2025-03-26 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
1. Introduction of the experimental environment
1) vSRX 12.1X47-D20.7
2. Experimental topology
A Chassis Cluster is formed between vSRXA1 and vSRXA2.
ge-0/0/0 is the out-of-band management interface (system default, cannot be changed).
ge-0/0/1 is the control-link (fixed by the system, cannot be changed).
ge-0/0/4 is the data-link (configured manually, can be changed).
The control-link and the data-link are connected back-to-back.
On low-end SRX firewalls the out-of-band management interface, the control interface and the data interface are all taken from ordinary business (revenue) ports.
On high-end SRX firewalls the management interface and the control interface are dedicated interfaces; only the data interface uses a business port.
In HA the interface numbering of node1 changes, because the vSRX virtual appliance is treated as a 7-slot device (slots 0, 1, 2, 3, 4, 5, 6):
the interfaces of node0 are numbered ge-0/0/0, ge-1/0/0 ... ge-6/0/0;
the interfaces of node1 are numbered ge-7/0/0, ge-8/0/0 ... ge-13/0/0.
3. Switching SRX from stand-alone mode to HA mode requires a reboot of the firewall
1) set the cluster ID and node ID on each vSRX (the command reboots the device)
vSRXA1:
set chassis cluster cluster-id 1 node 0 reboot
vSRXA2:
set chassis cluster cluster-id 1 node 1 reboot
2) the vSRX automatically joins HA mode after the restart
{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node   Priority Status    Preempt Manual Monitor-failures
Redundancy group: 0, Failover count: 1
node0  1        primary   no      no     None
node1  1        secondary no      no     None
{primary:node0}
root>
Note: on low-end SRX firewalls the control-link is fixed: as long as the firewall runs in HA mode, ge-0/0/1 is the control-link. On high-end SRX firewalls, especially the SRX5K, the control-link is a dedicated port that must be configured manually; if the control-link is not configured, the firewall cannot start properly in HA mode. The SRX5K control-link port configuration commands are as follows:
set chassis cluster control-ports fpc 2 port 0
set chassis cluster control-ports fpc 5 port 0
4. The configuration order for SRX firewall HA is as follows (all of it can be done on the master firewall)
1) configure the management interfaces (node0/1 management addresses and backup-router)
2) configure the HA data-link interface of the firewall (ge-0/0/1)
3) configure the Redundancy groups of HA (group 0 is the control plane by default, the others are data plane)
4) configure the business interfaces (reth) in HA
5) configure the failover parameters of HA
Following this order makes it easier to roll back and troubleshoot when something goes wrong.
5. Configuration steps for SRX firewall HA (all of it can be done on the master firewall)
1) configure the management interface and the backup-router route
{primary:node0}[edit groups]
root# show | display set
set groups node0 system host-name vSRXA1
set groups node0 system backup-router 192.168.100.254
set groups node0 system backup-router destination 192.168.100.0/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.2/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only
set groups node1 system host-name vSRXA2
set groups node1 system backup-router 192.168.100.254
set groups node1 system backup-router destination 192.168.100.0/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.3/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only
/* apply the node0/node1 groups configured above and commit to save the configuration */
{primary:node0} [edit]
Root# set apply-groups ${node}
{primary:node0} [edit]
Root# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete
{primary:node0}[edit]
root@vSRXA1#
/* check the status of node0 and node1 */
{primary:node0}[edit]
root@vSRXA1# run show interfaces terse | match fxp0
fxp0     up    up
fxp0.0   up    up   inet   192.168.100.1/24 master-only   (effect of master-only in the node group)
{primary:node0}[edit]
root@vSRXA1#
{secondary:node1}
root@vSRXA2> show interfaces terse | match fxp0
fxp0     up    up
fxp0.0   up    up   inet   192.168.100.3/24
{secondary:node1}
root@vSRXA2>
2) configure the data-link of HA; the configuration keyword is fab
{primary:node0}[edit]
root@vSRXA1# show interfaces | match fab | display set
set interfaces fab0 fabric-options member-interfaces ge-0/0/4
set interfaces fab1 fabric-options member-interfaces ge-7/0/4
Status before the fab configuration is committed:
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster interfaces
Control link status: Up
Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA
    0       fxp1        Up                 Disabled
Fabric link status: Down
Fabric interfaces:
    Name   Child-interface   Status
                             (Physical/Monitored)
    fab0
    fab0
    fab1
    fab1
Redundant-pseudo-interface Information:
    Name   Status   Redundancy-group
    lo0    Up       0
{primary:node0}[edit]
root@vSRXA1# run show interfaces terse | match fab
fab0     up    down
fab0.0   up    down   inet   30.17.0.200/24
fab1     up    down
fab1.0   up    down   inet   30.18.0.200/24
{primary:node0}[edit]
root@vSRXA1#
Status after the fab configuration:
{primary:node0}
root@vSRXA1> show chassis cluster interfaces
Control link status: Up
Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA
    0       fxp1        Up                 Disabled
Fabric link status: Up
Fabric interfaces:
    Name   Child-interface   Status
                             (Physical/Monitored)
    fab0   ge-0/0/4          Up   / Up
    fab0
    fab1   ge-7/0/4          Up   / Up
    fab1
Redundant-pseudo-interface Information:
    Name   Status   Redundancy-group
    lo0    Up       0
{primary:node0}
root@vSRXA1> show interfaces terse | match fab
ge-0/0/4.0   up    up   aenet   --> fab0.0
ge-7/0/4.0   up    up   aenet   --> fab1.0
fab0         up    up
fab0.0       up    up   inet    30.17.0.200/24
fab1         up    up
fab1.0       up    up   inet    30.18.0.200/24
{primary:node0}
root@vSRXA1>
3) configure the Redundancy groups of HA (by default only group 0 exists, with priority 1; the priorities can be set manually)
{primary:node0}[edit chassis cluster]
root@vSRXA1# show | display set
set chassis cluster reth-count 8
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
View the status of the redundancy groups:
{primary:node0} [edit]
Root@vSRXA1# run show chassis cluster status
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring
Cluster ID: 1
Node   Priority Status    Preempt Manual Monitor-failures
Redundancy group: 0, Failover count: 1
node0  200      primary   no      no     None
node1  100      secondary no      no     None
Redundancy group: 1, Failover count: 1
node0  200      primary   no      no     None
node1  100      secondary no      no     None
{primary:node0} [edit]
Root@vSRXA1#
4) configure the business interfaces (reth) in the HA environment (add the physical interfaces to the reth group)
{primary:node0}[edit]
root@vSRXA1# show interfaces | match reth | display set
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth2
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth2
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth2 redundant-ether-options redundancy-group 1
View the status of the reth interfaces:
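The slot rule from section 2 (node1's FPC number is node0's plus 7 on this vSRX) is what makes the fab and reth child interfaces above pair up correctly. The following Python helper is an added example, not part of the article and not Junos code: it derives the node1 peer of each node0 port from that offset and emits the corresponding set commands, so the two halves of every pair cannot drift apart when a cluster is built with more ports than this lab. The 7-slot offset, the interface names and the reth-count of 8 come from the page; the check that every reth index lies below reth-count is an added assumption.

```python
import re
from typing import Dict, List

# Slot offset between the two nodes: the vSRX is treated as a 7-slot device,
# so node1's FPC number is node0's plus 7 (ge-0/0/4 on node0 <-> ge-7/0/4 on
# node1). Kept as a parameter because other SRX models use a different count.
VSRX_SLOTS = 7

_IF_RE = re.compile(r"^(?P<type>[a-z]+)-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)$")
_RETH_RE = re.compile(r"^reth(\d+)$")


def peer_interface(node0_if: str, slots: int = VSRX_SLOTS) -> str:
    """Name of the same physical port on node1, derived from the node0 name."""
    m = _IF_RE.match(node0_if)
    if not m:
        raise ValueError(f"not a physical interface name: {node0_if}")
    fpc = int(m.group("fpc"))
    if fpc >= slots:
        raise ValueError(f"{node0_if}: FPC {fpc} is not a node0 slot (0..{slots - 1})")
    return f"{m.group('type')}-{fpc + slots}/{m.group('pic')}/{m.group('port')}"


def fabric_config(node0_fab_if: str, slots: int = VSRX_SLOTS) -> List[str]:
    """set commands for the fab0/fab1 data-link, given only the node0 child port."""
    return [
        f"set interfaces fab0 fabric-options member-interfaces {node0_fab_if}",
        f"set interfaces fab1 fabric-options member-interfaces "
        f"{peer_interface(node0_fab_if, slots)}",
    ]


def reth_config(members: Dict[str, str], redundancy_group: int,
                reth_count: int, slots: int = VSRX_SLOTS) -> List[str]:
    """set commands for reth interfaces.

    members maps a reth name to its node0 child port, e.g. {"reth0": "ge-0/0/2"};
    the node1 child is derived with the slot offset. Each reth index is required
    to be below reth-count (assumed check, so the mistake is caught before commit).
    """
    cmds = [f"set chassis cluster reth-count {reth_count}"]
    for reth, node0_if in sorted(members.items()):
        m = _RETH_RE.match(reth)
        if not m:
            raise ValueError(f"not a reth interface name: {reth}")
        if int(m.group(1)) >= reth_count:
            raise ValueError(f"{reth} requires reth-count > {m.group(1)}")
        cmds.append(f"set interfaces {node0_if} gigether-options redundant-parent {reth}")
        cmds.append(f"set interfaces {peer_interface(node0_if, slots)} "
                    f"gigether-options redundant-parent {reth}")
        cmds.append(f"set interfaces {reth} redundant-ether-options "
                    f"redundancy-group {redundancy_group}")
    return cmds


if __name__ == "__main__":
    # Reproduces this lab's fab and reth configuration from the node0 ports alone.
    for cmd in fabric_config("ge-0/0/4") + reth_config(
            {"reth0": "ge-0/0/2", "reth2": "ge-0/0/3"}, redundancy_group=1, reth_count=8):
        print(cmd)
```

Run as a script it prints the same fab and reth set commands shown in steps 2) and 4); feeding a node1 name such as ge-7/0/4 to peer_interface raises an error instead of silently producing a slot 14 interface that does not exist.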
root@vSRXA1# run show interfaces terse | match reth
ge-0/0/2.32767   up    up   aenet   --> reth0.32767
ge-0/0/3.32767   up    up   aenet   --> reth2.32767
ge-7/0/2.32767   up    up   aenet   --> reth0.32767
ge-7/0/3.32767   up    up   aenet   --> reth2.32767
reth0            up    up
reth0.32767      up    up
reth2            up    up
reth2.32767      up    up
{primary:node0}[edit]
root@vSRXA1#
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster interfaces | no-more
Control link status: Up
Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA
    0       fxp1        Up                 Disabled
Fabric link status: Up
Fabric interfaces:
    Name   Child-interface   Status
                             (Physical/Monitored)
    fab0   ge-0/0/4          Up   / Up
    fab0
    fab1   ge-7/0/4          Up   / Up
    fab1
Redundant-ethernet Information:
    Name    Status   Redundancy-group
    reth0   Up       1
    reth2   Up       1
Redundant-pseudo-interface Information:
    Name   Status   Redundancy-group
    lo0    Up       0
{primary:node0}[edit]
root@vSRXA1#
5) failover between node0 and node1 (manual switching)
root@vSRXA1> request chassis cluster failover redundancy-group 0 node 1
root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1
After a manual failover the priority becomes 255, and it has to be reset manually:
request chassis cluster failover reset redundancy-group 1
At this point the SRX Chassis Cluster can be used normally. If other parameters need to be changed, refer to the Juniper documentation:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-overview.html
The next part will cover IP address and routing configuration on the SRX HA interfaces. Thank you!
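Steps 3) and 5) give an operator three things to watch in `show chassis cluster status`: each redundancy group should have exactly one primary, a node left at priority 255 means a manual failover was never reset, and the Monitor-failures column should read None. The following Python parser and health check is an added example, not part of the article or of any Juniper tool; it works offline on captured CLI output. The two sample outputs are constructed in the layout shown above (the "yes" in the Manual column after a failover, and priority 0 marking a node ineligible for the group, are assumptions; the priority-255 rule is the page's own statement).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the layout of `show chassis cluster status` above:
# group 0 is healthy, group 1 was manually failed over to node1 and not reset
# (priority 255). The "yes" in the Manual column is an assumption about the
# post-failover display; the health check keys on the priority value alone.
SAMPLE_STATUS = """\
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    IF  Interface monitoring        IP  IP monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  200      primary        no      no       None
node1  100      secondary      no      no       None

Redundancy group: 1 , Failover count: 2
node0  200      secondary      no      no       None
node1  255      primary        no      yes      None
"""

# Constructed sample of a group in which both nodes claim primary and node1
# also reports an interface-monitoring failure (code IF from the legend).
SPLIT_SAMPLE = """\
Cluster ID: 1
Redundancy group: 1, Failover count: 3
node0  200      primary        no      no       None
node1  100      primary        no      no       IF
"""

_RG_RE = re.compile(r"Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
_NODE_RE = re.compile(r"^\s*(node\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*?)\s*$",
                      re.IGNORECASE)


@dataclass
class NodeState:
    name: str
    priority: int
    status: str
    preempt: str
    manual: str
    monitor_failures: str


@dataclass
class RedundancyGroup:
    group_id: int
    failover_count: int
    nodes: List[NodeState] = field(default_factory=list)


def parse_cluster_status(text: str) -> Dict[int, RedundancyGroup]:
    """Parse the per-group node table; legend and header lines are skipped."""
    groups: Dict[int, RedundancyGroup] = {}
    current = None
    for line in text.splitlines():
        m = _RG_RE.search(line)
        if m:
            current = RedundancyGroup(int(m.group(1)), int(m.group(2)))
            groups[current.group_id] = current
            continue
        m = _NODE_RE.match(line)
        if m and current is not None:
            current.nodes.append(NodeState(m.group(1).lower(), int(m.group(2)),
                                           m.group(3), m.group(4), m.group(5), m.group(6)))
    return groups


def check_cluster_health(groups: Dict[int, RedundancyGroup]) -> List[str]:
    """Return one finding per anomaly; an empty list means the cluster looks healthy."""
    findings: List[str] = []
    for gid, rg in sorted(groups.items()):
        primaries = [n.name for n in rg.nodes if n.status == "primary"]
        if len(primaries) != 1:
            findings.append(f"RG{gid}: expected exactly one primary, found {primaries}")
        for n in rg.nodes:
            if n.priority == 255:
                findings.append(f"RG{gid}: {n.name} at priority 255, manual failover not reset "
                                f"(request chassis cluster failover reset redundancy-group {gid})")
            elif n.priority == 0:
                findings.append(f"RG{gid}: {n.name} at priority 0, ineligible for the group")
            if n.monitor_failures not in ("None", ""):
                findings.append(f"RG{gid}: {n.name} monitor failures: {n.monitor_failures}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_STATUS, SPLIT_SAMPLE):
        print("\n".join(check_cluster_health(parse_cluster_status(sample))) or "healthy")
```

The parser only keys on the "Redundancy group:" header and on rows that begin with a node name, so the monitor-failure legend and the column header are ignored; a group with no primary at all, or with two, is reported the same way as a stale 255 priority, which is the case the reset command in step 5) exists for.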