HA configuration for SRX340
-------------------------------------------------------------------------------------------------------------
Before starting the cluster configuration of my SRX340s, remove some configuration items to avoid post-configuration errors.
On each SRX do the following:
First delete all logical interfaces that are used for the control link/plane (ge-0/0/1)
and the data/fabric link/plane (ge-0/0/2).
***Note: The control link and data link interfaces vary between models.
delete system host-name
delete vlans
delete interfaces vlan
delete security
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete interfaces ge-0/0/3 unit 0 family ethernet-switching
delete interfaces ge-0/0/4 unit 0 family ethernet-switching
After this, make sure there is no ethernet-switching configuration left:
root@srx1# show | match ethernet-switching | count
Count: 0 lines
[edit]
root@srx1#
Then physically connect the two devices and ensure that they are the same model.
For example, on the SRX340 Services Gateway, connect the dedicated control ports on node 0 and node 1.
***Note: For SRX300, SRX320, SRX340, and SRX345 devices, connect ge-0/0/1 on node 0 to ge-0/0/1 on node 1.
1. Set the two devices to cluster mode and reboot them. You must enter the following
operational mode commands on both devices, for example:
On node 0:
---------------
user@host> set chassis cluster cluster-id 1 node 0 reboot
On node 1:
---------------
user@host> set chassis cluster cluster-id 1 node 1 reboot
#After the reboot, if you check the prompt of srx1, you will see it change as shown below:
{hold:node0}
root@srx1>
{secondary:node0}
root@srx1>
{primary:node0}
root@srx1>
#Check cluster status:
root@srx1> show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual failover
Redundancy group: 0 , Failover count: 1
node0 1 primary no no
node1 1 secondary no no
***Note: After clustering, on the SRX340 the ge-0/0/1 interface on node 1 changes to ge-5/0/1.
2. Set up hostnames and management IP addresses for each device using configuration groups, entered on the first node only (srx-nd0). These configurations are specific to each device and are unique to its node.
set groups node0 system host-name srx-nd0
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.33.1/24
set groups node1 system host-name srx-nd1
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.33.2/24
3. Set the 'apply-groups' command so that the individual configuration for each node set by the previous commands is applied only to that node.
set apply-groups "${node}"
4. Define the interfaces used for the fabric (fab) connection (data plane links for RTO sync) using physical port ge-0/0/2 on each node. These interfaces must be connected back-to-back. Configure the fabric links on the first node only (srx-nd0):
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
#After the commit, the configuration should sync to srx-nd1 as well. Now check the cluster interface status:
root@srx1> show chassis cluster interfaces
Control link 0 name: fxp1
Control link status: Up
Fabric interfaces:
Name Child-interface Status
fab0 fe-0/0/5 up
fab0
fab1 fe-2/0/5 up
fab1
Fabric link status: Up
5. Set up redundancy group 0 for the Routing Engine failover properties, and set up redundancy group 1 (all interfaces are in one redundancy group in this example) to define the failover properties for the
redundant Ethernet interfaces. A cluster without an RG is useless. Let's create a redundancy group and test it. RG0 is used for the control plane and RG1 will be our service RG.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
6. Set up interface monitoring to monitor the health of the interfaces and trigger redundancy group failover.
******Note: Juniper does not recommend interface monitoring for redundancy group 0 because it causes the control plane to switch from one node to the other whenever an interface flap occurs.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 255
***Note: Interface failover only occurs after the weight reaches 0.
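An added example, not from the post, that models the interface-monitor weights from step 6 and checks the `show chassis cluster status` output from step 1. It assumes the Junos default redundancy-group threshold of 255 (a down monitored interface subtracts its weight; at 0 the node's priority for that RG is reported as 0) and that node 1 ports are ge-5/0/x as the note after step 1 states; the sample output is constructed.

```python
"""Added example (not from the post): interface-monitor arithmetic and a status
check for the two-node SRX340 cluster above. Assumed Junos behaviour: each RG
starts with threshold 255, a down monitored link subtracts its weight, and at 0
the node's priority for that RG becomes 0. Node 1 ports are ge-5/0/x (step 1 note)."""
RG1_MONITOR = {"ge-0/0/3": 255, "ge-0/0/4": 255, "ge-5/0/3": 255, "ge-5/0/4": 255}  # step 6
RG_THRESHOLD = 255

def node_of(ifname):
    """Map a member interface to its node by FPC slot: slot 5 and above is node1."""
    return "node1" if int(ifname.split("-")[1].split("/")[0]) >= 5 else "node0"

def effective_priority(priorities, monitor, down_ifaces):
    """Return {node: priority} after subtracting the weights of down monitored links."""
    remaining = {node: RG_THRESHOLD for node in priorities}
    for ifname in down_ifaces:
        if ifname in monitor:
            remaining[node_of(ifname)] -= monitor[ifname]
    return {node: (0 if remaining[node] <= 0 else prio) for node, prio in priorities.items()}

def parse_cluster_status(text):
    """Parse 'show chassis cluster status' into {rg: {node: (priority, status, preempt, manual)}}."""
    groups, rg = {}, None
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Redundancy group:"):
            rg = int(parts[2])
            groups[rg] = {}
        elif rg is not None and parts and parts[0].startswith("node"):
            groups[rg][parts[0]] = (int(parts[1]), parts[2], parts[3], parts[4])
    return groups

def check_status(groups):
    """Return findings; empty means every RG has exactly one primary and no node at priority 0."""
    findings = []
    for rg, nodes in sorted(groups.items()):
        primaries = [n for n, v in nodes.items() if v[1] == "primary"]
        if len(primaries) != 1:
            findings.append(f"RG{rg}: {len(primaries)} primaries (no owner or split-brain)")
        for node, (prio, status, _, _) in nodes.items():
            if prio == 0:
                findings.append(f"RG{rg}: {node} priority 0 ({status}); monitor weight exhausted")
    return findings

# Constructed sample shaped like the output shown after the first reboot
SAMPLE = """Cluster ID: 1
Node Priority Status Preempt Manual failover
Redundancy group: 0 , Failover count: 1
node0 1 primary no no
node1 1 secondary no no
"""
```

Feed the real output of `show chassis cluster status` into `parse_cluster_status` and a non-empty result from `check_status` is the signal that RG1 has failed over or lost its owner.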
#Let's check the cluster configuration:
{primary:node0}
root@SRX> show configuration chassis cluster
reth-count 2;
redundancy-group 0 {
node 0 priority 200;
node 1 priority 100;
}
redundancy-group 1 {
node 0 priority 200;
node 1 priority 100;
preempt;
interface-monitor {
ge-0/0/3 weight 255;
ge-0/0/4 weight 255;
ge-5/0/3 weight 255;
ge-5/0/4 weight 255;
}
}
7. Set up the redundant Ethernet (reth) interfaces and assign each redundant interface to a zone.
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-5/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 203.0.113.233/24
set security zones security-zone Trusted
set security zones security-zone Untrusted
set security zones security-zone Trusted host-inbound-traffic system-services all
set security zones security-zone Untrusted host-inbound-traffic system-services all
set security zones security-zone Untrusted interfaces reth1.0
set security zones security-zone Trusted interfaces reth0.0
#If you want to create a subinterface with VLAN tagging, do the following (optional):
set interfaces reth0 vlan-tagging
set interfaces reth0 unit 150 vlan-id 150
set interfaces reth0 unit 150 family inet address 192.168.150.200/24
set interfaces reth1 unit 0 family inet address 10.16.9.1/24
set security zones security-zone Trusted interfaces reth0.150
set security zones security-zone Untrusted interfaces reth1.0
Case 01:
If we deactivate the interface monitor, it does not affect HA.
Verification
------------------------------------------------------------------------------------------------------------
show chassis cluster status
show chassis cluster interfaces
show chassis cluster statistics
show chassis cluster control-plane statistics
show chassis cluster data-plane statistics
show chassis cluster status redundancy-group 1
show configuration
-------------------------------------------------------------------------------------------------------
root@srx# run show configuration
## Last commit: 2017-08-07 16:41:31 GMT+6 by root
version 15.1X49-D90.7;
groups {
node0 {
system {
host-name srx-nd0;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 192.168.33.1/24;
}
}
}
}
}
node1 {
system {
host-name srx-nd1;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 192.168.33.2/24;
}
}
}
}
}
}
apply-groups "${node}";
system {
auto-snapshot;
time-zone GMT+6;
root-authentication {
encrypted-password "$5$ZsCeZsruXu$TZ8Kvvzb/mxQOMqf8AxJkFqW.r5OZFnrdagxRl8LSH."; ## SECRET-DATA
}
services {
ssh;
telnet;
}
}
}
chassis {
cluster {
reth-count 2;
redundancy-group 0 {
node 0 priority 200;
node 1 priority 100;
}
redundancy-group 1 {
node 0 priority 200;
node 1 priority 100;
preempt;
interface-monitor {
ge-0/0/3 weight 255;
ge-0/0/4 weight 255;
ge-5/0/3 weight 255;
ge-5/0/4 weight 255;
}
}
}
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone Internal to-zone Internet {
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone Internal;
security-zone Internet {
screen untrust-screen;
}
security-zone Trusted {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
reth0.0;
}
}
security-zone Untrusted {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
reth1.0;
}
}
}
}
interfaces {
ge-0/0/3 {
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/4 {
gigether-options {
redundant-parent reth1;
}
}
ge-5/0/3 {
gigether-options {
redundant-parent reth0;
}
}
ge-5/0/4 {
gigether-options {
redundant-parent reth1;
}
}
fab0 {
fabric-options {
member-interfaces {
ge-0/0/2;
}
}
}
fab1 {
fabric-options {
member-interfaces {
ge-5/0/2;
}
}
}
fxp0 {
unit 0 {
family inet;
}
}
reth0 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 198.51.100.1/24;
}
}
}
reth1 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 203.0.113.233/24;
}
How many cables need to be interconnected between two SRX-340 series devices in order to achieve HA in SRX-340?