
Junos SRX550 HA configuration

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

A brief introduction: HA on the SRX series of firewalls uses the JSRP protocol, the counterpart of NSRP on NetScreen. The biggest difference between JSRP and NSRP is that JSRP uses a cluster, in which the two firewalls are virtualized into one. NSRP, by contrast, generally adopts active/standby mode, and the standby machine needs to be managed separately.

JSRP requires that the model, version, cards and so on of the two devices be exactly the same.

Let's start the HA configuration of SRX550.

1. The first step is to determine the control-link interface for HA between the SRX550 firewalls. According to the official documents, ge-0/0/0 of the SRX550 is the out-of-band management port, and ge-0/0/1 is the fixed control-link interface. Connect the two firewalls to each other through port ge-0/0/1.

2. Initialize the interfaces of the two devices, and delete all relevant original configurations.

delete interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-trust

delete interfaces ge-0/0/0 unit 0 family ethernet-switching

delete interfaces ge-0/0/0 unit 0

delete interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust

delete interfaces ge-0/0/1 unit 0 family ethernet-switching

delete interfaces ge-0/0/1 unit 0

delete interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust

delete interfaces ge-0/0/2 unit 0 family ethernet-switching

delete interfaces ge-0/0/2 unit 0

3. Configure cluster-id and node-id

SRX-A > set chassis cluster cluster-id 1 node 0 reboot

SRX-B > set chassis cluster cluster-id 1 node 1 reboot

After the two devices have rebooted, you will find that they have logically become one firewall. You can see interfaces such as ge-9/0/0, which belong to the second device.

4. Specify Fabric Link Port

set interfaces fab0 fabric-options member-interfaces ge-0/0/2

set interfaces fab1 fabric-options member-interfaces ge-9/0/2

The control-link is mainly used for heartbeat detection and configuration synchronization between the two devices. The fabric-link is used for session synchronization.

After completing this step, use the command:

show chassis cluster interfaces

show chassis cluster status

You can see that HA between the two devices is now established. One problem remains, however.

Now there are two HA lines between the two firewalls, one control-link and one fabric-link.

1. If you disconnect the control-link, HA is broken, but the primary firewall keeps working normally. When the control-link is restored, the HA state remains abnormal. Only manually rebooting the backup firewall restores HA.

2. If the fabric-link is disconnected, HA is not broken and the primary firewall keeps working normally, but the backup firewall cannot synchronize sessions and cannot take over. When the fabric-link is restored, the HA state remains abnormal. Only manually rebooting the backup firewall restores HA.

So is there a way for the firewall to identify problems with HA lines and do the corresponding operations?

Use the following command:

set chassis cluster control-link-recovery

If the fabric-link is disconnected and then restored, the HA state is automatically restored and sessions continue to synchronize.

If the control-link is disconnected and then restored, the backup firewall automatically reboots to re-establish HA.
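
The two failure modes above can also be caught from a monitoring host. The following check is an added example, not part of the original article: it parses the text output of show chassis cluster interfaces and show chassis cluster status and reports a link that is not Up or a redundancy group without exactly one primary and one secondary. The sample output is constructed, and its layout is an assumption modeled on typical Junos output; adjust the patterns to your release.

```python
import re

# Constructed sample output (layout assumed to follow typical Junos output).
IFACES = """\
Control link status: Up

Fabric link status: Down

Fabric interfaces:
    Name    Child-interface    Status
    fab0    ge-0/0/2           Down / Down
    fab1    ge-9/0/2           Down / Down
"""
STATUS = """\
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100      primary        no      no       None
node1  1        secondary      no      no       None
"""

def check_cluster(interfaces_out, status_out):
    """Return a list of HA problems; an empty list means the cluster looks healthy."""
    problems = []
    # 1. Both HA links (control-link and fabric-link) must report Up.
    for link in ("Control", "Fabric"):
        m = re.search(rf"^{link} link status:\s*(\S+)", interfaces_out, re.M)
        if m is None:
            problems.append(f"{link.lower()}-link status not found")
        elif m.group(1).lower() != "up":
            problems.append(f"{link.lower()}-link is {m.group(1)}")
    # 2. Every redundancy group needs exactly one primary and one secondary.
    roles, group = {}, None
    for line in status_out.splitlines():
        g = re.match(r"Redundancy group:\s*(\d+)", line)
        n = re.match(r"node\d+\s+\d+\s+(\S+)", line)
        if g:
            group = g.group(1)
            roles[group] = []
        elif n and group is not None:
            roles[group].append(n.group(1))
    for grp, seen in roles.items():
        if sorted(seen) != ["primary", "secondary"]:
            problems.append(f"redundancy group {grp}: node states {seen}")
    if not roles:
        problems.append("no redundancy groups found in status output")
    return problems
```

Feed it the captured command output on a schedule and alert on any non-empty result, so a broken HA link is noticed before a failover is needed.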
