Juniper SRX Firewall HA Configuration

Published: 2020-06-29 15:50:42  Source: Network  Views: 683  Author: 大寫的七  Column: Security Technology

1. Lab environment
1) vSRX 12.1X47-D20.7

2. Lab topology
[Topology diagram: Juniper SRX firewall HA configuration]

vSRXA1 and vSRXA2 form a Chassis Cluster.
ge-0/0/0 is the out-of-band management interface (system default, cannot be changed).
ge-0/0/1 is the control-link (assigned by the system, cannot be changed).
ge-0/0/4 is the data-link (configured manually, can be changed).
The control-link and the data-link are cabled back-to-back between the two nodes.

On low-end SRX firewalls the out-of-band management interface, the control interface and the data interface are all taken from regular traffic ports.
On high-end SRX firewalls the management and control interfaces are dedicated ports; only the data interface uses a traffic port.

In HA mode the interface numbering on node1 changes: a vSRX is treated as a 7-slot device (slots 0, 1, 2, 3, 4, 5, 6).
node0's interfaces are numbered ge-0/0/0, ge-1/0/0 ... ge-6/0/0
node1's interfaces are numbered ge-7/0/0, ge-8/0/0 ... ge-13/0/0

3. Converting the SRX from standalone mode to HA mode (requires a firewall reboot)
1) Assign the cluster ID and node ID on each firewall:
vSRXA1:
set chassis cluster cluster-id 1 node 0 reboot
vSRXA2:
set chassis cluster cluster-id 1 node 1 reboot
2) After the reboot the vSRX joins HA mode automatically:
{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 1 primary no no None
node1 1 secondary no no None

{primary:node0}
root>

Note: on low-end SRX firewalls the control-link is predefined: as soon as the firewall runs in HA mode, ge-0/0/1 becomes the control-link. High-end SRX firewalls, and the SRX5K in particular, have dedicated control-link ports that must be configured manually; if no control-link is configured the firewall will not start up properly. The SRX5K control-link port configuration commands are:
set chassis cluster control-ports fpc 2 port 0
set chassis cluster control-ports fpc 5 port 0

4. Order of SRX firewall HA configuration (performed on the master firewall only)
1) Configure the management interfaces (node0/1 management addresses and backup-router)
2) Configure the HA firewall data-link interface (ge-0/0/1)
3) Configure the HA redundancy groups (group 0 is the control plane by default; the others are data-plane groups)
4) Configure the HA traffic interfaces (reth)
5) Configure the HA failover parameters
6) Working in this order makes it easier to troubleshoot problems by tracing back step by step

5. SRX firewall HA configuration steps (performed on the master firewall only)
1) Configure the management interfaces and the backup-router route
{primary:node0}[edit groups]
root# show | display set
set groups node0 system host-name vSRXA1
set groups node0 system backup-router 192.168.100.254
set groups node0 system backup-router destination 192.168.100.0/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.2/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only
set groups node1 system host-name vSRXA2
set groups node1 system backup-router 192.168.100.254
set groups node1 system backup-router destination 192.168.100.0/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.3/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only

Apply the node0/node1 groups configured above, then commit to save the configuration:
{primary:node0}[edit]
root# set apply-groups ${node}

{primary:node0}[edit]
root# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

{primary:node0}[edit]
root@vSRXA1#

Check the status of node0 and node1:

{primary:node0}[edit]
root@vSRXA1# run show interfaces terse | match fxp0
fxp0 up up
fxp0.0 up up inet 192.168.100.1/24 (this is the effect of master-only in the group)

{primary:node0}[edit]
root@vSRXA1#

{secondary:node1}
root@vSRXA2> show interfaces terse | match fxp0
fxp0 up up
fxp0.0 up up inet 192.168.100.3/24

{secondary:node1}
root@vSRXA2>

2) Configure the HA data-link; the configuration keyword is fab
{primary:node0}[edit]
root@vSRXA1# show interfaces | match fab | display set
set interfaces fab0 fabric-options member-interfaces ge-0/0/4
set interfaces fab1 fabric-options member-interfaces ge-7/0/4

Status before the fab configuration:
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster interfaces
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Down

Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0
fab0
fab1
fab1

Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0

{primary:node0}[edit]
root@vSRXA1# run show interfaces terse | match fab
fab0 up down
fab0.0 up down inet 30.17.0.200/24
fab1 up down
fab1.0 up down inet 30.18.0.200/24

{primary:node0}[edit]
root@vSRXA1#

Status after the fab configuration:
{primary:node0}
root@vSRXA1> show chassis cluster interfaces
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Up

Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0 ge-0/0/4 Up / Up
fab0
fab1 ge-7/0/4 Up / Up
fab1

Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0

{primary:node0}
root@vSRXA1> show interfaces terse | match fab
ge-0/0/4.0 up up aenet --> fab0.0
ge-7/0/4.0 up up aenet --> fab1.0
fab0 up up
fab0.0 up up inet 30.17.0.200/24
fab1 up up
fab1.0 up up inet 30.18.0.200/24

{primary:node0}
root@vSRXA1>
3) Configure the HA redundancy groups (by default only group 0 exists, with priority 1; priorities can be set manually)
{primary:node0}[edit chassis cluster]
root@vSRXA1# show | display set
set chassis cluster reth-count 8
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

Check the redundancy group status:
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster status
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring

Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None

Redundancy group: 1 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None

{primary:node0}[edit]
root@vSRXA1#
4) Configure the traffic interfaces (reth) in the HA environment (add the physical interfaces to the reth groups)
{primary:node0}[edit]
root@vSRXA1# show interfaces | match reth | display set
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth2
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth2

set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth2 redundant-ether-options redundancy-group 1
Check the reth interface status:
root@vSRXA1# run show interfaces terse | match reth
ge-0/0/2.32767 up up aenet --> reth0.32767
ge-0/0/3.32767 up up aenet --> reth2.32767
ge-7/0/2.32767 up up aenet --> reth0.32767
ge-7/0/3.32767 up up aenet --> reth2.32767
reth0 up up
reth0.32767 up up
reth2 up up
reth2.32767 up up

{primary:node0}[edit]
root@vSRXA1#

{primary:node0}[edit]
root@vSRXA1# run show chassis cluster interfaces | no-more
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Up

Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0 ge-0/0/4 Up / Up
fab0
fab1 ge-7/0/4 Up / Up
fab1

Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Up 1
reth2 Up 1

Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0

{primary:node0}[edit]
root@vSRXA1#
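As an added example (not code from the original article or from Juniper), the following Python script generates the set commands of steps 1 to 4 from a handful of parameters, in the order section 4 recommends. It assumes the slot-offset rule from the topology section (on a vSRX, node1's copy of a node0 interface has its FPC slot shifted by 7, so ge-0/0/4 pairs with ge-7/0/4) and feeds in this lab's values as sample input; the helper names peer_interface, cluster_config and example_config are the example's own.

```python
"""Added example for this article (not Juniper's code): build the chassis
cluster 'set' commands of steps 1-4 in the recommended order. It assumes
the vSRX slot-offset rule from the topology section: node1's copy of a
node0 interface has its FPC slot shifted by the chassis slot count
(7 on a vSRX), so ge-0/0/4 on node0 pairs with ge-7/0/4 on node1."""
import re

VSRX_SLOTS = 7  # a vSRX becomes a 7-slot device (slots 0..6) in cluster mode

_IF_RE = re.compile(r"^(?P<media>[a-z]+)-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)$")


def peer_interface(node0_ifname, slots=VSRX_SLOTS):
    """Return the node1 interface that mirrors a node0 interface."""
    m = _IF_RE.match(node0_ifname)
    if not m:
        raise ValueError(f"not a Junos physical interface name: {node0_ifname}")
    fpc = int(m.group("fpc"))
    if fpc >= slots:
        raise ValueError(f"{node0_ifname} is already a node1 interface (fpc {fpc} >= {slots})")
    return f"{m.group('media')}-{fpc + slots}/{m.group('pic')}/{m.group('port')}"


def cluster_config(hostnames, mgmt_addrs, master_only_addr, backup_router,
                   backup_dest, fab_member, rg_priorities, reths,
                   reth_count=8, slots=VSRX_SLOTS):
    """Return the set commands as a list, in the article's order:
    node groups, fabric link, redundancy groups, reth parents.

    hostnames / mgmt_addrs: {0: ..., 1: ...} per node
    rg_priorities: {rg: (node0_priority, node1_priority)}
    reths: {"reth0": ("ge-0/0/2", 1)} -> node0 child interface and its RG
    """
    lines = []
    # 1) per-node groups: host name, backup-router and fxp0 addresses;
    #    the master-only address follows whichever node is primary
    for node in (0, 1):
        g = f"set groups node{node}"
        lines += [
            f"{g} system host-name {hostnames[node]}",
            f"{g} system backup-router {backup_router}",
            f"{g} system backup-router destination {backup_dest}",
            f"{g} interfaces fxp0 unit 0 family inet address {mgmt_addrs[node]}",
            f"{g} interfaces fxp0 unit 0 family inet address {master_only_addr} master-only",
        ]
    lines.append("set apply-groups ${node}")
    # 2) fabric (data) link: fab0 on node0, fab1 on the mirrored node1 port
    lines.append(f"set interfaces fab0 fabric-options member-interfaces {fab_member}")
    lines.append(f"set interfaces fab1 fabric-options member-interfaces {peer_interface(fab_member, slots)}")
    # 3) redundancy groups (RG0 = control plane, RG1 and up = data plane)
    lines.append(f"set chassis cluster reth-count {reth_count}")
    for rg, (p0, p1) in sorted(rg_priorities.items()):
        lines.append(f"set chassis cluster redundancy-group {rg} node 0 priority {p0}")
        lines.append(f"set chassis cluster redundancy-group {rg} node 1 priority {p1}")
    # 4) reth interfaces: the physical port on each node becomes a child of the reth
    for reth, (child, rg) in reths.items():
        if not reth.startswith("reth") or int(reth[4:]) >= reth_count:
            raise ValueError(f"{reth} is outside reth-count {reth_count}")
        if rg not in rg_priorities or rg == 0:
            raise ValueError(f"{reth}: redundancy-group {rg} is not a configured data-plane group")
        for ifname in (child, peer_interface(child, slots)):
            lines.append(f"set interfaces {ifname} gigether-options redundant-parent {reth}")
        lines.append(f"set interfaces {reth} redundant-ether-options redundancy-group {rg}")
    return lines


def example_config():
    """This article's lab values (vSRXA1/vSRXA2) fed through cluster_config."""
    return cluster_config(
        hostnames={0: "vSRXA1", 1: "vSRXA2"},
        mgmt_addrs={0: "192.168.100.2/24", 1: "192.168.100.3/24"},
        master_only_addr="192.168.100.1/24",
        backup_router="192.168.100.254",
        backup_dest="192.168.100.0/24",
        fab_member="ge-0/0/4",
        rg_priorities={0: (200, 100), 1: (200, 100)},
        reths={"reth0": ("ge-0/0/2", 1), "reth2": ("ge-0/0/3", 1)},
    )


if __name__ == "__main__":
    print("\n".join(example_config()))
```

Running the script prints the same set commands shown in steps 1 to 4 above; the checks in cluster_config reject a reth index beyond reth-count and a reth bound to RG0 or to an undefined group, which are the two mistakes that a commit would otherwise only reveal on the primary node.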

5) Switching between node0 and node1 (manual failover)
root@vSRXA1> request chassis cluster failover redundancy-group 0 node 1
root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1

After a manual failover the priority becomes 255 and must be reset manually:
request chassis cluster failover reset redundancy-group 1

At this point the SRX Chassis Cluster is ready for use. To change other parameters, refer to:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-overview.html

The next article will cover IP address and routing configuration for SRX HA interfaces. Thanks!
