Friday, October 23, 2015

Juniper SRX Cluster

In this post I will show how to configure two Juniper SRX 650s as a chassis cluster for HA.
In this scenario there are two ISPs, and the cluster peers with each of them using BGP.

This is the network topology:



First, remove any existing interface and other configuration from each device:

root@% cli
root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

root# run show configuration
## Last commit: 2015-10-20 01:14:22 UTC by root
version 12.1X44-D35.5;
system {
    root-authentication {
        encrypted-password "fVsds%xw#7NYGHN3VFDS#|EGH6bjuS"; ## SECRET-DATA
    }
}

[edit]

Control link:

On the SRX650, connect ge-0/0/1 on device A to ge-0/0/1 on device B.
The ge-0/0/1 interface on device B becomes ge-9/0/1 after clustering is enabled in step 1. Note: it is strongly recommended that the control link interfaces be connected directly with a cable rather than through a switch.

Fabric (data) link:

On the SRX650, connect ge-0/0/2 on device A to ge-0/0/2 on device B.
The ge-0/0/2 interface on device B becomes ge-9/0/2 after clustering is enabled in step 1.

Step 1 – enable chassis cluster:

Note that this is done in operational mode, not configuration mode. The cluster-id is used to derive the virtual MAC addresses of the reth interfaces, so two clusters that share a broadcast domain must not use the same cluster-id.

root@SRX-A> set chassis cluster cluster-id 1 node 0 reboot


root@SRX-B> set chassis cluster cluster-id 1 node 1 reboot

After the reboot the interface numbering on node 1 changes: its FPC numbers are offset by 9, so ge-0/0/x becomes ge-9/0/x and ge-2/0/x becomes ge-11/0/x. Node 0 keeps its original numbering.

Step 2 – set device-specific configuration:

{primary:node0}
#Device A host name
set groups node0 system host-name SRX-A
#Device A's management IP address on the fxp0 interface
set groups node0 interfaces fxp0 unit 0 family inet address <ip address/mask>
#Device B host name
set groups node1 system host-name SRX-B
#Device B's management IP address on the fxp0 interface
set groups node1 interfaces fxp0 unit 0 family inet address <ip address/mask>
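The node-specific groups in Step 2 only take effect once they are applied to the configuration, and the secondary node needs a backup router for its fxp0 address because its Routing Engine does not run routing protocols. The following is an added example, not from the original post, that writes Step 2 out with the apply-groups statement and a backup-router; the 10.0.0.0/24 management network, the 10.0.0.11/12 addresses and the 10.0.0.1 gateway are assumed placeholders, and the lines starting with # are annotations to drop before pasting.

```junos
# Assumed management addressing: fxp0 on 10.0.0.0/24, gateway 10.0.0.1 (placeholders)
set groups node0 system host-name SRX-A
set groups node0 system backup-router 10.0.0.1 destination 10.0.0.0/8
set groups node0 interfaces fxp0 unit 0 family inet address 10.0.0.11/24
set groups node1 system host-name SRX-B
set groups node1 system backup-router 10.0.0.1 destination 10.0.0.0/8
set groups node1 interfaces fxp0 unit 0 family inet address 10.0.0.12/24

# Without this line the groups exist but apply to nothing; ${node} expands to node0 or node1 on each member
set apply-groups "${node}"
```

After the commit, `show configuration system host-name | display inheritance` on each node shows the value together with the group it was inherited from, which confirms that each member picked up its own group and not the other node's.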

Step 3 – configure control and data links:

{primary:node0}
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2

Note that the control link needs no configuration on the SRX650 (ge-0/0/1 is its dedicated control port); which ports serve as control and fabric links varies from model to model.

Step 4 – configure redundancy groups:

In my case I need four redundancy groups:
Redundancy group 0 is the control plane (the Routing Engine); no reth interfaces are associated with it.
Redundancy group 1 (reth1) for LAN-side connectivity using VLAN tagging.
Redundancy groups 2 and 3 (reth2 and reth3) for the two WAN links, one per ISP BGP peer.

The node priorities make node 0 the preferred primary for every group. Interface monitoring with weight 255 means that a single monitored link failure reaches the group's failover threshold of 255 and moves that group to the other node, so each group monitors the member links of its own reth on both nodes.

set chassis cluster reth-count 4
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-2/0/20 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-11/0/20 weight 255
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 1
set chassis cluster redundancy-group 2 interface-monitor ge-2/0/0 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-11/0/0 weight 255
set chassis cluster redundancy-group 3 node 0 priority 100
set chassis cluster redundancy-group 3 node 1 priority 1
set chassis cluster redundancy-group 3 interface-monitor ge-2/0/3 weight 255
set chassis cluster redundancy-group 3 interface-monitor ge-11/0/3 weight 255

Step 5 – configure interfaces:

Each physical member interface is tied to its reth with redundant-parent, and each reth is tied to its redundancy group with redundant-ether-options. The node 1 members use the offset FPC numbering (ge-11/0/x). The fab0/fab1 links were already defined in Step 3.

set interfaces ge-2/0/0 gigether-options redundant-parent reth2
set interfaces ge-2/0/3 gigether-options redundant-parent reth3
set interfaces ge-2/0/20 gigether-options redundant-parent reth1
set interfaces ge-11/0/0 gigether-options redundant-parent reth2
set interfaces ge-11/0/3 gigether-options redundant-parent reth3
set interfaces ge-11/0/20 gigether-options redundant-parent reth1
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 100 description LAN
set interfaces reth1 unit 100 vlan-id 100
set interfaces reth1 unit 100 family inet address 192.168.100.1/24
set interfaces reth1 unit 101 description LAN
set interfaces reth1 unit 101 vlan-id 101
set interfaces reth1 unit 101 family inet address 192.168.101.1/24
set interfaces reth2 description EXTERNAL-PRIMARY
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces reth2 unit 0 family inet address 1.1.1.1/29
set interfaces reth3 description EXTERNAL-SECONDARY
set interfaces reth3 redundant-ether-options redundancy-group 3
set interfaces reth3 unit 0 family inet address 2.2.2.1/29

Step 6 – set security parameters:

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone LAN interfaces reth1.100
set security zones security-zone LAN interfaces reth1.101
set security zones security-zone EXTERNAL host-inbound-traffic system-services ssh
set security zones security-zone EXTERNAL host-inbound-traffic system-services https
set security zones security-zone EXTERNAL host-inbound-traffic protocols all
set security zones security-zone EXTERNAL interfaces reth3.0
set security zones security-zone EXTERNAL interfaces reth2.0
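Two things in the zone configuration above deserve a second look: the EXTERNAL zone accepts SSH, HTTPS and every routing protocol on both ISP-facing reth units, so the firewall's own management services are reachable by anyone who can reach 1.1.1.1 or 2.2.2.1, while the trust zone that allows everything has no interfaces bound to it and the LAN zone allows nothing. The following is an added example, not part of the original post, that shows the page's EXTERNAL settings beside a tighter version: the WAN side only needs BGP for the ISP peerings (plus ping for troubleshooting), and management services move to the LAN zone. Lines starting with # are annotations, not commands.

```junos
# As on this page: management services and all routing protocols accepted on the WAN side
set security zones security-zone EXTERNAL host-inbound-traffic system-services ssh
set security zones security-zone EXTERNAL host-inbound-traffic system-services https
set security zones security-zone EXTERNAL host-inbound-traffic protocols all

# Tightened: replace the above with only what the ISP-facing zone needs
delete security zones security-zone EXTERNAL host-inbound-traffic
set security zones security-zone EXTERNAL host-inbound-traffic system-services ping
set security zones security-zone EXTERNAL host-inbound-traffic protocols bgp

# Management services belong on the LAN zone; the empty trust zone can go
delete security zones security-zone trust
set security zones security-zone LAN host-inbound-traffic system-services ping
set security zones security-zone LAN host-inbound-traffic system-services ssh
set security zones security-zone LAN host-inbound-traffic system-services https
```

host-inbound-traffic only says which services a zone accepts, not from whom; restricting the source addresses that may open SSH or HTTPS to the Routing Engine is the job of a stateless firewall filter on lo0, which is the subject of a later post here. Out-of-band management over fxp0 is unaffected by either version.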

Step 7 – commit changes:

In a chassis cluster a single commit on the primary node is synchronized to both nodes.

{primary:node0}
commit
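Once the commit has completed on both nodes, the cluster should be verified and a failover exercised before production traffic depends on it. The following operational commands are an added example, not from the original post; they check the cluster state and then fail redundancy group 1 (the LAN reth) over to node 1 and back.

```junos
{primary:node0}
root@SRX-A> show chassis cluster status
root@SRX-A> show chassis cluster interfaces
root@SRX-A> show chassis cluster statistics
root@SRX-A> show interfaces terse | match reth

root@SRX-A> request chassis cluster failover redundancy-group 1 node 1
root@SRX-A> show chassis cluster status redundancy-group 1

root@SRX-A> request chassis cluster failover reset redundancy-group 1
root@SRX-A> request chassis cluster failover redundancy-group 1 node 0
root@SRX-A> request chassis cluster failover reset redundancy-group 1
root@SRX-A> show chassis cluster status redundancy-group 1
```

What to look for: `show chassis cluster status` must list both nodes for every group 0 to 3, with node0 primary at priority 100, node1 secondary at priority 1 and no monitor failures; `show chassis cluster interfaces` must show the control link and fab0/fab1 as Up and every monitored interface as Up with weight 255; `show chassis cluster statistics` must show heartbeats sent and received on the control link with no errors. After the manual failover, group 1 shows node1 as primary with priority 255, which is the value a manual failover pins on the group until it is reset. Resetting restores the configured priorities but does not move the group back, because preempt is not enabled for these groups; hence the second manual failover to node 0 followed by its own reset.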

A few notes on Juniper SRX clustering:

When clustering is enabled, each node keeps its own data plane, but there is a single control plane, run by the node that is primary for redundancy group 0.
Within one redundancy group a node can only bring a single link into the reth, because the node aggregates whatever is connected to that group into one logical interface. You cannot connect more than one device to a node in the same redundancy group.

So a "triangle" (each node cabled to two switches with independent links in the same reth) simply won't work in this setup!

The only way to connect more than one link from a switch to a node is link aggregation (LACP, 802.3ad, EtherChannel) on the reth.

Also note that a reth can be configured with VLAN tagging and sub-units (like Cisco router sub-interfaces with encapsulation) or as a plain L3 interface.

Next posts will be on BGP, firewall filters and security policies.
