Juniper SRX防火牆HA配置

1、實驗環境介紹
1）vsrx 12.1X47-D20.7

2、實驗拓撲

vSRXA1與vSRXA2之間建議Chassis Cluster
ge-0/0/0爲帶外管理接口(系列默認，不可改)
ge-0/0/1爲control-link（系統配置，不可改）
ge-0/0/4爲data-link(手工配置，可改)
control-link與data-link採用背靠背的鏈接方式。

在低端的SRX防火牆帶外管理接口、控制接口、數據接口都是業務接口。
在高端的SRX防火牆管理接口、控制接口即爲專用接口，只有數據接口爲業務接口。

在HA中node1的接口序號將發生變化，在vSRX虛擬器上轉爲爲一個7槽的設備（即slot 0、一、二、三、四、五、6）
node0的接口序號爲ge-0/0/0、ge-1/0/0....ge-6/0/0
node1的接口序號爲ge-7/0/0、ge-8/0/0...ge-13/0/0

3、SRX 從單機模式到HA模式，須要重啓防火牆
vSRXA1:
set chassis cluster cluster-id 1 node 0 reboot
vSRXA2:
set chassis cluster cluster-id 1 node 1 reboot
2) vSRX重啓後自動加入HA模式
{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 1 primary no no None
node1 1 secondary no no None

{primary:node0}
root>

注： 低端的SRX防火牆中，control-link是預置的，只要防火牆工做於HA模式，ge-0/0/1就爲control-link。可是在高端SRX防火牆中有專門的control-link須要手工配置，特別是在SRX5K中。若是不配置control-link防火牆將不能正常啓動，SRX5K配置control-link Port命令以下:
set chassis cluster control-ports fpc 2 port 0
set chassis cluster control-ports fpc 5 port 0

4、SRX防火牆HA的配置順序以下（在master防火牆操做便可）
1）配置管理接口（node0/1的管理地址及backup-router配置）
2）配置HA防火牆data-link接口（ge-0/0/1）
3）配置HA的Redundancy groups(默認0爲控制平面，其它爲數據平面)
4）配置HA中的業務接口RETH
5）配置HA的切換參數
6）根據以上配置順序操做，便於異常的反推排查

5、SRX防火牆HA的配置步驟（在master防火牆操做便可）
1）配置管理接口及backup-router路由
{primary:node0}[edit groups]
root# show | display set
set groups node0 system host-name vSRXA1
set groups node0 system backup-router 192.168.100.254
set groups node0 system backup-router destination 192.168.100.0/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.2/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only
set groups node1 system host-name vSRXA2
set groups node1 system backup-router 192.168.100.254
set groups node1 system backup-router destination 192.168.100.0/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.3/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only

/調用前面配置的group node0/1，並提交配置保存 /
{primary:node0}[edit]
root# set apply-groups ${node}

{primary:node0}[edit]
root# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

{primary:node0}[edit]br/>root@vSRXA1#
/查看node0和node1的狀態/

{primary:node0}[edit]
root@vSRXA1# run show interfaces terse | match fxp0
fxp0 up up
fxp0.0 up up inet 192.168.100.1/24 (group中master-only的做用)

{primary:node0}[edit]
root@vSRXA1#

{secondary:node1}
root@vSRXA2> show interfaces terse | match fxp0
fxp0 up up
fxp0.0 up up inet 192.168.100.3/24

{secondary:node1}
root@vSRXA2>

2）配置HA的data-link，配置的關鍵字爲fab
{primary:node0}[edit]
root@vSRXA1# show interfaces | match fab | display set
set interfaces fab0 fabric-options member-interfaces ge-0/0/4
set interfaces fab1 fabric-options member-interfaces ge-7/0/4

末配置前的狀態信息：
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster interfaces
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Down

Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0
fab0
fab1
fab1

Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0

{primary:node0}[edit]
root@vSRXA1# run show interfaces terse | match fab
fab0 up down
fab0.0 up down inet 30.17.0.200/24
fab1 up down
fab1.0 up down inet 30.18.0.200/24

{primary:node0}[edit]
root@vSRXA1#

配置後的狀態信息：
{primary:node0}
root@vSRXA1> show chassis cluster interfaces
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Up

Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0 ge-0/0/4 Up / Up
fab0
fab1 ge-7/0/4 Up / Up
fab1

Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0

{primary:node0}
root@vSRXA1> show interfaces terse | match fab
ge-0/0/4.0 up up aenet --> fab0.0
ge-7/0/4.0 up up aenet --> fab1.0
fab0 up up
fab0.0 up up inet 30.17.0.200/24
fab1 up up
fab1.0 up up inet 30.18.0.200/24

{primary:node0}
root@vSRXA1>
3）配置HA的Redundancy groups(默認只有group 0 優先級爲1，能夠手工配置)
{primary:node0}[edit chassis cluster]
root@vSRXA1# show | display set
set chassis cluster reth-count 8
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

查看redundant group的狀態：
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster status
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring

Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None

Redundancy group: 1 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None

{primary:node0}[edit]
root@vSRXA1#
4）配置HA環境中下的業務接口reth（將物理接口加入到reth組中）
{primary:node0}[edit]
root@vSRXA1# show interfaces | match reth | display set
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth1

set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
查看reth接口的狀態：
root@vSRXA1# run show interfaces terse | match reth
ge-0/0/2.32767 up up aenet --> reth0.32767
ge-0/0/3.32767 up up aenet --> reth1.32767
ge-7/0/2.32767 up up aenet --> reth0.32767
ge-7/0/3.32767 up up aenet --> reth1.32767
reth0 up up
reth0.32767 up up
reth1 up up
reth1.32767 up up

{primary:node0}[edit]
root@vSRXA1#

{primary:node0}[edit]
root@vSRXA1# run show chassis cluster interfaces | no-more
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Up

Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0 ge-0/0/4 Up / Up
fab0
fab1 ge-7/0/4 Up / Up
fab1

Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Up 1
reth1 Up 1

Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0

{primary:node0}[edit]
root@vSRXA1#

5）node0/1之間的切換（手工切換）
root@vSRXA1> request chassis cluster failover redundancy-group 0 node 1
root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1

手工切換後的優先級會達到255，須要手工恢復。
request chassis cluster failover reset redundancy-group 1

至此，SRX Chassi Cluster就能夠正常使用了，若是須要修改其它參數請參數連接：
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-overview.html

下文將介紹，SRX HA接口的IP配置和路由配置的方法，謝謝！