SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  srx650 standalone to cluster configuration

    Posted 07-24-2013 15:53

    Folks,

    I have a standalone SRX650 in production and have been asked to add another node to build a cluster.

    Can anyone point me in the right direction on how to go about this?

    I've seen a few guides that require the firewall default config to be deleted and then the cluster built.

    As my node is already in production, I don't think I'll get the downtime to do this unless it's the last option.

    Thanks to anyone taking the time to read this or to reply.

    Greatly appreciated.



  • 2.  RE: srx650 standalone to cluster configuration

    Posted 07-24-2013 16:11
    This is the guide for the 650: http://kb.juniper.net/InfoCenter/index?page=content&id=KB15503

    Yes, to convert the node to cluster mode you are going to have to reboot the node after doing:

    root> set chassis cluster cluster-id <ID> node <NO.>


  • 3.  RE: srx650 standalone to cluster configuration

    Posted 07-25-2013 12:47

    wl,

    Many thanks for your reply.

    I've already read this article, but I'm a bit confused and wary of setting up a cluster using a live firewall.

    The article requires I remove the default configuration using the delete command and then reset the root password.

    Do I need to back up the existing config and then restore it after the cluster is built?

    Also, I've already used one of the interfaces as a management port. Do I need to change this, or can I use whatever interfaces I wish?

    Apologies for the basic questions, but it's the first cluster I've built and it's on an important link.

    Thanks again for your time and patience.



  • 4.  RE: srx650 standalone to cluster configuration
    Best Answer

    Posted 07-25-2013 15:58



    In standalone mode, the naming convention of the interfaces is different from what you will use in cluster mode, which is why you need to run the command:

    set chassis cluster cluster-id <ID> node <NO.>

    This will turn a standalone node to cluster mode. After running this, you will need to reboot the node for it to take effect.

    You can use some parts of your configs, e.g. the policies, but the interfaces under the zones will be different as you will need to use reth interfaces instead.

    You don't necessarily need to delete all the config and reset the root password, but it's easier to start from scratch with a clean slate.

    I don't think you can make this change on a live firewall. There is definitely going to be downtime, and you need to prepare configs before you go into the maintenance window for sure.

    There are basically a couple of sections you need to take note of:

    groups (this will define what is unique to each node,  node0 and node1)
    eg:
    set groups node0 system host-name SRX1
    set groups node0 interfaces fxp0 unit 0 family inet address 192.168.1.1/24
    set groups node1 system host-name SRX2
    set groups node1 interfaces fxp0 unit 0 family inet address 192.168.1.2/24
    set apply-groups "${node}"

    control interface between 2 nodes:
    ref to KB this is fixed and not configurable

    fabric interfaces between 2 nodes:
    set interfaces fab0 fabric-options member-interfaces <INTERFACE>
    set interfaces fab1 fabric-options member-interfaces <INTERFACE>

    cluster/ha options (control failover monitoring and failover timer)
    set chassis cluster reth-count 2
    set chassis cluster redundancy-group 1 node 0 priority 100
    set chassis cluster redundancy-group 1 node 1 priority 50
    set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
    set chassis cluster redundancy-group 1 interface-monitor ge-3/0/0 weight 255

    traffic passing interfaces:
    set interfaces ge-0/0/0 gigether-options redundant-parent reth1
    set interfaces ge-3/0/0 gigether-options redundant-parent reth1
    set interfaces reth1 vlan-tagging
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 unit 10 vlan-id 10
    set interfaces reth1 unit 10 family inet address 192.168.2.254/24
    set interfaces reth1 unit 20 vlan-id 20
    set interfaces reth1 unit 20 family inet address 192.168.1.254/24
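
A pre-maintenance check for the prepared cluster configuration described in the answer above, as an added example that is not part of the original thread or any Juniper tooling. It reads Junos `set` lines and flags identical fxp0 addresses on node0 and node1, reth interfaces outside `reth-count` or without a redundancy group, and zones still bound to a physical interface that is now a reth member; the function name, the sample config and its addresses are constructed for illustration.

```python
import re

# Constructed sample: a draft cluster config containing three mistakes.
SAMPLE = """\
set groups node0 interfaces fxp0 unit 0 family inet address 192.0.2.1/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.0.2.1/24
set chassis cluster reth-count 1
set interfaces ge-0/0/0 gigether-options redundant-parent reth1
set interfaces ge-3/0/0 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces reth1.10
"""

def lint_cluster_config(text):
    """Return a list of findings for a draft SRX cluster config in 'set' format."""
    fxp0, members, reth_with_rg, zone_ifaces = {}, {}, set(), []
    reth_count = 0
    for l in (x.strip() for x in text.splitlines()):
        if m := re.match(r"set groups (node[01]) interfaces fxp0 unit 0 family inet address (\S+)", l):
            fxp0[m[1]] = m[2].split("/")[0]             # per-node management address
        elif m := re.match(r"set chassis cluster reth-count (\d+)", l):
            reth_count = int(m[1])                      # allows reth0 .. reth(N-1)
        elif m := re.match(r"set interfaces (\S+) \S+-options redundant-parent (reth\d+)", l):
            members[m[1]] = m[2]                        # physical port -> parent reth
        elif m := re.match(r"set interfaces (reth\d+) redundant-ether-options redundancy-group \d+", l):
            reth_with_rg.add(m[1])
        elif m := re.match(r"set security zones security-zone (\S+) interfaces (\S+)", l):
            zone_ifaces.append((m[1], m[2].split(".")[0]))  # drop the unit number
    findings = []
    if len(fxp0) == 2 and fxp0["node0"] == fxp0["node1"]:
        findings.append(f"fxp0 address {fxp0['node0']} is the same on node0 and node1")
    for reth in sorted(set(members.values())):
        if int(reth[4:]) >= reth_count:
            findings.append(f"{reth} is outside reth-count {reth_count}")
        if reth not in reth_with_rg:
            findings.append(f"{reth} has no redundancy-group")
    for zone, ifc in zone_ifaces:
        if ifc in members:                              # zone must use the reth, not its member
            findings.append(f"zone {zone} references {ifc}, a member of {members[ifc]}")
    return findings

if __name__ == "__main__":
    for finding in lint_cluster_config(SAMPLE):
        print("FINDING:", finding)
```

Running the check against the exported draft before the maintenance window catches these mistakes while the standalone firewall is still carrying traffic.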



  • 5.  RE: srx650 standalone to cluster configuration

    Posted 07-26-2013 04:03

    wl,

    Once again, many thanks for your help and patience.

    I'll start planning now!