Multi-vendor Firewall Series, Part 14: Juniper SRX HA (covering routed-mode and transparent-mode HA deployment) | 网络之路博客 (WeChat official account of the same name; 网络之路Blog on other platforms)

[Series index] Multi-vendor firewall series

The blogger only writes these technical documents in spare time, so please bear with any shortcomings. If you find them useful, feel free to recommend them to friends; the blogger will keep working on better series. If you have any questions, or spot errors or omissions in the text, please leave a comment and they will be corrected as soon as they are seen. Thank you for your support. More technical articles are at 网络之路博客, http://ccieh3c.com

Notes before reading

Test environment: two SRX 220H units

Configuration notes: by default on the SRX 220H the out-of-band management port is ge-0/0/6, the control port is ge-0/0/7 and the data-sync (fabric) port is ge-0/0/1.
After clustering, the interfaces are labelled ge-0/0/0-7 on node 0 and ge-3/0/0-7 on node 1.
Interface numbering after clustering differs between models; see the official documentation for details.

IP addresses in the topology:
ge-0/0/3: 192.168.3.1/24
ge-0/0/4: 192.168.4.1/24
ge-0/0/5: 192.168.5.1/24
MGT: 10.10.30.189-190/24
F0/0: 192.168.4.2/24
F0/1: 192.168.6.1/24 (simulating the remote Internet)

Test topology

[Figure: test topology (image001.png)]

Routed-mode HA

Configuration:
On device A: > set chassis cluster cluster-id 1 node 0 reboot
On device B: > set chassis cluster cluster-id 1 node 1 reboot
On device A:
set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
set chassis cluster reth-count 3
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 192.168.5.1/24
set security zones security-zone trust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone DMZ interfaces reth2.0

Verification:
Check the cluster status
root@SRX-Primary> show chassis cluster status
Cluster ID: 1
Node                  Priority   Status     Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0             100        primary    no       no
    node1             1          secondary  no       no

Redundancy group: 1 , Failover count: 1
    node0             100        primary    no       no
    node1             1          secondary  no       no
Test primary/backup failover:
[Figure: failover test (image003.png)]

Check which device is currently primary/backup:

[Figure: current primary/backup state (image005.png)]

Configuration explained:
On device A: > set chassis cluster cluster-id 1 node 0 reboot
On device B: > set chassis cluster cluster-id 1 node 1 reboot
// Define the cluster-id and node. All members of one cluster must share the cluster-id (range 0-15, where 0 disables clustering); node is 0 or 1, and 0 is the primary device
On device A:
set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
// Give each cluster member its own host name and management IP address
set apply-groups "${node}"
// Apply the node-specific groups above to each individual node
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
// Define the data-plane fabric link and bind its member port on each node
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
// Set each node's priority in each redundancy group (range 1-254; the higher value wins). By convention two groups are defined: redundancy-group 0 for the routing engine (control plane) and redundancy-group 1 for the data plane. You can also put each pair of redundant ports in its own redundancy group
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
// Configure interface monitoring on the data redundancy group (monitoring on redundancy-group 0 is not recommended). When a monitored interface fails, its weight of 255 is subtracted from the group's failover threshold, so the data interfaces fail over to the other node automatically
set chassis cluster reth-count 3
// Define the maximum number of redundant (reth) interfaces the cluster supports. It must be no lower than the number of reth interfaces actually configured; otherwise the reths beyond the count do not work and the routes over them do not take effect
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
// Put the physical ports into redundant interface reth0 and add reth0 to data redundancy group 1
set interfaces reth0 unit 0 family inet address 192.168.3.1/24
// Assign an IP address to the redundant logical interface
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
// Put the physical ports into redundant interface reth1 and add reth1 to data redundancy group 1
set interfaces reth1 unit 0 family inet address 192.168.4.1/24
// Assign an IP address to the redundant logical interface
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1
// Put the physical ports into redundant interface reth2 and add reth2 to data redundancy group 1
set interfaces reth2 unit 0 family inet address 192.168.5.1/24
// Assign an IP address to the redundant logical interface
set security zones security-zone trust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone DMZ interfaces reth2.0
// Bind the cluster's logical interfaces to security zones

Transparent-mode HA (access interfaces)

Configuration:
On device A: > set chassis cluster cluster-id 1 node 0 reboot
On device B: > set chassis cluster cluster-id 1 node 1 reboot
On device A:
set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family bridge interface-mode access
set interfaces reth0 unit 0 family bridge vlan-id 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family bridge interface-mode access
set interfaces reth1 unit 0 family bridge vlan-id 1
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family bridge interface-mode access
set interfaces reth2 unit 0 family bridge vlan-id 1
set bridge-domains sysway domain-type bridge
set bridge-domains sysway vlan-id 1


Verification:

Check the cluster status

[Figure: cluster status (image007.png)]

Configuration explained:
On device A: > set chassis cluster cluster-id 1 node 0 reboot
On device B: > set chassis cluster cluster-id 1 node 1 reboot
// Define the cluster-id and node. All members of one cluster must share the cluster-id (range 0-15, where 0 disables clustering); node is 0 or 1, and 0 is the primary device
On device A:
set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
// Apply the node-specific groups above to each individual node
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
// Set the number of redundant (reth) interfaces and each node's priority in each redundancy group
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
// Configure interface monitoring on the data redundancy group
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
// Bind the physical interfaces to their redundant (reth) parent interfaces
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
// Define the data-plane fabric link and bind its member port on each node
set interfaces reth0 redundant-ether-options redundancy-group 1
// Associate reth0 with redundancy-group 1
set interfaces reth0 unit 0 family bridge interface-mode access
// Put the logical interface in bridge mode as an access port
set interfaces reth0 unit 0 family bridge vlan-id 1
// Allow VLAN 1 on the bridged logical interface (the VLAN ID should match the VLAN of the directly connected switch port)
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family bridge interface-mode access
set interfaces reth1 unit 0 family bridge vlan-id 1
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family bridge interface-mode access
set interfaces reth2 unit 0 family bridge vlan-id 1
// Set the same attributes for reth1 and reth2
set bridge-domains sysway domain-type bridge
// Define the bridge domain's type and name
set bridge-domains sysway vlan-id 1
// Define the bridge domain's VLAN ID; it should match the one configured on the reth interfaces

Transparent-mode HA (trunk interfaces)

Configuration:
On device A: > set chassis cluster cluster-id 1 node 0 reboot
On device B: > set chassis cluster cluster-id 1 node 1 reboot
On device A:
set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 vlan-tagging
set interfaces reth0 native-vlan-id 1
set interfaces reth0 unit 0 family bridge interface-mode trunk
set interfaces reth0 unit 0 family bridge vlan-id-list 1-1000
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 vlan-tagging
set interfaces reth1 native-vlan-id 1
set interfaces reth1 unit 0 family bridge interface-mode trunk
set interfaces reth1 unit 0 family bridge vlan-id-list 1-1000
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 vlan-tagging
set interfaces reth2 native-vlan-id 1
set interfaces reth2 unit 0 family bridge interface-mode trunk
set interfaces reth2 unit 0 family bridge vlan-id-list 1-1000
set bridge-domains sysway vlan-id-list 1-1000

Verification:
[Figure: image007.png]
[Figure: image011.png]

Current cluster status

[Figure: current cluster status (image013.png)]

Configuration explained:
On device A: > set chassis cluster cluster-id 1 node 0 reboot
On device B: > set chassis cluster cluster-id 1 node 1 reboot
// Define the cluster-id and node. All members of one cluster must share the cluster-id (range 0-15, where 0 disables clustering); node is 0 or 1, and 0 is the primary device
On device A:
set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
// Apply the node-specific groups above to each individual node
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
// Set the number of redundant (reth) interfaces and each node's priority in the control redundancy group
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
// Set each node's priority in the data redundancy group and configure interface monitoring on it
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
// Bind the physical interfaces to the reth interfaces of the data redundancy group
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
// Define the data-plane fabric link and bind its member port on each node
set interfaces reth0 redundant-ether-options redundancy-group 1
// Associate reth0 with redundancy-group 1
set interfaces reth0 vlan-tagging
// Enable 802.1Q tagging on the interface
set interfaces reth0 native-vlan-id 1
// Set the interface's native VLAN ID to 1
set interfaces reth0 unit 0 family bridge interface-mode trunk
// Set the logical interface to trunk mode
set interfaces reth0 unit 0 family bridge vlan-id-list 1-1000
// Set the VLAN IDs the interface allows through
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 vlan-tagging
set interfaces reth1 native-vlan-id 1
set interfaces reth1 unit 0 family bridge interface-mode trunk
set interfaces reth1 unit 0 family bridge vlan-id-list 1-1000
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 vlan-tagging
set interfaces reth2 native-vlan-id 1
set interfaces reth2 unit 0 family bridge interface-mode trunk
set interfaces reth2 unit 0 family bridge vlan-id-list 1-1000
// Set the same attributes for reth1 and reth2
set bridge-domains sysway vlan-id-list 1-1000
// Define the bridge domain and the VLAN IDs it allows; they should match those configured on the reth interfaces
Bridge-domain definition for trunk-mode HA on newer Junos versions: set bridge-domains SRX650-CRM domain-type bridge vlan-id-list 1-1000 (to be verified!)

Points to note

1. Bridge domains: a group of logical interfaces that belong to the same flooding or broadcast domain. Within one VLAN, a bridge domain can span one or more interfaces on multiple devices. By default each bridge domain maintains its own MAC forwarding table, learned from packets received on the interfaces that belong to it. A packet forwarded within a bridge domain must carry a VLAN ID, and that VLAN ID must belong to the bridge domain.
2. The SRX cannot run routed mode and transparent mode at the same time. It starts in routed mode, and switching to transparent mode requires a reboot.
3. In bridge mode, Layer 2 interfaces have two modes: trunk and access.
4. The irb interface is similar to the vlan 1 interface on the ScreenOS platform; it provides management access in bridge mode. An irb can only be configured when the bridge domain is configured with a single VLAN ID; when the bridge domain uses vlan-id-list, an irb cannot be configured.
5. When the control port or fabric link fails, to avoid two primaries (split-brain) JSRP sets the node that was secondary before the failure to the disabled state, in which everything except the RE stops working. To recover, that node must be rebooted.
6. In transparent-mode HA, loops are broken by the firewall itself rather than by STP, which lets the SRX in transparent-mode HA fail over seamlessly.
7. Clustering is not supported while the firewall has Ethernet-switching interfaces configured. If such interfaces exist, the device cannot enter configuration mode after the cluster is enabled and rebooted; delete those interfaces first, then enable clustering.
8. Testing shows: Juniper SRX transparent-mode HA supports seamless failover; the loop is broken on the Juniper SRX itself rather than by STP on the switch directly connected to the firewall, so a transparent-mode failover does not interrupt traffic (to be verified!!!)

Original and collected content may be reposted; when reposting, please credit the original source with a hyperlink to the blog, http://ccieh3c.com.
