[j-nsp] nsrp ha link over ex4200
Ross Vandegrift
ross at kallisti.us
Tue Apr 28 17:32:49 EDT 2009
On Tue, Apr 28, 2009 at 11:17:04AM +0300, Yordan Boikov wrote:
> Hi,
>
> we have two SSG 520M firewalls and two ex4200 switches
>
>
> [ SSG520M fw1 ][eth1/7] ----- [ge-0/0/3][ ex4200 sw1 ][ge-0/1/2]===trunk===[ge-0/1/2][ ex4200 sw2 ][ge-0/0/3] ---- [eth1/7][ SSG520M fw2 ]
>
> I want to configure HA between fw1 and fw2
> the problem is that sw2 doesn't see fw1
>
> sw1>show ethernet-switching table vlan ha-vlan
> Ethernet-switching table: 2 unicast entries
> VLAN MAC address Type Age Interfaces
> ha-vlan * Flood - All-members
> ha-vlan 00:22:83:88:38:15 Learn 0 ge-0/0/3.0
> ha-vlan 00:22:83:88:3f:15 Learn 0 ge-0/1/2.0
>
> sw2> show ethernet-switching table vlan ha-vlan
> Ethernet-switching table: 1 unicast entries
> VLAN MAC address Type Age Interfaces
> ha-vlan * Flood - All-members
> ha-vlan 00:22:83:88:3f:15 Learn 0 ge-0/0/3.0
>
>
> Both switches have the same config and the same Junos version.
> IGMP snooping is disabled for all VLANs.

Two things to check:

1) The trunk connecting ge-0/1/2.0 to ge-0/1/2 needs to permit ha-vlan
on both switches.

2) Have you renamed or changed the tag on ha-vlan on sw2? If so,
there is a bug on the ex4200 that prevents reliable learning of MAC
addrs. Delete ha-vlan, commit, recreate ha-vlan, and then try again.

Remember to enable active NSRP HA probing with a setup like this.
It's also useful to pick a production interface as an NSRP secondary
path.
--
Ross Vandegrift
ross at kallisti.us
"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
--Woody Guthrie
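
An added example, not part of the original message: a small Python check that parses the two `show ethernet-switching table` outputs quoted in the thread and reports any MAC learned on a firewall-facing port of one switch that the other switch has not learned over the trunk. The function names are hypothetical, the sample tables are copied from the thread, and it assumes both switches use the same edge and trunk port names, as they do here.

```python
import re

# Constructed sample input: the two tables quoted in the thread.
SW1 = """\
Ethernet-switching table: 2 unicast entries
VLAN MAC address Type Age Interfaces
ha-vlan * Flood - All-members
ha-vlan 00:22:83:88:38:15 Learn 0 ge-0/0/3.0
ha-vlan 00:22:83:88:3f:15 Learn 0 ge-0/1/2.0
"""
SW2 = """\
Ethernet-switching table: 1 unicast entries
VLAN MAC address Type Age Interfaces
ha-vlan * Flood - All-members
ha-vlan 00:22:83:88:3f:15 Learn 0 ge-0/0/3.0
"""

# One unicast row: VLAN, MAC, type, age, interface (the "*" flood row is skipped).
ROW = re.compile(
    r"^\s*(?P<vlan>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<type>\S+)\s+(?P<age>\S+)\s+(?P<ifname>\S+)\s*$", re.I)

def parse_table(text, vlan):
    """Return {mac: interface} for learned unicast entries in one VLAN."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m["vlan"] == vlan and m["type"].lower() == "learn":
            entries[m["mac"].lower()] = m["ifname"]
    return entries

def check_ha_path(sw1_text, sw2_text, vlan, trunk, edge):
    """A MAC learned on one switch's edge port must show up on the peer's trunk."""
    tables = {"sw1": parse_table(sw1_text, vlan), "sw2": parse_table(sw2_text, vlan)}
    findings = []
    for local, remote in (("sw1", "sw2"), ("sw2", "sw1")):
        for mac, ifname in tables[local].items():
            if ifname != edge:
                continue  # entry was learned over the trunk, not from a firewall
            seen = tables[remote].get(mac)
            if seen is None:
                findings.append((mac, f"learned on {local} {edge}, missing on {remote}"))
            elif seen != trunk:
                findings.append((mac, f"learned on {local} {edge}, on {remote} via {seen}"))
    return findings

if __name__ == "__main__":
    for mac, problem in check_ha_path(SW1, SW2, "ha-vlan", "ge-0/1/2.0", "ge-0/0/3.0"):
        print(mac, problem)
```

Run against the quoted tables, it flags only fw1's MAC, which matches the symptom described: sw1 learns fw2 over the trunk, but sw2 never learns fw1.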