2022-05-30
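I. Test environment
Two SRX220 devices
II. Configuration notes
On the SRX 220, the default out-of-band management port is Ge-0/0/6, the control port is Ge-0/0/7, and the data synchronization port is Ge-0/0/1. Once the devices are clustered, the interfaces are labelled Ge-0/0/0-7 and Ge-3/0/0-7. Interface numbering after clustering differs between models; see the official documentation for details.
III. Interface IP addresses of the connected devices
G-0/0/3: 192.168.3.1/24
G-0/0/4: 192.168.4.1/24
G-0/0/5: 192.168.5.1/24
MGT: 10.10.30.189-190/24
F0/0: 192.168.4.2/24
F0/1: 192.168.6.1/24 (simulates the remote Internet)
IV. Topology diagram
V. Configuration
(1) Routed-mode hot-standby HA
1. Detailed configuration: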
On device A: >set chassis cluster cluster-id 1 node 0 reboot
On device B: >set chassis cluster cluster-id 1 node 1 reboot
On device A:
set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
set chassis cluster reth-count 3
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 192.168.5.1/24
set security zones security-zone trust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone DMZ interfaces reth2.0
2. Verification:
Check the cluster status of both nodes
root@SRX-Primary> show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual failover
Redundancy group: 0 , Failover count: 1
node0 100 primary no no
node1 1 secondary no no
Redundancy group: 1 , Failover count: 1
node0 100 primary no no
node1 1 secondary no no
3. Test primary/secondary failover
4. Check the current primary/secondary state of the devices:
5. Configuration explained:
On device A: >set chassis cluster cluster-id 1 node 0 reboot
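//Define the cluster-id and node. Both members of a cluster must use the same cluster-id; valid values are 0-15, where 0 disables clustering. node takes 0 or 1, where 0 is the primary device
On device B: >set chassis cluster cluster-id 1 node 1 reboot
//Define the cluster-id and node. Both members of a cluster must use the same cluster-id; valid values are 0-15, where 0 disables clustering. node takes 0 or 1, where 0 is the primary device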
On device A:
set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
//Give each cluster member its own host name and management IP address
set apply-groups "${node}"
//Apply the group configuration above to each individual node
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
//Define the data-plane fabric (fab) interfaces and associate their member ports
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
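//Set each node's priority in each redundancy group. The priority range is 1-254, and a higher value means a higher priority. It is customary to define two redundancy groups: redundancy-group 0 for the control engine and redundancy-group 1 for the data engine. You can also place each set of redundant ports in a redundancy-group of its own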
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
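//Configure interface monitoring on the data redundancy ports; configuring interface monitoring on redundancy-group 0 is not recommended. When a monitored interface fails, the priority drops by 255, which gives automatic failover of the data ports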
set chassis cluster reth-count 3
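//Define the maximum number of redundant (reth) interfaces the cluster supports. It must be no lower than the number of reth interfaces currently configured; otherwise the reth interfaces beyond that count will not work properly and their routes will not take effect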
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
//Add the physical ports to the redundant interface (reth), and add reth0 to the data redundancy group redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.168.3.1/24
//Configure an IP address on the redundant logical interface
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
//Add the physical ports to the redundant interface (reth), and add reth1 to the data redundancy group redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.4.1/24
//Configure an IP address on the redundant logical interface
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1
//Add the physical ports to the redundant interface (reth), and add reth2 to the data redundancy group redundancy-group 1
set interfaces reth2 unit 0 family inet address 192.168.5.1/24
//Configure an IP address on the redundant logical interface
set security zones security-zone trust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone DMZ interfaces reth2.0
//Bind the cluster's logical interfaces to security zones
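The constraints stated in the notes above (reth-count no lower than the number of reth interfaces, a member port on each node, interface monitoring on the data ports, every reth bound to a zone) can be checked offline before the configuration is committed. The following is an added example, not part of the original article or of any Juniper tool; the function name audit, the sample input and the rule that FPC slot 3 means node 1 (as on the SRX220 pair used here) are assumptions made for illustration.

```python
import re

# Constructed sample: a cut-down routed-mode config with deliberate mistakes
# (reth-count too low; reth2 has one unmonitored member and no security zone).
SAMPLE = """\
set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth2 redundant-ether-options redundancy-group 1
set security zones security-zone trust interfaces reth0.0
"""

def audit(config, node1_fpc="3"):
    """Return a list of findings for a chassis-cluster 'set' configuration."""
    grab = lambda pat: re.findall(pat, config, re.M)
    m = re.search(r"^set chassis cluster reth-count (\d+)", config, re.M)
    reth_count = int(m.group(1)) if m else 0
    members = {}  # reth name -> physical member interfaces
    for ifd, reth in grab(r"^set interfaces (\S+) gigether-options redundant-parent (\S+)"):
        members.setdefault(reth, []).append(ifd)
    rg_of = dict(grab(r"^set interfaces (reth\d+) redundant-ether-options redundancy-group (\d+)"))
    monitored = set(grab(r"^set chassis cluster redundancy-group (\d+) interface-monitor (\S+)"))
    zoned = set(grab(r"^set security zones security-zone \S+ interfaces (reth\d+)\.\d+"))
    findings = []
    if reth_count < len(members):
        findings.append(f"reth-count {reth_count} < {len(members)} reth interfaces in use")
    for reth in sorted(members):
        # Assumption: the FPC slot in the interface name identifies the node.
        nodes = {"node1" if i.split("-")[1].split("/")[0] == node1_fpc else "node0"
                 for i in members[reth]}
        for node in sorted({"node0", "node1"} - nodes):
            findings.append(f"{reth}: no member interface on {node}")
        for ifd in members[reth]:
            if (rg_of.get(reth), ifd) not in monitored:
                findings.append(f"{reth}: member {ifd} is not interface-monitored")
        if reth not in zoned:
            findings.append(f"{reth}: not bound to any security zone")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The zone check applies to the routed-mode configuration in this section; the node-to-slot mapping must be adjusted for other SRX models.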
(2) Transparent-mode hot-standby HA
1. Detailed configuration:
On device A: >set chassis cluster cluster-id 1 node 0 reboot
On device B: >set chassis cluster cluster-id 1 node 1 reboot
On device A:
set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family bridge interface-mode access
set interfaces reth0 unit 0 family bridge vlan-id 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family bridge interface-mode access
set interfaces reth1 unit 0 family bridge vlan-id 1
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family bridge interface-mode access
set interfaces reth2 unit 0 family bridge vlan-id 1
set bridge-domains sysway domain-type bridge
set bridge-domains sysway vlan-id 1
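2. Verification
Check the cluster status of both nodes:
3. Configuration explained
On device A: >set chassis cluster cluster-id 1 node 0 reboot
On device B: >set chassis cluster cluster-id 1 node 1 reboot
//Define the cluster-id and node. Both members of a cluster must use the same cluster-id; valid values are 0-15, where 0 disables clustering. node takes 0 or 1, where 0 is the primary device
On device A: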
set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
//Apply the group configuration above to each individual node
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
//Set the redundant (reth) interface count and each node's priority in the redundancy groups
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
//Configure interface monitoring in the data redundancy group
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
//Attach the physical interfaces to their redundant (reth) interfaces
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
//Define the data-plane fabric (fab) interfaces and associate their member ports
set interfaces reth0 redundant-ether-options redundancy-group 1
//Associate interface reth0 with redundancy-group 1
set interfaces reth0 unit 0 family bridge interface-mode access
//Set the logical interface to bridge mode with interface type access
set interfaces reth0 unit 0 family bridge vlan-id 1
//Set the logical interface to bridge mode and allow VLAN 1 traffic through (the VLAN ID should be the same VLAN as the directly connected switch port)
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family bridge interface-mode access
set interfaces reth1 unit 0 family bridge vlan-id 1
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family bridge interface-mode access
set interfaces reth2 unit 0 family bridge vlan-id 1
//Set the corresponding properties for reth1 and reth2
set bridge-domains sysway domain-type bridge
//Define the bridge domain type and the bridge domain name
set bridge-domains sysway vlan-id 1
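//Define the bridge domain's VLAN ID; it should match the one defined on the reth interfaces
(3) Transparent-mode hot-standby HA (interconnected via trunk interfaces)
1. Detailed configuration: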
On device A:>set chassis cluster cluster-id 1 node 0 reboot
On device B:>set chassis cluster cluster-id 1 node 1 reboot
On device A:
set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 vlan-tagging
set interfaces reth0 native-vlan-id 1
set interfaces reth0 unit 0 family bridge interface-mode trunk
set interfaces reth0 unit 0 family bridge vlan-id-list 1-1000
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 vlan-tagging
set interfaces reth1 native-vlan-id 1
set interfaces reth1 unit 0 family bridge interface-mode trunk
set interfaces reth1 unit 0 family bridge vlan-id-list 1-1000
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 vlan-tagging
set interfaces reth2 native-vlan-id 1
set interfaces reth2 unit 0 family bridge interface-mode trunk
set interfaces reth2 unit 0 family bridge vlan-id-list 1-1000
set bridge-domains sysway vlan-id-list 1-1000
2. Verification
Manual primary/secondary failover:
Current cluster status of both nodes:
3. Configuration explained
On device A:>set chassis cluster cluster-id 1 node 0 reboot
On device B:>set chassis cluster cluster-id 1 node 1 reboot
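//Define the cluster-id and node. Both members of a cluster must use the same cluster-id; valid values are 0-15, where 0 disables clustering. node takes 0 or 1, where 0 is the primary device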
On device A:
set groups node0 system host-name SRX-Primary
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.30.189/24
set groups node1 system host-name SRX-Secondby
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.30.190/24
set apply-groups "${node}"
//Apply the group configuration above to each individual node
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
//Set the redundant (reth) interface count and each node's priority in the control redundancy group
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/5 weight 255
//Configure interface monitoring in the data redundancy group
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/5 gigether-options redundant-parent reth2
//Attach the physical interfaces to the redundant (reth) interfaces of the data redundancy group
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-3/0/1
//Define the data-plane fabric (fab) interfaces and associate their member ports
set interfaces reth0 redundant-ether-options redundancy-group 1
//Associate interface reth0 with redundancy-group 1
set interfaces reth0 vlan-tagging
//Enable 802.1Q support on the interface
set interfaces reth0 native-vlan-id 1
//Set the interface's native VLAN ID to 1
set interfaces reth0 unit 0 family bridge interface-mode trunk
//Set the logical interface to trunk mode
set interfaces reth0 unit 0 family bridge vlan-id-list 1-1000
//Set the VLAN IDs allowed through the interface
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 vlan-tagging
set interfaces reth1 native-vlan-id 1
set interfaces reth1 unit 0 family bridge interface-mode trunk
set interfaces reth1 unit 0 family bridge vlan-id-list 1-1000
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 vlan-tagging
set interfaces reth2 native-vlan-id 1
set interfaces reth2 unit 0 family bridge interface-mode trunk
set interfaces reth2 unit 0 family bridge vlan-id-list 1-1000
//Set the corresponding properties for reth1 and reth2
set bridge-domains sysway vlan-id-list 1-1000
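//Define the bridge domain and its allowed VLAN IDs; they should match those defined on the reth interfaces
Bridge domain definition for trunk-mode HA on newer software versions: set bridge-domains SRX650-CRM domain-type bridge vlan-id-list 1-1000 (not yet verified!)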