Juniper vSRX HA (Chassis Cluster) configuration

1. Lab environment
1) vSRX 12.1X47-D20.7

2. Lab topology

A Chassis Cluster is built between vSRXA1 and vSRXA2.
ge-0/0/0 is the out-of-band management interface (system default, cannot be changed; it appears as fxp0 once the node is in cluster mode)
ge-0/0/1 is the control-link (assigned by the system, cannot be changed)
ge-0/0/4 is the data-link / fabric link (configured manually, can be changed)
The control-link and the data-link are cabled back-to-back between the two nodes.

On branch (low-end) SRX firewalls the out-of-band management port, the control port and the data (fabric) port are all taken from ordinary revenue (traffic) ports.
On high-end SRX firewalls the management and control ports are dedicated ports; only the data (fabric) link uses a revenue port.

In HA mode the interface numbering of node1 changes: the vSRX is modelled as a 7-slot device (slots 0, 1, 2, 3, 4, 5 and 6), and node1's slots continue after node0's.
node0 interfaces: ge-0/0/0, ge-1/0/0 ... ge-6/0/0
node1 interfaces: ge-7/0/0, ge-8/0/0 ... ge-13/0/0
(On this vSRX all revenue ports sit in slot 0, so node1's copy of ge-0/0/x shows up as ge-7/0/x.)

3. Moving an SRX from standalone mode to HA mode requires a reboot of the firewall
vSRXA1:
set chassis cluster cluster-id 1 node 0 reboot
vSRXA2:
set chassis cluster cluster-id 1 node 1 reboot

After the reboot each vSRX comes up in HA mode automatically; from node0 the cluster looks like this:
{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node                  Priority   Status     Preempt   Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
    node0             1          primary    no        no       None
    node1             1          secondary  no        no       None

{primary:node0}

Note: on branch SRX firewalls (and on vSRX) the control-link is predefined: as soon as the firewall runs in HA mode, ge-0/0/1 is the control-link. High-end SRX firewalls have dedicated control-link ports that must be configured by hand, in particular on the SRX5K. If the control ports are not configured the two nodes cannot form the cluster correctly. On an SRX5K the control ports are configured with:
set chassis cluster control-ports fpc 2 port 0
set chassis cluster control-ports fpc 5 port 0

4. Order of the SRX HA configuration (all of it is done on the primary node; the commit is synchronized to the other node)
1) Configure the management interfaces (the node0/node1 management addresses and the backup-router)
2) Configure the HA data-link (fabric) interface (ge-0/0/4)
3) Configure the HA redundancy groups (group 0 is the control plane / routing engine; every other group is a data-plane group)
4) Configure the business (traffic) interfaces as reth interfaces
5) Configure the HA failover parameters
6) Working in this order makes it easier to trace a fault back to the step that introduced it

5. SRX HA configuration steps (done on the primary node only)
1. Configure the management interfaces and the backup-router route
root# show | display set
set groups node0 system host-name vSRXA1
set groups node0 system backup-router 192.168.100.254
set groups node0 system backup-router destination 192.168.100.0/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.2/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only
set groups node1 system host-name vSRXA2
set groups node1 system backup-router 192.168.100.254
set groups node1 system backup-router destination 192.168.100.0/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.3/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only
{primary:node0}[edit]
root# set apply-groups ${node}      # applies the node0/node1 groups configured above (${node} expands to the local node name); then commit
{primary:node0}[edit]
root# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete
{primary:node0}[edit]

2. Check the state of the out-of-band management interface on node0 and node1
root@vSRXA1# run show interfaces terse | match fxp0
root@vSRXA2> show interfaces terse | match fxp0

3. Configure the HA data-link (fabric); the configuration keyword is fab. fab0 belongs to node0 and fab1 to node1, so node1's member interface carries the +7 slot offset.
root@vSRXA1# show interfaces | display set | match fab
set interfaces fab0 fabric-options member-interfaces ge-0/0/4
set interfaces fab1 fabric-options member-interfaces ge-7/0/4
Check the state of the fab interfaces:
root@vSRXA1# run show chassis cluster interfaces
root@vSRXA1> show interfaces terse | match fab

4. Configure the HA redundancy groups (by default only group 0 exists, with priority 1 on both nodes; the priorities can be set manually. reth-count must be set before any reth interface can be created. The higher priority wins.)
root@vSRXA1# show | display set
set chassis cluster reth-count 8
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
Check the state of the redundancy groups:
root@vSRXA1# run show chassis cluster status

5. Configure the business (traffic) interfaces in the HA environment as reth interfaces (add one physical member per node to each reth and bind the reth to a data-plane redundancy group)
root@vSRXA1# show interfaces | display set | match reth
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
Check the state of the reth interfaces:
root@vSRXA1# run show interfaces terse | match reth
root@vSRXA1# run show chassis cluster interfaces | no-more

6. Manual failover between node0 and node1 (the force keyword overrides the checks that would otherwise block the failover, so use it with care)
root@vSRXA1> request chassis cluster failover redundancy-group 0 node 1
root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1
root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1 force
After a manual failover the target node's priority for that redundancy group is pinned to 255 and stays there; it must be cleared by hand before the configured priorities (and preempt) apply again:
request chassis cluster failover reset redundancy-group 1
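The steps above are spread over several sections and leave out the pieces that make the reth interfaces actually forward traffic (unit addresses, zone membership) and the failover parameters announced in step 5 of section 4 (preempt, hold-down, interface monitoring). The following consolidated configuration is an added example, not configuration from the original post; the reth addresses (10.1.1.0/24, 10.2.2.0/24), the zone names, the hold-down interval and the monitor weights are assumptions chosen for the lab, everything else repeats the post's values.

```junos
## Added example (not from the original post). Addresses, zone names,
## hold-down interval and monitor weights below are assumptions.

## 1) Management: per-node fxp0 address, a shared master-only address that
##    follows RG0, and a backup-router so the node without the active
##    routing engine is still reachable out of band.
set groups node0 system host-name vSRXA1
set groups node0 system backup-router 192.168.100.254 destination 192.168.100.0/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.2/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only
set groups node1 system host-name vSRXA2
set groups node1 system backup-router 192.168.100.254 destination 192.168.100.0/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.3/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only
set apply-groups "${node}"

## 2) Data-link (fabric): fab0 = node0, fab1 = node1 (+7 slot offset on vSRX).
set interfaces fab0 fabric-options member-interfaces ge-0/0/4
set interfaces fab1 fabric-options member-interfaces ge-7/0/4

## 3) Redundancy groups: RG0 = routing engine, RG1 = data plane, node0 preferred.
set chassis cluster reth-count 8
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

## 4) reth interfaces: one member per node, owned by RG1, with L3 addressing.
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-7/0/3 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.1.1.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.2.2.1/24

## A reth that belongs to no security zone passes no traffic.
set security zones security-zone trust interfaces reth0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces reth1.0 host-inbound-traffic system-services ping

## 5) Failover parameters (assumed values). preempt lets node0 take RG1 back
##    once it is healthy again; hold-down-interval limits flapping; the RG
##    failover threshold is 255, so a single weight-255 interface failure on
##    the active node moves RG1 (and both reths) to the other node.
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 hold-down-interval 30
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/3 weight 255
```

Commit this on the primary node; the commit is pushed to node1 automatically. Verify with `show chassis cluster status` (node0 should be primary for RG0 and RG1 with priority 200, Monitor-failures None) and `show chassis cluster interfaces`, which lists the monitored interfaces and the fab/control link state. Two caveats: interface-monitor only sees physical link state, so an upstream switch that keeps the port up but black-holes traffic will not trigger a failover (ip-monitoring is the tool for that case); and after any manual `request chassis cluster failover`, the target node keeps priority 255 until `request chassis cluster failover reset redundancy-group 1` is issued, which also blocks preempt from returning RG1 to node0.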



Reposted from www.cnblogs.com/xwupiaomiao/p/12087924.html