Juniper SRX 240 Chassis Cluster (High Availability) Configuration - NETSEC


Tuesday, January 3, 2012

Working on a Juniper SRX 240 chassis cluster configuration. Here I will list all the steps I took, from the first one. Refer to Juniper KB15504.
Warning: until your configuration is finished, do not connect the SRX240 to your production environment. It will take your production network down, since all interfaces except ge-0/0/0 are pre-configured into one VLAN.

1. Power on the devices and connect the console cable.

2. Log in with the root username; there is no password.

3. Type cli to enter the command line.

4. Change the root user password:
root@host# set system root-authentication plain-text-password

5. Delete all the default VLAN-related configuration, such as the security zones (trust, untrust), security policies, interface ranges, VLAN settings, etc. Commit the changes.

6. Connect SRX-A ge-0/0/1 to SRX-B ge-0/0/1 directly with a cable. Warning: a switch cannot be used.

7. Connect SRX-A ge-0/0/2 to SRX-B ge-0/0/2 directly with a cable. Not sure if a switch can be used.

8. After committing your configuration, enable the cluster on both SRX-A and SRX-B from operational mode:
on SRX-A > set chassis cluster cluster-id 1 node 0 reboot
on SRX-B > set chassis cluster cluster-id 1 node 1 reboot

9. After both systems boot up, enter configuration mode on SRX-A; from now on no configuration needs to be done on SRX-B. Set up the device-specific configuration, such as host names and management IP addresses. This is specific to each device and is the only part of the configuration that is unique to its node. It is done by entering the following commands (all on the primary node):
# set groups node0 system host-name SRX-A
# set groups node1 system host-name SRX-B
# set groups node0 interfaces fxp0 unit 0 family inet address 100.1.1.1/24
# set groups node1 interfaces fxp0 unit 0 family inet address 100.1.1.2/24

The following command applies the individual group configuration to each node ("${node}" expands to node0 or node1on the respective node):
# set apply-groups "${node}"

10. Create the FAB links (data plane links for RTO sync, etc.). ge-5/0/2 is node1's ge-0/0/2, since node1's slots are renumbered to start at 5 in a cluster:
# set interfaces fab0 fabric-options member-interfaces ge-0/0/2
# set interfaces fab1 fabric-options member-interfaces ge-5/0/2
# commit and-quit

11. Set up the maximum number of redundant interfaces:

set chassis cluster reth-count 10

Set up Redundancy Group 0 for the Routing Engine failover properties. Also set up Redundancy Group 1 (all the interfaces will be in one redundancy group in this example) to define the failover properties for the reth interfaces:
set chassis cluster redundancy-group 0 node 0 priority 50
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 50
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 preempt

Set up interface monitoring. Monitoring the health of the interfaces is one way to trigger redundancy group failover: the weights of the monitored interfaces that go down are summed, and the group fails over when the sum reaches 255, so with weight 255 any single monitored interface going down fails the whole group over. Note: interface monitoring is not recommended for redundancy-group 0.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/8 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/9 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/10 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/11 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/12 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/13 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/13 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/12 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/11 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/10 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/9 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/8 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/14 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/14 weight 255

12. Set up the Redundant Ethernet interfaces (reth interfaces).

set interfaces ge-0/0/8 gigether-options redundant-parent reth0
set interfaces ge-0/0/9 gigether-options redundant-parent reth1
set interfaces ge-0/0/10 gigether-options redundant-parent reth2
set interfaces ge-0/0/11 gigether-options redundant-parent reth3
set interfaces ge-0/0/12 gigether-options redundant-parent reth4
set interfaces ge-0/0/13 gigether-options redundant-parent reth5
set interfaces ge-0/0/14 gigether-options redundant-parent reth6
set interfaces ge-0/0/15 gigether-options redundant-parent reth7
set interfaces ge-5/0/8 gigether-options redundant-parent reth0
set interfaces ge-5/0/9 gigether-options redundant-parent reth1
set interfaces ge-5/0/10 gigether-options redundant-parent reth2
set interfaces ge-5/0/11 gigether-options redundant-parent reth3
set interfaces ge-5/0/12 gigether-options redundant-parent reth4
set interfaces ge-5/0/13 gigether-options redundant-parent reth5
set interfaces ge-5/0/14 gigether-options redundant-parent reth6
set interfaces ge-5/0/15 gigether-options redundant-parent reth7
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 100.199.132.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 100.199.130.1/24
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 100.199.128.1/24
set interfaces reth3 redundant-ether-options redundancy-group 1
set interfaces reth3 unit 0 family inet address 100.199.134.1/24
set interfaces reth4 redundant-ether-options redundancy-group 1
set interfaces reth4 unit 0 family inet address 100.199.2.1/24
set interfaces reth5 redundant-ether-options redundancy-group 1
set interfaces reth5 unit 0 family inet address 100.199.1.1/24
set interfaces reth6 redundant-ether-options redundancy-group 1
set interfaces reth6 unit 0 family inet address 100.199.136.1/24
set interfaces reth7 redundant-ether-options redundancy-group 1
set interfaces reth7 unit 0 family inet address 100.199.138.1/24


13. Assign the redundant interfaces to zones.
set security zones security-zone Data host-inbound-traffic system-services all
set security zones security-zone Data interfaces reth0.0

set security zones security-zone Client host-inbound-traffic system-services all
set security zones security-zone Client interfaces reth1.0

set security zones security-zone Internal host-inbound-traffic system-services all
set security zones security-zone Internal interfaces reth2.0

set security zones security-zone Pop host-inbound-traffic system-services all
set security zones security-zone Pop interfaces reth3.0

set security zones security-zone Office host-inbound-traffic system-services all
set security zones security-zone Office interfaces reth4.0

set security zones security-zone Tokyo host-inbound-traffic system-services all
set security zones security-zone Tokyo interfaces reth5.0

set security zones security-zone Beijin host-inbound-traffic system-services all
set security zones security-zone Beijin interfaces reth6.0

set security zones security-zone DMZ host-inbound-traffic system-services all
set security zones security-zone DMZ interfaces reth7.0

14. Commit; the changes will be copied over to the secondary node, device B.
    On device A:
    {primary:node0}# commit
This prepares the basic clustering setting for both devices.
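As an added example (not part of the original post and not a Juniper tool), the following Python script checks the kind of configuration built in steps 11 through 13 before it is committed. It parses a constructed excerpt of the post's own set commands and reports reths that do not have exactly one member per node, reth members that are not covered by interface-monitor (in the post's config, ge-0/0/15 and ge-5/0/15 belong to reth7 but are not monitored, so their failure alone would not trigger failover), zones that permit every system service inbound with host-inbound-traffic system-services all, and whether a given set of down interfaces reaches the redundancy-group failover threshold of 255. All function and variable names are the example's own.

```python
"""Offline audit of SRX chassis-cluster 'set' commands (added example, not the
post's or Juniper's code). Checks reth pairing, interface-monitor coverage,
permissive zone host-inbound-traffic, and the RG failover weight threshold."""
import re
from collections import defaultdict

# Junos fails a redundancy group over once the weights of its down monitored
# interfaces sum to at least 255; the threshold is fixed.
FAILOVER_THRESHOLD = 255

# Constructed excerpt of the set commands shown in the post (same values).
SAMPLE_CONFIG = """
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/8 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/14 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/8 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/14 weight 255
set interfaces ge-0/0/8 gigether-options redundant-parent reth0
set interfaces ge-5/0/8 gigether-options redundant-parent reth0
set interfaces ge-0/0/14 gigether-options redundant-parent reth6
set interfaces ge-5/0/14 gigether-options redundant-parent reth6
set interfaces ge-0/0/15 gigether-options redundant-parent reth7
set interfaces ge-5/0/15 gigether-options redundant-parent reth7
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth6 redundant-ether-options redundancy-group 1
set interfaces reth7 redundant-ether-options redundancy-group 1
set security zones security-zone Data host-inbound-traffic system-services all
set security zones security-zone Data interfaces reth0.0
set security zones security-zone DMZ host-inbound-traffic system-services all
set security zones security-zone DMZ interfaces reth7.0
"""

MONITOR_RE = re.compile(r"^set chassis cluster redundancy-group (\d+) interface-monitor (\S+) weight (\d+)$")
MEMBER_RE = re.compile(r"^set interfaces (\S+) gigether-options redundant-parent (reth\d+)$")
RETH_RG_RE = re.compile(r"^set interfaces (reth\d+) redundant-ether-options redundancy-group (\d+)$")
ZONE_SVC_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")


def parse(config_text):
    """Return (monitors, members, reth_rg, zone_services) from 'set' lines."""
    monitors = {}                    # (rg, interface) -> weight
    members = defaultdict(list)      # reth -> [member interfaces]
    reth_rg = {}                     # reth -> redundancy group
    zone_services = defaultdict(set) # zone -> services allowed inbound
    for line in config_text.strip().splitlines():
        line = line.strip()
        if m := MONITOR_RE.match(line):
            monitors[(int(m.group(1)), m.group(2))] = int(m.group(3))
        elif m := MEMBER_RE.match(line):
            members[m.group(2)].append(m.group(1))
        elif m := RETH_RG_RE.match(line):
            reth_rg[m.group(1)] = int(m.group(2))
        elif m := ZONE_SVC_RE.match(line):
            zone_services[m.group(1)].add(m.group(2))
    return monitors, members, reth_rg, zone_services


def node_of(interface):
    """In a two-node SRX240 cluster node1's ports are renumbered to slot 5."""
    slot = int(interface.split("-")[1].split("/")[0])
    return 0 if slot == 0 else 1


def reth_pairing_problems(members):
    """reths that do not have exactly one member on node0 and one on node1."""
    return [reth for reth, ifaces in sorted(members.items())
            if sorted(node_of(i) for i in ifaces) != [0, 1]]


def unmonitored_members(monitors, members, reth_rg):
    """reth members whose failure would not count toward their RG's failover."""
    missing = []
    for reth, ifaces in members.items():
        rg = reth_rg.get(reth)
        missing.extend(i for i in ifaces if (rg, i) not in monitors)
    return sorted(missing)


def rg_fails_over(monitors, rg, down_interfaces):
    """True when the weights of down monitored interfaces in rg reach 255."""
    total = sum(w for (g, i), w in monitors.items() if g == rg and i in down_interfaces)
    return total >= FAILOVER_THRESHOLD


def zones_allowing_all_services(zone_services):
    """Zones configured with host-inbound-traffic system-services all."""
    return sorted(z for z, svcs in zone_services.items() if "all" in svcs)


if __name__ == "__main__":
    monitors, members, reth_rg, zone_services = parse(SAMPLE_CONFIG)
    print("reth pairing problems:", reth_pairing_problems(members))
    print("reth members not monitored:", unmonitored_members(monitors, members, reth_rg))
    print("zones allowing all system services inbound:", zones_allowing_all_services(zone_services))
    print("RG1 fails over if ge-0/0/8 goes down:", rg_fails_over(monitors, 1, {"ge-0/0/8"}))
    print("RG1 fails over if ge-0/0/15 goes down:", rg_fails_over(monitors, 1, {"ge-0/0/15"}))
```

Run it as a script for a printed report, or import it and feed parse() the output of show configuration | display set taken from the cluster; the zone check is there because system-services all exposes every management service on that zone's reth, which is rarely what a production zone should allow.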
