-path option allows NSRP to poll the peer via an alternate, non-dedicated interface. The purpose of this option is only to prevent a split-brain scenario, so NSRP sync data is not carried across this link, only heart-beat messages.

     

    CLI: set nsrp secondary-path <interface>

     

    WebUI: Network -> NSRP -> Link, select the interface from the drop-down list for the “Secondary Link” field, then click “Apply”.

     

    Refer KB 4334 for additional information. 

     

    Regard

    vatsa



  • 3.  RE: ISG-2000 using three HA link

    Posted 11-27-2013 08:34

    Dear Vatsa:

    Thanks a lot for your reply, I also like to know that in my case, if my cusotmer have module failure concern, whether can I configurate one HA link(for control message) on eth2/4, the other HA link(for data message) on eth3/8, if e2/4 failure , e3/8 can transmit both control & data message, and it can instead of secondary-path solution??

     

    question 2:

    If my customer  setting three HA link(e2/4,e3/7,e3/8), is it can work properly? or is there any impact ??

     

     

    BR

    Alvin



  • 4.  RE: ISG-2000 using three HA link
    Best Answer

    Posted 11-27-2013 21:56

    Hello ,

     

    It is do able  and can work properly.

     

    You can see the following link whihc explains whihc port will become data and whihc will become control .I also covers the scenario of 3 HA interfaces 

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11468&actp=search&viewlocale=en_US

     

     



  • 5.  RE: ISG-2000 using three HA link

    Posted 11-27-2013 22:07

    Hi

     

    Whenever you configure more than one link for HA, the lower interface becomes a control link and the higher link becomes a data link. When we configure three HA links, I am not sure what would happen to the third link. I dont think the firewall will automatically failover NSRP to the third link. Instead the firewall might just report that the HA link eth2/4 is down and use eth 3/8 for all NSRP communications.  Moreever, please note that the firewall needs a datalink  for data forwarding only if the setup is a Active / Active cluster setup and not for a Active / Passive setup.

     

    Regards

    Vatsa



  • 6.  RE: ISG-2000 using three HA link

    Posted 12-02-2013 03:26

    Dear