I. Lab environment
1) vSRX 12.1X47-D20.7
II. Lab topology
A chassis cluster is configured between vSRXA1 and vSRXA2.
ge-0/0/0 is the out-of-band management interface (system default, cannot be changed).
ge-0/0/1 is the control-link (assigned by the system, cannot be changed).
ge-0/0/2 is the data-link (configured manually, can be changed).
The control-link and the data-link are connected back to back.
On low-end SRX firewalls the out-of-band management, control and data interfaces are all revenue (traffic) ports.
On high-end SRX firewalls the management and control interfaces are dedicated ports; only the data interface is a revenue port.
In HA mode the interface numbering of node1 changes: the vSRX is presented as a 7-slot device (slots 0, 1, 2, 3, 4, 5, 6).
node0 interfaces are numbered ge-0/0/0, ge-1/0/0 ... ge-6/0/0
node1 interfaces are numbered ge-7/0/0, ge-8/0/0 ... ge-13/0/0
III. Converting the SRX from standalone mode to HA mode requires a reboot of the firewall
1. Delete the configuration on both SRXs and set the root authentication password on each
vSRXA1:
root# delete #Note: on 12.1X47-D20.7 the default configuration must be deleted first
root# set system root-authentication plain-text-password
New password:
Retype new password:
root# commit
vSRXA2:
root# delete
root# set system root-authentication plain-text-password
New password:
Retype new password:
root# commit
2. Convert the SRXs to HA mode
vSRXA1:
root> set chassis cluster cluster-id 1 node 0 reboot
vSRXA2:
root> set chassis cluster cluster-id 1 node 1 reboot
3. After the reboot the vSRX joins HA mode automatically
root> show chassis cluster status
Cluster ID: 1
Node   Priority   Status      Preempt   Manual   Monitor-failures
Redundancy group: 0 , Failover count: 1
node0  1          primary     no        no       None
node1  1          secondary   no        no       None
{primary:node0}
Note: on low-end SRX firewalls the control-link is preset: as soon as the firewall runs in HA mode, ge-0/0/1 becomes the control-link. High-end SRX firewalls, and the SRX5K in particular, have dedicated control-link ports that must be configured manually; if no control-link is configured the firewall will not boot properly. The SRX5K control-link port commands are:
set chassis cluster control-ports fpc 2 port 0
set chassis cluster control-ports fpc 5 port 0
IV. SRX firewall HA configuration order (performed on the master firewall only)
1) Configure the management interfaces (node0/node1 management addresses and backup-router)
2) Configure the HA data-link interface (ge-0/0/1)
3) Configure the HA redundancy groups (group 0 is the control plane by default; the others are data plane)
4) Configure the HA revenue interfaces (reth)
5) Configure the HA failover parameters
6) Following this order makes it easier to trace a fault back step by step
V. SRX firewall HA configuration steps (performed on the master firewall only)
1. Configure the management interfaces and the backup-router route
root# show configuration | display set
set groups node0 system host-name vSRXA1
set groups node0 system backup-router 10.1.1.254
set groups node0 system backup-router destination 10.1.1.0/24
set groups node0 interfaces fxp0 unit 0 family inet address 10.1.1.2/24
set groups node0 interfaces fxp0 unit 0 family inet address 10.1.1.1/24 master-only
set groups node1 system host-name vSRXA2
set groups node1 system backup-router 10.1.1.254
set groups node1 system backup-router destination 10.1.1.0/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.1.1.3/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.1.1.1/24 master-only
root# set apply-groups "${node}" #applies the node0 and node1 groups configured above
root# commit #commit and save the configuration
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete
{primary:node0}[edit]
2. Check the out-of-band management interface status on node0 and node1
root@vSRXA1# run show interfaces terse | match fxp0
root@vSRXA2> show interfaces terse | match fxp0
3. Configure the HA data-link; the configuration keyword is fab
root@vSRXA1# show interfaces | match fab | display set
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-7/0/2
Check the fab interface status:
root@vSRXA1# run show chassis cluster interfaces
root@vSRXA2> show interfaces terse | match fab
4. Configure the HA redundancy groups (by default only group 0 exists, with priority 1; priorities can be set manually)
root@vSRXA1# show chassis cluster reth-count | display set
set chassis cluster reth-count 8 #defines the maximum number of redundancy groups (redundancy-group) the cluster supports; the default is 0
root@vSRXA1# show chassis cluster | display set | match priority
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
Check the redundancy group status:
root@vSRXA1# run show chassis cluster status
5. Configure the revenue interfaces (reth) in the HA environment (add the physical interfaces to the reth groups)
root@vSRXA1# show interfaces | match reth | display set
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-7/0/3 gigether-options redundant-parent reth0
set interfaces ge-7/0/4 gigether-options redundant-parent reth1
6. Add the revenue interfaces to a redundancy-group
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
Check the reth interface status:
root@vSRXA1# run show interfaces terse | match reth
root@vSRXA1# run show chassis cluster interfaces | no-more
7. Failover between node0 and node1 (manual failover)
root@vSRXA1> request chassis cluster failover redundancy-group 0 node 1
root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1
root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1 force
After a manual failover the priority becomes 255 and must be reset manually:
request chassis cluster failover reset redundancy-group 1
8. Example configuration, including cluster, port mapping (port 23) and NAT (the example below only needs to be configured on the primary device)
root@SRX1> show configuration | display set
set version 12.1X47-D20.7
set groups node0 system host-name SRX1
set groups node0 system time-zone Asia/Shanghai
set groups node0 system name-server 114.114.114.114
set groups node0 system services web-management http interface fxp0.0
set groups node0 system syslog file traffic-log any any
set groups node0 system syslog file traffic-log match RT_FLOW_SESSION
set groups node0 interfaces fxp0 unit 0 family inet address 10.1.1.1/24
set groups node1 system host-name SRX2
set groups node1 system time-zone Asia/Shanghai
set groups node1 system name-server 114.114.114.114
set groups node1 system services web-management http interface fxp0.0
set groups node1 system syslog file traffic-log any any
set groups node1 system syslog file traffic-log match RT_FLOW_SESSION
set groups node1 interfaces fxp0 unit 0 family inet address 10.1.1.2/24
set apply-groups "${node}"
set system root-authentication plain-text-password #the root password is entered interactively
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/5 weight 255
set chassis cluster redundancy-group 1 ip-monitoring global-threshold 2
set chassis cluster redundancy-group 1 ip-monitoring retry-interval 3
set chassis cluster redundancy-group 1 ip-monitoring retry-count 5
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.12.1 weight 255
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.12.1 interface reth0.0 secondary-ip-address 1.1.12.2
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-7/0/3 gigether-options redundant-parent reth0
set interfaces ge-7/0/4 gigether-options redundant-parent reth1
set interfaces ge-7/0/5 gigether-options redundant-parent reth2
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-7/0/2
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 1.1.12.2/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.1.1/24
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 172.16.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.12.1
set security nat source rule-set dmz-to-untrust from zone DMZ
set security nat source rule-set dmz-to-untrust to zone untrust
set security nat source rule-set dmz-to-untrust rule dmz-to-untrust match source-address 172.16.1.0/24
set security nat source rule-set dmz-to-untrust rule dmz-to-untrust match destination-address 0.0.0.0/0
set security nat source rule-set dmz-to-untrust rule dmz-to-untrust then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule trust-to-untrust match source-address 192.168.1.0/24
set security nat source rule-set trust-to-untrust rule trust-to-untrust match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule trust-to-untrust then source-nat interface
set security nat destination pool dmz-telnet address 172.16.1.2/32
set security nat destination pool dmz-telnet address port 23
set security nat destination pool trust-telnet address 192.168.1.2/32
set security nat destination pool trust-telnet address port 23
set security nat destination rule-set untrust-nat from zone untrust
set security nat destination rule-set untrust-nat rule untrust-to-dmz-telnet match destination-address 1.1.12.2/32
set security nat destination rule-set untrust-nat rule untrust-to-dmz-telnet match destination-port 23
set security nat destination rule-set untrust-nat rule untrust-to-dmz-telnet then destination-nat pool dmz-telnet
set security nat destination rule-set untrust-nat rule untrust-to-trust-telnet match destination-address 1.1.12.2/32
set security nat destination rule-set untrust-nat rule untrust-to-trust-telnet match destination-port 2323
set security nat destination rule-set untrust-nat rule untrust-to-trust-telnet then destination-nat pool trust-telnet
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet match source-address any-ipv4
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet match destination-address dmz-telnet-server
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet match application junos-telnet
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet match source-identity any
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet then permit
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet then log session-init
set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet then log session-close
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet match source-address any-ipv4
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet match destination-address trust-telnet-server
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet match application junos-telnet
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet match source-identity any
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet then log session-init
set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet then log session-close
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping match source-address dmz-172.16.1.0/24
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping match destination-address any-ipv4
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping match application junos-icmp-ping
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping match source-identity any
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping then permit
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet match source-address dmz-172.16.1.0/24
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet match destination-address untrust-server_1.1.1.1/32
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet match application junos-telnet
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet match source-identity any
set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping match source-address trust_192.168.1.0/24
set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping match destination-address any-ipv4
set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping match application junos-icmp-ping
set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping match source-identity any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet match source-address trust_192.168.1.0/24
set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet match destination-address untrust-server_1.1.1.1/32
set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet match application junos-telnet
set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet match source-identity any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet then permit
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping match source-address trust_192.168.1.0/24
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping match destination-address dmz-172.16.1.0/24
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping match application junos-icmp-ping
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping match source-identity any
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping then permit
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet match source-address trust_192.168.1.0/24
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet match destination-address dmz-telnet-server
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet match application junos-telnet
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet match source-identity any
set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet then permit
set security zones security-zone untrust address-book address untrust-server_1.1.1.1/32 1.1.1.1/32
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ping
set security zones security-zone trust address-book address trust-telnet-server 192.168.1.2/32
set security zones security-zone trust address-book address trust_192.168.1.0/24 192.168.1.0/24
set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services ping
set security zones security-zone DMZ address-book address dmz-telnet-server 172.16.1.2/32
set security zones security-zone DMZ address-book address dmz-172.16.1.0/24 172.16.1.0/24
set security zones security-zone DMZ interfaces reth2.0 host-inbound-traffic system-services ping
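Since the configuration order above is meant to keep faults traceable, a consistency check over the set-format config is worth running before committing. The following is an added example (not part of the original page) that checks a set-format chassis-cluster config for the relationships this page relies on: both fab links have a member, every reth has one member per node on the same port (assuming the vSRX slot offset of 7 described above, so ge-0/0/x on node0 pairs with ge-7/0/x on node1), the reth index is within reth-count, and every member is covered by interface-monitor; the config fragment is a constructed subset with deliberate gaps.

```python
import re
from collections import defaultdict

# Constructed subset of this page's set-format cluster config (not the page's own listing);
# fab1 and the node1 member of reth2 are deliberately omitted so the checks have something to find.
SAMPLE_CONFIG = """\
set chassis cluster reth-count 3
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/3 weight 255
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth2 redundant-ether-options redundancy-group 1
"""
NODE1_FPC_OFFSET = 7  # vSRX in HA: node1's ge-7/0/x is the counterpart of node0's ge-0/0/x
CC, IF = r"set chassis cluster ", r"set interfaces "

def check_cluster_config(text):
    """Return the consistency problems found in a set-format chassis-cluster config."""
    reth_count, monitored, members, fabs, reth_rg = 0, set(), defaultdict(dict), {}, {}
    for line in text.splitlines():
        if m := re.match(CC + r"reth-count (\d+)", line):
            reth_count = int(m[1])
        elif m := re.match(CC + r"redundancy-group \d+ interface-monitor (\S+)", line):
            monitored.add(m[1])
        elif m := re.match(IF + r"(fab[01]) fabric-options member-interfaces (\S+)", line):
            fabs[m[1]] = m[2]
        elif m := re.match(IF + r"(reth\d+) redundant-ether-options redundancy-group (\d+)", line):
            reth_rg[m[1]] = int(m[2])
        elif m := re.match(IF + r"(ge-\S+) gigether-options redundant-parent (reth\d+)", line):
            # key the member by node and keep the slot-normalised port so both nodes compare
            fpc, pic, port = map(int, m[1][3:].split("/"))
            members[m[2]][fpc // NODE1_FPC_OFFSET] = ((fpc % NODE1_FPC_OFFSET, pic, port), m[1])
    problems = [f"{f} has no member interface (data-link incomplete)"
                for f in ("fab0", "fab1") if f not in fabs]
    for reth in sorted(set(members) | set(reth_rg)):
        if int(reth[4:]) >= reth_count:
            problems.append(f"{reth} is outside reth-count {reth_count}")
        if reth not in reth_rg:
            problems.append(f"{reth} is not assigned to a redundancy-group")
        nodes = members[reth]
        if set(nodes) != {0, 1}:
            problems.append(f"{reth} has no member on node{1 if 0 in nodes else 0}")
        elif nodes[0][0] != nodes[1][0]:
            problems.append(f"{reth} members sit on different ports on node0 and node1")
        problems += [f"{ifc} ({reth}) is not covered by interface-monitor"
                     for _, ifc in nodes.values() if ifc not in monitored]
    return problems
```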