Juniper SRX防火墙HA配置

1、实验环境介绍
1）vsrx 12.1X47-D20.7

2、实验拓扑

vSRXA1与vSRXA2之间建议Chassis Cluster
ge-0/0/0为带外管理接口(系列默认，不可改)
ge-0/0/1为control-link（系统配置，不可改）
ge-0/0/4为data-link(手工配置，可改)
control-link与data-link采用背靠背的链接方式。

在低端的SRX防火墙带外管理接口、控制接口、数据接口都是业务接口。
在高端的SRX防火墙管理接口、控制接口即为专用接口，只有数据接口为业务接口。

在HA中node1的接口序号将发生变化，在vSRX虚拟器上转为为一个7槽的设备（即slot 0、一、二、三、四、五、6）
node0的接口序号为ge-0/0/0、ge-1/0/0....ge-6/0/0
node1的接口序号为ge-7/0/0、ge-8/0/0...ge-13/0/0

3、SRX 从单机模式到HA模式，须要重启防火墙
vSRXA1:
set chassis cluster cluster-id 1 node 0 reboot
vSRXA2:
set chassis cluster cluster-id 1 node 1 reboot
2) vSRX重启后自动加入HA模式
{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 1 primary no no None
node1 1 secondary no no None

{primary:node0}
root>

注： 低端的SRX防火墙中，control-link是预置的，只要防火墙工做于HA模式，ge-0/0/1就为control-link。可是在高端SRX防火墙中有专门的control-link须要手工配置，特别是在SRX5K中。若是不配置control-link防火墙将不能正常启动，SRX5K配置control-link Port命令以下:
set chassis cluster control-ports fpc 2 port 0
set chassis cluster control-ports fpc 5 port 0

4、SRX防火墙HA的配置顺序以下（在master防火墙操做便可）
1）配置管理接口（node0/1的管理地址及backup-router配置）
2）配置HA防火墙data-link接口（ge-0/0/1）
3）配置HA的Redundancy groups(默认0为控制平面，其它为数据平面)
4）配置HA中的业务接口RETH
5）配置HA的切换参数
6）根据以上配置顺序操做，便于异常的反推排查

5、SRX防火墙HA的配置步骤（在master防火墙操做便可）
1）配置管理接口及backup-router路由
{primary:node0}[edit groups]
root# show | display set
set groups node0 system host-name vSRXA1
set groups node0 system backup-router 192.168.100.254
set groups node0 system backup-router destination 192.168.100.0/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.2/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only
set groups node1 system host-name vSRXA2
set groups node1 system backup-router 192.168.100.254
set groups node1 system backup-router destination 192.168.100.0/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.3/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only

/调用前面配置的group node0/1，并提交配置保存 /
{primary:node0}[edit]
root# set apply-groups ${node}

{primary:node0}[edit]
root# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

{primary:node0}[edit]br/>root@vSRXA1#
/查看node0和node1的状态/

{primary:node0}[edit]
root@vSRXA1# run show interfaces terse | match fxp0
fxp0 up up
fxp0.0 up up inet 192.168.100.1/24 (group中master-only的做用)

{primary:node0}[edit]
root@vSRXA1#

{secondary:node1}
root@vSRXA2> show interfaces terse | match fxp0
fxp0 up up
fxp0.0 up up inet 192.168.100.3/24

{secondary:node1}
root@vSRXA2>

2）配置HA的data-link，配置的关键字为fab
{primary:node0}[edit]
root@vSRXA1# show interfaces | match fab | display set
set interfaces fab0 fabric-options member-interfaces ge-0/0/4
set interfaces fab1 fabric-options member-interfaces ge-7/0/4

末配置前的状态信息：
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster interfaces
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Down

Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0
fab0
fab1
fab1

Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0

{primary:node0}[edit]
root@vSRXA1# run show interfaces terse | match fab
fab0 up down
fab0.0 up down inet 30.17.0.200/24
fab1 up down
fab1.0 up down inet 30.18.0.200/24

{primary:node0}[edit]
root@vSRXA1#

配置后的状态信息：
{primary:node0}
root@vSRXA1> show chassis cluster interfaces
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Up

Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0 ge-0/0/4 Up / Up
fab0
fab1 ge-7/0/4 Up / Up
fab1

Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0

{primary:node0}
root@vSRXA1> show interfaces terse | match fab
ge-0/0/4.0 up up aenet --> fab0.0
ge-7/0/4.0 up up aenet --> fab1.0
fab0 up up
fab0.0 up up inet 30.17.0.200/24
fab1 up up
fab1.0 up up inet 30.18.0.200/24

{primary:node0}
root@vSRXA1>
3）配置HA的Redundancy groups(默认只有group 0 优先级为1，能够手工配置)
{primary:node0}[edit chassis cluster]
root@vSRXA1# show | display set
set chassis cluster reth-count 8
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

查看redundant group的状态：
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster status
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring

Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None

Redundancy group: 1 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None

{primary:node0}[edit]
root@vSRXA1#
4）配置HA环境中下的业务接口reth（将物理接口加入到reth组中）
{primary:node0}[edit]
root@vSRXA1# show interfaces | match reth | display set
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth1

set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
查看reth接口的状态：
root@vSRXA1# run show interfaces terse | match reth
ge-0/0/2.32767 up up aenet --> reth0.32767
ge-0/0/3.32767 up up aenet --> reth1.32767
ge-7/0/2.32767 up up aenet --> reth0.32767
ge-7/0/3.32767 up up aenet --> reth1.32767
reth0 up up
reth0.32767 up up
reth1 up up
reth1.32767 up up

{primary:node0}[edit]
root@vSRXA1#

{primary:node0}[edit]
root@vSRXA1# run show chassis cluster interfaces | no-more
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled

Fabric link status: Up

Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0 ge-0/0/4 Up / Up
fab0
fab1 ge-7/0/4 Up / Up
fab1

Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Up 1
reth1 Up 1

Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0

{primary:node0}[edit]
root@vSRXA1#

5）node0/1之间的切换（手工切换）
root@vSRXA1> request chassis cluster failover redundancy-group 0 node 1
root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1

手工切换后的优先级会达到255，须要手工恢复。
request chassis cluster failover reset redundancy-group 1

至此，SRX Chassi Cluster就能够正常使用了，若是须要修改其它参数请参数连接：
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-overview.html

下文将介绍，SRX HA接口的IP配置和路由配置的方法，谢谢！