SRX

Hi All,

 

I've configured HA on my SRX 210 on my lab, Is there any command on CLI that I confirmed as Active/Active or Active/Passive...

 

 

Please advice

 

 

Thanks

 

Cunny

 

 

 

please check following links,

 

1) http://kb.juniper.net/KB15505

 

2) http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/cc-config-verifying.html#cc-config-verifying

 

 

thanks

raheel

If you have only redundancy group 0 and redundancy group 1 and all your transit traffic interfaces are part of reth interfaces, then this is active/passive. If you have additional redundancy groups beyond just RG1 or if some of your transit traffic interfaces are not member of reth, then this is considered active/active. Basically active/active is scenario whereby traffic may need to traverse the fabric link to reach interface on other node. There is no "active/active" mode setting per se.

 

-Richard

THanks for the reply, so far used this http://kb.juniper.net/KB15505. And I think it is an Active/Pasive config, because it's only have 2 RG (RG0 and RG1). is there any config that related to Active/Active configuration?

 

You said that I need 3 minimum RG for active/active rigth? So I just Make 1 RG and bind 2 interface (RethX) on it and it will change to active/active... is it correct?

 

Please advice

 

Cunny

 

just running rg0 on node0 and rg1 on node1 is active/active... granted, you normally don't have data traffic in rg0, but you are using node0 for control/routing and node1 for data, so that is active/active. additional redundancy groups can be split between the two nodes (active/active) or you can force all redundancy groups into the same node (active/passive). the 650 cluster doesn't really care, so it really doesn't have a 'switch' to say 'active/active' or 'active/passive'.

 

based on failures, monitoring, or whatever, you can have an operational cluster switch between active/active and active/passive just as the normal run of things.

 

if you want active/passive as the standard, just program all the redundancy groups to prefer the same node over the other or use the junos scripts to have rg0 follow rg1. that way, either node will run all rg's, but rg0 will follow rg1 when it can. 

 

if you want active/active as the standard, just program the redundancy groups to run on separate nodes, and turn on preempt (well, don't preempt rg0).

 

if you really don't care, one way or the other, don't both with preempt and split up the rg's or not -- your call.

 

basically, active/active or active/passive isn't anything that really applies. operationally, the firewalls are logically viewed as the same box and there is only one control node (whatever that node is), so why care? if you are worried about overloading the fabric link with traffic, or wanting to ensure to get the best throughput, sure -- care, but that is a design issue of reth interfaces, redundancy groups, external hardware, etc. the fact the the srx cluster doesn't really care if running active/active or active/passive is just some nice frosting on the cake and you deal with the real work separately from that.

 

Hi supcourt,

 

Thanks for your explanation,  thats realy help me to understand about the concept of the HA on SRX..

 

I'll try that you suggested.

 

 

Thanks

 

 

Cunny

Type in this command

root@My-First-Firewall> show chassis cluster information

 

It will give you an output like this.

node0:
--------------------------------------------------------------------------
Redundancy mode:
    Configured mode: active-active
    Operational mode: active-active

 

I have a feeling it's alwasy gonna say active-active because of the nature of the cluster.

How can we sync both nodes in Active Active cluster with NTP?

 

Regards.

Hi,

set system ntp server 1.1.1.1

another way for configuring it :
set groups node0 system ntp server 1.1.1.1
set groups node1 system ntp server 1.1.1.1
set apply-groups "${node}"

But you don't really need the second way, because the NTP server is same for both nodes in the cluster. It's just a way to grouping (template) it .

Supcourt is incorrect. That is our Active / Passive design. 

 

Active Active is where we have RG1 and RG2 and these can be split across the cluster nodes. 

 

https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide.pdf

Hi Cunny,

 

 Please go through the below documentation for a proper understanding of Active-Active. 

 

https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/chassis-cluster-srx-active-active-configuring.html

 

Regards,

Anand

You have to differentiate two things, how chassis cluster is running and how it's deployed.

By default it's running as active-active cluster but can be deployed as active/active or active/backup.

You can change the mode using hidden command

#set chassis cluster redundancy-mode active-backup

To check the current mode use

>show chassis cluster information

 

Consequences of setting the mode to active-backup are that you can configure only one RG and therefore deploy only as active/backup. Another consequence is that in active-active mode when you configure PAT available ports are split in half between two nodes (even when deployed as active/backup). In active-backup mode all PAT ports are available to acrive node.

 

Regarding NTP, for it to work the NTP server has to be reachable from the backup RE. Therefore you have to use fxp0 interfaces. If the NTP server is in the same subnet as fxp0 interfaces then you configure it as usual. If it's not then you have to add backup-router statements

 

#set groups node0 system backup-router default_gateway_on_fxp0_subnet Ip_address_of_ntp_server

#set groups node1 system backup-router default_gateway_on_fxp0_subnet Ip_address_of_ntp_server

 

Also see https://kb.juniper.net/InfoCenter/index?page=content&id=KB21725

 

Regards, Wojtek