Trying SRX550 HA with port aggregation for high availability
2015-01-27 18:05:57
As shown in the figure below:
Two front-end switches are stacked and two back-end switches are stacked; the two firewalls in between run in HA mode. Looking into the documentation turned up the following:
The SRX series firewalls use the JSRP protocol for HA, the counterpart of NetScreen's NSRP. The biggest difference between JSRP and NSRP is that JSRP forms a cluster: the two firewalls are virtualized into a single device. NSRP normally runs in active/standby mode, and the standby unit has to be managed separately.
JSRP requires the two devices to be identical in model, software version, installed cards and so on.
(JSRP forms a cluster; the two firewalls are virtualized into a single device.) Reading this was a delight: logically, the six devices can be treated as three, giving the highest reliability while greatly simplifying the configuration work.
Fix for the error shown when saving the configuration:
HA management port cannot be configured
Reference article (written for the SRX650):
http://rtoodtoo.net/2011/04/07/srx-cluster/
The firewall configuration is as follows.
1. On device A
Configuration mode:
delete interfaces ge-0/0/0
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete security zones security-zone untrust interfaces ge-0/0/0.0
Operational (CLI) mode:
set chassis cluster cluster-id 1 node 0 reboot
2. On device B
Configuration mode:
delete interfaces ge-0/0/0
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete security zones security-zone untrust interfaces ge-0/0/0.0
Operational (CLI) mode (device B is node 1, as in step 8 below):
set chassis cluster cluster-id 1 node 1 reboot
Port aggregation reference article:
http://chimera.labs.oreilly.com/books/1234000001633/ch04.html#aggregate_interfaces
1. Remote management configuration for the SRX
run set date YYYYMMDDhhmm.ss (set the system clock)
set system time-zone Asia/Shanghai (set the time zone to Shanghai)
set system host-name SRX3400-A (set the host name)
set system name-server 1.1.1.1 (set the DNS server)
set system services ftp
set system services telnet
set system services web-management http
2. Configure the out-of-band management addresses
set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.20/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.100.21/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1
3. Add the out-of-band management interface to the untrust zone
set security zones security-zone untrust interfaces ge-0/0/0.0
4. Allow the remote management services inbound in the untrust zone
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services telnet
5. Define address-book entries and address sets
set security zones security-zone trust address-book address AS1 172.16.40.10/32
set security zones security-zone trust address-book address AS2 172.16.40.20/32
set security zones security-zone trust address-book address Tomcat1 172.16.40.30/32
set security zones security-zone trust address-book address Tomcat2 172.16.40.40/32
set security zones security-zone trust address-book address Tomcat3 172.16.40.50/32
set security zones security-zone trust address-book address Tomcat4 172.16.40.60/32
set security zones security-zone trust address-book address RAC1 172.16.40.100/32
set security zones security-zone trust address-book address RAC1-VIP 172.16.40.101/32
set security zones security-zone trust address-book address RAC2 172.16.40.110/32
set security zones security-zone trust address-book address RAC2-VIP 172.16.40.111/32
set security zones security-zone trust address-book address RAC-Cluster 172.16.40.120/32
set security zones security-zone untrust address-book address RS1 172.16.30.10/32
set security zones security-zone untrust address-book address RS2 172.16.30.20/32
set security zones security-zone untrust address-book address Apache1 172.16.30.30/32
set security zones security-zone untrust address-book address Apache2 172.16.30.30/32
set security zones security-zone untrust address-book address Apache3 172.16.30.30/32
set security zones security-zone untrust address-book address Apache4 172.16.30.30/32
set security zones security-zone untrust address-book address-set DMZ address RS1
set security zones security-zone untrust address-book address-set DMZ address RS2
set security zones security-zone untrust address-book address-set DMZ address Apache1
set security zones security-zone untrust address-book address-set DMZ address Apache2
set security zones security-zone untrust address-book address-set DMZ address Apache3
set security zones security-zone untrust address-book address-set DMZ address Apache4
(An address set references the address names defined above; the prefixes are not repeated on the address-set lines.)
set security zones security-zone trust address-book address-set CORE address AS1
set security zones security-zone trust address-book address-set CORE address AS2
set security zones security-zone trust address-book address-set CORE address Tomcat1
set security zones security-zone trust address-book address-set CORE address Tomcat2
set security zones security-zone trust address-book address-set CORE address Tomcat3
set security zones security-zone trust address-book address-set CORE address Tomcat4
set security zones security-zone trust address-book address-set CORE address RAC1
set security zones security-zone trust address-book address-set CORE address RAC1-VIP
set security zones security-zone trust address-book address-set CORE address RAC2
set security zones security-zone trust address-book address-set CORE address RAC2-VIP
set security zones security-zone trust address-book address-set CORE address RAC-Cluster
6. Define a permit policy in the trust-to-untrust direction that allows the DMZ group's source addresses to reach the CORE addresses on any application
set security policies from-zone trust to-zone untrust policy 001 match source-address DMZ destination-address CORE application any
set security policies from-zone trust to-zone untrust policy 001 then permit
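The address books and the policy above are where zone and direction mistakes creep in: a policy whose source set is defined in a different zone than its from-zone never matches the intended traffic, and two names bound to the same prefix are usually a copy-paste slip. As an added check (example code written for this page, not part of the original post and not a Junos tool), this Python script parses set lines in the form used above, maps each address and address-set name to the zone whose address book defines it, and reports policies whose source or destination lives in the wrong zone along with duplicated prefixes; the sample config is a constructed subset of the page's lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the page's address-book and policy lines.
SAMPLE_CONFIG = """
set security zones security-zone trust address-book address AS1 172.16.40.10/32
set security zones security-zone untrust address-book address RS1 172.16.30.10/32
set security zones security-zone untrust address-book address Apache1 172.16.30.30/32
set security zones security-zone untrust address-book address Apache2 172.16.30.30/32
set security zones security-zone untrust address-book address-set DMZ address RS1
set security zones security-zone untrust address-book address-set DMZ address Apache1
set security zones security-zone trust address-book address-set CORE address AS1
set security policies from-zone trust to-zone untrust policy 001 match source-address DMZ destination-address CORE application any
set security policies from-zone trust to-zone untrust policy 001 then permit
"""

ZONE = r"^set security zones security-zone (\S+) address-book "
ADDR_RE = re.compile(ZONE + r"address (\S+) (\S+)$")
SET_RE = re.compile(ZONE + r"address-set (\S+) address (\S+)$")
POL_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                    r"match source-address (\S+) destination-address (\S+)")

def parse(config):
    """Return (name -> zone, prefix -> [names], [(from, to, id, src, dst)])."""
    zone_of, names_by_prefix, policies = {}, defaultdict(list), []
    for line in config.strip().splitlines():
        if m := ADDR_RE.match(line):
            zone, name, prefix = m.groups()
            zone_of[name] = zone
            names_by_prefix[prefix].append(name)
        elif m := SET_RE.match(line):
            zone_of[m.group(2)] = m.group(1)  # a set belongs to the zone whose book defines it
        elif m := POL_RE.match(line):
            policies.append(m.groups())
    return zone_of, names_by_prefix, policies

def audit(config):
    """Return human-readable findings: duplicate prefixes and zone/direction mismatches."""
    zone_of, names_by_prefix, policies = parse(config)
    findings = [f"prefix {p} defined as {', '.join(n)}" for p, n in names_by_prefix.items() if len(n) > 1]
    for from_zone, to_zone, pid, src, dst in policies:
        # "any" is built in and valid in every zone; named objects must live in the matching zone
        if src != "any" and zone_of.get(src) != from_zone:
            findings.append(f"policy {pid}: source {src} is in zone {zone_of.get(src)}, not from-zone {from_zone}")
        if dst != "any" and zone_of.get(dst) != to_zone:
            findings.append(f"policy {pid}: destination {dst} is in zone {zone_of.get(dst)}, not to-zone {to_zone}")
    return findings
```

Run against the sample, audit() reports the shared 172.16.30.30/32 prefix and flags policy 001 in both directions, since DMZ is defined in untrust and CORE in trust; swapping from-zone and to-zone clears the policy findings.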
7. Initialize the ge-0/0/1 and ge-0/0/2 interfaces on both devices, deleting all of their existing configuration
delete interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
delete interfaces ge-0/0/1 unit 0 family ethernet-switching
delete interfaces ge-0/0/1 unit 0
delete interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
delete interfaces ge-0/0/2 unit 0 family ethernet-switching
delete interfaces ge-0/0/2 unit 0
8. Configure the cluster-id and node-id
SRX-A> set chassis cluster cluster-id 1 node 0 reboot
SRX-B> set chassis cluster cluster-id 1 node 1 reboot
9. Specify the fabric link ports
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2
10. Configure HA control-link recovery
set chassis cluster control-link-recovery
11. Configure the redundancy groups
set chassis cluster reth-count 10 (maximum number of redundant Ethernet interfaces in the whole cluster)
set chassis cluster redundancy-group 0 node 0 priority 200 (higher value wins, the opposite of NSRP)
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200 (higher value wins, the opposite of NSRP)
set chassis cluster redundancy-group 1 node 1 priority 100
(reth3 and reth5 in step 12 reference redundancy groups 3 and 5, so those groups must also be defined; the same priorities are used here)
set chassis cluster redundancy-group 3 node 0 priority 200
set chassis cluster redundancy-group 3 node 1 priority 100
set chassis cluster redundancy-group 5 node 0 priority 200
set chassis cluster redundancy-group 5 node 1 priority 100
12. Configure the redundant Ethernet interfaces
A redundant Ethernet interface is similar to a redundant interface in ScreenOS, except that its member interfaces can be spread across the same or different chassis (a property that in turn resembles the ScreenOS VSI interface).
set interfaces ge-0/0/3 gigether-options redundant-parent reth3 (ge-0/0/3 on node 0)
set interfaces ge-0/0/4 gigether-options redundant-parent reth3 (ge-0/0/4 on node 0)
set interfaces ge-9/0/3 gigether-options redundant-parent reth3 (ge-0/0/3 on node 1)
set interfaces ge-9/0/4 gigether-options redundant-parent reth3 (ge-0/0/4 on node 1)
set interfaces reth3 redundant-ether-options redundancy-group 3
set interfaces ge-0/0/5 gigether-options redundant-parent reth5 (ge-0/0/5 on node 0)
set interfaces ge-0/0/6 gigether-options redundant-parent reth5 (ge-0/0/6 on node 0)
set interfaces ge-9/0/5 gigether-options redundant-parent reth5 (ge-0/0/5 on node 1)
set interfaces ge-9/0/6 gigether-options redundant-parent reth5 (ge-0/0/6 on node 1)
set interfaces reth5 redundant-ether-options redundancy-group 5
13. Configure interface monitoring: when a monitored interface goes down, an active/standby switchover is performed automatically (similar to ScreenOS)
set chassis cluster redundancy-group 3 interface-monitor ge-0/0/2 weight 255
set chassis cluster redundancy-group 3 interface-monitor ge-9/0/2 weight 255
set chassis cluster redundancy-group 3 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 3 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 3 interface-monitor ge-9/0/3 weight 255
set chassis cluster redundancy-group 3 interface-monitor ge-9/0/4 weight 255
set chassis cluster redundancy-group 5 interface-monitor ge-0/0/2 weight 255
set chassis cluster redundancy-group 5 interface-monitor ge-9/0/2 weight 255
set chassis cluster redundancy-group 5 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 5 interface-monitor ge-0/0/6 weight 255
set chassis cluster redundancy-group 5 interface-monitor ge-9/0/5 weight 255
set chassis cluster redundancy-group 5 interface-monitor ge-9/0/6 weight 255
JSRP maintenance commands
a) Manually switch the JSRP master; the former backup of RG1 becomes master
root@srxa> request chassis cluster failover redundancy-group 1 node 1
b) Manually restore the JSRP state, re-electing master and backup by priority (higher value wins)
root@srxb> request chassis cluster failover reset redundancy-group 1
c) Show the cluster interfaces
root@router> show chassis cluster interfaces
d) Show the cluster status, node states and master/backup roles
lab@srxa# run show chassis cluster status
e) Remove the cluster configuration (operational mode)
srxa> set chassis cluster disable reboot
f) Upgrading the JSRP software version
The SRX does not currently support in-service software upgrade (ISSU); the upgrade interrupts traffic.
The upgrade steps are:
1. Upgrade node 0; do not reboot the system.
2. Upgrade node 1; do not reboot the system.
3. Reboot both systems at the same time.
g) Recovering a node in the disabled state
When the control port or fabric link fails, JSRP puts the node that was secondary before the failure into the disabled state to avoid a dual-master (split-brain) situation; in that state nothing except the RE is working. To recover, that node must be rebooted.
3. Routine SRX firewall operation and maintenance
3.1 Shutting the device down
Because the Routing Engine carries a large-capacity hard disk, and a forced power-off can cause hardware faults, the device must be shut down using the following steps:
1. Connect a management terminal to the SRX console port.
2. Log in to the CLI with a user name and password that have sufficient privileges.
3. At the prompt, enter the following command:
user@host> request system halt
…
The operating system has halted.
Please press any key to reboot (do not press any key here unless you intend to reboot the device; otherwise it will restart)
4. Once the console prints the message above, confirm that the operating system has halted and switch off the power supply modules at the back of the chassis.
3.2 Rebooting the device
The SRX must be rebooted using the following steps:
1. Connect a management terminal to the SRX console port.
2. Log in to the CLI with a user name and password that have sufficient privileges.
3. At the prompt, enter the following command:
user@host> request system reboot
4. Wait for the console output confirming that the operating system has restarted.
3.3 Upgrading the operating system
The SRX software must be upgraded using the following steps:
1. Connect a management terminal to the SRX console port so that the reboot and software loading can be watched during the upgrade.
2. Enable the FTP service on the SRX and, using a non-root user that has superuser privileges, upload the downloaded software image to the SRX with an FTP client.
3. Before upgrading, back up the old software and settings with:
user@host> request system snapshot
4. Load the new SRX software:
user@host> request system software add validate filename.tgz reboot
5. After the software loads successfully the SRX reboots automatically; once it is back, check the running software version:
user@host> show system software
3.4 Password recovery
If the SRX root password is lost and no other account with superuser privileges exists, a password recovery must be performed. This interrupts normal operation of the device but does not lose the configuration, which is a difference from ScreenOS.
To recover the password, proceed as follows:
1. Connect to the SRX console port and reboot the SRX.
2. During boot, when the console shows the prompt below, press the space bar to interrupt the normal boot, then enter single-user mode by typing: boot -s
Loading /boot/defaults/loader.conf
/kernel data=… … syms=[… …]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s
3. Perform the password recovery: type recovery at the prompt below, and the device will restart automatically
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
4. Enter configuration mode, delete the root password and set a new one:
user@host> configure
Entering configuration mode
user@host# delete system root-authentication
user@host# set system root-authentication plain-text-password
New password:
Retype new password:
user@host# commit
commit complete
3.5 Common monitoring and maintenance commands
The following commands are used in operational mode, or in configuration mode by prefixing them with run (run show …):
- show system software: show the current software version
- show system uptime: show the system uptime
- show chassis hardware: show the hardware cards and serial numbers
- show chassis environment: show the current state of the hardware cards
- show chassis routing-engine: show Routing Engine (RE) resource usage and status
- show route: show the routing table
- show arp: show the ARP table
- show log messages: show the system log
- show interfaces terse: show the operational state of all interfaces
- show interfaces ge-x/y/z detail: show detailed statistics for an interface
- monitor interface ge-x/y/z: live packet-forwarding statistics for an interface
- monitor traffic interface ge-x/y/z: live packet capture (tcpdump, similar to the ScreenOS snoop command)
- show security flow session summary: show the current number of concurrent firewall sessions
- show security flow session: show the current concurrent sessions in detail
- clear security flow session all: clear the current sessions
- show security alg status: check which ALGs are enabled globally
- SRX equivalent of ScreenOS debug flow basic for tracing the packet processing path:
  - set security flow traceoptions flag basic-datapath: enable the basic SRX packet-processing debug
  - set security flow traceoptions file filename.log: write the output to the named file
  - set security flow traceoptions file filename.log size <size>: set the file size (default 128k)
  - set security flow traceoptions packet-filter filter1 destination-prefix 5.5.5.2: set a packet tracing filter
  - run file show filename.log: view the log output
- SRX equivalent of the ScreenOS get tech command, the information to collect when opening a case: request support information
Comments (1)
- 黄华锋: Expert...