Juniper Firewall HA Explained

Cluster-id #: 1-15 can be chosen; with cluster-id 0 the device cannot form an HA pair.
Group #: the horizontal dimension (a redundancy group spans both nodes); used to control the data plane.
Node id #: the vertical dimension; SRX1, SRX2.
Fxp0: out-of-band management port. It is independent of HA, and the management-port configuration is not synchronized.
Fxp1: control-plane heartbeat port. Which physical port it is differs by model; it needs no configuration.
Fab#: data-plane heartbeat (fabric) link. Module type 1GE or 10GE.
Reth#: redundant Ethernet forwarding interface; one physical interface from each SRX is bundled into a reth. It uses a virtual MAC address, belongs to a redundancy group, and carries the IP address.

 

For a new device: unbox it, rack it and power it on. The control heartbeat link must be connected first, with no configuration needed; otherwise the primary and secondary cannot recognize each other as members of the same cluster-id. Then put both devices into the same cluster-id and reboot them to form the HA pair; from then on all configuration is done on the primary device. The cluster settings are changed in operational mode:
> set chassis cluster cluster-id 1 node 0 reboot    # on the primary device
> set chassis cluster cluster-id 1 node 1 reboot    # on the secondary device

Set the host names
set groups node0 system host-name DCB_NIB232_INT_FW01
set groups node1 system host-name DCB_NIB233_INT_FW02

Configure the IP addresses of the management interface fxp0
set groups node0 interfaces fxp0 unit 0 family inet address 10.188.255.31/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.188.255.32/24
set apply-groups "${node}"
 
Configure the data-fabric interfaces fab0 and fab1 by assigning their physical member interfaces
set interfaces fab0 fabric-options member-interfaces ge-0/0/9
set interfaces fab1 fabric-options member-interfaces ge-4/0/9

Configure the reth interfaces: assign the physical interfaces to their reth parent
set chassis cluster reth-count 10
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-4/0/0 gigether-options redundant-parent reth0
set interfaces ge-4/0/1 gigether-options redundant-parent reth1

Configure the reth interface IP addresses
set interfaces reth0 unit 0 family inet address 172.254.247.4/28
set interfaces reth1 unit 0 family inet address 172.254.248.1/28

Assign the reth interfaces to security zones
set security zones security-zone trust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
Assign the reth interfaces to a redundancy group
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
Configure cluster timers and node priorities
set chassis cluster control-link-recovery  # if a control heartbeat link fails, the secondary node is disabled and then rebooted automatically
set chassis cluster heartbeat-interval 1000  # milliseconds
set chassis cluster heartbeat-threshold 3  # number of missed heartbeats
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt  # enable preemption
Configure the monitored interfaces of the redundancy group
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-4/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-4/0/1 weight 255
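An added example (not from the original page or from Juniper) that models how the redundancy-group 1 settings above decide which node is primary: priorities 200/100, preempt, and four monitored links of weight 255 against the per-node threshold of 255. It assumes that ge-0/0/x sits in node 0 and ge-4/0/x in node 1, matching the fab and reth member assignments used on this page.

```python
# Added example (not Junos code): models how the redundancy-group 1 settings
# on this page choose the primary node. Each node starts at a threshold of 255;
# every monitored link that is down subtracts its weight, and a node whose
# threshold reaches 0 is no longer eligible to hold the group.
from dataclasses import dataclass
from typing import Dict, Optional

THRESHOLD = 255

def node_of(ifname: str) -> int:
    """Assumption: ge-0/0/x lives in node 0 and ge-4/0/x in node 1, as on this page."""
    fpc = int(ifname.split("-")[1].split("/")[0])
    return 0 if fpc < 4 else 1

@dataclass
class RedundancyGroup:
    priority: Dict[int, int]       # node -> configured priority
    monitor: Dict[str, int]        # interface -> interface-monitor weight
    preempt: bool
    primary: Optional[int] = None  # current primary, None before first election

    def eligible(self, link_up: Dict[str, bool]) -> Dict[int, int]:
        """Remaining threshold per node, keeping only nodes still above 0."""
        remaining = {n: THRESHOLD for n in self.priority}
        for ifname, weight in self.monitor.items():
            if not link_up.get(ifname, True):      # unlisted links count as up
                remaining[node_of(ifname)] -= weight
        return {n: r for n, r in remaining.items() if r > 0}

    def elect(self, link_up: Dict[str, bool]) -> Optional[int]:
        """Re-run the election after a link-state change; returns the primary."""
        ok = self.eligible(link_up)
        if not ok:
            self.primary = None               # simplified: nobody can hold the group
            return None
        # Without preempt a still-healthy primary keeps the role; with preempt
        # the highest-priority eligible node always takes it back.
        if not self.preempt and self.primary in ok:
            return self.primary
        self.primary = max(ok, key=lambda n: self.priority[n])
        return self.primary

def rg1_from_page(preempt: bool = True) -> RedundancyGroup:
    """Redundancy group 1 with the priorities and monitor weights configured above."""
    return RedundancyGroup(
        priority={0: 200, 1: 100},
        monitor={"ge-0/0/0": 255, "ge-4/0/0": 255, "ge-0/0/1": 255, "ge-4/0/1": 255},
        preempt=preempt,
    )
```

With every link weighted 255, a single monitored link going down already drains its node's threshold, so `rg1_from_page().elect({"ge-0/0/0": False})` moves the group to node 1; lower weights would require several links to fail before the group moves.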

Status checks

show version 
show system alarm
show chassis alarm
show chassis hardware
show chassis routing-engine
show chassis fpc detail
show chassis fpc pic-status
show chassis environment
show chassis cluster status (optionally: redundancy-group 1)
show chassis cluster information
show chassis cluster statistics
show chassis cluster interfaces 
show interfaces terse | match reth
show interfaces terse | match "fab|fxp1"

Address translation (NAT)


Source-IP-based NAT

set security nat source rule-set trust-to-untrust from zone trust 
set security nat source rule-set trust-to-untrust to zone untrust 
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0 
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface          

Pool-based Source NAT (source address translation using an address pool)

set security nat source pool snatpool address 202.100.12.23/32 to 202.100.12.30/32       # the pool of translated (post-NAT) addresses
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule 1 match source-address 192.168.0.0/22
set security nat source rule-set trust-to-untrust rule 1 then source-nat pool snatpool
set security nat proxy-arp interface ge-0/0/1.0 address 202.100.12.23/32 to 202.100.12.30/32    # any pool-based NAT must also configure proxy-arp

Pool-based Destination NAT, no port translation

set security nat destination pool a address 192.168.12.1/32 to 192.168.12.4/32  
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 to zone trust
set security nat destination rule-set 1 rule 1a match destination-address 100.0.0.1/32
set security nat destination rule-set 1 rule 1a then destination-nat pool a

Pool-based Destination NAT (destination address translation using an address pool)

set security nat destination pool srv11-3389 address 172.16.1.11/32  # pre-mapping destination IP (the internal server)
set security nat destination pool srv11-3389 address 172.16.1.11/32 port 3389
set security nat destination rule-set utot from zone untrust
set security nat destination rule-set utot to zone trust
set security nat destination rule-set utot rule u236-srv11-3389 match source-address 0.0.0.0/0
set security nat destination rule-set utot rule u236-srv11-3389 match destination-address 192.168.1.236/32  # post-mapping destination IP (the address clients send to)
set security nat destination rule-set utot rule u236-srv11-3389 match destination-port 3389
set security nat destination rule-set utot rule u236-srv11-3389 then destination-nat pool srv11-3389

Pool-based Static NAT (static address translation; a form of destination NAT)

set security nat static rule-set SUTOT from zone untrust 
set security nat static rule-set SUTOT to zone trust  
set security nat static rule-set SUTOT rule U237-SRV10 match destination-address 192.168.1.237/32    # destination IP after translation (as seen from the untrust side)
set security nat static rule-set SUTOT rule U237-SRV10 then static-nat prefix 172.16.1.10/32  # destination IP before translation (the internal host)
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.237/32 

Note: in most cases, for source-based NAT the destination is "any", and for destination-based NAT the source is "any", so the "any" parameter may be configured or omitted; if it is a host address
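An added example (not from the original page or from Juniper) that replays the three NAT rule-sets above in the order an SRX applies them to the first packet of a session: static NAT, then destination NAT, then source NAT, with static NAT also covering the internal host's own outbound traffic. The rule data is copied from the page; the addresses 203.0.113.10 and 203.0.113.50 used in the checks are constructed, and pool allocation is simplified to the pool's first address.

```python
# Added example (not Junos code): replays the NAT rule-sets configured on this
# page in the order the SRX applies them to a session's first packet: static
# NAT first, then destination NAT, then source NAT. Rule data is taken from
# the page; pool allocation is simplified to the first pool address.
from ipaddress import ip_address, ip_network

# Static NAT (rule-set SUTOT): public prefix <-> internal prefix, bidirectional
STATIC_RULES = [("untrust", "trust", "192.168.1.237/32", "172.16.1.10/32")]
# Destination NAT (rule-set utot): public address:port -> pool address:port
DST_POOLS = {"srv11-3389": ("172.16.1.11", 3389)}
DST_RULES = [("untrust", "trust", "192.168.1.236/32", 3389, "srv11-3389")]
# Source NAT (rule-set trust-to-untrust): inside prefix -> pool range
SRC_POOLS = {"snatpool": ("202.100.12.23", "202.100.12.30")}
SRC_RULES = [("trust", "untrust", "192.168.0.0/22", "snatpool")]

def translate(from_zone, to_zone, src, dst, dport):
    """Return (src, dst, dport) after NAT for a session opened by this packet."""
    static_hit = False
    # 1. Static NAT: forward direction rewrites the destination; the mirrored
    #    direction (internal host initiating outbound) rewrites the source.
    for fz, tz, pub, inside in STATIC_RULES:
        if (fz, tz) == (from_zone, to_zone) and ip_address(dst) in ip_network(pub):
            dst, static_hit = str(ip_network(inside).network_address), True
        elif (fz, tz) == (to_zone, from_zone) and ip_address(src) in ip_network(inside):
            src, static_hit = str(ip_network(pub).network_address), True
    if static_hit:
        return src, dst, dport          # static NAT wins over the other rule-sets
    # 2. Destination NAT: first matching rule in the rule-set wins.
    for fz, tz, mdst, mport, pool in DST_RULES:
        if ((fz, tz) == (from_zone, to_zone) and dport == mport
                and ip_address(dst) in ip_network(mdst)):
            dst, dport = DST_POOLS[pool]
            break
    # 3. Source NAT: pool translation (simplified to the pool's first address;
    #    a real SRX allocates any address/port from the pool range).
    for fz, tz, msrc, pool in SRC_RULES:
        if (fz, tz) == (from_zone, to_zone) and ip_address(src) in ip_network(msrc):
            src = SRC_POOLS[pool][0]
            break
    return src, dst, dport

def proxy_arp_targets():
    """Translated addresses the SRX must answer ARP for, as the proxy-arp lines above do."""
    targets = {pub.split("/")[0] for _, _, pub, _ in STATIC_RULES}
    for first, last in SRC_POOLS.values():
        lo, hi = int(ip_address(first)), int(ip_address(last))
        targets.update(str(ip_address(a)) for a in range(lo, hi + 1))
    return targets
```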

NAT status checks

run show security flow session destination-prefix 59.46.168.212 destination-port 80
run show security zones untrust
run show security policies from-zone untrust to-zone trust
run show security nat static rule all
run show security nat destination rule all
run show security nat source rule all
run show security nat source pool all
run show security nat destination pool all