I build SRX clusters pretty often and thought i'll documenting the process. I have typed up this article (not tested yet), but am confident it covers all the steps needed to build a cluster on the SRX platform.
The "how to" or Step by Step" Juniper SRX300, 320, 340, 345 clustering guide.
Minimum Junos Version: 12.1X47-D10
- SRX300 Control Ports: Connect ge-0/0/1 on node 0 to ge-0/0/1 on node 1. < -- Becomes the fxp0 interfaces
- SRX300 Fabric Ports: Connect ge-0/0/0 on node 0 to ge-0/0/0 on node 1. < -- Becomes the fab0/1 interfaces
Depending on your SRX model this will be the port re-numbering scheme applied:
- SRX300 : ge-0/0/1 interface on node 1 changes to ge-1/0/1
- SRX320 : ge-0/0/1 interface on node 1 changes to ge-3/0/1
- SRX340/345 : ge-0/0/1 interface on node 1 changes to ge-5/0/1
General Notes:
- Interconnect the control interfaces: connect interface srx0 ge-0/0/1 to srx1 ge-0/0/1
- Interconnect the fabric interfaces: connect interface srx0 ge-0/0/2 to srx1 ge-0/0/2
- Connect the physical interfaces you intend to send network traffic over directly to the same switch initially.
- Connect Network Interfaces to the switch: connect interface ge-0/0/3 and ge-0/0/4 to your switch for both srx0 and srx1.
- !! Do not put the switch ports into any kind of LAG configuration !!
- Configure the switch ports as access ports (no vlanning) to simplify initial trouble shooting, once the cluster and ports are functional you can switch ports to trunk and pass multiple vlans.
- All configurations are done via the SRX direct or usb-to-serial management port.
On srx0 and srx1:
Clear the config on both devices and set the root password.
set system root authentication plaintext-password
set protocols l2-learning global-mode switching
commit
On srx0:
set chassis cluster cluster-id 1 node 0 reboot
On srx1:
set chassis cluster cluster-id 1 node 1 reboot
Review:
run show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual failover
Redundancy group: 0 , Failover count: 1
node0 100 primary no no
node1 1 secondary no no
Redundancy group: 1 , Failover count: 1
node0 0 primary no no
node1 0 secondary no no
After the cluster is built configure management:
set groups node0 system host-name srx300-node0
set groups node0 interfaces fxp0 unit 0 family inet address 10.1.1.1/24
set groups node1 system host-name srx300-node1
set groups node1 interfaces fxp0 unit 0 family inet address 10.1.1.2/24
set apply-groups "${node}"
commit
Review:
run show interfaces terse | match fxp0
fxp0 up up
fxp0.0 up up inet 10.1.1.1/24
Configure the chassis cluster fabric:
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-1/0/2
commit
Review:
run show interfaces terse | match fab
ge-0/0/2.0 up up aenet --> fab0.0
ge-1/0/2.0 up up aenet --> fab1.0
fab0 up up
fab0.0 up up inet 30.17.0.200/24
fab1 up up
fab1.0 up up inet 30.18.0.200/24
run show chassis cluster data-plane interfaces
fab0:
Name Status
ge-0/0/2 up
fab1:
Name Status
ge-1/0/2 up
Verification:
run show chassis cluster data-plane statistics
Services Synchronized:
Service name RTOs sent RTOs received
Translation context 0 0
Incoming NAT 0 0
Resource manager 0 0
DS-LITE create 0 0
Session create 1428919 0
IPv6 session create 0 0
Session close 537639 0
IPv6 session close 0 0
Session change 130005 0
IPv6 session change 0 0
ALG Support Library 121 0
Gate create 0 0
Session ageout refresh requests 0 10241
IPv6 session ageout refresh requests 0 0
Session ageout refresh replies 9513 0
IPv6 session ageout refresh replies 0 0
IPSec VPN 9 0
Firewall user authentication 0 0
MGCP ALG 0 0
H323 ALG 0 0
SIP ALG 0 0
SCCP ALG 0 0
PPTP ALG 0 0
JSF PPTP ALG 0 0
RPC ALG 0 0
RTSP ALG 0 0
RAS ALG 0 0
MAC address learning 0 0
GPRS GTP 0 0
GPRS SCTP 0 0
GPRS FRAMEWORK 0 0
JSF RTSP ALG 0 0
JSF SUNRPC MAP 0 0
JSF MSRPC MAP 0 0
DS-LITE delete 0 0
JSF SLB 0 0
APPID 0 0
JSF MGCP MAP 0 0
JSF H323 ALG 0 0
JSF RAS ALG 0 0
JSF SCCP MAP 0 0
JSF SIP MAP 0 0
PST_NAT_CREATE 0 0
PST_NAT_CLOSE 0 0
PST_NAT_UPDATE 0 0
JSF TCP STACK 0 0
JSF IKE ALG 0 0
Clear stats if needed:
run clear chassis cluster data-plane statistics
Configure the chassis cluster interfaces:
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-1/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-1/0/4 weight 255
set chassis cluster reth-count 2
commit
Configure redundant interfaces:
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-1/0/3 gigether-options redundant-parent reth0
*******************************************************************
Access Port Mode:
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 172.30.111.254/24
OR
Trunk Port Mode:
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 903 family inet address 172.30.111.254/24
Or
Trunk Port Mode Multiple Sub Interfaces:
set interfaces reth0 vlan-tagging
set interfaces reth0 unit 903 family inet address 172.30.111.254/24
set interfaces reth0 unit 904 family inet address 172.16.1.254/24
*******************************************************************
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-1/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 172.16.1.254/24
commit
*******************************************************************
Same Applies for Access/Trunk or Mutliple Sub Interfaces as above.
The rest of this configuartion is built around access interfaces.
*******************************************************************
Add the interfaces to the security zone:
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces reth0.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces reth1.0
commit
Verification:
run show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual failover
Redundancy group: 0 , Failover count: 1
node0 100 primary no no
node1 1 secondary no no
Redundancy group: 1 , Failover count: 1
node0 0 primary no no
node1 0 secondary no no
#run show chassis cluster interfaces
Control link name: em0
Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Up 1
reth1 Up 1
Interface Monitoring:
Interface Weight Status Redundancy-group
ge-0/0/3 255 Up 1
ge-0/0/4 255 Up 1
ge-1/0/3 255 Up 1
ge-1/0/4 255 Up 1
Verification:
run show chassis cluster statistics
Control link statistics:
Control link 0:
Heartbeat packets sent: 2276
Heartbeat packets received: 2280
Heartbeat packets errors: 0
Fabric link statistics:
Child link 0
Probes sent: 2272
Probes received: 597
Services Synchronized:
Service name RTOs sent RTOs received
Translation context 0 0
Incoming NAT 0 0
Resource manager 6 0
Session create 161 0
Session close 148 0
Session change 0 0
Gate create 0 0
Session ageout refresh requests 0 0
Session ageout refresh replies 0 0
IPSec VPN 0 0
Firewall user authentication 0 0
MGCP ALG 0 0
H323 ALG 0 0
SIP ALG 0 0
SCCP ALG 0 0
PPTP ALG 0 0
RPC ALG 0 0
RTSP ALG 0 0
RAS ALG 0 0
MAC address learning 0 0
GPRS GTP 0 0
Verification:
run show chassis cluster control-plane statistics
Control link statistics:
Control link 0:
Heartbeat packets sent: 2294
Heartbeat packets received: 2298
Heartbeat packets errors: 0
Fabric link statistics:
Child link 0
Probes sent: 2290
Probes received: 615
Verification:
run show chassis cluster status redundancy-group 1
Cluster ID: 1
Node Priority Status Preempt Manual failover
Redundancy group: 1, Failover count: 1
node0 100 primary no no
node1 50 secondary no no
Create a test policy:
!! NOTE You need to delete/disable this before going into production !!
set security policies global policy FullAccessTest match source-address any
set security policies global policy FullAccessTest match destination-address any
set security policies global policy FullAccessTest match application any
set security policies global policy FullAccessTest then permit
Troubleshooting logs:
run show log jsrpd
run show log chassisd
run show log messages
run show log dcd
Still to complete:
1) Configure security policies to allow traffic between zones.
2) Configuring NAT'ting if required.
3) Configure routing-options.
4) Configure untrust zone screening
Hopefully that works for you 🙂