Juniper SRX Firewall HA Configuration - 创新互联

1. Lab environment
1) vSRX 12.1X47-D20.7

2. Lab topology
[Topology diagram: Juniper SRX firewall HA configuration]

A Chassis Cluster is built between vSRXA1 and vSRXA2.
ge-0/0/0 is the out-of-band management interface (system default, cannot be changed).
ge-0/0/1 is the control link (assigned by the system, cannot be changed).
ge-0/0/4 is the data link (configured manually, can be changed).
The control link and the data link are connected back-to-back between the two nodes.

On low-end SRX firewalls the out-of-band management, control and data interfaces are all ordinary revenue (traffic) ports.
On high-end SRX firewalls the management and control interfaces are dedicated ports; only the data link uses a revenue port.

In HA mode the interface numbering of node1 changes: the vSRX cluster is presented as a single 7-slot device (slots 0, 1, 2, 3, 4, 5, 6 per node), so
node0's interfaces are numbered ge-0/0/0, ge-1/0/0 ... ge-6/0/0
node1's interfaces are numbered ge-7/0/0, ge-8/0/0 ... ge-13/0/0

3. Moving an SRX from standalone mode to HA mode requires a firewall reboot
1) Assign the cluster ID and node ID on each firewall (the command reboots the device):
vSRXA1:
set chassis cluster cluster-id 1 node 0 reboot
vSRXA2:
set chassis cluster cluster-id 1 node 1 reboot
2) After the reboot the vSRX automatically joins the cluster (HA mode):
{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 1 primary no no None
node1 1 secondary no no None

{primary:node0}
root>

Note: on low-end SRX firewalls the control link is preset: as soon as the firewall runs in HA mode, ge-0/0/1 becomes the control link. High-end SRX firewalls, however, have dedicated control-link ports that must be configured manually, particularly on the SRX5K; if the control link is not configured, the firewall will not boot into the cluster correctly. The commands to configure the control-link ports on an SRX5K are:
set chassis cluster control-ports fpc 2 port 0
set chassis cluster control-ports fpc 5 port 0

4. Order of the SRX firewall HA configuration (performed on the master firewall only)
1) Configure the management interfaces (management addresses and backup-router for node0/node1)
2) Configure the HA data-link (fabric) interface (ge-0/0/4)
3) Configure the HA redundancy groups (group 0 is the control plane by default; all others are data plane)
4) Configure the revenue interfaces in HA (reth)
5) Configure the HA failover parameters
6) Following this order makes it easier to work backwards through the steps when troubleshooting a fault

5. SRX firewall HA configuration steps (performed on the master firewall only)
1) Configure the management interfaces and the backup-router route
{primary:node0}[edit groups]
root# show | display set
set groups node0 system host-name vSRXA1
set groups node0 system backup-router 192.168.100.254
set groups node0 system backup-router destination 192.168.100.0/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.2/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only
set groups node1 system host-name vSRXA2
set groups node1 system backup-router 192.168.100.254
set groups node1 system backup-router destination 192.168.100.0/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.3/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only

Apply the node0/node1 groups configured above, then commit to save the configuration:
{primary:node0}[edit]
root# set apply-groups ${node}

{primary:node0}[edit]
root# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

{primary:node0}[edit]
root@vSRXA1#

Check the state of node0 and node1:

{primary:node0}[edit]
root@vSRXA1# run show interfaces terse | match fxp0
fxp0 up up
fxp0.0 up up inet 192.168.100.1/24 (this is the effect of master-only in the group)

{primary:node0}[edit]
root@vSRXA1#

{secondary:node1}
root@vSRXA2> show interfaces terse | match fxp0
fxp0 up up
fxp0.0 up up inet 192.168.100.3/24

{secondary:node1}
root@vSRXA2>

2) Configure the HA data link; the configuration keyword is fab
{primary:node0}[edit]
root@vSRXA1# show interfaces | match fab | display set
set interfaces fab0 fabric-options member-interfaces ge-0/0/4
set interfaces fab1 fabric-options member-interfaces ge-7/0/4

Status before the data link is configured:
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster interfaces
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Down

Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0
fab0
fab1
fab1

Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0

{primary:node0}[edit]
root@vSRXA1# run show interfaces terse | match fab
fab0 up down
fab0.0 up down inet 30.17.0.200/24
fab1 up down
fab1.0 up down inet 30.18.0.200/24

{primary:node0}[edit]
root@vSRXA1#

Status after the data link is configured:
{primary:node0}
root@vSRXA1> show chassis cluster interfaces
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Up

Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0 ge-0/0/4 Up / Up
fab0
fab1 ge-7/0/4 Up / Up
fab1

Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0

{primary:node0}
root@vSRXA1> show interfaces terse | match fab
ge-0/0/4.0 up up aenet --> fab0.0
ge-7/0/4.0 up up aenet --> fab1.0
fab0 up up
fab0.0 up up inet 30.17.0.200/24
fab1 up up
fab1.0 up up inet 30.18.0.200/24

{primary:node0}
root@vSRXA1>
3) Configure the HA redundancy groups (by default only group 0 exists, with priority 1; the priorities can be set manually)
{primary:node0}[edit chassis cluster]
root@vSRXA1# show | display set
set chassis cluster reth-count 8
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

Check the redundancy group status:
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster status
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring

Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None

Redundancy group: 1 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None

{primary:node0}[edit]
root@vSRXA1#
4) Configure the revenue interfaces (reth) in the HA environment (add the physical interfaces to the reth groups)
{primary:node0}[edit]
root@vSRXA1# show interfaces | match reth | display set
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth2
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth2

set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth2 redundant-ether-options redundancy-group 1
Check the reth interface status:
root@vSRXA1# run show interfaces terse | match reth
ge-0/0/2.32767 up up aenet --> reth0.32767
ge-0/0/3.32767 up up aenet --> reth2.32767
ge-7/0/2.32767 up up aenet --> reth0.32767
ge-7/0/3.32767 up up aenet --> reth2.32767
reth0 up up
reth0.32767 up up
reth2 up up
reth2.32767 up up

{primary:node0}[edit]
root@vSRXA1#

{primary:node0}[edit]
root@vSRXA1# run show chassis cluster interfaces | no-more
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Up

Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0 ge-0/0/4 Up / Up
fab0
fab1 ge-7/0/4 Up / Up
fab1

Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Up 1
reth2 Up 1

Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0

{primary:node0}[edit]
root@vSRXA1#

5) Switching between node0 and node1 (manual failover)
root@vSRXA1> request chassis cluster failover redundancy-group 0 node 1
root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1

After a manual failover the priority of the node becomes 255 and must be reset manually:
request chassis cluster failover reset redundancy-group 1
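As an added example (not part of the original article, and not a Juniper tool), the following Python script parses the output of "show chassis cluster status" and "show chassis cluster interfaces" shown in steps 2, 3 and 5 and flags the conditions an operator would want alerted on: a control or fabric link that is not Up, a redundancy group with zero or two primaries (split brain), a manual failover that has not been reset (priority 255 / Manual yes), monitor failures, and a node with priority 0. The sample outputs embedded in it are constructed to mirror the screens above; the function names are my own.

```python
"""Health check over Junos chassis-cluster show output.

Added example, not code from the original article or from Juniper. The sample
outputs below are constructed to mirror the screens in the article; the
function names are my own.
"""
import re

# Constructed sample: RG0 healthy, RG1 left in a manual failover (priority 255).
STATUS_SAMPLE = """\
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None

Redundancy group: 1 , Failover count: 2
node0 100 secondary no yes None
node1 255 primary no yes None
"""

# Constructed sample: fabric link not yet configured (the "before" state of step 2).
INTERFACES_SAMPLE = """\
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Down
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^(node[01])\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
LINK_RE = re.compile(r"^(Control|Fabric) link status:\s*(\S+)")


def parse_cluster_status(text):
    """Parse 'show chassis cluster status' into {rg_id: {failover_count, nodes}}."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RG_RE.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = {"failover_count": int(m.group(2)), "nodes": {}}
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            name, prio, status, preempt, manual, failures = m.groups()
            groups[current]["nodes"][name] = {
                "priority": int(prio),
                "status": status,
                "preempt": preempt == "yes",
                "manual": manual == "yes",
                # Monitor-failures is "None" or a comma-separated list of codes (IF, FL, ...)
                "monitor_failures": [] if failures == "None" else failures.split(","),
            }
    return groups


def parse_link_status(text):
    """Parse the control/fabric link status lines of 'show chassis cluster interfaces'."""
    return {m.group(1).lower(): m.group(2)
            for m in (LINK_RE.match(ln.strip()) for ln in text.splitlines()) if m}


def check_cluster(status_text, interfaces_text):
    """Return a list of (severity, message); an empty list means the cluster looks healthy."""
    findings = []
    links = parse_link_status(interfaces_text)
    for link in ("control", "fabric"):
        state = links.get(link, "missing")
        if state != "Up":
            findings.append(("critical", f"{link} link status is {state}"))
    for rg_id, rg in sorted(parse_cluster_status(status_text).items()):
        nodes = rg["nodes"]
        primaries = [n for n, d in nodes.items() if d["status"] == "primary"]
        if len(primaries) != 1:
            findings.append(("critical", f"RG{rg_id}: {len(primaries)} primary nodes, expected exactly 1"))
        # Junos raises the target node to priority 255 and marks Manual on a forced failover
        if any(d["manual"] or d["priority"] == 255 for d in nodes.values()):
            findings.append(("warning", f"RG{rg_id}: manual failover still in effect; "
                             f"run 'request chassis cluster failover reset redundancy-group {rg_id}'"))
        for node, d in nodes.items():
            if d["monitor_failures"]:
                findings.append(("warning", f"RG{rg_id} {node}: monitor failures {','.join(d['monitor_failures'])}"))
            if d["priority"] == 0:
                findings.append(("critical", f"RG{rg_id} {node}: priority 0, node is not eligible to be primary"))
    return findings


if __name__ == "__main__":
    for severity, message in check_cluster(STATUS_SAMPLE, INTERFACES_SAMPLE):
        print(f"[{severity}] {message}")
```

Run on the constructed samples it reports the fabric link as Down and RG1 as still in a manual failover; run after step 5's reset command with the fabric link up it reports nothing. Feeding it the live output of both show commands (for example over NETCONF or a scripted SSH session) turns the checks in this article into a periodic health monitor for the cluster.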

At this point the SRX Chassis Cluster is ready for normal use. To change other parameters, refer to:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-overview.html

The next article will cover the IP address and routing configuration of SRX HA interfaces. Thanks!
