Juniper SRX Series Firewall Hot-Standby HA Configuration

highwin, posted 2019/01/25 15:10:04

[Abstract] I used to debug Juniper SRX series firewalls frequently, and have summarised several different dual-device hot-standby (HA) configuration labs from that work.

I. Test environment

Two SRX220 units

II. Configuration notes

On the SRX220 the default out-of-band management port is ge-0/0/6, the control port is ge-0/0/7, and the data (fabric) synchronisation port is ge-0/0/1. Once the two units form a cluster, the interfaces are labelled ge-0/0/0-7 on node 0 and ge-3/0/0-7 on node 1. The interface renumbering after clustering differs between models; see the official documentation for details.

III. Device cabling and interface IPs

ge-0/0/3: 192.168.3.1/24
ge-0/0/4: 192.168.4.1/24
ge-0/0/5: 192.168.5.1/24
MGT: 10.10.30.189-190/24
F0/0: 192.168.4.2/24
F0/1: 192.168.6.1/24 (simulating the remote Internet)


IV. Topology

(Figure: 111.png)


V. Configuration

(1) Routed-mode hot-standby HA

1. Detailed configuration:

On device A: >set chassis cluster cluster-id 1 node 0 reboot

On device B: >set chassis cluster cluster-id 1 node 1 reboot

On device A:

set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
set chassis cluster reth-count 3
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 192.168.5.1/24
set security zones security-zone trust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone DMZ interfaces reth2.0

2. Verification:

Check the cluster status:

root@SRX-Primary> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no
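The status output above is what an operator checks by eye after a failover test. For monitoring, it is worth parsing it and alerting on the conditions that matter: a redundancy group without exactly one primary, a node whose priority has dropped to 0 (which is what interface monitoring with weight 255 produces on a node configured with priority 100), the primary role split between the two nodes, or a failover count that has moved since the last snapshot. The Python script below is an added example written for this page, not code from the original post or from Juniper. Both status snapshots are constructed: the first mirrors the output shown above, the second is a hypothetical post-failover state.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the healthy status shown in the verification step above.
HEALTHY_STATUS = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no
"""

# Constructed sample: hypothetical state after a monitored interface on node0
# failed, so RG1 (the data plane) moved to node1 while RG0 stayed on node0.
AFTER_FAILOVER_STATUS = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 2
    node0                   0           secondary      no       no
    node1                   1           primary        no       no
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^\s*(node[01])\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)")


@dataclass
class RedundancyGroup:
    rg_id: int
    failover_count: int
    nodes: dict = field(default_factory=dict)  # "node0" -> (priority, status)


def parse_cluster_status(text):
    """Parse 'show chassis cluster status' text into {rg_id: RedundancyGroup}."""
    groups, current = {}, None
    for line in text.splitlines():
        m = RG_RE.match(line)
        if m:
            current = RedundancyGroup(int(m.group(1)), int(m.group(2)))
            groups[current.rg_id] = current
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            current.nodes[m.group(1)] = (int(m.group(2)), m.group(3))
    return groups


def check_cluster_health(groups):
    """Return findings that should raise an alert; an empty list means healthy."""
    findings, primaries = [], {}
    for rg_id, rg in sorted(groups.items()):
        statuses = [status for _, status in rg.nodes.values()]
        if len(rg.nodes) != 2:
            findings.append(f"RG{rg_id}: expected 2 nodes, found {len(rg.nodes)}")
        if statuses.count("primary") != 1:
            findings.append(f"RG{rg_id}: {statuses.count('primary')} primary nodes (expected 1)")
        for node, (prio, status) in rg.nodes.items():
            if status == "primary":
                primaries[rg_id] = node
            if prio == 0:
                # priority 100 minus weight 255 from a failed monitored port is shown as 0
                findings.append(f"RG{rg_id}: {node} has priority 0 (ineligible to become primary)")
    if len(set(primaries.values())) > 1:
        where = ", ".join(f"RG{r} on {n}" for r, n in sorted(primaries.items()))
        findings.append(f"primary role is split across nodes: {where}")
    return findings


def failover_deltas(before, after):
    """Per-RG change in failover count between two snapshots; an unexplained increase is worth an alert."""
    return {rg: after[rg].failover_count - before[rg].failover_count for rg in after if rg in before}
```

Run the script against two snapshots taken before and after the failover test in step 3: a healthy cluster yields no findings, the post-failover snapshot reports the node that lost its priority and the split primary role, and `failover_deltas` shows exactly which redundancy group moved.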

3. Test primary/backup failover

(Figure: 112.png)

4. Check the current primary/backup state of the devices:

(Figure: 113.png)

5. Configuration notes:

On device A: >set chassis cluster cluster-id 1 node 0 reboot
On device B: >set chassis cluster cluster-id 1 node 1 reboot
// Define the cluster-id and node. All members of one cluster must use the same cluster-id; the valid range is 0-15, and 0 disables clustering. node is 0 or 1, with 0 denoting the primary device.

On device A:

set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
// Give each cluster node its own host name and management IP address

set apply-groups "${node}"
// Apply the per-node group configuration above to each individual node

set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
// Define the data-plane fabric links and bind their member ports

set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
// Set each node's priority within the redundancy groups (range 1-254; the higher the value, the higher the priority). By convention two redundancy groups are defined: redundancy-group 0 controls the Routing Engine and redundancy-group 1 controls the data plane. You may also place each pair of redundant ports in its own redundancy group.

set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
// Configure interface monitoring on the data-plane redundant interfaces; interface monitoring is not recommended on redundancy-group 0. When a monitored interface fails, the node's priority drops by 255, so the data-plane redundancy group fails over automatically.

set chassis cluster reth-count 3
// Define the maximum number of redundant Ethernet (reth) interfaces the cluster supports. It must be at least the number of reth interfaces configured; any reth beyond that count will not work, and the routes through it will not take effect.

set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
// Add the physical ports to redundant interface reth0 and place reth0 in the data redundancy group redundancy-group 1

set interfaces reth0 unit 0 family inet address 192.168.3.1/24
// Configure an IP address on the redundant logical interface

set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
// Add the physical ports to redundant interface reth1 and place reth1 in the data redundancy group redundancy-group 1

set interfaces reth1 unit 0 family inet address 192.168.4.1/24
// Configure an IP address on the redundant logical interface

set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1
// Add the physical ports to redundant interface reth2 and place reth2 in the data redundancy group redundancy-group 1

set interfaces reth2 unit 0 family inet address 192.168.5.1/24
// Configure an IP address on the redundant logical interface

set security zones security-zone trust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone DMZ interfaces reth2.0
// Bind the cluster's logical interfaces to security zones


(2) Transparent-mode hot-standby HA

1. Detailed configuration:

On device A: >set chassis cluster cluster-id 1 node 0 reboot

On device B: >set chassis cluster cluster-id 1 node 1 reboot

On device A:

set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family bridge interface-mode access
set interfaces reth0 unit 0 family bridge vlan-id 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family bridge interface-mode access
set interfaces reth1 unit 0 family bridge vlan-id 1
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family bridge interface-mode access
set interfaces reth2 unit 0 family bridge vlan-id 1
set bridge-domains sysway domain-type bridge
set bridge-domains sysway vlan-id 1

2. Verification

Check the cluster status:

(Figure: 114.png)

3. Configuration notes

On device A: >set chassis cluster cluster-id 1 node 0 reboot
On device B: >set chassis cluster cluster-id 1 node 1 reboot
// Define the cluster-id and node. All members of one cluster must use the same cluster-id; the valid range is 0-15, and 0 disables clustering. node is 0 or 1, with 0 denoting the primary device.

On device A:

set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
// Apply the global configuration above to each individual node

set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
// Set the number of redundant interfaces and each node's priority within the redundancy groups

set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
// Configure interface monitoring in the data redundancy group

set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
// Bind the physical ports to their redundant (reth) interfaces

set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
// Define the data-plane fabric links and bind their member ports

set interfaces reth0 redundant-ether-options redundancy-group 1
// Associate interface reth0 with redundancy-group 1

set interfaces reth0 unit 0 family bridge interface-mode access
// Set the logical interface to bridge mode with interface type access

set interfaces reth0 unit 0 family bridge vlan-id 1
// Set the logical interface to bridge mode and allow VLAN 1 traffic through (the VLAN ID should match the VLAN of the directly connected switch port)

set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family bridge interface-mode access
set interfaces reth1 unit 0 family bridge vlan-id 1
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family bridge interface-mode access
set interfaces reth2 unit 0 family bridge vlan-id 1
// Set the corresponding attributes for reth1 and reth2

set bridge-domains sysway domain-type bridge
// Define the bridge domain's type and name

set bridge-domains sysway vlan-id 1
// Define the bridge domain's VLAN ID; it should match the VLAN ID defined on the reth interfaces

 

(3) Transparent-mode hot-standby HA (trunk interconnect)

1. Detailed configuration:

On device A: >set chassis cluster cluster-id 1 node 0 reboot

On device B: >set chassis cluster cluster-id 1 node 1 reboot

On device A:

set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 vlan-tagging
set interfaces reth0 native-vlan-id 1
set interfaces reth0 unit 0 family bridge interface-mode trunk
set interfaces reth0 unit 0 family bridge vlan-id-list 1-1000
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 vlan-tagging
set interfaces reth1 native-vlan-id 1
set interfaces reth1 unit 0 family bridge interface-mode trunk
set interfaces reth1 unit 0 family bridge vlan-id-list 1-1000
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 vlan-tagging
set interfaces reth2 native-vlan-id 1
set interfaces reth2 unit 0 family bridge interface-mode trunk
set interfaces reth2 unit 0 family bridge vlan-id-list 1-1000
set bridge-domains sysway vlan-id-list 1-1000

2. Verification

(Figure: 115.png)

Manual primary/backup failover:

(Figure: QQ截图20190125150446.jpg)

Current cluster status:

(Figure: 116.png)


3. Configuration notes

On device A: >set chassis cluster cluster-id 1 node 0 reboot
On device B: >set chassis cluster cluster-id 1 node 1 reboot
// Define the cluster-id and node. All members of one cluster must use the same cluster-id; the valid range is 0-15, and 0 disables clustering. node is 0 or 1, with 0 denoting the primary device.

On device A:

set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
// Apply the global configuration above to each individual node

set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
// Set the number of redundant interfaces and each node's priority within the control redundancy group

set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
// Configure interface monitoring in the data redundancy group

set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
// Bind the physical ports to the data redundancy group's reth interfaces

set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
// Define the data-plane fabric links and bind their member ports

set interfaces reth0 redundant-ether-options redundancy-group 1
// Associate interface reth0 with redundancy-group 1

set interfaces reth0 vlan-tagging
// Enable 802.1Q tagging on the interface

set interfaces reth0 native-vlan-id 1
// Set the interface's native VLAN ID to 1

set interfaces reth0 unit 0 family bridge interface-mode trunk
// Set the logical interface mode to trunk

set interfaces reth0 unit 0 family bridge vlan-id-list 1-1000
// Set the VLAN IDs allowed through the interface

set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 vlan-tagging
set interfaces reth1 native-vlan-id 1
set interfaces reth1 unit 0 family bridge interface-mode trunk
set interfaces reth1 unit 0 family bridge vlan-id-list 1-1000
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 vlan-tagging
set interfaces reth2 native-vlan-id 1
set interfaces reth2 unit 0 family bridge interface-mode trunk
set interfaces reth2 unit 0 family bridge vlan-id-list 1-1000
// Set the corresponding attributes for reth1 and reth2

set bridge-domains sysway vlan-id-list 1-1000
// Define the bridge domain and its allowed VLAN IDs; these should match the VLAN IDs defined on the reth interfaces

Bridge-domain definition for trunk-mode HA on newer Junos releases: set bridge-domains SRX650-CRM domain-type bridge vlan-id-list 1-1000 (still to be verified!)
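Several of the notes in sections (1) to (3) are consistency rules that are easy to break when a configuration is copied between boxes or edited by hand: reth-count must be at least the number of reth interfaces, every reth needs one member port on each node, interface monitoring belongs on the data redundancy group rather than redundancy-group 0, priorities lie in 1-254, and in transparent mode the bridge-domain VLANs must match the VLANs on the reth interfaces. The Python checker below is an added example written for this page, not the author's or Juniper's tooling. It parses set-format configuration and reports violations of those rules, accepting both the `vlan-id` (access) and `vlan-id-list` (trunk) forms. It assumes the SRX220 renumbering described in the notes above (node 1 ports appear as ge-3/0/x) and ignores statements it does not need (groups, zones, fab, interface-mode, vlan-tagging). The two sample configurations are constructed: the first follows the access-mode section, the second is deliberately broken in three places.

```python
from collections import defaultdict

# Assumption taken from the notes on this page: on a clustered SRX220 node 1's
# ports appear as ge-3/0/x. Other SRX models use a different FPC offset.
NODE1_FPC = 3


def node_of(ifname):
    """Map ge-<fpc>/<pic>/<port> to cluster node 0 or 1 by its FPC slot."""
    return 1 if int(ifname.split("-", 1)[1].split("/")[0]) == NODE1_FPC else 0


def expand_vlans(spec):
    """'1' -> {1}; '1-1000' -> {1, ..., 1000}."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def parse_set_config(text):
    """Collect the cluster-relevant statements from set-format configuration."""
    cfg = {"reth_count": None, "priority": defaultdict(dict), "monitor": defaultdict(dict),
           "reth_members": defaultdict(list), "reth_rg": {},
           "reth_vlans": defaultdict(set), "bd_vlans": defaultdict(set)}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "set":
            continue  # blank lines, // comments, and the ">set ... reboot" operational commands
        if t[1:3] == ["chassis", "cluster"]:
            if t[3] == "reth-count":
                cfg["reth_count"] = int(t[4])
            elif t[3] == "redundancy-group" and len(t) >= 9 and t[5] == "node":
                cfg["priority"][int(t[4])][int(t[6])] = int(t[8])
            elif t[3] == "redundancy-group" and len(t) >= 9 and t[5] == "interface-monitor":
                cfg["monitor"][int(t[4])][t[6]] = int(t[8])
        elif t[1] == "interfaces":
            if "redundant-parent" in t:
                cfg["reth_members"][t[t.index("redundant-parent") + 1]].append(t[2])
            elif "redundant-ether-options" in t:
                cfg["reth_rg"][t[2]] = int(t[-1])
            elif "bridge" in t and t[-2] in ("vlan-id", "vlan-id-list"):
                cfg["reth_vlans"][t[2]].update(expand_vlans(t[-1]))
        elif t[1] == "bridge-domains" and t[-2] in ("vlan-id", "vlan-id-list"):
            cfg["bd_vlans"][t[2]].update(expand_vlans(t[-1]))
    return cfg


def validate_cluster_config(text):
    """Return findings for the rules from this page; an empty list means they all hold."""
    cfg = parse_set_config(text)
    findings = []
    reths = sorted(set(cfg["reth_members"]) | set(cfg["reth_rg"]))
    if cfg["reth_count"] is None or cfg["reth_count"] < len(reths):
        findings.append(f"reth-count {cfg['reth_count']} is below the {len(reths)} reth interfaces configured")
    for rg, prios in sorted(cfg["priority"].items()):
        for node, p in sorted(prios.items()):
            if not 1 <= p <= 254:
                findings.append(f"RG{rg} node{node}: priority {p} is outside 1-254")
    if cfg["monitor"].get(0):
        findings.append("interface-monitor is configured on redundancy-group 0 (not recommended)")
    for reth in reths:
        members = cfg["reth_members"].get(reth, [])
        if {node_of(m) for m in members} != {0, 1}:
            findings.append(f"{reth}: members {members} do not include one port on each node")
        rg = cfg["reth_rg"].get(reth)
        if rg is None:
            findings.append(f"{reth}: not assigned to a redundancy group")
            continue
        for m in members:
            if m not in cfg["monitor"].get(rg, {}):
                findings.append(f"{reth}: member {m} has no interface-monitor in RG{rg}")
    bd_all = set().union(*cfg["bd_vlans"].values())
    for reth, vlans in sorted(cfg["reth_vlans"].items()):
        missing = sorted(vlans - bd_all)
        if missing:
            findings.append(f"{reth}: VLAN(s) {missing[:5]} are not in any bridge domain")
    return findings


# Constructed sample following the access-mode section (statements the checker ignores are omitted).
GOOD_CONFIG = """
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family bridge vlan-id 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family bridge vlan-id 1
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family bridge vlan-id 1
set bridge-domains sysway vlan-id 1
"""

# Constructed broken variant: reth-count too low, one monitor moved to RG0, bridge-domain VLAN mismatch.
BAD_CONFIG = (GOOD_CONFIG
              .replace("reth-count 3", "reth-count 2")
              .replace("redundancy-group 1 interface-monitor ge-0/0/5", "redundancy-group 0 interface-monitor ge-0/0/5")
              .replace("set bridge-domains sysway vlan-id 1", "set bridge-domains sysway vlan-id 10"))
```

Feed it the output of `show configuration | display set` from the primary node; the good sample produces no findings, while the broken one reports the low reth-count, the monitor on redundancy-group 0, the reth2 member that lost its monitor, and the three reth interfaces whose VLAN 1 no longer exists in the bridge domain.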



[Copyright notice] This article is original content by a Huawei Cloud community user and may not be reproduced without permission; to reproduce it, contact the original author for authorisation. If you find content in this community that appears to be plagiarised, you are welcome to report it by e-mail with supporting evidence; once verified, the community will remove the infringing content immediately. Report e-mail: cloudbbs@huaweicloud.com