Juniper vSRX HA Configuration


    I. Lab environment
    1) vSRX 12.1X47-D20.7

    II. Lab topology

    A Chassis Cluster is configured between vSRXA1 and vSRXA2.
    ge-0/0/0 is the out-of-band management interface (system default, cannot be changed).
    ge-0/0/1 is the control-link (assigned by the system, cannot be changed).
    ge-0/0/2 is the data-link (configured manually, can be changed).
    The control-link and the data-link are connected back-to-back.

    On low-end SRX firewalls the out-of-band management, control and data interfaces are all regular traffic (revenue) ports.
    On high-end SRX firewalls the management and control interfaces are dedicated ports; only the data interface is a traffic port.

    In HA mode the interface numbering on node1 changes: the vSRX becomes a 7-slot chassis (slots 0, 1, 2, 3, 4, 5 and 6).
    node0 interfaces are numbered ge-0/0/0, ge-1/0/0 ... ge-6/0/0
    node1 interfaces are numbered ge-7/0/0, ge-8/0/0 ... ge-13/0/0

    III. Converting an SRX from standalone mode to HA mode (the firewall must be rebooted)
    1. Delete the configuration on both SRXs and set the root authentication password on each
    vSRXA1:
    root# delete     # note: on version 12.1X47-D20.7 the default configuration must be deleted first
    root# set system root-authentication plain-text-password
    New password:
    Retype new password:
    root# commit
    vSRXA2:
    root# delete
    root# set system root-authentication plain-text-password
    New password:
    Retype new password:
    root# commit
    2. Convert the SRXs to HA mode
    vSRXA1:
    root> set chassis cluster cluster-id 1 node 0 reboot
    vSRXA2:
    root> set chassis cluster cluster-id 1 node 1 reboot
    3. After the reboot the vSRXs automatically come up in HA mode
    root> show chassis cluster status
    Cluster ID: 1
    Node    Priority   Status      Preempt   Manual   Monitor-failures

    Redundancy group: 0 , Failover count: 1
    node0   1          primary     no        no       None
    node1   1          secondary   no        no       None

    {primary:node0}

    Note: on low-end SRX firewalls the control-link is fixed: as soon as the firewall runs in HA mode, ge-0/0/1 is the control-link. High-end SRX firewalls, in particular the SRX5K, have a dedicated control-link that must be configured manually; if no control-link is configured the firewall will not start up properly. On the SRX5K the control-link ports are configured as follows:
    set chassis cluster control-ports fpc 2 port 0
    set chassis cluster control-ports fpc 5 port 0

    IV. Order of the SRX firewall HA configuration (performed on the master firewall only)
    1) Configure the management interfaces (node0/node1 management addresses and backup-router)
    2) Configure the HA data-link interface (ge-0/0/2)
    3) Configure the HA redundancy groups (group 0 is the control plane by default; the others are data plane)
    4) Configure the HA traffic interfaces (reth)
    5) Configure the HA failover parameters
    6) Following this order makes it easier to work backwards through the configuration when troubleshooting

    V. SRX firewall HA configuration steps (performed on the master firewall only)
    1. Configure the management interfaces and the backup-router route
    root# show configuration | display set
    set groups node0 system host-name vSRXA1
    set groups node0 system backup-router 10.1.1.254
    set groups node0 system backup-router destination 10.1.1.0/24
    set groups node0 interfaces fxp0 unit 0 family inet address 10.1.1.2/24
    set groups node0 interfaces fxp0 unit 0 family inet address 10.1.1.1/24 master-only
    set groups node1 system host-name vSRXA2
    set groups node1 system backup-router 10.1.1.254
    set groups node1 system backup-router destination 10.1.1.0/24
    set groups node1 interfaces fxp0 unit 0 family inet address 10.1.1.3/24
    set groups node1 interfaces fxp0 unit 0 family inet address 10.1.1.1/24 master-only
    root# set apply-groups "${node}"        # applies the node0/node1 groups configured above
    root# commit       # commit and save the configuration
    node0:
    configuration check succeeds
    node1:
    commit complete
    node0:
    commit complete
    {primary:node0}[edit]

    2. Check the out-of-band management interface status on node0 and node1
    root@vSRXA1# run show interfaces terse | match fxp0
    root@vSRXA2> show interfaces terse | match fxp0

    3. Configure the HA data-link; the configuration keyword is fab
    root@vSRXA1# show interfaces | match fab | display set
    set interfaces fab0 fabric-options member-interfaces ge-0/0/2
    set interfaces fab1 fabric-options member-interfaces ge-7/0/2
    Check the fab interface status:
    root@vSRXA1# run show chassis cluster interfaces
    root@vSRXA2> show interfaces terse | match fab

    4. Configure the HA redundancy groups (by default only group 0 exists, with priority 1; priorities can be set manually)
    root@vSRXA1# show chassis cluster reth-count | display set
    set chassis cluster reth-count 8   # number of redundant Ethernet (reth) interfaces the cluster may use; default is 0
    root@vSRXA1# show chassis cluster | display set | match priority
    set chassis cluster redundancy-group 0 node 0 priority 200
    set chassis cluster redundancy-group 0 node 1 priority 100
    set chassis cluster redundancy-group 1 node 0 priority 200
    set chassis cluster redundancy-group 1 node 1 priority 100
    Check the redundancy group status:
    root@vSRXA1# run show chassis cluster status

    5. Configure the traffic interfaces (reth) in the HA environment (add the physical interfaces to the reth groups)
    root@vSRXA1# show interfaces | match reth | display set
    set interfaces ge-0/0/3 gigether-options redundant-parent reth0
    set interfaces ge-0/0/4 gigether-options redundant-parent reth1
    set interfaces ge-7/0/3 gigether-options redundant-parent reth0
    set interfaces ge-7/0/4 gigether-options redundant-parent reth1

    6. Add the reth interfaces to a redundancy-group
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth1 redundant-ether-options redundancy-group 1
    Check the reth interface status:
    root@vSRXA1# run show interfaces terse | match reth
    root@vSRXA1# run show chassis cluster interfaces | no-more

    7. Switching between node0 and node1 (manual failover)
    root@vSRXA1> request chassis cluster failover redundancy-group 0 node 1
    root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1
    root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1 force
    After a manual failover the node's priority is raised to 255 and must be reset by hand:
    request chassis cluster failover reset redundancy-group 1

    8. Example configuration, including the cluster, port mapping (telnet, port 23) and NAT (the following example only needs to be configured on the primary device)
    root@SRX1> show configuration | display set

    set version 12.1X47-D20.7
    set groups node0 system host-name SRX1
    set groups node0 system time-zone Asia/Shanghai
    set groups node0 system name-server 114.114.114.114
    set groups node0 system services web-management http interface fxp0.0
    set groups node0 system syslog file traffic-log any any
    set groups node0 system syslog file traffic-log match RT_FLOW_SESSION
    set groups node0 interfaces fxp0 unit 0 family inet address 10.1.1.1/24
    set groups node1 system host-name SRX2
    set groups node1 system time-zone Asia/Shanghai
    set groups node1 system name-server 114.114.114.114
    set groups node1 system services web-management http interface fxp0.0
    set groups node1 system syslog file traffic-log any any
    set groups node1 system syslog file traffic-log match RT_FLOW_SESSION
    set groups node1 interfaces fxp0 unit 0 family inet address 10.1.1.2/24
    set apply-groups "${node}"
    set system root-authentication plain-text-password   # sets the root password interactively
    set chassis cluster reth-count 3
    set chassis cluster redundancy-group 0 node 0 priority 200
    set chassis cluster redundancy-group 0 node 1 priority 100
    set chassis cluster redundancy-group 1 node 0 priority 200
    set chassis cluster redundancy-group 1 node 1 priority 100
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-7/0/3 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-7/0/4 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-7/0/5 weight 255
    set chassis cluster redundancy-group 1 ip-monitoring global-threshold 2
    set chassis cluster redundancy-group 1 ip-monitoring retry-interval 3
    set chassis cluster redundancy-group 1 ip-monitoring retry-count 5
    set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.12.1 weight 255
    set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.12.1 interface reth0.0 secondary-ip-address 1.1.12.2
    set interfaces ge-0/0/3 gigether-options redundant-parent reth0
    set interfaces ge-0/0/4 gigether-options redundant-parent reth1
    set interfaces ge-0/0/5 gigether-options redundant-parent reth2
    set interfaces ge-7/0/3 gigether-options redundant-parent reth0
    set interfaces ge-7/0/4 gigether-options redundant-parent reth1
    set interfaces ge-7/0/5 gigether-options redundant-parent reth2
    set interfaces fab0 fabric-options member-interfaces ge-0/0/2
    set interfaces fab1 fabric-options member-interfaces ge-7/0/2
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 unit 0 family inet address 1.1.12.2/24
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 unit 0 family inet address 192.168.1.1/24
    set interfaces reth2 redundant-ether-options redundancy-group 1
    set interfaces reth2 unit 0 family inet address 172.16.1.1/24
    set routing-options static route 0.0.0.0/0 next-hop 1.1.12.1
    set security nat source rule-set dmz-to-untrust from zone DMZ
    set security nat source rule-set dmz-to-untrust to zone untrust
    set security nat source rule-set dmz-to-untrust rule dmz-to-untrust match source-address 172.16.1.0/24
    set security nat source rule-set dmz-to-untrust rule dmz-to-untrust match destination-address 0.0.0.0/0
    set security nat source rule-set dmz-to-untrust rule dmz-to-untrust then source-nat interface
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule trust-to-untrust match source-address 192.168.1.0/24
    set security nat source rule-set trust-to-untrust rule trust-to-untrust match destination-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule trust-to-untrust then source-nat interface
    set security nat destination pool dmz-telnet address 172.16.1.2/32
    set security nat destination pool dmz-telnet address port 23
    set security nat destination pool trust-telnet address 192.168.1.2/32
    set security nat destination pool trust-telnet address port 23
    set security nat destination rule-set untrust-nat from zone untrust
    set security nat destination rule-set untrust-nat rule untrust-to-dmz-telnet match destination-address 1.1.12.2/32
    set security nat destination rule-set untrust-nat rule untrust-to-dmz-telnet match destination-port 23
    set security nat destination rule-set untrust-nat rule untrust-to-dmz-telnet then destination-nat pool dmz-telnet
    set security nat destination rule-set untrust-nat rule untrust-to-trust-telnet match destination-address 1.1.12.2/32
    set security nat destination rule-set untrust-nat rule untrust-to-trust-telnet match destination-port 2323
    set security nat destination rule-set untrust-nat rule untrust-to-trust-telnet then destination-nat pool trust-telnet
    set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet match source-address any-ipv4
    set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet match destination-address dmz-telnet-server
    set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet match application junos-telnet
    set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet match source-identity any
    set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet then permit
    set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet then log session-init
    set security policies from-zone untrust to-zone DMZ policy untrust-to-dmz-telnet then log session-close
    set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet match source-address any-ipv4
    set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet match destination-address trust-telnet-server
    set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet match application junos-telnet
    set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet match source-identity any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet then permit
    set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet then log session-init
    set security policies from-zone untrust to-zone trust policy untrust-to-trust-telnet then log session-close
    set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping match source-address dmz-172.16.1.0/24
    set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping match destination-address any-ipv4
    set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping match application junos-icmp-ping
    set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping match source-identity any
    set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-ping then permit
    set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet match source-address dmz-172.16.1.0/24
    set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet match destination-address untrust-server_1.1.1.1/32
    set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet match application junos-telnet
    set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet match source-identity any
    set security policies from-zone DMZ to-zone untrust policy dmz-to-untrust-telnet then permit
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping match source-address trust_192.168.1.0/24
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping match destination-address any-ipv4
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping match application junos-icmp-ping
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping match source-identity any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-ping then permit
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet match source-address trust_192.168.1.0/24
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet match destination-address untrust-server_1.1.1.1/32
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet match application junos-telnet
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet match source-identity any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-telnet then permit
    set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping match source-address trust_192.168.1.0/24
    set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping match destination-address dmz-172.16.1.0/24
    set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping match application junos-icmp-ping
    set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping match source-identity any
    set security policies from-zone trust to-zone DMZ policy trust-to-dmz-ping then permit
    set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet match source-address trust_192.168.1.0/24
    set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet match destination-address dmz-telnet-server
    set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet match application junos-telnet
    set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet match source-identity any
    set security policies from-zone trust to-zone DMZ policy trust-to-dmz-telnet then permit
    set security zones security-zone untrust address-book address untrust-server_1.1.1.1/32 1.1.1.1/32
    set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ping
    set security zones security-zone trust address-book address trust-telnet-server 192.168.1.2/32
    set security zones security-zone trust address-book address trust_192.168.1.0/24 192.168.1.0/24
    set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services ping
    set security zones security-zone DMZ address-book address dmz-telnet-server 172.16.1.2/32
    set security zones security-zone DMZ address-book address dmz-172.16.1.0/24 172.16.1.0/24
    set security zones security-zone DMZ interfaces reth2.0 host-inbound-traffic system-services ping

    References:
          https://blog.51cto.com/ciscosyh/2460653
          https://blog.51cto.com/wanghaiyisu/1584747

    Original post: https://www.cnblogs.com/xwupiaomiao/p/12087924.html