juniper srx100B雙機熱備HA心得

時間 2021-08-14

標籤 node markdown app ide 接口 ast 欄目系統安全简体版

原文原文鏈接

配置SRX100 b雙機熱備HA心得：廠商指定F0/0/7-控制接口，F0/0/6-設備管理接口
一、配置 Cluster id 和 Node id
set chassis cluster cluster-id 1 node 0 reboot
set chassis cluster cluster-id 1 node 1 reboot
注：node越小，級別越高，爲主設備。另外，須要先把接口刪除，不然重啓後不能進入configure模式。node

二、配置控制接口和數據接口，數據這裏接口我這裏本身指定爲F0/0/2
控制接口系統默認指定F0/0/7，不須要配置，直接2臺設備F0/0/7互聯就行。
set interfaces fab0 fabric-options member-interfaces fe-0/0/2
set interfaces fab1 fabric-options member-interfaces fe-1/0/2
注：數據接口不用配置ipmarkdown

三、每一個機箱的個性化配置：
set groups node0 system host-name SRX-A
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.100/24 #####主設備的管理ip
set groups node1 system host-name SRX-B
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.101/24#####備設備的管理ip
set apply-groups "${node}"
注：2臺設備的管理ip都是fxp0，另外配置完成記得set apply-groups "${node}"，不然出現問題。app

四、配置 Redundancy Group ：RG0爲引擎切換。RG1爲數據層面切換，記得此處有開啓preemt搶佔。
set chassis cluster reth-count 8
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 interface-monitor fe-0/0/0 weight 255########配置接口interface-monitor
set chassis cluster redundancy-group 1 interface-monitor fe-0/0/1 weight 255########配置接口interface-monitor
set chassis cluster redundancy-group 1 interface-monitor fe-1/0/0 weight 255########配置接口interface-monitor
set chassis cluster redundancy-group 1 interface-monitor fe-1/0/1 weight 255########配置接口interface-monitoride

五、將interface-monitor加入到冗餘接口reth0 reth1，並把冗餘接口加入到RG1
set interfaces fe-0/0/0 fastether-options redundant-parent reth0
set interfaces fe-0/0/0 unit 0
set interfaces fe-0/0/1 fastether-options redundant-parent reth1
set interfaces fe-0/0/1 unit 0
set interfaces fe-1/0/0 fastether-options redundant-parent reth0
set interfaces fe-1/0/0 unit 0
set interfaces fe-1/0/1 fastether-options redundant-parent reth1
set interfaces fe-1/0/1 unit 0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1接口

六、給冗餘接口reth0 reth1配置ip，劃入對應的區域，及策略放通。
set interfaces reth0 unit 0 family inet address 202.100.1.10/24
set interfaces reth1 unit 0 family inet address 192.168.10.10/24
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces reth1.0 host-inbound-traffic protocols allip

set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permitci

相關標籤/搜索

每日一句

每一个你不满意的现在，都有一个你没有努力的曾经。