
vSRX Cluster - Any Suggestions?

06-17-2020 06:04 PM

Hi all,

I've done some basic testing and everything seems to be working correctly, but I was wondering if anyone could criticize my config / tell me what I could do better?


{primary:node1}[edit]
## Last changed: 2020-06-17 23:13:03 UTC
version 18.4R3-S2;
groups {
    node0 {
        system {
            host-name N/A;
        }
        interfaces {
            fab0 {
                fabric-options {
                    member-interfaces {
                        ge-0/0/0;
                    }
                }
            }
            fab1 {
                fabric-options {
                    member-interfaces {
                        ge-7/0/0;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name N/A;
        }
        interfaces {
            fab0 {
                fabric-options {
                    member-interfaces {
                        ge-0/0/0;
                    }
                }
            }
            fab1 {
                fabric-options {
                    member-interfaces {
                        ge-7/0/0;
                    }
                }
            }
        }
    }
}
apply-groups node0;
system {
    services {
        ssh {
            root-login allow;
        }
        web-management {
            http {
                interface fxp0.0;
            }
            https {
                system-generated-certificate;
                interface fxp0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    cluster {
        reth-count 4;
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set Global {
                from routing-instance Testing;
                to zone WAN;
                rule A {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                        application any;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone N/A to-zone N/A {
            policy Permit-All {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone N/A to-zone N/A {
            policy Permit-All {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone N/A to-zone N/A {
            policy Permit-All {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone N/A to-zone N/A {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone N/A to-zone N/A {
            policy Permit-All {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone N/A to-zone N/A {
            policy Permit-All {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone N/A to-zone N/A {
            policy Permit-All {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone N/A to-zone N/A {
            policy Permit-All {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone N/A to-zone N/A {
            policy Permit-All {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone N/A {
            interfaces {
                reth0.1066;
                reth1.1066;
            }
        }
        security-zone N/A {
            host-inbound-traffic {
                system-services {
                    ping;
                }
                protocols {
                    bgp;
                }
            }
            interfaces {
                reth0.1000;
                reth1.1000;
                reth0.660;
                reth1.670;
            }
        }
        security-zone N/A {
            host-inbound-traffic {
                system-services {
                    ping;
                }
                protocols {
                    bgp;
                }
            }
            interfaces {
                reth0.1001;
                reth1.1001;
            }
        }
        security-zone N/A {
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                }
            }
            interfaces {
                reth0.669;
            }
        }
        security-zone N/A {
            host-inbound-traffic {
                system-services {
                    ping;
                }
                protocols {
                    bgp;
                }
            }
            interfaces {
                reth0.1048;
                reth1.1048;
                reth2.1048;
            }
        }
        security-zone N/A {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                }
            }
            interfaces {
                reth0.667;
                reth1.667;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/2 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-7/0/1 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-7/0/2 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-7/0/3 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 660 {
            vlan-id 660;
            family inet {
                address 
            }
        }
        unit 667 {
            vlan-id 667;
            family inet {
                address 
            }
        }
        unit 669 {
            vlan-id 669;
            family inet {
            }
        }
        unit 1000 {
            vlan-id 1000;
            family inet {
                address 10.100.0.1/24;
            }
        }
        unit 1001 {
            vlan-id 1001;
            family inet {
                address 10.100.1.1/24;
            }
        }
        unit 1048 {
            vlan-id 1048;
            family inet {
                address 10.100.48.1/24;
            }
        }
        unit 1066 {
            vlan-id 1066;
            family inet {
                address 10.100.66.1/24;
            }
        }
    }
    reth1 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 667 {
            vlan-id 667;
            family inet {
                address 10.66.7.249/24;
            }
        }
        unit 670 {
            vlan-id 670;
            family inet {
                address 10.67.0.101/24;
            }
        }
        unit 1000 {
            vlan-id 1000;
            family inet {
                address 10.101.0.1/24;
            }
        }
        unit 1001 {
            vlan-id 1001;
            family inet {
                address 10.101.1.1/24;
            }
        }
        unit 1048 {
            vlan-id 1048;
            family inet {
                address 10.101.48.1/24;
            }
        }
        unit 1066 {
            vlan-id 1066;
            family inet {
                address 10.101.66.1/24;
            }
        }
    }
    reth2 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 1048 {
            vlan-id 1048;
            family inet {
                address 172.69.241.1/24;
            }
        }
    }
}
policy-options {
    policy-statement Default {
        term A {
            from {
                instance master;
                route-filter 0.0.0.0/0 exact;
                route-filter 10.100.0.1/32 exact;
                route-filter 192.168.138.15/32 exact;
                route-filter 192.168.138.16/32 exact;
                route-filter 10.101.0.1/32 exact;
            }
            then accept;
        }
        term B {
            then reject;
        }
    }
    policy-statement N/A {
        from interface reth2.1048;
        then accept;
    }
    policy-statement N/A {
        term A {
            from {
                instance Manage;
                route-filter 0.0.0.0/0 exact;
            }
            then reject;
        }
        term B {
            from {
                instance-any;
                route-filter 10.0.0.0/8 exact;
                route-filter 172.16.0.0/12 exact;
                route-filter 192.168.0.0/16 exact;
            }
            then accept;
        }
    }
    policy-statement WAN-LoadBalance {
        then {
            load-balance per-packet;
        }
    }
}
firewall {
    policer 30mb {
        if-exceeding {
            bandwidth-limit 30m;
            burst-size-limit 625k;
        }
        then discard;
    }
}
routing-instances {
    N/A {
        instance-type virtual-router;
        interface reth0.1066;
        interface reth1.1066;
        routing-options {
            static {
                route N/A/24 next-hop N/A;
            }
            instance-import Default;
        }
        protocols {
            bgp {
                group N/A {
                    type external;
                    local-address 10.100.66.1;
                    peer-as 1066;
                    local-as 1000;
                    neighbor 10.100.66.2;
                }
                group N/A {
                    type external;
                    local-address 10.101.66.1;
                    peer-as 1066;
                    local-as 1000;
                    neighbor 10.101.66.2;
                }
            }
        }
    }
    N/A {
        instance-type virtual-router;
        interface reth0.667;
        interface reth1.667;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop N/A;
            }
        }
    }
    N/A {
        instance-type virtual-router;
        interface reth0.1001;
        interface reth1.1001;
        routing-options {
            static {
                route N/A next-hop N/A;
            }
            instance-import Default;
        }
        protocols {
            bgp {
                group N/A-N0 {
                    type external;
                    local-address 10.100.1.1;
                    peer-as 1001;
                    local-as 1000;
                    neighbor 10.100.1.2;
                }
                group N/A-N1 {
                    type external;
                    local-address 10.101.1.1;
                    peer-as 1001;
                    local-as 1000;
                    neighbor 10.101.1.2;
                }
            }
        }
    }
    N/A {
        instance-type virtual-router;
        interface reth0.1048;
        interface reth1.1048;
        interface reth2.1048;
        routing-options {
            instance-import Default;
        }
        protocols {
            bgp {
                group Testing {
                    type external;
                    local-address 10.100.48.1;
                    export N/A-Resources;
                    peer-as 1048;
                    local-as 1000;
                    neighbor 10.100.48.2;
                }
                group N/A-N1 {
                    type external;
                    local-address 10.101.48.1;
                    export N/A-Resources;
                    peer-as 1048;
                    local-as 1000;
                    neighbor 10.101.48.2;
                }
            }
        }
    }
}
routing-options {
    static {
        route N/A next-hop [ N/A N/A ];
    }
    forwarding-table {
        export WAN-LoadBalance;
    }
    instance-import ToCustomer;
}

{primary:node1}[edit]
root@MLB-vSRX-C1N0# show chassis
cluster {
    reth-count 4;
    redundancy-group 1 {
        node 0 priority 200;
        node 1 priority 100;
    }
}

{primary:node1}[edit]
root@MLB-vSRX-C1N0# show interfaces
ge-0/0/1 {
    gigether-options {
        redundant-parent reth0;
    }
}
ge-0/0/2 {
    gigether-options {
        redundant-parent reth1;
    }
}
ge-0/0/3 {
    gigether-options {
        redundant-parent reth2;
    }
}
ge-7/0/1 {
    gigether-options {
        redundant-parent reth0;
    }
}
ge-7/0/2 {
    gigether-options {
        redundant-parent reth1;
    }
}
ge-7/0/3 {
    gigether-options {
        redundant-parent reth2;
    }
}
reth0 {
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 660 {
        vlan-id 660;
        family inet {
            address 10.66.0.101/24;
        }
    }
    unit 667 {
        vlan-id 667;
        family inet {
            address 10.66.7.248/24;
        }
    }
    unit 669 {
        vlan-id 669;
        family inet {
        }
    }
    unit 1000 {
        vlan-id 1000;
        family inet {
            address 10.100.0.1/24;
        }
    }
    unit 1001 {
        vlan-id 1001;
        family inet {
            address 10.100.1.1/24;
        }
    }
    unit 1048 {
        vlan-id 1048;
        family inet {
            address 10.100.48.1/24;
        }
    }
    unit 1066 {
        vlan-id 1066;
        family inet {
            address 10.100.66.1/24;
        }
    }
}
reth1 {
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 667 {
        vlan-id 667;
        family inet {
            address 10.66.7.249/24;
        }
    }
    unit 670 {
        vlan-id 670;
        family inet {
            address 10.67.0.101/24;
        }
    }
    unit 1000 {
        vlan-id 1000;
        family inet {
            address 10.101.0.1/24;
        }
    }
    unit 1001 {
        vlan-id 1001;
        family inet {
            address 10.101.1.1/24;
        }
    }
    unit 1048 {
        vlan-id 1048;
        family inet {
            address 10.101.48.1/24;
        }
    }
    unit 1066 {
        vlan-id 1066;
        family inet {
            address 10.101.66.1/24;
        }
    }
}
reth2 {
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 1048 {
        vlan-id 1048;
        family inet {
            address 172.69.241.1/24;
        }
    }
}

2 REPLIES
Solution
Accepted by topic author RoutingFrames
06-18-2020 06:39 AM

Re: vSRX Cluster - Any Suggestions?

06-17-2020 09:41 PM

Hi RoutingFrames,

Greetings, just a few observations:

    unit 660 {
        vlan-id 660;
        family inet {
            address
        }
    }
    unit 667 {
        vlan-id 667;
        family inet {
            address
        }
    }

There are family inet stanzas, but there is no IP address; not sure if you did it on purpose and you are planning to add them later.

security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }

queue-size 2000; ## Warning: 'queue-size' is deprecated

This is not doing anything in your configuration as the knob is deprecated as mentioned below.

Other than this everything looks great plus it is working as you desire, kudos to you! 

If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

Regards,

Lil Dexx
JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB
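As an added example (not code from this thread or from Juniper), here is a small Python lint pass that walks a Junos curly-brace config, tracks the stanza path, and flags the two things the reply above points out (a knob carrying the `## Warning: ... deprecated` annotation and an `address` with no value), plus a policy whose match terms are all `any` and whose action is `permit`. The sample excerpt is constructed from the post; the zone names LAN and WAN are placeholders.

```python
# Added example, not from the thread: lint a Junos curly-brace config for the issues raised above.
ANY_ANY_ANY = {"source-address", "destination-address", "application"}
SAMPLE_CONFIG = """\
security {
    screen {
        ids-option untrust-screen {
            tcp {
                syn-flood {
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                }
            }
        }
    }
    policies {
        from-zone LAN to-zone WAN {
            policy Permit-All {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
reth0 {
    unit 660 {
        family inet {
            address
        }
    }
}
"""  # constructed excerpt modelled on the post; LAN/WAN zone names are placeholders


def lint_junos(config: str) -> list[str]:
    """Track the stanza path line by line and return the findings as strings."""
    findings, path, any_terms = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.endswith("{"):             # a stanza opens
            path.append(line[:-1].strip())
        elif line == "}":                  # a stanza closes
            path.pop()
        elif line:                         # a statement, maybe with a ## annotation
            stmt, _, comment = line.partition("##")
            stmt = stmt.strip().rstrip(";")
            where, policy = " > ".join(path), " > ".join(path[:-1])
            if "deprecated" in comment:
                findings.append(f"{where}: '{stmt}' is deprecated and has no effect")
            elif stmt == "address":
                findings.append(f"{where}: 'address' has no value")
            elif path and path[-1] == "match" and stmt.endswith(" any"):
                any_terms.setdefault(policy, set()).add(stmt.split()[0])
            elif stmt == "permit" and any_terms.get(policy) == ANY_ANY_ANY:
                findings.append(f"{policy}: permits any source, destination and application")
    return findings
```

Run it as `lint_junos(open("config.txt").read())` on the output of `show configuration` to get one line per finding, each prefixed with the stanza path it sits in.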


Re: vSRX Cluster - Any Suggestions?

06-18-2020 06:42 AM

Good to hear!

Yeah, the "security" bits are all factory config, and I started deleting IP addresses and then I stopped because I'm lazy LOL