Juniper Hidden Command : set chassis cluster control-link-vlan enable - NETSEC

Wednesday, January 29, 2014

Juniper Hidden Command : set chassis cluster control-link-vlan enable

set chassis cluster control-link-vlan enable

Explanation:

[SRX] How to enable or disable VLAN tagging on the chassis cluster control port


SUMMARY:
This article provides information on how to enable and disable VLAN tagging on the chassis cluster control port.
PROBLEM OR GOAL:
  • One node is upgraded from Junos OS 10.2R2 or an earlier version to 10.4 or later.

  • By default, VLAN tagging on the control port is in the enabled state.

  • The node on which the RE has been replaced was downgraded/upgraded from a version later than Junos OS 10.2R2 to the same version as the other node, but it does not join the cluster and goes into split brain; that is, the nodes do not see each other.


Sample Output on NODE-0:

{primary:node0}
root@> show chassis cluster information detail 
node0:
--------------------------------------------------------------------------
Redundancy mode:
    Configured mode: active-active
    Operational mode: active-active

Redundancy group: 0, Threshold: 255, Monitoring failures: none
    Events:
        Aug  5 16:51:18.773 : hold->secondary, reason: Hold timer expired
        Aug  5 16:51:34.789 : secondary->primary, reason: Only node present
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 63115
        Heartbeat packets received: 0
        Heartbeat packet errors: 0
        Duplicate heartbeat packets received: 0
    Control recovery packet count: 0
    Sequence number of last heartbeat packet sent: 63114
    Sequence number of last heartbeat packet received: 0
Fabric link statistics:
    Probes sent: 63114
    Probes received: 0
    Probe errors: 0
    Probes not processed: 0             
    Probes dropped due to control link down: 0
    Probes dropped due to fabric link down: 0
    Sequence number of last probe sent: 63114
    Sequence number of last probe received: 0
Chassis cluster LED information:
    Current LED color: Red
    Last LED change reason: Peer node: node1 is not present
Control port tagging:
    Enabled 


{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node    Priority   Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
node0       1        primary   no       no
node1       0        lost      n/a      n/a

Sample Output on NODE-1:

{primary:node1}
root> show chassis cluster information detail 
node1:
--------------------------------------------------------------------------
Redundancy mode:
    Configured mode: active-active
    Operational mode: active-active

Redundancy group: 0, Threshold: 255, Monitoring failures: none
    Events:
        Aug  5 16:50:52.904 : hold->secondary, reason: Hold timer expired
        Aug  5 16:56:38.711 : secondary->primary, reason: Remote yield (1/0)
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 64212
        Heartbeat packets received: 337
        Heartbeat packet errors: 0
        Duplicate heartbeat packets received: 0
    Control recovery packet count: 0
    Sequence number of last heartbeat packet sent: 64210
    Sequence number of last heartbeat packet received: 361
Fabric link statistics:
    Probes sent: 64210
    Probes received: 0
    Probe errors: 0
    Probes not processed: 0             
    Probes dropped due to control link down: 0
    Probes dropped due to fabric link down: 0
    Sequence number of last probe sent: 64210
    Sequence number of last probe received: 0
Chassis cluster LED information:
    Current LED color: Red
    Last LED change reason: Peer node: node0 is not present
Control port tagging:
    Disabled

{primary:node1}
root> show chassis cluster status    
Cluster ID: 1 
Node    Priority   Status  Preempt  Manual failover 

Redundancy group: 0 , Failover count: 1    
node0       0         lost    n/a  n/a     
node1       1         primary no   no  
  


CAUSE:
One device is sending a tagged heartbeat and the other is sending an untagged heartbeat, because VLAN tagging is enabled on one node and disabled on the other node.
SOLUTION:
Prior to Junos OS 10.2R3, VLAN tagging was enabled by default on the chassis cluster control port. From Junos OS 10.2R3 onwards, VLAN tagging is not enabled on the control port by default.

To check the control port tagging status, execute the show chassis cluster information detail command and look for Control port tagging:

admin@host> show chassis cluster information detail
.
Control port tagging:
    Disabled

In this failure scenario, tagging is enabled on one node and disabled on the other.

It is also possible to check by taking a packet capture on the control port of both nodes. On one node, the packets will be tagged with vlan-id 4096; on the other node, the packets will not have any tagging.

VLAN tagging on the control port can be enabled or disabled by using the following command:

admin@host> set chassis cluster control-link-vlan enable/disable

Note: control-link-vlan is a hidden command on the SRX platform. Users must enter this command manually.

As VLAN tagging is disabled by default on the control port in versions that are later than Junos OS 10.2R2, it is recommended to disable tagging on both of the nodes.
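
The comparison described above can be scripted when auditing clusters after an upgrade or RE replacement. The following is an added example, not part of the original article or Juniper's tooling: it parses saved show chassis cluster information detail output from each node and reports a tagging mismatch and one-way heartbeats. The sample text is trimmed from the outputs shown earlier; the function names parse_node and check_cluster are assumptions.

```python
import re

# Sample text trimmed from the node0/node1 outputs shown in this article.
NODE0 = """\
node0:
        Heartbeat packets sent: 63115
        Heartbeat packets received: 0
Control port tagging:
    Enabled
"""
NODE1 = """\
node1:
        Heartbeat packets sent: 64212
        Heartbeat packets received: 337
Control port tagging:
    Disabled
"""

def parse_node(text):
    """Extract tagging state and heartbeat counters from one node's output."""
    info = {"tagging": None, "hb_sent": None, "hb_recv": None}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        if ln == "Control port tagging:":
            # The state is printed on the following non-empty line.
            nxt = next((x for x in lines[i + 1:] if x), "")
            if nxt in ("Enabled", "Disabled"):
                info["tagging"] = nxt
        m = re.fullmatch(r"Heartbeat packets (sent|received): (\d+)", ln)
        if m:
            info["hb_sent" if m.group(1) == "sent" else "hb_recv"] = int(m.group(2))
    return info

def check_cluster(out_a, out_b):
    """Return a list of findings for a two-node cluster."""
    a, b = parse_node(out_a), parse_node(out_b)
    findings = []
    if None in (a["tagging"], b["tagging"]):
        findings.append("tagging state missing from output")
    elif a["tagging"] != b["tagging"]:
        findings.append(f"control port tagging mismatch: {a['tagging']} vs {b['tagging']}")
    for name, n in (("first", a), ("second", b)):
        if n["hb_sent"] and n["hb_recv"] == 0:
            findings.append(f"{name} node sends heartbeats but receives none")
    return findings

if __name__ == "__main__":
    for finding in check_cluster(NODE0, NODE1):
        print(finding)
```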
PURPOSE:
Configuration
Implementation
Installation
Troubleshooting