SRX

Did anyone try the Active / Active setup on JUNOS branch firewalls here?

Can you share some insights?

    -Failover testing scenarios

    -Sample HA config

    -How many redundancy groups are created / recommended

Thanks.

Hi dwayne ,

Active/Active mode allows both firewalls to process traffic providing a load sharing HA scenario.

In this mode, there can be more than two "Redundancy Groups (RG).

The first one is RG0 which is for the "Control Plane", and the other RG's are for the "Data Plane".

RE is always part for RG0, and on whichever node RG0 is primary, that node is the Primary node.

Only the data plane can work in Active/Active mode because the RE is part of RG0 and only one RE can be active at any given point.

Following KB article will help configuring Cluster.

Configuring more than 1 RG 1 groups and make it active on both Nodes is active active cluster.

it will work on Branch Platfom.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15650

Regards
rparthi
 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Hi dwayne ,

Active/Active mode allows both firewalls to process traffic providing a load sharing HA scenario.

In this mode, there can be more than two "Redundancy Groups (RG).

The first one is RG0 which is for the "Control Plane", and the other RG's are for the "Data Plane".

RE is always part for RG0, and on whichever node RG0 is primary, that node is the Primary node.

Only the data plane can work in Active/Active mode because the RE is part of RG0 and only one RE can be active at any given point.

Following KB article will help configuring Cluster.

Configuring more than 1 RG 1 groups and make it active on both Nodes is active active cluster.

it will work on Branch Platfom.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15650

Sample HA output showing active active setup:

root@srx240> show chassis cluster status

Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 3
    node0                   254         primary        no       no
    node1                   20          secondary      no       no

Redundancy group: 1 , Failover count: 3
    node0                   254         primary        no       no
    node1                   20          secondary      no       no

Redundancy group: 2 , Failover count: 3
    node0                   200        secondary      no       no
    node1                   20         primary        no       no

+++++++++++++++++++++++++++++++++++++

chassis {
    cluster {
        control-link-recovery;
        reth-count 10;
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 20;
        }
        redundancy-group 1 {
            node 1 priority 20;
            node 0 priority 200;
            interface-monitor {
                xe-1/0/0 weight 255;
                xe-1/0/1 weight 255;
                xe-2/0/1 weight 255;
                xe-2/0/0 weight 255;
                xe-14/0/0 weight 255;
                xe-14/0/1 weight 255;
                xe-15/0/1 weight 255;
                xe-15/0/0 weight 255;
            }
        }
        redundancy-group 2 {
            node 1 priority 20;
            node 0 priority 200;
            interface-monitor {
                ge-0/0/2 weight 255;
                ge-0/0/3 weight 255;
                ge-0/0/4 weight 255;
                ge-0/0/5 weight 255;
                ge-13/0/4 weight 255;
                ge-13/0/5 weight 255;
                ge-13/0/3 weight 255;
                ge-13/0/2 weight 255;
            }
        }
    }
}

By Placing RG1 group primary on Node0 and RG2 on Node1 will be active active setup.

Regards
rparthi
 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

thanks rparthi. the only difference with my setup is i will not be doing any interface monitoring thus a manual  or device is at fault to trigger the cluster failover...

about their hostnames; correct me if im wrong with the analysis, since the cluster -active / active is running under a single RE, hostnames should stay like what below look like? same as active / passive..

{primary:node0}
root@SRX-1>

{secondary:node1}
root@SRXl-2>

Im kinda assuming since the setup is active / active : hostnames should look like :

{primary:node0}
root@SRX-1>

{primaryy:node1}
root@SRXl-2>

----------------------------------------------

My output below in my lab looks like this;

root@SRX-1> show chassis cluster information
node0:
--------------------------------------------------------------------------
Redundancy mode:
    Configured mode: active-active
    Operational mode: active-active

node1:
--------------------------------------------------------------------------
Redundancy mode:
    Configured mode: active-active
    Operational mode: active-active

----------------------------------------------------------------------------

Redundancy Groups

show configuration |match redundancy-group |display set
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 50
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 50
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 50
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth2 redundant-ether-options redundancy-group 2

Hello

You can have upto 255 redundancy groups.

When you have more than one data objects(RG1 and above), then it is Active/Active cluster.

Number of RG groups creation depends on your requirement and it varies in different deployment scenarios.

In my experience, mostly used scenario that I have seen is to have one control plane redundancy (RG0) and two data object redundany(RG1 and RG2).

Below diagram should give you idea about Active/Active cluster.

thanks raveen. the only difference with my setup is i will not be doing any interface monitoring thus a manual  or device is at fault to trigger the cluster failover...

about their hostnames; correct me if im wrong with the analysis, since the cluster -active / active is running under a single RE, hostnames should stay like what below look like? same as active / passive..

{primary:node0}
root@SRX-1>

{secondary:node1}
root@SRXl-2>

Im kinda assuming since the setup is active / active : hostnames should look like :

{primary:node0}
root@SRX-1>

{primaryy:node1}
root@SRXl-2>

----------------------------------------------

My output below in my lab looks like this;

root@SRX-1> show chassis cluster information
node0:
--------------------------------------------------------------------------
Redundancy mode:
    Configured mode: active-active
    Operational mode: active-active

node1:
--------------------------------------------------------------------------
Redundancy mode:
    Configured mode: active-active
    Operational mode: active-active

----------------------------------------------------------------------------

Redundancy Groups

show configuration |match redundancy-group |display set
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 50
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 50
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 50
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth2 redundant-ether-options redundancy-group 2

Hi

Following configuration will add separate hostname for each node irrespectively of what role each node is:

groups {
    node0 {
        system {
            host-name SRX-01;
        }
    node1 {
        system {
            host-name SRX-02;
        }

apply-groups [ ${node} ]

it will look like the following:

{primary:node0}
root@SRX-01>

{secondary:node1}
root@SRX-02>

Regards
rparthi

Kudos are Appreciated Always....