HA configuration for SRX340:
---------------------------------------------
Before starting the cluster configuration of my SRX340, remove some configuration items to avoid post-configuration errors.
On each SRX, do the following:
First delete all logical interfaces used for the control link/plane (ge-0/0/1) and the data/fabric link/plane (ge-0/0/2), and also the ones you need under the reth interfaces (ge-0/0/3 and ge-0/0/4), on both devices.
***Note: The control link and data link interfaces vary between models.
delete system host-name
delete security
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete interfaces ge-0/0/3
delete interfaces ge-0/0/4
After this operation, make sure there is no ethernet-switching configuration left:
root@srx1# show | match ethernet-switching | count
Count: 0 lines
[edit]
root@srx1#
Then physically connect the two devices (both control and fabric ports) and ensure that they are the same model and run the same Junos version.
For example, on the SRX340 Services Gateway, connect the dedicated control and fabric ports on node 0 and node 1.
***Note: For SRX300, SRX320, SRX340, and SRX345 devices, connect ge-0/0/1 on node 0 to ge-0/0/1 on node 1.
1. Set the two devices to cluster mode and reboot them. You must enter the following
operational-mode commands on both devices, for example:
On node 0:
---------------
user@host> set chassis cluster cluster-id 1 node 0 reboot
On node 1:
---------------
user@host> set chassis cluster cluster-id 1 node 1 reboot
#After the reboot, if you check the prompt of srx1, you will see it change as below:
{hold:node0}
root@srx1>
{secondary:node0}
root@srx1>
{primary:node0}
root@srx1>
#Check cluster status:
root@srx1> show chassis cluster status
Cluster ID: 1
Node   Priority   Status      Preempt   Manual failover
Redundancy group: 0 , Failover count: 1
node0  1          primary     no        no
node1  1          secondary   no        no
***Note: After clustering, on the SRX340 the ge-0/0/1 interface on node 1 changes to ge-5/0/1.
2. Set up the hostnames and management IP addresses for each device, entered on the first node only (srx-nd0), using configuration groups. These configurations are specific to each device and unique to its node.
set groups node0 system host-name srx-nd0
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.33.1/24
set groups node1 system host-name srx-nd1
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.33.2/24
3. Set 'apply-groups' so that the individual configuration for each node set by the previous
commands is applied only to that node.
set apply-groups "${node}"
4. Define the interfaces used for the fabric (fab) connection (data-plane links for RTO sync), using physical port ge-0/0/2
on each node. These interfaces must be connected back-to-back or through a Layer 2 infrastructure.
Configure the fabric links on the first node only (srx-nd0):
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
#After commit, the configuration should sync to srx-nd1 as well. Now check the cluster interface status:
root@srx1> show chassis cluster interfaces
Control link 0 name: fxp1
Control link status: Up
Fabric interfaces:
Name    Child-interface    Status
fab0    fe-0/0/5           up
fab0
fab1    fe-2/0/5           up
fab1
Fabric link status: Up
5. Set up redundancy group 0 for the Routing Engine failover properties, and set up redundancy group 1 (all interfaces are in one redundancy group in this example) to define the failover properties for the
redundant Ethernet interfaces. A cluster without an RG is useless. Let's create a redundancy group and test it. RG0 is used for the control plane and RG1 will be our service RG.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
6. Set up interface monitoring to monitor the health of the interfaces and trigger redundancy group failover.
******Note: Juniper does not recommend interface monitoring for redundancy group 0, because it would cause the control plane to switch from one node to the other whenever a monitored interface flaps.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 255
***Note: Failover only occurs once the redundancy group's weight has been brought down to 0 by monitored interfaces going down.
#Let's check the cluster configuration:
{primary:node0}
root@srx1> show configuration chassis cluster
reth-count 2;
redundancy-group 0 {
    node 0 priority 200;
    node 1 priority 100;
}
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 100;
    preempt;
    interface-monitor {
        ge-0/0/3 weight 255;
        ge-0/0/4 weight 255;
        ge-5/0/3 weight 255;
        ge-5/0/4 weight 255;
    }
}
7. Set up the redundant Ethernet (reth) interfaces and assign each redundant interface to a zone.
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp active
set interfaces reth0 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-5/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp active
set interfaces reth1 unit 0 family inet address 203.0.113.233/24
8. Finally, create the zones, allow the host-inbound services and protocols, and put the reth interfaces into the zones. You must create policies between the zones, otherwise you won't get reachability.
set security zones security-zone Trusted
set security zones security-zone Untrusted
set security zones security-zone Trusted host-inbound-traffic system-services all
set security zones security-zone Trusted host-inbound-traffic protocols all
set security zones security-zone Untrusted host-inbound-traffic system-services all
set security zones security-zone Untrusted host-inbound-traffic protocols all
set security zones security-zone Untrusted interfaces reth1.0
set security zones security-zone Trusted interfaces reth0.0
set security policies from-zone Trusted to-zone Trusted policy any-to-any match source-address any
set security policies from-zone Trusted to-zone Trusted policy any-to-any match destination-address any
set security policies from-zone Trusted to-zone Trusted policy any-to-any match application any
set security policies from-zone Trusted to-zone Trusted policy any-to-any then permit
set security policies from-zone Trusted to-zone Untrusted policy any-to-any match source-address any
set security policies from-zone Trusted to-zone Untrusted policy any-to-any match destination-address any
set security policies from-zone Trusted to-zone Untrusted policy any-to-any match application any
set security policies from-zone Trusted to-zone Untrusted policy any-to-any then permit
#If you want to create a subinterface with VLAN tagging, do the following (optional):
set interfaces reth0 vlan-tagging
set interfaces reth0 unit 150 vlan-id 150
set interfaces reth0 unit 150 family inet address 192.168.150.200/24
set interfaces reth1 unit 0 family inet address 10.16.9.1/24
set security zones security-zone Trusted interfaces reth0.150
set security zones security-zone Untrusted interfaces reth1.0
Case 01:
If we deactivate interface monitoring, it does not affect HA.
#Verification
show chassis cluster status
show chassis cluster interfaces
show chassis cluster statistics
show chassis cluster control-plane statistics
show chassis cluster data-plane statistics
show chassis cluster status redundancy-group 1
show security flow statistics node all
show security flow status node all
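As an added check for the verification step (example code written for this page, not from the post or from Juniper): parse the show chassis cluster status output in the layout quoted above, flag a redundancy group that lacks a single primary or whose primary is the lower-priority node, and work through the step 6 interface-monitor weights to see which node's RG1 threshold would hit 0. The sample status text is constructed; the ge-5/ to node 1 mapping is the one noted after the reboot.

```python
import re
# Constructed "show chassis cluster status" output in the layout the post quotes
# above; the priorities and failover counts are made up for this example.
SAMPLE_STATUS = """\
Cluster ID: 1
Node   Priority Status    Preempt Manual failover
Redundancy group: 0 , Failover count: 1
node0  200      primary   no      no
node1  100      secondary no      no
Redundancy group: 1 , Failover count: 3
node0  200      secondary yes     no
node1  100      primary   yes     no
"""
# RG1 interface-monitor weights from step 6 (node 1 ports are renumbered to slot 5).
MONITOR_WEIGHTS = {"ge-0/0/3": 255, "ge-0/0/4": 255, "ge-5/0/3": 255, "ge-5/0/4": 255}
RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^(node\d)\s+(\d+)\s+(\S+)")

def parse_cluster_status(text):
    """Return {rg: {"failovers": n, "nodes": {node: (priority, status)}}}."""
    groups, rg = {}, None
    for line in text.splitlines():
        if m := RG_RE.match(line):
            rg = int(m.group(1))
            groups[rg] = {"failovers": int(m.group(2)), "nodes": {}}
        elif (m := NODE_RE.match(line)) and rg is not None:
            groups[rg]["nodes"][m.group(1)] = (int(m.group(2)), m.group(3))
    return groups

def find_problems(groups):
    """Flag an RG lacking a single primary, or one led by its lower-priority node."""
    problems = []
    for rg, info in sorted(groups.items()):
        nodes = info["nodes"]
        primaries = [n for n, (_, st) in nodes.items() if st == "primary"]
        if len(primaries) != 1:
            problems.append(f"RG{rg}: {len(primaries)} primaries, expected 1")
        elif primaries[0] != max(nodes, key=lambda n: nodes[n][0]):
            problems.append(f"RG{rg}: primary {primaries[0]} is the lower-priority node")
    return problems

def remaining_weight(weights, down, threshold=255):
    """Each down monitored interface subtracts its weight from its node's RG threshold (255); at 0 that node fails the RG over."""
    left = {"node0": threshold, "node1": threshold}
    for ifname, w in weights.items():
        if ifname in down:
            # Slot 5 is node 1 after clustering on the SRX340 (see the note in step 1).
            node = "node1" if ifname.startswith("ge-5/") else "node0"
            left[node] = max(0, left[node] - w)
    return left
```

With every weight set to 255, a single monitored interface going down on the primary node is enough to move RG1, which is what the post's weight values imply.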
LAG Configuration for both EX3300:
-----------------------------------------------------
1. First, we have to remove the logical unit configuration from the interfaces that are to be bundled, as logical units are not allowed on aggregated links:
delete interfaces ge-0/0/46 unit 0
delete interfaces ge-1/0/46 unit 0
2. The next step is to specify the number of aggregated links on the switch. This command specifies the number of bundles (aggregated interfaces) you want to create:
set chassis aggregated-devices ethernet device-count 1
3. Next, set the interfaces to use LACP (802.3ad) and make them members of a logical aggregated Ethernet port (these ports begin with ae).
To associate a physical interface with an aggregated Ethernet interface, enter the following commands:
set interfaces ge-0/0/46 ether-options 802.3ad ae0
set interfaces ge-1/0/46 ether-options 802.3ad ae0
4. Then we need to set the LACP mode for our new aggregated interface. We'll make the Juniper side active, so that it initiates the transmission of LACP packets:
set interfaces ae0 aggregated-ether-options lacp active
Thanks for this! Really helpful information.
I'm able to stand up an SRX HA cluster connected to a Cisco switch, which is then port-channeled back to a RETH interface on the SRX. I followed the steps for creating a sub-interface with VLAN tagging on the SRX.