SRX


need help on HA ACTIVE ACTIVE on SRX 210

  • 1.  need help on HA ACTIVE ACTIVE on SRX 210

    Posted 07-30-2011 03:37

    Hi all,

    I would really appreciate some help from any of you. I would like to set up HA active/active on my SRX 210. I tried to find a guide on the Juniper support site, but all I have found is only active/passive.

    I would appreciate it if anybody could send me a guide or give me some ideas for it.

    Thanks

    YIHHOW



  • 2.  RE: need help on HA ACTIVE ACTIVE on SRX 210
    Best Answer

    Posted 07-30-2011 09:10
    Active/Active is exactly the same as Active/Passive, it's just done twice 😉

    All you really need are two separate redundancy groups, for example rg1 and rg2, and make sure that one device is the master for rg1 while the other is the master for rg2. Then you will need to create your reth interfaces (at least two for an A/A setup, where the first reth is tied to rg1 and the second reth is tied to rg2).


  • 3.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 07-30-2011 23:52

    Hi sfouant,

    Can you please help to verify the config for HA A/A on the SRX 210? This is what I worked out based on the information you provided.

    Thanks

    yihhow

     

    set device to cluster mode

    first device  > set chassis cluster cluster-id 1 node 0 reboot
    second device > set chassis cluster cluster-id 1 node 1 reboot

    setting up hostname and management interface

    # set groups node0 system host-name srxmaster-node0
    # set groups node0 interfaces fxp0 unit 0 family inet address 192.168.3.2/24 ( first device management ip )
    # set groups node0 system host-name srxbackup-node1
    # set groups node0 interfaces fxp0 unit 0 family inet address 192.168.4.2/24 ( second device management ip )
    # set apply-groups "${node}"


    fabric link

    # set interfaces fab0 fabric-options member-interfaces ge-0/0/1 ( first device, node 0 )
    # set interfaces fab1 fabric-options member-interfaces ge-2/0/1 ( second device, node 1 )


    grouping

    # set chassis cluster redundancy-group 0 node 0 priority 100
    # set chassis cluster redundancy-group 0 node 1 priority 1
    # set chassis cluster redundancy-group 1 node 0 priority 100
    # set chassis cluster redundancy-group 1 node 1 priority 1
    # set chassis cluster redundancy-group 2 node 0 priority 1
    # set chassis cluster redundancy-group 2 node 1 priority 100


    monitor

    # set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
    # set chassis cluster redundancy-group 1 interface-monitor fe-0/0/2 weight 255
    # set chassis cluster redundancy-group 1 interface-monitor ge-2/0/0 weight 255
    # set chassis cluster redundancy-group 1 interface-monitor fe-2/0/2 weight 255
    # set chassis cluster redundancy-group 2 interface-monitor ge-0/0/0 weight 255
    # set chassis cluster redundancy-group 2 interface-monitor fe-0/0/2 weight 255
    # set chassis cluster redundancy-group 2 interface-monitor ge-2/0/0 weight 255
    # set chassis cluster redundancy-group 2 interface-monitor fe-2/0/2 weight 255


    setup redundant ethernet interface


    # set chassis cluster reth-count 2
    # set interfaces fe-0/0/2 fastether-options redundant-parent reth1
    # set interfaces fe-2/0/2 fastether-options redundant-parent reth1
    # set interfaces fe-0/0/2 fastether-options redundant-parent reth2
    # set interfaces fe-2/0/2 fastether-options redundant-parent reth2
    # set interfaces reth1 redundant-ether-options redundancy-group 1
    # set interfaces reth2 redundant-ether-options redundancy-group 2
    # set interfaces reth1 unit 0 family inet address 192.168.1.1/24  ( untrusted ip for first device )
    # set interfaces reth2 unit 0 family inet address 192.168.2.1/24  ( untrusted ip for second device )
    # set interfaces ge-0/0/0 gigether-options redundant-parent reth3
    # set interfaces ge-2/0/0 gigether-options redundant-parent reth3
    # set interfaces ge-0/0/0 gigether-options redundant-parent reth4
    # set interfaces ge-2/0/0 gigether-options redundant-parent reth4
    # set interfaces reth3 redundant-ether-options redundancy-group 1
    # set interfaces reth4 redundant-ether-options redundancy-group 2
    # set interfaces reth3 unit 0 family inet address 192.168.3.1/24 ( trusted ip for first device )
    # set interfaces reth4 unit 0 family inet address 192.168.4.1/24 ( trusted ip for second device )
    # set security zones security-zone untrust interfaces reth1.0 ( untrusted interface for first device )
    # set security zones security-zone untrust interfaces reth2.0 ( untrusted interface for second device )
    # set security zones security-zone trust interfaces reth3.0  ( trust interface for first device )
    # set security zones security-zone trust interfaces reth4.0  ( trust interface for second device )

    default route to my next hop

    # set routing-options static route 0.0.0.0/0 next-hop 192.168.1.254 preference 254

    reboot to take effect

    > set chassis cluster cluster-id 1 node 0 reboot
    > set chassis cluster cluster-id 1 node 1 reboot



  • 4.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-01-2011 09:13

    Please see the corrected configs below:


    @yihhow wrote:
    set device to cluster mode


    first device  > set chassis cluster cluster-id 1 node 0 reboot
    second device > set chassis cluster cluster-id 1 node 1 reboot

    setting up hostname and management interface

    # set groups node0 system host-name srxmaster-node0
    # set groups node0 interfaces fxp0 unit 0 family inet address 192.168.3.2/24 ( first device management ip )
    # set groups node0 system host-name srxbackup-node1
    # set groups node0 interfaces fxp0 unit 0 family inet address 192.168.4.2/24 ( second device management ip )
    # set apply-groups "${node}"


    You need to specify the second node as node1, so it should look like this:

     

    # set groups node0 system host-name srxmaster-node0
    # set groups node0 interfaces fxp0 unit 0 family inet address 192.168.3.2/24 ( first device management ip )
    # set groups node1 system host-name srxbackup-node1
    # set groups node1 interfaces fxp0 unit 0 family inet address 192.168.4.2/24 ( second device management ip )
    # set apply-groups "${node}"


    @yihhow wrote:


    setup redundant ethernet interface

    # set chassis cluster reth-count 2
    # set interfaces fe-0/0/2 fastether-options redundant-parent reth1
    # set interfaces fe-2/0/2 fastether-options redundant-parent reth1
    # set interfaces fe-0/0/2 fastether-options redundant-parent reth2
    # set interfaces fe-2/0/2 fastether-options redundant-parent reth2
    # set interfaces reth1 redundant-ether-options redundancy-group 1
    # set interfaces reth2 redundant-ether-options redundancy-group 2
    # set interfaces reth1 unit 0 family inet address 192.168.1.1/24  ( untrusted ip for first device )
    # set interfaces reth2 unit 0 family inet address 192.168.2.1/24  ( untrusted ip for second device )
    # set interfaces ge-0/0/0 gigether-options redundant-parent reth3
    # set interfaces ge-2/0/0 gigether-options redundant-parent reth3
    # set interfaces ge-0/0/0 gigether-options redundant-parent reth4
    # set interfaces ge-2/0/0 gigether-options redundant-parent reth4
    # set interfaces reth3 redundant-ether-options redundancy-group 1
    # set interfaces reth4 redundant-ether-options redundancy-group 2
    # set interfaces reth3 unit 0 family inet address 192.168.3.1/24 ( trusted ip for first device )
    # set interfaces reth4 unit 0 family inet address 192.168.4.1/24 ( trusted ip for second device )
    # set security zones security-zone untrust interfaces reth1.0 ( untrusted interface for first device )
    # set security zones security-zone untrust interfaces reth2.0 ( untrusted interface for second device )
    # set security zones security-zone trust interfaces reth3.0  ( trust interface for first device )
    # set security zones security-zone trust interfaces reth4.0  ( trust interface for second device )


    You don't put the same underlying physical interfaces into different reth interfaces.  You have the same physicals going into reth1, reth2, reth3 and reth4 which will give you an error.  Also, you need more than a reth-count of 2 to support this many reth interfaces.  Otherwise the rest of your config looks good...

     

    It should look something like:

     

    # set chassis cluster reth-count 4
    # set interfaces fe-0/0/2 fastether-options redundant-parent reth1
    # set interfaces fe-2/0/2 fastether-options redundant-parent reth1
    # set interfaces fe-0/0/3 fastether-options redundant-parent reth2
    # set interfaces fe-2/0/3 fastether-options redundant-parent reth2
    # set interfaces reth1 redundant-ether-options redundancy-group 1
    # set interfaces reth2 redundant-ether-options redundancy-group 2
    # set interfaces reth1 unit 0 family inet address 192.168.1.1/24  ( untrusted ip for first device )
    # set interfaces reth2 unit 0 family inet address 192.168.2.1/24  ( untrusted ip for second device )
    # set interfaces fe-0/0/4 fastether-options redundant-parent reth3 ( ports 2-7 on the SRX210 are fe-, so fastether-options )
    # set interfaces fe-2/0/4 fastether-options redundant-parent reth3
    # set interfaces fe-0/0/5 fastether-options redundant-parent reth4
    # set interfaces fe-2/0/5 fastether-options redundant-parent reth4
    # set interfaces reth3 redundant-ether-options redundancy-group 1
    # set interfaces reth4 redundant-ether-options redundancy-group 2
    # set interfaces reth3 unit 0 family inet address 192.168.3.1/24 ( trusted ip for first device )
    # set interfaces reth4 unit 0 family inet address 192.168.4.1/24 ( trusted ip for second device )
    # set security zones security-zone untrust interfaces reth1.0 ( untrusted interface for first device )
    # set security zones security-zone untrust interfaces reth2.0 ( untrusted interface for second device )
    # set security zones security-zone trust interfaces reth3.0  ( trust interface for first device )
    # set security zones security-zone trust interfaces reth4.0  ( trust interface for second device )


    @yihhow wrote:
    > set chassis cluster cluster-id 1 node 0 reboot

    > set chassis cluster cluster-id 1 node 1 reboot

    reboot to take effect

    A second reboot is not necessary once you've enabled the cluster.

     

    HTHs.
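The three problems called out in this reply (one physical port as the child of several reths, a reth-count smaller than the number of reths, and the node1 group missing so that apply-groups "${node}" has nothing to apply on the second box) are all visible in the set-format text before anything is committed, as is the active/active requirement from earlier in the thread (the data-plane redundancy groups must prefer different nodes). The lint below is an added example and not Juniper tooling or anything posted by the thread's authors: it parses only the handful of statements used here, and both sample configurations are constructed from the thread's snippets, the second with this reply's corrections applied and fe- names for ports 2-7, which are Fast Ethernet on the SRX210.

```python
"""Lint a Junos chassis-cluster configuration (set format) for the mistakes the
reply above points out. Added example, not Juniper tooling: it understands only
the statements used in this thread, and the sample configs are constructed."""
import re
from collections import defaultdict

# Trailing "( ... )" notes, as written in the thread, are stripped before parsing.
_TRAILING_NOTE = re.compile(r"\s*\(.*?\)\s*$")


def parse_set_lines(text):
    """Yield the tokens of every 'set ...' line; prompts and notes are ignored."""
    for raw in text.splitlines():
        line = _TRAILING_NOTE.sub("", raw.strip().lstrip("#> ").strip())
        if line.startswith("set "):
            yield line.split()


def lint_cluster_config(text):
    """Return a list of (code, detail) findings; an empty list means clean."""
    reth_count = None
    reth_members = defaultdict(set)  # reth -> its physical child interfaces
    phys_parents = defaultdict(set)  # physical interface -> reths it was put in
    rg_prio = defaultdict(dict)      # rg -> {node: priority}
    groups, uses_node_macro = set(), False
    for tok in parse_set_lines(text):
        if tok[1:4] == ["chassis", "cluster", "reth-count"]:
            reth_count = int(tok[4])
        elif tok[1:4] == ["chassis", "cluster", "redundancy-group"] and "priority" in tok:
            rg_prio[int(tok[4])][int(tok[6])] = int(tok[8])
        elif tok[1] == "interfaces" and "redundant-parent" in tok:
            phys, reth = tok[2], tok[tok.index("redundant-parent") + 1]
            reth_members[reth].add(phys)
            phys_parents[phys].add(reth)
        elif tok[1] == "groups":
            groups.add(tok[2])
        elif tok[1] == "apply-groups" and tok[2].strip('"') == "${node}":
            uses_node_macro = True

    findings = []
    # A physical port can be the child of exactly one reth.
    for phys, reths in sorted(phys_parents.items()):
        if len(reths) > 1:
            findings.append(("shared-physical", f"{phys} is a child of {sorted(reths)}"))
    # reth-count caps how many reth interfaces the cluster may define.
    if reth_count is not None and len(reth_members) > reth_count:
        findings.append(("reth-count", f"{len(reth_members)} reths but reth-count {reth_count}"))
    # apply-groups "${node}" only does its job if both node0 and node1 groups exist.
    if uses_node_macro and not {"node0", "node1"} <= groups:
        findings.append(("missing-group", f"groups defined: {sorted(groups)}"))
    # Active/active means the data-plane RGs (1-255) prefer different nodes;
    # RG0 is control plane only and is left out of this check.
    masters = {rg: max(p, key=p.get) for rg, p in rg_prio.items() if rg >= 1}
    if len(set(masters.values())) < 2:
        findings.append(("not-active-active", f"data-plane RG masters: {masters}"))
    return findings


# Constructed from the thread: the first attempt, with its mistakes left in.
FIRST_ATTEMPT = """
set groups node0 system host-name srxmaster-node0
set groups node0 system host-name srxbackup-node1
set apply-groups "${node}"
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 2 node 0 priority 1
set chassis cluster redundancy-group 2 node 1 priority 100
set chassis cluster reth-count 2
set interfaces fe-0/0/2 fastether-options redundant-parent reth1
set interfaces fe-2/0/2 fastether-options redundant-parent reth1
set interfaces fe-0/0/2 fastether-options redundant-parent reth2
set interfaces fe-2/0/2 fastether-options redundant-parent reth2
set interfaces ge-0/0/0 gigether-options redundant-parent reth3
set interfaces ge-2/0/0 gigether-options redundant-parent reth3
set interfaces ge-0/0/0 gigether-options redundant-parent reth4
set interfaces ge-2/0/0 gigether-options redundant-parent reth4
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces reth3 redundant-ether-options redundancy-group 1
set interfaces reth4 redundant-ether-options redundancy-group 2
"""

# The corrections from the reply: node1 group, reth-count 4, and a distinct
# physical pair per reth (fe- names, since SRX210 ports 2-7 are Fast Ethernet).
_FIXES = [
    ("set groups node0 system host-name srxbackup", "set groups node1 system host-name srxbackup"),
    ("reth-count 2", "reth-count 4"),
    ("fe-0/0/2 fastether-options redundant-parent reth2", "fe-0/0/3 fastether-options redundant-parent reth2"),
    ("fe-2/0/2 fastether-options redundant-parent reth2", "fe-2/0/3 fastether-options redundant-parent reth2"),
    ("ge-0/0/0 gigether-options redundant-parent reth3", "fe-0/0/4 fastether-options redundant-parent reth3"),
    ("ge-2/0/0 gigether-options redundant-parent reth3", "fe-2/0/4 fastether-options redundant-parent reth3"),
    ("ge-0/0/0 gigether-options redundant-parent reth4", "fe-0/0/5 fastether-options redundant-parent reth4"),
    ("ge-2/0/0 gigether-options redundant-parent reth4", "fe-2/0/5 fastether-options redundant-parent reth4"),
]
CORRECTED = FIRST_ATTEMPT
for _old, _new in _FIXES:
    CORRECTED = CORRECTED.replace(_old, _new)
```

Junos itself rejects a shared child port at commit time, so the useful part of such a check is the last one: a config in which both data-plane groups prefer the same node commits cleanly but is active/passive, which is exactly the confusion the rest of this thread is about.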



  • 5.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-01-2011 17:39

    Hi sfouant,

    Thanks for your corrections and for the time you spent with me. I will try testing it later ...

    Thanks

    yihhow



  • 6.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-01-2011 19:22
    You are very welcome. Please do let us know how it works out!


  • 7.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-01-2011 21:28

    Hi sfouant,

    Can this config work?

    As with other firewall brands, only 1 trust and 1 untrust interface will be used on each firewall.

    The reason is that the core switch only points to a single virtual firewall gateway IP.

    Each firewall will be the master for an individual redundancy group.

    In this case, traffic from the core switch will flow to FW1 and FW2 via RG1 and RG2 respectively.


    # set chassis cluster redundancy-group 0 node 0 priority 100
    # set chassis cluster redundancy-group 0 node 1 priority 1
    # set chassis cluster redundancy-group 1 node 0 priority 100
    # set chassis cluster redundancy-group 1 node 1 priority 1
    # set chassis cluster redundancy-group 2 node 0 priority 1
    # set chassis cluster redundancy-group 2 node 1 priority 100

    # set chassis cluster reth-count 2
    # set interfaces fe-0/0/2 fastether-options redundant-parent reth1
    # set interfaces fe-2/0/2 fastether-options redundant-parent reth1
    # set interfaces fe-0/0/3 fastether-options redundant-parent reth2
    # set interfaces fe-2/0/3 fastether-options redundant-parent reth2
    # set interfaces reth1 redundant-ether-options redundancy-group 1
    # set interfaces reth2 redundant-ether-options redundancy-group 2
    # set interfaces reth1 unit 0 family inet address 192.168.1.1/24  ( untrusted ip for first device )
    # set interfaces reth2 unit 0 family inet address 192.168.2.1/24  ( untrusted ip for second device )

    # set security zones security-zone untrust interfaces reth1.0 ( untrusted interface for first device )
    # set security zones security-zone untrust interfaces reth2.0 ( untrusted interface for second device )



  • 8.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-01-2011 22:03

    Hi,

    Sorry, I messed up the config, or I think the config is wrong.

    But the objective is for the core switch to point to a single firewall IP.

    Both firewalls will do the traffic processing.

    Not the 2-IP design.

    So how do I configure active-active in this design??

    Thanks!!!




  • 9.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-01-2011 22:52

    Hi Mr. Fouant,

    I attached a design used in this scenario. Can you please advise on the correct config?

    Problems faced:

    1) I was unable to bind a ge interface to multiple reths (e.g. ge-0/0/0 mapped to reth1 and reth2)

    2) I was unable to bind 2 redundancy groups to a single reth (e.g. redundancy group 1 mapped to reth1 and redundancy group 2 mapped to reth1 at the same time)

    Please advise! The objective is to achieve HA A-A using a single IP. Can this be done??



  • 10.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-02-2011 08:41

    deepoce@yahoo.com wrote:

    Hi Mr. Fouant,

    I attached a design used in this scenario. Can you please advise on the correct config?

    Problems faced:

    1) I was unable to bind a ge interface to multiple reths (e.g. ge-0/0/0 mapped to reth1 and reth2)

    2) I was unable to bind 2 redundancy groups to a single reth (e.g. redundancy group 1 mapped to reth1 and redundancy group 2 mapped to reth1 at the same time)

    Please advise! The objective is to achieve HA A-A using a single IP. Can this be done??


    Hi Deepoce,

    You should open a separate thread instead of hijacking this one 🙂  Can you please open a new thread and I will comment.

    Thanks!



  • 11.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-02-2011 08:52

    Hi,

    Sorry, I forgot to mention that Yihhow (the originator) and I are from the same company and working on the same project. I am helping him to solve the issue. Basically we have run active-passive with success. The issue now is how to configure and design active-active.

    Does the core switch point to a single or dual IP for A/A? Appreciate your great help!! Thanks!!



  • 12.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-02-2011 15:19

    deepoce@yahoo.com wrote:

    Does the core switch point to a single or dual IP for A/A? Appreciate your great help!! Thanks!!


    So for A/A to work properly, you will require downstream devices to essentially load balance to the addresses assigned to the two different reths (which are tied to unique redundancy groups).  So if you have two reths, where reth1 is tied to rg1 and reth2 is tied to rg2, then you will need to make sure that some of your flows go to the IP address associated with reth1 while other flows go to the IP address associated with reth2.



  • 13.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-02-2011 07:32

    Hi sfouant,

    After looking into the configuration that you corrected for me ...


    # set chassis cluster reth-count 4
    # set interfaces fe-0/0/2 fastether-options redundant-parent reth1
    # set interfaces fe-2/0/2 fastether-options redundant-parent reth1
    # set interfaces fe-0/0/3 fastether-options redundant-parent reth2
    # set interfaces fe-2/0/3 fastether-options redundant-parent reth2
    # set interfaces reth1 redundant-ether-options redundancy-group 1
    # set interfaces reth2 redundant-ether-options redundancy-group 2
    # set interfaces reth1 unit 0 family inet address 192.168.1.1/24  ( untrusted ip for first device )
    # set interfaces reth2 unit 0 family inet address 192.168.2.1/24  ( untrusted ip for second device )
    # set interfaces fe-0/0/4 fastether-options redundant-parent reth3 ( ports 2-7 on the SRX210 are fe-, so fastether-options )
    # set interfaces fe-2/0/4 fastether-options redundant-parent reth3
    # set interfaces fe-0/0/5 fastether-options redundant-parent reth4
    # set interfaces fe-2/0/5 fastether-options redundant-parent reth4
    # set interfaces reth3 redundant-ether-options redundancy-group 1
    # set interfaces reth4 redundant-ether-options redundancy-group 2
    # set interfaces reth3 unit 0 family inet address 192.168.3.1/24 ( trusted ip for first device )
    # set interfaces reth4 unit 0 family inet address 192.168.4.1/24 ( trusted ip for second device )
    # set security zones security-zone untrust interfaces reth1.0 ( untrusted interface for first device )
    # set security zones security-zone untrust interfaces reth2.0 ( untrusted interface for second device )
    # set security zones security-zone trust interfaces reth3.0  ( trust interface for first device )
    # set security zones security-zone trust interfaces reth4.0  ( trust interface for second device )

     

     

    Each reth is tied to two interfaces, for trust and untrust, so each device will have 2 reths = 2 trust and 2 untrust.

    Now the problem is that my customer does not want to use so many interfaces for HA A/A.

    What he wants is 2 reths, meaning reth0 for trust and reth1 for untrust; I understand this method is for active/passive.

    Is there any other solution?

    Thanks

    yihhow



  • 14.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 07-30-2011 23:57

    Kindly please correct me if the config is wrong.

    Thanks

    yihhow



  • 15.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 07-31-2011 23:04

    Hi bro,

    Active-passive also needs 2 redundancy groups, 1 and 2. So what is the difference??

    Look at this from the Juniper forum for the active-passive config.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB15505

    By the way, do you have any diagram and config example?

    That would be very, very helpful.. appreciate that bro!

    Thanks!!!



  • 16.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-02-2011 08:39

    deepoce@yahoo.com wrote:

    Hi bro,

    Active-passive also needs 2 redundancy groups, 1 and 2. So what is the difference??

    Look at this from the Juniper forum for the active-passive config.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB15505


    Hi,

     

    In that example, you see redundancy group 0 and redundancy group 1.  Redundancy Group 0 is always reserved for control plane redundancy (which is always Active/Passive).  So it is only used to determine which one of the two SRX devices will maintain control of the configuration, establish protocol adjacencies, etc.

     

    Redundancy Groups 1-255 are used for Data Plane Redundancy.  So in the case of A/P you will most likely see just a single data plane redundancy group - RG1.  In Active/Active setups, you need at least two Data Plane redundancy groups, so you will likely see at least RG1 and RG2.  This is obviously in addition to RG0 which again is only used for the Control Plane.

     

    HTHs.



  • 17.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 07-30-2011 19:39
    That means each device needs to be tied to each trust and untrust zone.


  • 18.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-02-2011 21:30
    Hi,

    Based on the solution you provided, how many reths in total do I need to use?

    Thanks
    Yihhow


  • 19.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-03-2011 02:20

    Hi,

    I attached two designs. Can they work for active-active?? This is basically single and dual IP. One core switch.



  • 20.  RE: need help on HA ACTIVE ACTIVE on SRX 210

    Posted 08-03-2011 09:07

    Bare minimum, if you want to load balance on Trust and Untrust in A/A setup, you would need 4 reth interfaces... 2 reths (one trust and one untrust tied to rg1), and 2 reths (one trust and one untrust tied to rg2).

     

    HTHs.
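The replies above settle the shape of the design (RG0 for the control plane, RG1 and RG2 on the data plane with opposite priorities, four reths split across them) but not what the cluster actually does when one of the monitored links in the earlier "monitor" section fails. The script below is an added example, not Juniper code or anything from this thread's authors: it computes the primary node of every redundancy group from the thread's priorities and from a monitor set constructed for the corrected four-reth layout. The interface-monitor arithmetic it implements (each RG starts with a threshold of 255 on each node, a failed monitored link subtracts its weight, the node's priority for that RG becomes 0 when the threshold is used up, and preempt is off by default so a repaired node does not take the RG back) is standard Junos behaviour that the thread does not spell out; the port-to-node mapping is an assumption taken from the thread's ge-0/0/x and ge-2/0/x naming.

```python
"""Which node owns each redundancy group, from priorities plus interface-monitor
weights. Added example, not Juniper code. Priorities are the thread's; the
monitor set is constructed for the corrected four-reth design."""

THRESHOLD = 255  # every RG starts with this much monitor "health" on each node


def node_of(ifname):
    """Assumption from the thread's naming: node0 owns FPC 0 (fe-0/0/x) and
    node1's ports show up as FPC 2 (fe-2/0/x) on the SRX210."""
    fpc = int(ifname.split("-", 1)[1].split("/")[0])
    return 0 if fpc == 0 else 1


def effective_priority(rg, node, priorities, monitors, down):
    """Configured priority, or 0 once this node's failed monitored links in
    the RG have used up the threshold (that is what triggers the failover)."""
    remaining = THRESHOLD
    for iface, weight in monitors.get(rg, {}).items():
        if node_of(iface) == node and iface in down:
            remaining -= weight
    return 0 if remaining <= 0 else priorities[rg][node]


def rg_masters(priorities, monitors, down=frozenset(), current=None, preempt=False):
    """Return {rg: primary node, or None if neither node is eligible}.
    With preempt off (the Junos default) the current primary keeps the RG as
    long as its effective priority is above 0; ties go to node 0."""
    masters = {}
    for rg in sorted(priorities):
        eff = {n: effective_priority(rg, n, priorities, monitors, down) for n in (0, 1)}
        cur = (current or {}).get(rg)
        if cur is not None and not preempt and eff[cur] > 0:
            masters[rg] = cur
        elif max(eff.values()) == 0:
            masters[rg] = None
        else:
            masters[rg] = 0 if eff[0] >= eff[1] else 1
    return masters


# The thread's priorities: node0 preferred for RG0 and RG1, node1 for RG2.
PRIORITIES = {0: {0: 100, 1: 1}, 1: {0: 100, 1: 1}, 2: {0: 1, 1: 100}}

# Monitor the reth children of each data-plane RG (RG1 owns reth1/reth3,
# RG2 owns reth2/reth4) at weight 255, so losing one link moves the whole RG,
# which is what you want when a reth has a single child on each node.
MONITORS = {
    1: {"fe-0/0/2": 255, "fe-2/0/2": 255, "fe-0/0/4": 255, "fe-2/0/4": 255},
    2: {"fe-0/0/3": 255, "fe-2/0/3": 255, "fe-0/0/5": 255, "fe-2/0/5": 255},
}

# The same links at weight 128: one failure leaves 127, the RG stays put, and
# the reth whose only child on that node just died carries no traffic.
SPLIT_WEIGHT = {rg: {i: 128 for i in m} for rg, m in MONITORS.items()}

if __name__ == "__main__":
    print("steady state        ", rg_masters(PRIORITIES, MONITORS))
    print("fe-0/0/2 down       ", rg_masters(PRIORITIES, MONITORS, down={"fe-0/0/2"}))
    print("weight 128, one down", rg_masters(PRIORITIES, SPLIT_WEIGHT, down={"fe-0/0/2"}))
```

The steady-state result is the active/active split the thread is after: RG0 and RG1 on node0, RG2 on node1. Dropping fe-0/0/2 moves RG1 to node1, so both data-plane groups now run on one box, and because preempt is off it stays that way after the link comes back until someone fails it over by hand. The weight-128 variant shows why the thread's choice of 255 per link is the right one for a two-child reth.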