I. Lab environment
1) vSRX 12.1X47-D20.7
II. Lab topology
vSRXA1 and vSRXA2 are configured as a Chassis Cluster.
ge-0/0/0 is the out-of-band management interface (fxp0; assigned by the system, cannot be changed).
ge-0/0/1 is the control link (assigned by the system, cannot be changed).
ge-0/0/2 is the data link (fabric link; configured manually, can be changed).
The control link and the data link are cabled back to back between the two nodes.
On branch (low-end) SRX firewalls the out-of-band management, control and data interfaces are all revenue ports.
On high-end SRX firewalls the management and control interfaces are dedicated ports; only the data (fabric) link uses revenue ports.
In HA mode the interface numbering of node1 changes: the vSRX is presented as a chassis with 7 FPC slots per node (slots 0, 1, 2, 3, 4, 5, 6), and node1's slots continue after node0's.
node0 owns FPC slots 0 to 6 (ge-0/0/x, ge-1/0/x ... ge-6/0/x); on a vSRX with a single FPC its ports are ge-0/0/x.
node1 owns FPC slots 7 to 13 (ge-7/0/x, ge-8/0/x ... ge-13/0/x); its ports are therefore ge-7/0/x, i.e. node0 slot + 7.
III. Converting an SRX from standalone mode to HA mode requires a reboot
1. Delete the configuration on both SRX and set the root password on each
vSRXA1:
root# delete    # on 12.1X47-D20.7 the default configuration must be deleted first
root# set system root-authentication plain-text-password
New password:
Retype new password:
root# commit
vSRXA2:
root# delete
root# set system root-authentication plain-text-password
New password:
Retype new password:
root# commit
2. Convert the SRX to HA mode
The cluster-id must be identical on both nodes (only the node number differs), and both nodes must run the same Junos release.
vSRXA1:
root> set chassis cluster cluster-id 1 node 0 reboot
vSRXA2:
root> set chassis cluster cluster-id 1 node 1 reboot
3. After the reboot the vSRX joins the cluster automatically
root> show chassis cluster status
Cluster ID: 1
Node    Priority   Status      Preempt   Manual   Monitor-failures
Redundancy group: 0 , Failover count: 1
node0   1          primary     no        no       None
node1   1          secondary   no        no       None
{primary:node0}
Note: on branch SRX firewalls the control link is predefined: as soon as the firewall runs in HA mode, ge-0/0/1 is the control link. High-end SRX firewalls have dedicated control-link ports that must be configured manually, in particular on the SRX5K; without a configured control link the cluster will not come up properly. On the SRX5K the control ports are configured as follows:
set chassis cluster control-ports fpc 2 port 0
set chassis cluster control-ports fpc 5 port 0
IV. Configuration order for SRX HA (performed on the primary node only)
1) Configure the management interfaces (node0/node1 management addresses and backup-router)
2) Configure the HA data-link (fabric) interface (ge-0/0/2 on node0, ge-7/0/2 on node1; ge-0/0/1 is the control link and cannot be used here)
3) Configure the redundancy groups (group 0 is the control plane by default, the other groups are the data plane)
4) Configure the revenue interfaces (reth) used in HA
5) Configure the failover parameters
6) Working in this order makes it easier to trace a problem backwards through the steps when something fails
V. HA configuration steps (performed on the primary node only)
1. Configure the management interfaces and the backup-router route
Each node gets its own fxp0 address; the master-only address is shared and is active only on whichever node is primary for redundancy group 0. The backup-router gives a node a gateway for the management subnet while its routing process is not running (during boot and on the secondary node), so both nodes stay reachable for management.
root# show configuration | display set
set groups node0 system host-name vSRXA1
set groups node0 system backup-router 10.1.1.254
set groups node0 system backup-router destination 10.1.1.0/24
set groups node0 interfaces fxp0 unit 0 family inet address 10.1.1.2/24
set groups node0 interfaces fxp0 unit 0 family inet address 10.1.1.1/24 master-only
set groups node1 system host-name vSRXA2
set groups node1 system backup-router 10.1.1.254
set groups node1 system backup-router destination 10.1.1.0/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.1.1.3/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.1.1.1/24 master-only
root# set apply-groups "${node}"    # apply the node0/node1 groups defined above; ${node} expands to the local node name on each node
root# commit    # commit and save the configuration; it is synchronised to both nodes
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete
{primary:node0}[edit]
2. Check the out-of-band management interface status on node0 and node1
root@vSRXA1# run show interfaces terse | match fxp0
root@vSRXA2> show interfaces terse | match fxp0
3. Configure the HA data link; the keyword is fab (fab0 is node0's side, fab1 is node1's side)
root@vSRXA1# show interfaces | match fab | display set
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-7/0/2
Check the fab interface status:
root@vSRXA1# run show chassis cluster interfaces
root@vSRXA2> show interfaces terse | match fab
4. Configure the redundancy groups (by default only group 0 exists, with priority 1 on both nodes; priorities can be set manually)
root@vSRXA1# show chassis cluster reth-count | display set
set chassis cluster reth-count 8    # maximum number of reth interfaces the cluster may define (not the number of redundancy groups); no reth interface can be created until this is set
root@vSRXA1# show chassis cluster | display set | match priority
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
The node with the higher priority becomes primary for the group. Without preempt, a node that recovers after a failover does not take the group back automatically.
Check the redundancy-group status:
root@vSRXA1# run show chassis cluster status
5. Configure the revenue interfaces (reth) in the HA setup (add the physical interfaces to the reth groups; each reth has one member on node0 and the matching member on node1)
root@vSRXA1# show interfaces | match reth | display set
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-7/0/3 gigether-options redundant-parent reth0
set interfaces ge-7/0/4 gigether-options redundant-parent reth1
6. Assign the reth interfaces to a redundancy group
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
Check the reth interface status:
root@vSRXA1# run show interfaces terse | match reth
root@vSRXA1# run show chassis cluster interfaces | no-more
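The steps above are repetitive and easy to get wrong by hand (a reth member on one node without its partner on the other, the control-link port reused as a fabric member, a reth index above reth-count). The following script is an added example, not code from the original post: it generates the set commands for steps 1 to 6 from a short spec and refuses combinations the cluster would not accept. It encodes the interface rules stated in the topology section (node1 slot = node0 slot + 7; ge-0/0/0 is fxp0 and ge-0/0/1 the control link on this vSRX). Host names and addresses are the lab's; the function names and the spec format are this example's own.

```python
"""Generate Junos chassis-cluster 'set' commands for a vSRX pair and
sanity-check the interface assignments before they are pasted into the
primary node. Added example; not the post's own code."""
import re

NODE1_SLOT_OFFSET = 7                      # vSRX 12.1X47: node1 owns FPC slots 7-13
RESERVED_PORTS = {0: "fxp0 (management)",  # ge-0/0/0, assumption from the topology section
                  1: "control link"}       # ge-0/0/1, fixed by the system
IFACE_RE = re.compile(r"^ge-(\d+)/(\d+)/(\d+)$")


def peer_interface(node0_iface):
    """Return the node1 port that pairs with a node0 revenue port."""
    m = IFACE_RE.match(node0_iface)
    if not m:
        raise ValueError(f"not a ge- interface: {node0_iface}")
    fpc, pic, port = (int(x) for x in m.groups())
    if fpc >= NODE1_SLOT_OFFSET:
        raise ValueError(f"{node0_iface} is already a node1 interface")
    if fpc == 0 and pic == 0 and port in RESERVED_PORTS:
        raise ValueError(f"{node0_iface} is the {RESERVED_PORTS[port]}, not a revenue port")
    return f"ge-{fpc + NODE1_SLOT_OFFSET}/{pic}/{port}"


def build_cluster_config(mgmt, fab_port, reths, priorities=(200, 100)):
    """Return the 'set' lines for management groups, fabric link,
    redundancy groups and reth interfaces.

    mgmt:     {"node0": (host, fxp0 addr), "node1": (...), "master": shared addr,
               "gateway": backup-router, "subnet": backup-router destination}
    fab_port: node0 member of fab0, e.g. "ge-0/0/2"; fab1 gets its node1 peer
    reths:    {"reth0": (node0 member port, redundancy group), ...}
    """
    lines = []
    for node in ("node0", "node1"):
        host, addr = mgmt[node]
        lines += [
            f"set groups {node} system host-name {host}",
            f"set groups {node} system backup-router {mgmt['gateway']}",
            f"set groups {node} system backup-router destination {mgmt['subnet']}",
            f"set groups {node} interfaces fxp0 unit 0 family inet address {addr}",
            f"set groups {node} interfaces fxp0 unit 0 family inet address {mgmt['master']} master-only",
        ]
    lines.append('set apply-groups "${node}"')

    # Fabric (data) link: one member per node; peer_interface() rejects fxp0/control ports.
    lines.append(f"set interfaces fab0 fabric-options member-interfaces {fab_port}")
    lines.append(f"set interfaces fab1 fabric-options member-interfaces {peer_interface(fab_port)}")

    # reth-count bounds the reth index, not the number of redundancy groups.
    indices = []
    for name in reths:
        m = re.fullmatch(r"reth(\d+)", name)
        if not m:
            raise ValueError(f"bad reth name: {name}")
        indices.append(int(m.group(1)))
    lines.append(f"set chassis cluster reth-count {max(indices) + 1}")

    # RG0 (control plane) always exists; data-plane groups come from the reth spec.
    groups = {0} | {rg for _, rg in reths.values()}
    for rg in sorted(groups):
        for node_id, prio in enumerate(priorities):
            lines.append(f"set chassis cluster redundancy-group {rg} node {node_id} priority {prio}")

    used = {fab_port}
    for name, (member, rg) in reths.items():
        if rg == 0:
            raise ValueError(f"{name}: reth interfaces belong to a data-plane group (>= 1), not RG0")
        if member in used:
            raise ValueError(f"{member} is already used by another reth or the fabric link")
        used.add(member)
        lines.append(f"set interfaces {member} gigether-options redundant-parent {name}")
        lines.append(f"set interfaces {peer_interface(member)} gigether-options redundant-parent {name}")
        lines.append(f"set interfaces {name} redundant-ether-options redundancy-group {rg}")
    return lines


if __name__ == "__main__":
    cfg = build_cluster_config(
        {"node0": ("vSRXA1", "10.1.1.2/24"), "node1": ("vSRXA2", "10.1.1.3/24"),
         "master": "10.1.1.1/24", "gateway": "10.1.1.254", "subnet": "10.1.1.0/24"},
        "ge-0/0/2",
        {"reth0": ("ge-0/0/3", 1), "reth1": ("ge-0/0/4", 1)},
    )
    print("\n".join(cfg))
```

The output is meant to be pasted into `[edit]` on the primary node followed by `commit`; the node1 lines are derived rather than typed, so the two halves of every reth and of the fabric link always match.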
7. Manual failover between node0 and node1
root@vSRXA1> request chassis cluster failover redundancy-group 0 node 1
root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1
root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1 force
After a manual failover the priority of the target node is shown as 255 and the group stays pinned to it; the manual-failover state must be cleared by hand:
request chassis cluster failover reset redundancy-group 1
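A forgotten `failover reset` is a common way to end up with a cluster that looks healthy but can no longer fail over on its own. The following parser is an added example, not code from the original post: it reads `show chassis cluster status` output in the column layout shown in section III and reports the states an operator should act on. The sample output is constructed for the example; the column semantics assumed are that Manual "yes" or a priority of 255 means a manual failover is pinning the group, and priority 0 means monitoring has disqualified that node.

```python
"""Audit 'show chassis cluster status' output for manual failovers, monitoring
failures and split-brain symptoms. Added example; not the post's own code."""
import re

GROUP_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^\s*(node\d)\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)\s*(.*)$")

# Constructed sample: RG0 healthy, RG1 pinned by a manual failover to node1,
# RG2 with node0 disqualified by interface monitoring ("IF").
SAMPLE = """\
Cluster ID: 1
Node    Priority   Status      Preempt   Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0   200        primary     no        no       None
node1   100        secondary   no        no       None

Redundancy group: 1 , Failover count: 2
node0   200        secondary   no        yes      None
node1   255        primary     no        yes      None

Redundancy group: 2 , Failover count: 3
node0   0          secondary   no        no       IF
node1   100        primary     no        no       None
"""


def parse_cluster_status(text):
    """Return {rg: {"failover_count": n, "nodes": {name: {...}}}}."""
    groups, current = {}, None
    for line in text.splitlines():
        g = GROUP_RE.match(line)
        if g:
            current = int(g.group(1))
            groups[current] = {"failover_count": int(g.group(2)), "nodes": {}}
            continue
        n = NODE_RE.match(line)
        if n and current is not None:
            name, prio, status, preempt, manual, failures = n.groups()
            groups[current]["nodes"][name] = {
                "priority": int(prio), "status": status,
                "preempt": preempt == "yes", "manual": manual == "yes",
                "monitor_failures": failures.strip() or "None",
            }
    return groups


def audit_cluster_status(text):
    """Return a list of (rg, finding) tuples; empty when nothing needs attention."""
    findings = []
    for rg, info in sorted(parse_cluster_status(text).items()):
        nodes = info["nodes"]
        primaries = [n for n, d in nodes.items() if d["status"] == "primary"]
        if len(primaries) != 1:
            findings.append((rg, f"{len(primaries)} primary nodes (expected 1): "
                                 "possible split brain or lost control link"))
        if any(d["manual"] or d["priority"] == 255 for d in nodes.values()):
            findings.append((rg, "manual failover in effect; clear it with "
                                 f"'request chassis cluster failover reset redundancy-group {rg}'"))
        for name, d in nodes.items():
            if d["priority"] == 0 and not d["manual"]:
                findings.append((rg, f"{name} priority 0, monitor failures: {d['monitor_failures']}"))
            if d["status"] not in ("primary", "secondary"):
                findings.append((rg, f"{name} status '{d['status']}'"))
        if len(primaries) == 1:
            primary = nodes[primaries[0]]
            for name, d in nodes.items():
                if (name != primaries[0] and d["priority"] > primary["priority"]
                        and not d["preempt"] and not d["manual"]):
                    findings.append((rg, f"{name} outranks the primary but preempt is off; "
                                         "the group will not fail back on its own"))
    return findings


if __name__ == "__main__":
    for rg, msg in audit_cluster_status(SAMPLE):
        print(f"RG{rg}: {msg}")
```

In practice the text comes from `show chassis cluster status | no-more` over SSH or from a NETCONF RPC; the parser only depends on the group header and node rows, so the blank lines and the column header are ignored.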
8. Example configuration: cluster, port mapping (telnet, port 23) and NAT (the following is configured on the primary node only)
root@SRX1> show configuration | display set
set version 12.1X47-D20.7
set groups node0 system host-name SRX1
set groups node0 system time-zone Asia/Shanghai
set groups node0 system name-server 114.114.114.114
set groups node0 system services web-management http interface fxp0.0
set groups node0 system syslog file traffic-log any any
set groups node0 system syslog file traffic-log match RT_FLOW_SESSION
set groups node0 interfaces fxp0 unit 0 family inet address 10.1.1.1/24
set groups node1 system host-name SRX2
set groups node1 system time-zone Asia/Shanghai
set groups node1 system name-server 114.114.114.114
set groups node1 system services web-management http interface fxp0.0
set groups node1 system syslog file traffic-log any any
set groups node1 system syslog file traffic-log match RT_FLOW_SESSION
set groups node1 interfaces fxp0 unit 0 family inet address 10.1.1.2/24
set apply-groups "${node}"
set system root-authentication plain-text-password    # the root password is set interactively
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/5 weight 255
set chassis cluster redundancy-group 1 ip-monitoring global-threshold 2
set chassis cluster redundancy-group 1 ip-monitoring retry-interval 3
set chassis cluster redundancy-group 1 ip-monitoring retry-count 5
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.12.1 weight 255
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.12.1 interface reth0.0 secondary-ip-address 1.1.12.2
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-7/0/3 gigether-options redundant-parent reth0
set interfaces ge-7/0/4 gigether-options redundant-parent reth1
set interfaces ge-7/0/5 gigether-options redundant-parent reth2
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-7/0/2
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 1.1.12.2/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.1.1/24
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 172.16.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.12.1
set security nat source rule-set dmz-to-untrust from zone DMZ
set security nat source rule-set dmz-to-untrust to zone untrust
set security nat source rule-set dmz-to-untrust rule dmz-to-untrust match source-address 172.16.1.0/24
set security nat source rule-set dmz-to-untrust rule dmz-to-untrust match destination-address 0.0.0.0/0
set security nat source rule-set dmz-to-untrust rule dmz-to-untrust then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule trust-to-untrust match source-address 192.168.1.0/24
set security nat source rule-set trust-to-untrust rule trust-to-untrust match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule trust-to-untrust then source-nat interface
set security nat destination pool dmz-telnet address 172.16.1.2/32
set security nat destination pool dmz-telnet address port 23
set security nat destination pool trust-telnet address 192.168.1.2/32
set security nat destination pool trust-telnet address port 23
set security nat destination rule-set untrust-nat from zone untrust
set security nat destination rule-set untrust-nat rule untrust-to-dmz-telnet match destination-address 1.1.12.2/32
set security nat destination rule-set untrust-nat rule untrust-to-dmz-telnet match destination-port 23
set security nat destination rule-set untrust-nat rule untrust-to-dmz-telnet then destination-nat pool dmz-telnet
set security nat destination rule-set untrust-nat rule untrust-to-trust-telnet match destination-address 1.1.12.2/32
set security nat destination rule-set untrust-nat rule untrust-to-trust-telnet match destination-port 2323
set security nat destination rule-set untrust-nat rule untrust-to-trust-telnet then destination-nat pool trust-telnet
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet match source-address any-ipv4
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet match destination-address dmz-telnet-server
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet match application junos-telnet
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet match source-identity any
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet then permit
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet then log session-init
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet then log session-close
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet match source-address any-ipv4
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet match destination-address trust-telnet-server
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet match application junos-telnet
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet match source-identity any
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet then log session-init
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet then log session-close
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping match source-address dmz-172.16.1.0/24
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping match destination-address any-ipv4
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping match application junos-icmp-ping
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping match source-identity any
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping then permit
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet match source-address dmz-172.16.1.0/24
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet match destination-address untrust-server_1.1.1.1/32
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet match application junos-telnet
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet match source-identity any
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping match source-address trust_192.168.1.0/24
set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping match destination-address any-ipv4
set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping match application junos-icmp-ping
set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping match source-identity any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet match source-address trust_192.168.1.0/24
set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet match destination-address untrust-server_1.1.1.1/32
set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet match application junos-telnet
set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet match source-identity any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet then permit
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping match source-address trust_192.168.1.0/24
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping match destination-address dmz-172.16.1.0/24
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping match application junos-icmp-ping
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping match source-identity any
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping then permit
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet match source-address trust_192.168.1.0/24
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet match destination-address dmz-telnet-server
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet match application junos-telnet
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet match source-identity any
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet then permit
set security zones security-zone untrust address-book address untrust-server_1.1.1.1/32 1.1.1.1/32
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ping
set security zones security-zone trust address-book address trust-telnet-server 192.168.1.2/32
set security zones security-zone trust address-book address trust_192.168.1.0/24 192.168.1.0/24
set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services ping
set security zones security-zone DMZ address-book address dmz-telnet-server 172.16.1.2/32
set security zones security-zone DMZ address-book address dmz-172.16.1.0/24 172.16.1.0/24
set security zones security-zone DMZ interfaces reth2.0 host-inbound-traffic system-services ping
Notes on the example: destination NAT is applied before the security policy lookup, which is why the untrust-to-DMZ and untrust-to-trust policies match the real server addresses (dmz-telnet-server, trust-telnet-server) rather than the public 1.1.12.2. The lab exposes telnet (cleartext) to untrust and enables plain HTTP web management on fxp0; in a production deployment both should be replaced by SSH and HTTPS respectively, and management access should be restricted to the management network.
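The monitoring lines in the example decide whether the cluster fails over when a link or an upstream gateway dies, and mistakes there are silent until the day they matter. The script below is an added example, not code from the original post: it audits the monitoring part of a configuration in `display set` form. SAMPLE_CONFIG is a constructed subset of the example above. The three rules it checks are that every interface-monitor entry is a reth member (a monitored port outside the data path is noise), that the monitored weights on each node add up to the group threshold of 255 so that link loss alone can trigger a failover, and that the ip-monitoring secondary-ip-address is a free address in the reth subnet rather than the reth's own address, since the secondary node sources its probes from it while the primary owns the reth address. That last rule is this example's reading of the ip-monitoring behaviour, not something the original post states; the function and sample names are the example's own.

```python
"""Audit interface-monitor and ip-monitoring settings of a chassis cluster
configuration given in 'display set' form. Added example; not the post's code."""
import ipaddress
import re

RG_THRESHOLD = 255          # per-node failover threshold of a redundancy group
NODE1_SLOT_OFFSET = 7       # vSRX: node1 owns FPC slots 7-13

# Constructed subset of the example configuration above.
SAMPLE_CONFIG = """\
set chassis cluster reth-count 3
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/4 weight 255
set chassis cluster redundancy-group 1 ip-monitoring global-threshold 2
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.12.1 weight 255
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.12.1 interface reth0.0 secondary-ip-address 1.1.12.2
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-7/0/4 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 1.1.12.2/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.1.1/24
"""

MEMBER_RE = re.compile(r"^set interfaces (ge-\S+) gigether-options redundant-parent (reth\d+)$")
ADDR_RE = re.compile(r"^set interfaces (reth\d+) unit (\d+) family inet address (\S+)$")
IFMON_RE = re.compile(r"^set chassis cluster redundancy-group (\d+) interface-monitor (\S+) weight (\d+)$")
IPMON_RE = re.compile(r"^set chassis cluster redundancy-group (\d+) ip-monitoring family inet (\S+) "
                      r"interface (\S+) secondary-ip-address (\S+)$")


def node_of(iface):
    """node0 owns FPC slots 0-6, node1 owns slots 7-13 (vSRX numbering)."""
    fpc = int(iface.split("-", 1)[1].split("/")[0])
    return "node1" if fpc >= NODE1_SLOT_OFFSET else "node0"


def audit_monitoring(config_text):
    """Return a list of human-readable findings; empty when the rules hold."""
    members, addrs, ifmon, ipmon = {}, {}, [], []
    for line in config_text.splitlines():
        line = line.strip()
        if m := MEMBER_RE.match(line):
            members[m.group(1)] = m.group(2)
        elif m := ADDR_RE.match(line):
            addrs[f"{m.group(1)}.{m.group(2)}"] = ipaddress.ip_interface(m.group(3))
        elif m := IFMON_RE.match(line):
            ifmon.append((int(m.group(1)), m.group(2), int(m.group(3))))
        elif m := IPMON_RE.match(line):
            ipmon.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))

    findings = []
    weight_per_node = {}
    for rg, iface, weight in ifmon:
        if iface not in members:
            findings.append(f"RG{rg}: interface-monitor {iface} is not a member of any reth")
        key = (rg, node_of(iface))
        weight_per_node[key] = weight_per_node.get(key, 0) + weight
    for rg in sorted({rg for rg, _, _ in ifmon}):
        for node in ("node0", "node1"):
            total = weight_per_node.get((rg, node), 0)
            if total < RG_THRESHOLD:
                findings.append(f"RG{rg}: monitored weight on {node} is {total} < {RG_THRESHOLD}; "
                                "link loss alone cannot trigger failover")
    for rg, target, reth_unit, secondary in ipmon:
        reth_addr = addrs.get(reth_unit)
        if reth_addr is None:
            findings.append(f"RG{rg}: ip-monitoring of {target} references {reth_unit}, which has no inet address")
            continue
        sec = ipaddress.ip_address(secondary)
        if sec not in reth_addr.network:
            findings.append(f"RG{rg}: secondary-ip-address {secondary} is outside {reth_addr.network}")
        elif sec == reth_addr.ip:
            findings.append(f"RG{rg}: secondary-ip-address {secondary} equals the {reth_unit} address; "
                            f"use a free address in {reth_addr.network}")
    return findings


if __name__ == "__main__":
    for finding in audit_monitoring(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the only finding is the secondary-ip-address clash on reth0.0; extend the regular expressions if the configuration also monitors IPv6 targets or uses `ge-` ports on a second PIC.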