Wednesday, September 20, 2017

HA configuration for Juniper SRX340 Router


HA configuration for SRX340
-------------------------------------------------------------------------------------------------------------

Before configuring the two SRX340s as a chassis cluster, remove a few configuration items that would otherwise cause commit errors once the cluster forms.
On each SRX do the following:

First delete every logical interface configured on the ports that become the control link (ge-0/0/1)
and the data/fabric link (ge-0/0/2).
***Note: The ports used for the control link and the fabric link differ between SRX models. Also note that 'delete security' removes the whole security stanza (zones, policies, NAT, screens), so save a copy of the configuration before you start.

delete system host-name
delete vlans
delete interfaces vlan
delete security
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete interfaces ge-0/0/3 unit 0 family ethernet-switching
delete interfaces ge-0/0/4 unit 0 family ethernet-switching


After these deletions, make sure no ethernet-switching configuration is left:
root@srx1# show | match ethernet-switching | count
Count: 0 lines
[edit]
root@srx1#


Then physically connect the two devices and make sure they are the same model running the same Junos version.
The SRX340 has no dedicated control port; the control link uses a revenue port instead.
***Note: For SRX300, SRX320, SRX340 and SRX345 devices, connect ge-0/0/1 on node 0 to ge-0/0/1 on node 1 (control link) and ge-0/0/2 to ge-0/0/2 (fabric link), both back-to-back.

1.Set the two devices to cluster mode and reboot them. Enter the following operational-mode command on each device;
the node number is the only difference:

On node 0:
---------------
user@host> set chassis cluster cluster-id 1 node 0 reboot
On node 1:
---------------
user@host> set chassis cluster cluster-id 1 node 1 reboot

#After the reboot the prompt on srx1 carries the cluster role. It changes from hold to secondary to primary as the node comes up:

{hold:node0}
root@srx1>
{secondary:node0}
root@srx1>
{primary:node0}
root@srx1>

#Check cluster status:

root@srx1> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   1           primary        no       no
    node1                   1           secondary      no       no

***Note: After clustering, the interfaces of node 1 are renumbered. On the SRX340 node 1's ge-0/0/1 becomes ge-5/0/1, ge-0/0/2 becomes ge-5/0/2, and so on (SRX300/320 use slot 1 for node 1, e.g. ge-1/0/1).


2.Set up the hostnames and the management (fxp0) IP addresses using configuration groups. Enter these on node 0 only (srx-nd0); the configuration is synchronised to node 1 on commit. The node0 and node1 groups hold the settings that are unique to each node. In cluster mode ge-0/0/0 on each node becomes the out-of-band fxp0 management port.

set groups node0 system host-name srx-nd0
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.33.1/24
set groups node1 system host-name srx-nd1
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.33.2/24

3.Set apply-groups so that each node applies only its own group. The variable ${node} expands to node0 or node1 on the respective node.

set apply-groups "${node}"

4.Define the fabric (fab) links, the data-plane links over which session state (RTOs) is synchronised, using physical port ge-0/0/2 on each node (ge-5/0/2 is node 1's ge-0/0/2 after renumbering). These ports must be connected back-to-back. Configure the fabric links on the first node only (srx-nd0):

set interfaces fab0 fabric-options member-interfaces  ge-0/0/2
set interfaces fab1 fabric-options member-interfaces  ge-5/0/2

#After commit the configuration is synchronised to srx-nd1 as well. Now check the cluster interfaces; the fab child interfaces are the member ports configured above (ge-0/0/2 on node 0, ge-5/0/2 on node 1), and both the control link and the fabric link must show Up before you go on:

root@srx1> show chassis cluster interfaces
Control link 0 name: fxp1
Control link status: Up

Fabric interfaces:
Name    Child-interface    Status
fab0       ge-0/0/2          up
fab0
fab1       ge-5/0/2          up
fab1
Fabric link status: Up



5.Set up redundancy group 0, which owns the Routing Engine (control plane) failover, and redundancy group 1, which defines the failover properties for the redundant Ethernet interfaces (all reth interfaces are in one redundancy group in this example).
A cluster without a service redundancy group does nothing useful, so RG0 is the control plane group and RG1 is the service group. Node 0 gets the higher priority in both groups and is therefore the preferred primary. The configuration shown below also has preempt enabled on RG1, so node 0 takes RG1 back automatically when it recovers (at the cost of a second failover); that needs the last command. Preempt is not supported on RG0.

set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt



6.Set up interface monitoring so that the health of the reth member links triggers a redundancy-group failover.

******Note: Juniper does not recommend interface monitoring on redundancy group 0, because a single interface flap would then move the control plane (Routing Engine) from one node to the other.

set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 255

***Note: Each node starts with a threshold of 255 for the redundancy group. When a monitored interface goes down, its weight is subtracted from the threshold of the node that owns it, and the group fails over only when that threshold reaches 0. With weight 255, as here, a single link failure on the primary node is enough; with weight 128 on each of two links, both would have to fail.

#Let's check the cluster configuration:
{primary:node0}
root@SRX> show configuration chassis cluster

reth-count 2;
redundancy-group 0 {
    node 0 priority 200;
    node 1 priority 100;
}
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 100;
    preempt;
    interface-monitor {
        ge-0/0/3 weight 255;
        ge-0/0/4 weight 255;
        ge-5/0/3 weight 255;
        ge-5/0/4 weight 255;
    }
}
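As an added example (not from the original post), the threshold arithmetic behind interface monitoring, worked on the RG1 stanza shown above. The script parses the interface-monitor weights out of the configuration text, maps each member port to the node that owns it using the SRX340 slot numbering (slot 5 for node 1), and reports which node's threshold has reached 0 for a given set of failed links. The parser, the NODE1_SLOT parameter and the alternative weight of 128 are this example's own assumptions; the 255 threshold and the subtract-to-zero rule are Junos behaviour.

```python
import re

# Constructed input: the stanza exactly as 'show configuration chassis cluster'
# printed it in the post above.
CLUSTER_CONFIG = """\
reth-count 2;
redundancy-group 0 {
    node 0 priority 200;
    node 1 priority 100;
}
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 100;
    preempt;
    interface-monitor {
        ge-0/0/3 weight 255;
        ge-0/0/4 weight 255;
        ge-5/0/3 weight 255;
        ge-5/0/4 weight 255;
    }
}
"""

THRESHOLD = 255   # Junos starting threshold per node and redundancy group
NODE1_SLOT = 5    # assumption: SRX340/345 renumber node 1 ports to slot 5 (SRX300/320 use slot 1)


def parse_interface_monitor(config):
    """Return {rg_id: {interface: weight}} for every redundancy-group stanza.

    Groups without an interface-monitor block (RG0 here) map to an empty dict.
    """
    monitors = {}
    for rg_match in re.finditer(r"redundancy-group (\d+) \{(.*?)\n\}", config, re.S):
        rg_id = int(rg_match.group(1))
        body = rg_match.group(2)
        monitors[rg_id] = {
            iface: int(weight)
            for iface, weight in re.findall(r"(\S+) weight (\d+);", body)
        }
    return monitors


def owning_node(iface, node1_slot=NODE1_SLOT):
    """ge-<slot>/<pic>/<port>: ports at or above node1_slot belong to node 1."""
    slot = int(iface.split("-", 1)[1].split("/")[0])
    return 1 if slot >= node1_slot else 0


def node_thresholds(weights, down_interfaces, node1_slot=NODE1_SLOT):
    """Remaining threshold per node after subtracting the weights of the failed
    monitored interfaces. Junos stops at 0, so the value is clamped there."""
    remaining = {0: THRESHOLD, 1: THRESHOLD}
    for iface in down_interfaces:
        if iface in weights:   # unmonitored links change nothing
            remaining[owning_node(iface, node1_slot)] -= weights[iface]
    return {node: max(0, value) for node, value in remaining.items()}


def failover_triggered(weights, down_interfaces, node1_slot=NODE1_SLOT):
    """Nodes whose threshold has reached 0, i.e. nodes the RG will leave.

    If both nodes are listed at once there is nowhere healthy to fail over to;
    the group stays where it is with degraded links.
    """
    thresholds = node_thresholds(weights, down_interfaces, node1_slot)
    return sorted(node for node, value in thresholds.items() if value == 0)


if __name__ == "__main__":
    rg1 = parse_interface_monitor(CLUSTER_CONFIG)[1]
    print("weight 255, ge-0/0/3 down   ->", failover_triggered(rg1, ["ge-0/0/3"]))
    # Alternative weighting (this example's suggestion, not the post's): 128 per
    # link lets one member port fail without moving RG1; two must fail.
    half = {iface: 128 for iface in rg1}
    print("weight 128, ge-0/0/3 down   ->", failover_triggered(half, ["ge-0/0/3"]))
    print("weight 128, ge-0/0/3+4 down ->", failover_triggered(half, ["ge-0/0/3", "ge-0/0/4"]))
```

Run it as-is to see the three cases; feed it your own `show configuration chassis cluster` text and a list of down ports to predict what a given link failure will do before you pull the cable.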



7.Set up the redundant Ethernet (reth) interfaces, put them in redundancy group 1, and assign each reth logical interface to a security zone. Each reth has one member port from each node.


set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 198.51.100.1/24

set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-5/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 203.0.113.233/24

set security zones security-zone Trusted
set security zones security-zone Untrusted
set security zones security-zone Trusted host-inbound-traffic system-services all
set security zones security-zone Untrusted host-inbound-traffic system-services all
set security zones security-zone Trusted interfaces reth0.0
set security zones security-zone Untrusted interfaces reth1.0

***Note: host-inbound-traffic system-services all on the Untrusted zone exposes every management service (ssh, telnet, http, ...) on the outside interface. On a production box restrict the Untrusted zone to what is actually needed (ping, or nothing) and manage the cluster over fxp0; with telnet enabled under system services, as in the dump below, credentials would cross the untrusted network in clear text.

#If you want a VLAN-tagged sub-interface on reth0 instead of the untagged unit 0, do the following (optional). Once vlan-tagging is enabled on reth0, every logical unit on it needs a vlan-id, so delete (or tag) the reth0 unit 0 configured above; the reth1 line only adds a second address to reth1.0:
set interfaces reth0 vlan-tagging
set interfaces reth0 unit 150 vlan-id 150
set interfaces reth0 unit 150 family inet address 192.168.150.200/24
set interfaces reth1 unit 0 family inet address 10.16.9.1/24

set security zones security-zone Trusted interfaces reth0.150
set security zones security-zone Untrusted interfaces reth1.0



Case 01:
Deactivating the interface-monitor stanza does not break the cluster: both nodes stay up and RG1 keeps its primary. It only removes link-failure detection, so RG1 no longer fails over when a reth member port goes down.


 Verification
------------------------------------------------------------------------------------------------------------

show chassis cluster status
show chassis cluster interfaces
show chassis cluster statistics
show chassis cluster control-plane statistics
show chassis cluster data-plane statistics
show chassis cluster status redundancy-group 1
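An added example (not the post's own tooling) that turns the first two verification commands into a check you can run from a monitoring host: it parses the text of 'show chassis cluster status' and 'show chassis cluster interfaces' and lists anything a healthy two-node cluster should not show. The sample outputs are constructed to match the final configuration on this page (priorities 200/100, preempt on RG1, fab links on ge-0/0/2 and ge-5/0/2); the check names, the field regexes and the HEALTHY_STATES set are this example's assumptions, while the state names (primary, secondary, hold, lost, disabled) and the 'request chassis cluster failover reset' command are Junos.

```python
import re

# Constructed sample output, shaped like the post's 'show chassis cluster status'
# but taken after RG1 and the 200/100 priorities were committed.
STATUS_OUTPUT = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   200         primary        no       no
    node1                   100         secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   200         primary        yes      no
    node1                   100         secondary      yes      no
"""

# Constructed sample output of 'show chassis cluster interfaces' for this cluster.
INTERFACES_OUTPUT = """\
Control link 0 name: fxp1
Control link status: Up

Fabric interfaces:
Name    Child-interface    Status
fab0       ge-0/0/2          up
fab0
fab1       ge-5/0/2          up
fab1
Fabric link status: Up
"""

RG_RE = re.compile(r"^Redundancy group: (\d+)")
NODE_RE = re.compile(r"^\s+(node\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
HEALTHY_STATES = {"primary", "secondary"}   # hold, lost, disabled, ... are findings


def parse_status(text):
    """Return {rg_id: {node: {'priority', 'status', 'preempt', 'manual'}}}."""
    groups, current = {}, None
    for line in text.splitlines():
        rg = RG_RE.match(line)
        if rg:
            current = int(rg.group(1))
            groups[current] = {}
            continue
        node = NODE_RE.match(line)
        if node and current is not None:
            name, prio, status, preempt, manual = node.groups()
            groups[current][name] = {"priority": int(prio), "status": status,
                                     "preempt": preempt, "manual": manual}
    return groups


def link_status(text, link):
    """'Up'/'Down' from the control or fabric link status line, None if absent."""
    m = re.search(rf"^{link} link status: (\S+)", text, re.M)
    return m.group(1) if m else None


def check_cluster(status_text, interfaces_text):
    """Return a list of findings; an empty list means the cluster looks healthy."""
    findings = []
    groups = parse_status(status_text)
    if not groups:
        findings.append("no redundancy groups parsed; is the box in cluster mode?")
    for rg, nodes in groups.items():
        primaries = [n for n, d in nodes.items() if d["status"] == "primary"]
        if len(primaries) != 1:
            findings.append(f"RG{rg}: expected exactly one primary, saw {primaries}")
        for name, d in nodes.items():
            if d["status"] not in HEALTHY_STATES:
                findings.append(f"RG{rg}: {name} is '{d['status']}'")
            if d["manual"] == "yes":
                findings.append(f"RG{rg}: {name} still carries a manual failover; clear it with "
                                f"'request chassis cluster failover reset redundancy-group {rg}'")
        # With preempt on, the highest-priority node should hold the group; if it
        # does not, its monitoring threshold is probably at 0.
        if primaries and any(d["preempt"] == "yes" for d in nodes.values()):
            best = max(nodes, key=lambda n: nodes[n]["priority"])
            if best != primaries[0]:
                findings.append(f"RG{rg}: preempt is on but {best} (highest priority) is not primary")
    for link in ("Control", "Fabric"):
        state = link_status(interfaces_text, link)
        if state is None or state.lower() != "up":
            findings.append(f"{link} link status is {state!r}, expected Up")
    return findings


if __name__ == "__main__":
    for finding in check_cluster(STATUS_OUTPUT, INTERFACES_OUTPUT) or ["cluster healthy"]:
        print(finding)
```

Capture the two command outputs over SSH (or from the RPC equivalents), pass the text to check_cluster, and alert on a non-empty list; a node in 'lost' or 'disabled' together with a control link that is not Up is the split-brain case you most want to catch early.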


show configuration
-------------------------------------------------------------------------------------------------------
***Note: In this dump the source NAT rule-set and the security policy are written between zones Internal and Internet, which hold no interfaces, while reth0.0 and reth1.0 sit in Trusted and Untrusted. With the default deny policy no transit traffic passes between the reth interfaces until the policy and the NAT rule-set are rewritten for from-zone Trusted to-zone Untrusted (or the interfaces are moved into Internal and Internet).

root@srx# run show configuration
## Last commit: 2017-08-07 16:41:31 GMT+6 by root
version 15.1X49-D90.7;
groups {
    node0 {
        system {
            host-name srx-nd0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.33.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name srx-nd1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.33.2/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    auto-snapshot;
    time-zone GMT+6;
    root-authentication {
        encrypted-password "$5$ZsCeZsruXu$TZ8Kvvzb/mxQOMqf8AxJkFqW.r5OZFnrdagxRl8LSH."; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
    }
}
chassis {
    cluster {
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
            preempt;
            interface-monitor {
                ge-0/0/3 weight 255;
                ge-0/0/4 weight 255;
                ge-5/0/3 weight 255;
                ge-5/0/4 weight 255;
            }
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal;
        security-zone Internet {
            screen untrust-screen;
        }
        security-zone Trusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone Untrusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet;
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 198.51.100.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 203.0.113.233/24;
            }
        }
    }
}
1 comment:

  1. How many cables need to be interconnected between two SRX340 series devices in order to achieve HA on the SRX340?