SRX 340 Front Panel
SRX 340 Back Panel
The cabling is a little different from the SRX 240 and SRX 1400. Here are some related posts:
- Configure SRX 240 cluster Step by Step
- Juniper SRX 240 Chassis Cluster (High Availability) Configuration
- Configure High End Juniper SRX 1400 as Chassis Cluster Steps
- Juniper SRX340 HA Configuration
Topology:
Configure Steps:
Chassis Cluster Flow Diagram (SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 Devices)
1. Remove Factory Default Configuration:
1.1 Factory Default Configuration
root> show configuration
## Last commit: 2016-09-29 05:23:17 UTC by root
version 15.1X49-D45;
system {
    autoinstallation {
        delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit
        traceoptions {
            level verbose;
            flag {
                all;
            }
        }
        interfaces {
            ge-0/0/0 {
                bootp;
            }
        }
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface [ fxp0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ge-0/0/6.0 ge-0/0/7.0 ];
            }
            https {
                system-generated-certificate;
                interface [ fxp0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ge-0/0/6.0 ge-0/0/7.0 ];
            }
        }
        dhcp {
            pool 192.168.2.0/24 {
                address-range low 192.168.2.2 high 192.168.2.254;
                router {
                    192.168.2.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.3.0/24 {
                address-range low 192.168.3.2 high 192.168.3.254;
                router {
                    192.168.3.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.4.0/24 {
                address-range low 192.168.4.2 high 192.168.4.254;
                router {
                    192.168.4.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.5.0/24 {
                address-range low 192.168.5.2 high 192.168.5.254;
                router {
                    192.168.5.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.6.0/24 {
                address-range low 192.168.6.2 high 192.168.6.254;
                router {
                    192.168.6.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.7.0/24 {
                address-range low 192.168.7.2 high 192.168.7.254;
                router {
                    192.168.7.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.8.0/24 {
                address-range low 192.168.8.2 high 192.168.8.254;
                router {
                    192.168.8.1;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ## Warning: missing mandatory statement(s): 'root-authentication'
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
                ge-0/0/4.0;
                ge-0/0/5.0;
                ge-0/0/6.0;
                ge-0/0/7.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0;
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.4.1/24;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family inet {
                address 192.168.5.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 192.168.6.1/24;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet {
                address 192.168.7.1/24;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.8.1/24;
            }
        }
    }
    ge-0/0/8 {
        unit 0;
    }
    ge-0/0/9 {
        unit 0;
    }
    ge-0/0/10 {
        unit 0;
    }
    ge-0/0/11 {
        unit 0;
    }
    ge-0/0/12 {
        unit 0;
    }
    ge-0/0/13 {
        unit 0;
    }
    ge-0/0/14 {
        unit 0;
    }
    ge-0/0/15 {
        unit 0;
    }
    fxp0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
root>
1.2 Delete all default configuration
root> configure
Entering configuration mode
The configuration has been changed but not committed

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
Oct 4 03:42:44 init: dhcp (PID 1684) exited with status=0 Normal Exit
Oct 4 03:42:44 init: autoinstallation (PID 1682) exited with status=0 Normal Exit
commit complete

[edit]
root#
2. Enable Chassis Cluster on Node0 and Node1
[edit]
root# show
## Last changed: 2016-10-04 03:42:37 UTC
version 15.1X49-D45;
system {
    root-authentication {
        encrypted-password "$5$kUxAKKC3$v6GLhluBqbu1.oksOHHLstkMNiG1hzCWtL9uhKEKfB1"; ## SECRET-DATA
    }
}

[edit]
root# exit
Exiting configuration mode

root> set chassis cluster cluster-id 9 node 0 reboot
Successfully enabled chassis cluster. Going to reboot now.

root>
*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY
Amnesiac (ttyu0)
login: root
Password:
--- JUNOS 15.1X49-D45 built 2016-04-25 07:29:58 UTC
root@%
Verify Cluster Status after reboot.
{primary:node0}[edit]
root# run show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring

Cluster ID: 9
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  1        primary        no      no       None
node1  0        secondary      no      no       CF
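Checking this output by eye after every reboot does not scale, so here is an added example (not code from the original post or from Juniper) that parses the `show chassis cluster status` text shown above and reports anything a cluster operator should act on: a wrong cluster-id, an unexpected primary, monitor failure codes such as CF, or a node at priority 0 that cannot take over. The sample text is the page's own output embedded as a constant; the expected primary node is an assumption you pass in.

```python
import re

# Constructed sample, copied from the "show chassis cluster status" output in
# step 2 above: node0 is primary, node1 has not yet synced its config (CF).
SAMPLE_STATUS = """\
Cluster ID: 9
Node   Priority Status         Preempt Manual   Monitor-failures
Redundancy group: 0 , Failover count: 1
node0  1        primary        no      no       None
node1  0        secondary      no      no       CF
"""

RG_RE = re.compile(r"Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^(node\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")

def parse_cluster_status(text):
    """Return (cluster_id, {rg: {"failovers": n, "nodes": [dict, ...]}}).
    The failure-code legend and header lines match neither regex and are skipped."""
    cluster_id, groups, current = None, {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Cluster ID:\s*(\d+)", line)
        if m:
            cluster_id = int(m.group(1))
            continue
        m = RG_RE.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = {"failovers": int(m.group(2)), "nodes": []}
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            name, prio, status, preempt, manual, fails = m.groups()
            groups[current]["nodes"].append({
                "name": name, "priority": int(prio), "status": status,
                "preempt": preempt, "manual": manual,
                # Junos prints "None" or one or more failure codes (e.g. "CF")
                "failures": [] if fails == "None" else fails.split(),
            })
    return cluster_id, groups

def check_cluster(text, expected_cluster_id, expected_primary="node0"):
    """Return a list of findings; an empty list means the cluster looks healthy."""
    cluster_id, groups = parse_cluster_status(text)
    findings = []
    if cluster_id != expected_cluster_id:
        findings.append(f"cluster-id {cluster_id} != expected {expected_cluster_id}")
    for rg, info in sorted(groups.items()):
        primaries = [n["name"] for n in info["nodes"] if n["status"] == "primary"]
        if primaries != [expected_primary]:
            findings.append(f"RG{rg}: primary is {primaries}, expected {expected_primary}")
        for n in info["nodes"]:
            if n["failures"]:
                findings.append(f"RG{rg} {n['name']}: monitor failures {n['failures']}")
            if n["priority"] == 0:
                findings.append(f"RG{rg} {n['name']}: priority 0, cannot become primary")
    return findings
```

Run against the sample it reports two findings for node1 (the CF monitor failure and priority 0), which is exactly what you expect at this point in the procedure and what should disappear once node1 is enabled and the step 3 configuration is committed.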
Enable Cluster on Second Node, node1
root@% cli
root> configure
Entering configuration mode
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit and-quit
commit complete
Exiting configuration mode
root> Oct 13 22:56:58 init: mountd-service (PID 20972) exited with status=1
Oct 13 22:56:59 init: exec_command: /usr/sbin/mountd (PID 20985) started
Oct 13 22:56:59 init: mountd-service (PID 20985) started
Oct 13 22:56:59 init: gstatd (PID 20973) exited with status=1
Oct 13 22:56:59 init: exec_command: /usr/sbin/gstatd (PID 20994) started
Oct 13 22:56:59 init: gstatd (PID 20994) started
root> set chassis cluster cluster-id 9 node 1 reboot
Successfully enabled chassis cluster. Going to reboot now.
3. Basic Interfaces, Security Zones, Routes and Policies Configuration
{primary:node0}[edit]
set groups node0 system host-name fw-HA-1
set groups node0 interfaces fxp0 unit 0 family inet address 10.8.1.19/24
set groups node0 interfaces fxp0 unit 0 family inet address 10.8.1.21/24 master-only
set groups node1 system host-name fw-com-twn1-2
set groups node1 interfaces fxp0 unit 0 family inet address 10.8.1.20/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.8.1.21/24 master-only
set apply-groups "${node}"
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set interfaces fab0 fabric-options member-interfaces ge-0/0/3
set interfaces fab1 fabric-options member-interfaces ge-5/0/3
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-5/0/0 gigether-options redundant-parent reth0
set interfaces ge-0/0/2 gigether-options redundant-parent reth1
set interfaces ge-5/0/2 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set security zones security-zone Zone1
set security zones security-zone Zone2
set security zones security-zone Zone1 host-inbound-traffic system-services all
set security zones security-zone Zone2 host-inbound-traffic system-services all
set interfaces reth0 unit 0 family inet address 10.8.2.14/24
set security zones security-zone Zone1 interfaces reth0.0
set interfaces reth1 unit 0 family inet address 10.8.3.13/24
set security zones security-zone Zone2 interfaces reth1.0
set system backup-router 10.8.1.1 destination 10.0.0.0/8
set routing-options static route 0.0.0.0/0 next-hop 10.8.1.1
set security policies from-zone Zone1 to-zone Zone2 policy allow_any match source-address any
set security policies from-zone Zone1 to-zone Zone2 policy allow_any match destination-address any
set security policies from-zone Zone1 to-zone Zone2 policy allow_any match application any
set security policies from-zone Zone1 to-zone Zone2 policy allow_any then permit
set security policies from-zone Zone2 to-zone Zone1 policy allow_any match source-address any
set security policies from-zone Zone2 to-zone Zone1 policy allow_any match destination-address any
set security policies from-zone Zone2 to-zone Zone1 policy allow_any match application any
set security policies from-zone Zone2 to-zone Zone1 policy allow_any then permit
set security zones security-zone Zone2 tcp-rst
set security zones security-zone Zone1 tcp-rst
{primary:node0}[edit]
root# commit
node0:
configuration check succeeds
node1:
commit complete
Oct 4 04:11:18 init: mountd-service (PID 2418) exited with status=1
Oct 4 04:11:18 init: exec_command: /usr/sbin/mountd (PID 2423) started
Oct 4 04:11:18 init: mountd-service (PID 2423) started
Oct 4 04:11:18 init: gstatd (PID 2416) exited with status=1
Oct 4 04:11:18 init: exec_command: /usr/sbin/gstatd (PID 2427) started
Oct 4 04:11:18 init: gstatd (PID 2427) started
Oct 4 04:11:18 init: l2cpd-service (PID 2414) exited with status=0 Normal Exit
Oct 4 04:11:18 init: exec_command: /usr/sbin/l2cpd (PID 2430) started
Oct 4 04:11:18 init: l2cpd-service (PID 2430) started
node0:
commit complete
{primary:node0}[edit]
root@fw-HA-1#
4. More Configuration
4.1 Group Configuration
set groups node0 system backup-router 10.8.1.1
set groups node0 system backup-router destination 10.44.20.160/24
set groups node0 system services ssh max-sessions-per-connection 32
set groups node0 system syslog file default-log-messages any info
set groups node0 system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES"
set groups node0 system syslog file default-log-messages structured-data
set groups node0 interfaces fxp0 unit 0 family inet filter input restrict_ssh
set groups node1 system backup-router 10.8.1.1
set groups node1 system backup-router destination 10.44.20.160/24
set groups node1 system services ssh max-sessions-per-connection 32
set groups node1 system syslog file default-log-messages any info
set groups node1 system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES"
set groups node1 system syslog file default-log-messages structured-data
set groups node1 interfaces fxp0 unit 0 family inet filter input restrict_ssh
set apply-groups "${node}"
set firewall filter restrict_ssh term ssh-from-nsm from source-address 10.44.20.0/24
set firewall filter restrict_ssh term ssh-from-nsm from destination-address 10.8.1.19/24
set firewall filter restrict_ssh term ssh-from-nsm from destination-address 10.8.1.20/24
set firewall filter restrict_ssh term ssh-from-nsm from destination-address 10.8.1.21/24
set firewall filter restrict_ssh term ssh-from-nsm from destination-port 22
set firewall filter restrict_ssh term ssh-from-nsm then accept
set firewall filter restrict_ssh term block-all-ssh from destination-address 10.8.1.19/24
set firewall filter restrict_ssh term block-all-ssh from destination-address 10.8.1.20/24
set firewall filter restrict_ssh term block-all-ssh from destination-address 10.8.1.21/24
set firewall filter restrict_ssh term block-all-ssh from protocol tcp
set firewall filter restrict_ssh term block-all-ssh from destination-port 22
set firewall filter restrict_ssh term block-all-ssh then count bad-access
set firewall filter restrict_ssh term block-all-ssh then log
set firewall filter restrict_ssh term block-all-ssh then syslog
set firewall filter restrict_ssh term block-all-ssh then reject tcp-reset
set firewall filter restrict_ssh term default-permit then accept
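To see what the `restrict_ssh` filter above actually does once applied as an input filter on fxp0, here is an added example (a Python model, not Junos code and not from the original post) that evaluates its three terms first-match over a few constructed packets. Two points the model makes explicit: the destination addresses 10.8.1.19/24, 10.8.1.20/24 and 10.8.1.21/24 all denote the same prefix 10.8.1.0/24, so the match covers the whole management subnet rather than the three fxp0 addresses (host masks would be needed for that), and the `block-all-ssh` term is limited to TCP by its `protocol tcp` condition. Treating a port match with no protocol condition as applying to TCP and UDP is an assumption of the model.

```python
import ipaddress

# Constructed model of the restrict_ssh filter: terms, match conditions and
# actions mirror the set commands, evaluated first-match as Junos does.
# 10.8.1.19/24, .20/24 and .21/24 all normalise to 10.8.1.0/24.
MGMT_NET = ipaddress.ip_network("10.8.1.0/24")
NSM_NET = ipaddress.ip_network("10.44.20.0/24")

RESTRICT_SSH = [
    {"name": "ssh-from-nsm",
     "from": {"src": [NSM_NET], "dst": [MGMT_NET], "dport": 22},
     "then": "accept"},
    {"name": "block-all-ssh",
     "from": {"dst": [MGMT_NET], "proto": "tcp", "dport": 22},
     "then": "reject tcp-reset", "count": "bad-access"},   # also log + syslog on the box
    {"name": "default-permit", "from": {}, "then": "accept"},
]

def term_matches(conds, pkt):
    """True when every 'from' condition of a term matches the packet."""
    if "src" in conds and not any(ipaddress.ip_address(pkt["src"]) in n for n in conds["src"]):
        return False
    if "dst" in conds and not any(ipaddress.ip_address(pkt["dst"]) in n for n in conds["dst"]):
        return False
    if "proto" in conds and pkt["proto"] != conds["proto"]:
        return False
    if "dport" in conds:
        # Model assumption: a port match with no protocol condition applies to
        # TCP and UDP; other protocols carry no port and never match it.
        if pkt["proto"] not in ("tcp", "udp") or pkt.get("dport") != conds["dport"]:
            return False
    return True

def evaluate(pkt, counters, terms=RESTRICT_SSH):
    """First matching term wins; returns (term name, action) and bumps counters."""
    for term in terms:
        if term_matches(term["from"], pkt):
            if "count" in term:
                counters[term["count"]] = counters.get(term["count"], 0) + 1
            return term["name"], term["then"]
    return None, "discard"  # a Junos filter ends with an implicit discard

def demo():
    """Constructed packets arriving on fxp0; 192.0.2.7 stands in for a non-NSM host."""
    counters = {}
    results = [evaluate(p, counters) for p in (
        {"src": "10.44.20.5", "dst": "10.8.1.21", "proto": "tcp", "dport": 22},   # NSM -> ssh
        {"src": "192.0.2.7", "dst": "10.8.1.19", "proto": "tcp", "dport": 22},    # other -> ssh
        {"src": "192.0.2.7", "dst": "10.8.1.19", "proto": "tcp", "dport": 443},   # other -> https
        {"src": "192.0.2.7", "dst": "10.8.1.19", "proto": "icmp"},                # ping
    )]
    return results, counters
```

The `bad-access` counter the model increments corresponds to what `show firewall filter restrict_ssh` reports on the device, which is the number worth graphing or alerting on.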
4.2 SNMP Configuration
set snmp filter-duplicates
set snmp v3 usm local-engine user junosAES authentication-md5 authentication-key "$$KO.v7-Vb2ZDi4ojqm5F3SrlKxNbs2gJGre24JZkqP5QFnCp0BhyltpORSyKvWLx-ds2gJZjHlKJGUjq.hSyevL-VwoaUyls2oaiHtu0OcyX7-dwY0BEyevLXbs2oaUHkPF39q.z6/CB1-VbsoJjq5z3Dj0BREyrZUDHkP369pO16/0IEcle4aJZk."
set snmp v3 usm local-engine user junosAES privacy-aes128 privacy-key "9$bp2ZU.mTQ3624/Ctu1Idbwg4ZiHmPQFUDApuORE24oJHqfTz9Cu3nlKvWx7Ujiq.5n6ApBI3ntOBIcSwY24aUHkPfQFmPT39CB1EcyrWLxNdbYg7NqmfT3n/Ctp0IEhrvMXyrMX-dg4ZUjHP56/tB1h/9u1IhrlJGUji.z36AtO/9ev8Xbw24aGk."
set snmp v3 vacm security-to-group security-model usm security-name junosAES group readonly
set snmp v3 vacm access group readonly default-context-prefix security-model usm security-level privacy read-view view_all
set snmp engine-id local 4014
set snmp view view_all oid 1 include
set snmp client-list snmpclient 10.4.1.0/24
4.3 System, Routing-options and Routing-instance Configuration
set system backup-router 10.8.1.1
set system backup-router destination 10.0.0.0/8
set system time-zone UTC
set system login class sec-read-only permissions view-configuration
set system login class sec-read-only allow-commands show
set system login class sec-read-only deny-commands "(clear)|(file)|(file show)|(help)|(load)|(monitor)|(op)|(request)|(save)|(set)|(start)|(test)"
set system login class sec-read-only deny-configuration all
set system login class super-user-cust idle-timeout 10
set system login class super-user-cust permissions all
set system login user test uid 2001
set system login user test class super-user
set system login user test authentication encrypted-password "$1$2po2xsGc$BUVkMEQGCf9.2CH7FCSA/"
set system services ssh
set system services netconf ssh
set system syslog archive size 750k
set system syslog archive files 2
set system syslog user * any emergency
set system syslog host 10.8.128.42 any any
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file messages explicit-priority
set system syslog file interactive-commands interactive-commands error
set system syslog file traffic-create any any
set system syslog file traffic-create match RT_FLOW_SESSION_CREATE
set system syslog file traffic-deny any any
set system syslog file traffic-deny match RT_FLOW_SESSION_DENY
set system max-configurations-on-flash 10
set system max-configuration-rollbacks 30
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server 10.9.16.5
set system ntp server 10.44.4.27
set routing-options static route 0.0.0.0/0 next-hop 10.8.1.1
set routing-instances def-vr instance-type virtual-router
set routing-instances def-vr interface reth0.0
set routing-instances def-vr interface reth1.0
set routing-instances def-vr routing-options static route 0.0.0.0/0 next-hop 10.8.2.1