[j-nsp] SRX vs J-Series for HA over Layer2

Pierre-Yves Maunier j-nsp at maunier.org
Wed Mar 9 03:38:29 EST 2011


In my lab it worked with the port tagged in vlan 4094...

On the production firewalls it didn't. When I put the ports back in access
mode, it worked. So I guess, as you say, any vlan can work.

Pierre-Yves

2011/3/8 Ben Dale <bdale at comlinx.com.au>

> No - the fabric link is untagged, so you can drop it into any VLAN on the
> switch side - just remember to adjust MTU as necessary.
>
> Cheers,
>
> Ben
>
> On 08/03/2011, at 8:50 PM, Pierre-Yves Maunier wrote:
>
> Hello,
>
> thanks for the info,
>
> I was trying to find out which vlan to use in the first link Laurens gave me
> but the info is not in the document.
> My first tests were with igmp snooping disabled but with the switch ports in
> access mode in a standard vlan.
>
> Using trunk mode with vlan 4094 now works well for the control link, thanks
> again for the tip.
>
> Is there any specific vlan for the fabric link or any standard vlan will
> work (using access mode) ?
>
> Regards,
>
> --
> Pierre-Yves
>
>
> 2011/3/8 Ben Dale <bdale at comlinx.com.au>
>
>> Almost forgot - make sure IGMP snooping is turned off on both VLANs as
>> well.
>>
>> On 08/03/2011, at 7:32 PM, Ben Dale wrote:
>>
>> > Hi Pierre,
>> >
>> > Yes this can be done - control link traffic on the branch SRXs is
>> > actually sent 802.1Q tagged in VLAN 4094, so you'll need to make the
>> > interface you plug into the control link a trunk on your EX.
>> >
>> > I would also recommend that you increase the MTU size of both your
>> > fabric links (and the transport network in between the SRXs), as you'll need
>> > to be able to carry the largest frame your revenue interfaces can receive
>> > wrapped in a header (if traffic ingresses via one SRX and needs to egress
>> > the other).  So if you're just using 1500 byte MTUs on your revenue ports,
>> > you'll need a PMTU of 1632 over the links in between.
>> >
>> > I'm sure in reality it's a lot less than this (132 bytes for a header
>> > seems excessive), but these are what Juniper recommend right now.
>> >
>> > Actually a quick google brings up this document which is quite
>> > comprehensive:
>> >
>> > http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/3500165-EN.pdf
>> >
>> > Cheers,
>> >
>> > Ben
>> >
>> > On 08/03/2011, at 3:42 AM, Pierre-Yves Maunier wrote:
>> >
>> >> Hello all,
>> >>
>> >> I've been able to set up HA between two J2320 having the control and fabric
>> >> link in two separate vlans over EX switches and it works fine. It's even
>> >> told in the documentation :   "Define the interfaces used for the FAB
>> >> connection. These interfaces must be connected back to back, or through a
>> >> Layer 2 infrastructure, as shown in Figure 2".
>> >>
>> >> I tried to do the same with a pair of SRX-240 without any success (tested in
>> >> 10.3R2.11 and 10.3R3.7). The interfaces must be connected back-to-back.
>> >>
>> >> Anybody already succeeded in doing control/fabric link over a layer 2
>> >> infrastructure with SRX hardware ? How did you do it ?
>> >>
>> >> Thanks.
>> >>
>> >> Regards,
>> >>
>> >> --
>> >> Pierre-Yves Maunier
>> >> _______________________________________________
>> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> >>
>> >
>>
>>
>
>
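
The switch-side settings discussed in the quoted replies (trunk carrying VLAN 4094 for the control link, untagged fabric link in an ordinary VLAN, IGMP snooping off on both, extra MTU), collected as an added example that is not part of the original thread or of Juniper's documentation. It uses legacy (non-ELS) EX syntax; the port names, VLAN names, fabric VLAN id 300 and the MTU value are assumptions, and the reply at the top reports that on the production firewalls the ports had to go back to access mode.

```junos
# Added example, legacy EX (non-ELS) set commands.
# Assumed, not from the thread: ge-0/0/10, ge-0/0/11, xe-0/1/0,
# VLAN names srx-control / srx-fabric, fabric VLAN id 300, MTU 9216.

# Control link: per the thread, branch SRX control traffic is sent
# 802.1Q-tagged in VLAN 4094, so the switch port is a trunk carrying it.
set vlans srx-control vlan-id 4094
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members srx-control

# Fabric link: untagged, so an access port in any VLAN on the switch side.
set vlans srx-fabric vlan-id 300
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members srx-fabric

# MTU: the thread quotes a path MTU of 1632 for 1500-byte revenue ports.
# 9216 (assumed here) leaves headroom; the same applies to every
# inter-switch link between the two SRXs (xe-0/1/0 is a placeholder uplink).
set interfaces ge-0/0/11 mtu 9216
set interfaces xe-0/1/0 mtu 9216

# IGMP snooping turned off on both HA VLANs.
set protocols igmp-snooping vlan srx-control disable
set protocols igmp-snooping vlan srx-fabric disable
```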

