Configure High Availability Cluster in Juniper SRX

The post Configure High Availability Cluster in Juniper SRX appeared first on MustBeGeek.

Juniper SRX series firewall provides high availability options for continuous service operation. There are different ways of configuring high availability cluster in Juniper SRX. It is easy to configure high availability cluster in Juniper SRX. But before configuring cluster you must understand some basics of SRX cluster and concepts.

Configure High Availability Cluster in Juniper SRX

Before typing commands for SRX cluster. There are some few important things that is to be done.

1. Upgrade all the SRX devices to latest Juniper recommended JunOS.
2. Backup and delete existing SRX configurations.

So, let’s get started. There are different modes for SRX cluster deployments. Most popular is, active/active and active/passive. In this post, I will show active/passive configuration. Steps to configure active/passive configuration are: -

1. Cluster ID and Node ID: Cluster ID is an identifier which identifies members in a cluster. For example, cluster 1 can have two nodes or members. Node ID identifies or represents each member device in a cluster. For example, Node 0 is primary and Node 1 is secondary device in a cluster.
2. Control link and Data link: Control link and data link are two important links in SRX cluster. Nodes in cluster use these link to talk with each other about status of cluster and other traffic information. Control link is path to configure devices in a cluster. Data link allows session synchronization between nodes. Different SRX models have different control port set up. Table below shows dedicated control ports.
   
3. Redundancy Groups: Redundancy groups or simply RG defines resources that are grouped from both nodes to be active or passive.
4. Interfaces: Interfaces can be Reth (Redundant Ethernet) or local interfaces. Reth interfaces is created in cluster to configure redundant links. You can’t use local interfaces in redundancy groups.

The diagram below shows our basic network scenario. We will configure SRX 240 cluster in active – passive mode.

Step 1: Enable Chassis Cluster (Configure Cluster ID and Node ID)

To enable chassis cluster in Node 0 type the following command.

You can configure cluster ID from 0 to 15 in Juniper SRX. Similarly, enter following command in SRXB to enable cluster.

After the reboot you will see a little change in the command prompt of both device. You will see following prompt in node 0.

So the cluster is enabled. To view the cluster status, type show chassis cluster status.

Step 2: Configure Control Link and Data Link

Now let’s configure control link and data link. Control link is configured by default. You just need to plug in the cables to ports of both nodes. For SRX 240 control ports are ge-0/0/1 and ge-5/0/1. Plug in the cable in these ports and reboot node 1. After the reboot type show chassis cluster status command. You will see primary and secondary for node 0 and node 1 devices respectively.

Data link can be configured on any remaining ports of the device. Here, I will configure data link on port ge-0/0/2 and ge-5/0/2. To configure data link ports, special type of aggregated interface is configured. This special interface is called fab0 and fab1 for node 0 and node 1 respectively. To make these interfaces as data link type following commands in [edit interface] hierarchy.

Commit the configuration and plug the cables in these ports.

Step 3:  Configure Redundancy Groups

Redundancy groups are most vital part of SRX clusters. Redundancy groups define resources to be active or passive. Redundancy groups contain interfaces of both nodes. Interface of primary node 0 is the interface that pass the traffic. Redundancy group 0 is created by default after cluster is configured. Similarly, control ports are assigned in redundancy group 0 by default. You can create up to maximum of 129 redundancy groups in SRX cluster. Here we will create another redundancy group called redundancy group 1 making total of two redundancy groups in our SRX 240 cluster. Each redundancy group (RG) is configured with priority. Higher priority takes precedence over lower priority. If you do not configure priority for redundancy group then priority of 1 is created by default for primary node 0.

At first, let’s configure priority for default redundancy group 0. Type following commands to configure priority for RG 0.

Now, to create new redundancy group 1, type following command.

{primary:node0}[edit chassis cluster]
root@SRXA# set redundancy-group 1 node 0 priority 254
{primary:node0}[edit chassis cluster]
root@SRXA# set redundancy-group 1 node 1 priority 1

Step 4: Configure Interfaces

We need to create Reth interfaces to configure redundant interfaces. Before creating Reth interfaces we need to define number of reth interface to be created. As you can see in our scenario diagram, we will create Reth0 and Reth1 interfaces. So type following commands to configure reth interfaces.

Defining number of Reth interfaces

Configure Reth interfaces

You can view interfaces by typing following commands.

This is how you can configure high availability in Juniper SRX devices.

The post Configure High Availability Cluster in Juniper SRX appeared first on MustBeGeek.