Juniper SRX HA Configuration Explained


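I. Juniper SRX interface types
gr: GRE tunnel interface
ip: IP-over-IP interface
fe: Fast Ethernet interface
ge: Gigabit Ethernet interface
ae: aggregated Ethernet interface
as: aggregated SONET/SDH interface
fxp0: out-of-band management port. It is independent of HA, and the management port configuration is not synchronized.
fxp1: control-plane heartbeat port. Which port it is differs by model; it is not configured.
fab: data-plane heartbeat interface (control-link). Module type 1GE or 10GE.
reth: interface that forwards data (data-link). One interface from each SRX is bundled into a reth.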

II. HA configuration steps
1. Delete the configuration on both devices:
delete all
2. Set the device user password:
set system root-authentication plain-text-password
3. Set the host name:
set system host-name SRX-A
4. Connect the control-link interfaces and set the primary/backup node configuration:
set chassis cluster cluster-id 1 node 0 reboot
set chassis cluster cluster-id 1 node 1 reboot
5. After the reboot, check the HA status:
show chassis cluster status
6. Specify the data transfer ports and connect the data transfer interfaces:
set interfaces fab0 fabric-options member-interfaces ge-0/0/0
set interfaces fab1 fabric-options member-interfaces ge-1/0/0

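III. Juniper SRX650 HA configuration example
1. Define the cluster-id and node. The cluster-id must be the same within one cluster; its range is 0-15, and 0 disables clustering. The node range is 0-1, and 0 is the primary device.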
root@SRX-A> set chassis cluster cluster-id 1 node 0 reboot
root@SRX-B> set chassis cluster cluster-id 1 node 1 reboot

2. Configure the host name and management IP for the cluster devices
root@SRX-A# set groups node0 system host-name SRX-A
root@SRX-A# set groups node0 interfaces fxp0 unit 0 family inet address 10.1.1.1/24
root@SRX-A# set groups node1 system host-name SRX-B
root@SRX-A# set groups node1 interfaces fxp0 unit 0 family inet address 10.1.1.2/24
root@SRX-A# set apply-groups "${node}" #Apply the configuration above to each individual node
root@SRX-A# commit

3. Define the data-plane control interfaces and associate them with ports
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1

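4. Set each node's priority for the redundancy groups. The priority range is 1-254, and a larger value means a higher priority. Two redundancy groups are normally defined: redundancy-group 0 for the control engine and redundancy-group 1 for the data engine.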
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1

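5. Configure interface monitoring on the data redundancy ports; configuring interface monitoring on redundancy-group 0 is not recommended. When a monitored interface is found to have failed, the priority is reduced by 255, which makes the data ports fail over automatically.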
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255

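6. Define the maximum number of redundancy groups (redundancy-group) the cluster supports. It must not be lower than the number of redundancy groups currently configured; otherwise the redundant interfaces beyond that number will not work, and the routes of those redundant interfaces will not take effect.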
set chassis cluster reth-count 3

7. Add the physical ports to redundant interface reth0, and add reth0 to the data redundancy group redundancy-group 1
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1

8. Configure an IP address on the redundant logical interface
set interfaces reth0 unit 0 family inet address 202.106.115.6/30

9. Add the physical ports to redundant interface reth1, and add reth1 to the data redundancy group redundancy-group 1
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1

10. Configure an IP address on redundant interface reth1
set interfaces reth1 unit 0 family inet address 192.168.1.1/24

11. Add the physical ports to redundant interface reth2, and add reth2 to the data redundancy group redundancy-group 1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1

12. Configure an IP address on redundant logical interface reth2
set interfaces reth2 unit 0 family inet address 172.16.1.1/24

13. Bind the cluster's logical interfaces to zones
set security zones security-zone trust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone DMZ interfaces reth2.0
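
The consistency rules that steps 5 to 11 depend on (reth-count covers every reth, each reth has a member on both nodes and a redundancy group, every member is interface-monitored in that group), as an added example that is not part of the original page. The function names and the node-1 FPC offset of 3 (read off the ge-3/0/x interface names above) are assumptions.

```python
# Constructed sample: the set commands of steps 5-11 on this page, generated
# rather than typed out (ge-0/0/3..5 on node 0, ge-3/0/3..5 on node 1).
SAMPLE = "set chassis cluster reth-count 3\n" + "".join(
    f"set chassis cluster redundancy-group 1 interface-monitor ge-{f}/0/{p} weight 255\n"
    f"set interfaces ge-{f}/0/{p} gigether-options redundant-parent reth{p - 3}\n"
    for f in (0, 3) for p in (3, 4, 5)
) + "".join(
    f"set interfaces reth{n} redundant-ether-options redundancy-group 1\n" for n in range(3)
)

def fpc(ifname):
    """FPC slot of a physical interface name, e.g. ge-3/0/4 -> 3."""
    return int(ifname.split("-", 1)[1].split("/")[0])

def lint_cluster(config, node1_fpc_offset=3):
    """Return findings for a set-style chassis-cluster config ([] means clean)."""
    # Assumption: FPC slots >= node1_fpc_offset belong to node 1 (3 matches this
    # page's interface names; other platforms use a different offset).
    members, rg_of, monitored, reth_count = {}, {}, {}, 0
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["set", "chassis", "cluster", "reth-count"]:
            reth_count = int(t[4])
        elif t[:4] == ["set", "chassis", "cluster", "redundancy-group"] and t[5:6] == ["interface-monitor"]:
            monitored[t[6]] = t[4]                      # interface -> monitoring group
        elif t[:2] == ["set", "interfaces"] and t[3:5] == ["gigether-options", "redundant-parent"]:
            members.setdefault(t[5], []).append(t[2])   # reth -> child interfaces
        elif t[:2] == ["set", "interfaces"] and t[3:5] == ["redundant-ether-options", "redundancy-group"]:
            rg_of[t[2]] = t[5]                          # reth -> redundancy group
    findings = []
    reths = sorted(set(members) | set(rg_of))
    if reth_count < len(reths):
        findings.append(f"reth-count {reth_count} is lower than the {len(reths)} reth interfaces configured")
    for reth in reths:
        kids = members.get(reth, [])
        if {fpc(k) >= node1_fpc_offset for k in kids} != {False, True}:
            findings.append(f"{reth}: members {kids} do not cover both nodes")
        rg = rg_of.get(reth)
        if rg is None:
            findings.append(f"{reth}: no redundancy-group assigned")
            continue
        findings += [f"{reth}: {k} is not monitored in redundancy-group {rg}"
                     for k in kids if monitored.get(k) != rg]
    return findings

if __name__ == "__main__":
    print(lint_cluster(SAMPLE) or "no findings")
```

A line whose statement name is misspelled is simply not recognized, so the affected reth is reported as having no redundancy group.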

14. Manual failover of a Juniper SRX cluster
Switch primary/backup on the control plane
request chassis cluster failover reset redundancy-group 0
request chassis cluster failover redundancy-group 0 node 0
Switch primary/backup on the data plane
request chassis cluster failover reset redundancy-group 1
request chassis cluster failover redundancy-group 1 node 0 force
Check the cluster status
show chassis cluster status

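15. If a device needs to be returned to its original standalone state
#First disable clustering, then reboot
set chassis cluster disable reboot
#Use load factory-default to restore the factory settings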
load factory-default
set system root-authentication plain-text-password
commit

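16. Juniper SRX session logging configuration (enabling session log recording for all logs is not recommended)
set groups node0 system syslog file traffic-log any any     #Enable session logging; the log file is traffic-log
set groups node0 system syslog file traffic-log match RT_FLOW_SESSION    #Write only logs containing the RT_FLOW_SESSION field to the traffic-log file
The policy must have session-init or session-close \ count enabled

show log traffic-log     #View the session log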


