Mailing List

By Joining the mailing list you will be notified of site updates.

Show Your Support For
This Site By Donating:

Audience: Network Admins
Last Updated: 9/6/2013 5:32:02 PM
**All times are EST**

HOWTO - Juniper SRX Cluster Configuration

By Erik Rodriguez

Tags: Juniper SRX Cluster, JunOS cluster config, Juniper HA pair, Juniper SRX550 cluster

This article provides a step by step guide to creating an active-passive cluster between two SRX550 firewalls. This configuration will vary slightly between models, but the steps are same regardless.

Requirements

You will need conole access to both devices. Some commands will be entered on one or both firewalls which is indicated throughout the article. If you have performed any cluster configurations previously, enter the following commands on each (notice the hostnames) device via console from cli mode:


root@srx-primary> set chassis cluster cluster-id 0 node 0 reboot


root@srx-secondary> set chassis cluster cluster-id 0 node 1 reboot

Each device will reboot and once they return, enter the following from configuration mode, load the factory default configuration and set a root password:


root# load factory-default 


warning: activating factory configuration




[edit]
root# set system root-authentication plain-text-password    


New password:


Retype new password:




[edit]
root# commit 


commit complete

At this point, we should have a factory default configuration. We will need to remove some things to get the system ready for cluster configuration. We will need to delete the interfaces to be used by the cluster and any security zones, and vlans. From configuration mode:


root# delete vlans 

[edit]
root# delete interfaces vlan 

[edit]
root# delete interfaces ge-0/0/1.0 family ethernet-switching 

[edit]
root# delete interfaces ge-0/0/2.0 family ethernet-switching    

[edit]
root# delete interfaces ge-0/0/3.0 family ethernet-switching    

[edit]
root# delete interfaces ge-0/0/4.0 family ethernet-switching    

[edit]
root# delete interfaces ge-0/0/5.0 family ethernet-switching    

[edit]

root# delete interfaces ge-0/0/0    

[edit]

root# delete interfaces ge-0/0/1

[edit]

root# delete interfaces ge-0/0/2    

[edit]

root# delete security 

[edit]
root# commit 
commit complete

REMEMBER TO SWITCH YOU CONSOLE CABLE TO THE SECONDARY FIREWALL AND COMPLETE THE SAME STEPS. After you done, switch your console cable back to the primary firewall.

Since we have no interfaces configured, we can now start configuring the cluster and assigning the ports needed for cluster to communicate. I am using the SRX 550, so the interfaces used will be onboard interfaces ge-0/0/1 and ge-0/0/2. Once the devices are in cluster mode they will change.

Next, we will start the cluster configuration, your cluster-id will be 1 and your nodes will be 0 and 1 accordingly. DO NOT USE a cluster ID of 0, as it will disable clustering. Only use 1 or higher. You will need to console to each devices to issue these commands. On your primary firewall via console in cli mode but NOT configure mode:


root> set chassis cluster cluster-id 1 node 0 reboot 


Successfully enabled chassis cluster. Going to reboot now

The device will reboot, switch your console cable to your secondary firewall:


root> set chassis cluster cluster-id 1 node 1 reboot 


Successfully enabled chassis cluster. Going to reboot now

Both devices will reboot. Now look at the firewalls units, you will now notice the HA light on the front of each is now red. That is because the devices are clustered but cannot communicate with eachother. You can verify this from the primary node via console issue this command:


root> show chassis cluster status  
Cluster ID: 1 
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   1           primary        no       no  
    node1                   0           lost           n/a      n/a 

{primary:node0}

Once you plug in two cables between the firewalls (straight-through cables), your HA light should turn green. You will also see activity on ports ge-0/0/1. Run the command again:


root> show chassis cluster status   
Cluster ID: 1 
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   1           primary        no       no  
    node1                   1           secondary-hold no       no  

{primary:node0}

Next, we will set hostnames for each device, you will not need to switch the console cable any longer. The primary node will will transfer the configuration onces the cluster interfaces come up. Next we will setup the hostnames for each device and a network range for communication between the two devices. This network will only be used for communication betwee the clusters and nowhere else on your network(s).


root# set groups node0 system host-name srx.rdv-primary   
{primary:node0}[edit]

root# set groups node0 interfaces fxp0 unit 0 family inet address 192.168.168.1/24                
{primary:node0}[edit]

root# set groups node1 system host-name srx.rdv-secondary 

{primary:node0}[edit]
root# set groups node1 interfaces fxp0 unit 0 family inet address 192.168.168.2/24

{primary:node0}[edit]

root# set apply-groups "${node}"

{primary:node0}[edit]
root# commit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete

{primary:node0}[edit]

Notice when we commit those changes the system pushes the config to each node. Now that the cluster is working, you will notice the interface names have changed. My SRX550s each have a 16-port PIM in addition to the 10 native ports. THe interfaces will be renamed as following:

The native ports ge-0/0/x (on the primary) remain the same while secondary device will change those interfaces to ge-3/0/x. The 16-port PIMs will be named ge-9/0/x (on the primary) and ge-12/0/x (on the secondary). You can view the interface names buy running the following command (some results omitted):


root@srx.rdv-primary# run show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
gr-0/0/0                up    up
ip-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/3                up    down
ge-0/0/3.0              up    down
ge-0/0/4                up    down
ge-0/0/4.0              up    down
ge-0/0/5                up    down
ge-0/0/5.0              up    down
ge-0/0/6                up    down
ge-0/0/7                up    down
ge-0/0/8                up    down
ge-0/0/9                up    down
ge-3/0/0                up    down
---- omitted ----
ge-3/0/9                up    down
ge-3/0/10               up    down
ge-3/0/11               up    down
---- omitted ----
ge-3/0/15               up    down
ge-9/0/0                up    down
---- omitted ----
ge-9/0/9                up    down
ge-12/0/0               up    down
---- omitted ----
ge-12/0/14              up    down
ge-12/0/15              up    down

Next we will configure the fabric links for each device. You will need to speicify the correct interfaces that will be used here and they differ from model to model. I am using the SRX550 so they are ge-0/0/2 and ge-9/0/2 (from the native ports on the SRX).


root@srx.rdv-primary# set interfaces fab0 fabric-options member-interfaces ge-0/0/2   

{primary:node0}[edit]
root@srx.rdv-primary# set interfaces fab1 fabric-options member-interfaces ge-9/0/2

{primary:node0}[edit]

root@srx.rdv-primary# commit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete

{primary:node0}[edit]

Once commited, we will view the status by running the following command:


root@srx.rdv-primary# run show chassis cluster data-plane interfaces 
fab0:

    Name               Status      
                       (Physical/Monitored)
    ge-0/0/2           Up   / Up        
fab1:

    Name               Status      
                       (Physical/Monitored)
    ge-9/0/2           Up   / Up        

{primary:node0}[edit]

NOTE: you may need to reboot both devices for this to come up correctly. Sometimes when configuring these I know the configuration is correct but they don't show as up/up. Try a reboot of the devices before troubleshooting further if needed.

Now that we have those created, we will need to some redundancy groups. You will need at least 2 of them. One will be dedicated to the control plane, and the other will serve as a host for any and all redundant interfaces.


root@srx.rdv-primary# set chassis cluster reth-count 2   

{primary:node0}[edit]
root@srx.rdv-primary# set chassis cluster redundancy-group 0 node 0 priority 100

{primary:node0}[edit]

root@srx.rdv-primary# set chassis cluster redundancy-group 0 node 1 priority 99

{primary:node0}[edit]

root@srx.rdv-primary# set chassis cluster redundancy-group 1 node 0 priority 100

{primary:node0}[edit]

root@srx.rdv-primary# set chassis cluster redundancy-group 1 node 1 priority 99

{primary:node0}[edit]

root@srx.rdv-primary# set chassis cluster redundancy-group 1 preempt

{primary:node0}[edit]

root@srx.rdv-primary# commit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete

{primary:node0}[edit]

Let's verify our configuration using the following command:


root@srx.rdv-primary# run show configuration chassis cluster     
reth-count 2;
redundancy-group 1 {
    node 0 priority 100;
    node 1 priority 99;
    preempt;
}
redundancy-group 0 {
    node 0 priority 100;
    node 1 priority 99;
}

{primary:node0}[edit]

Now that we have the redundancy groups setup we can assign interfaces to them. We will need to create redundant intefaces (reth) and then assign regular interfaces as members of the reth. For this example I will configure the first ports on my 16-port PIM which are ge-9/0/0 and ge-12/0/0


root@srx.rdv-primary# set interfaces reth0 redundant-ether-options redundancy-group 1  

{primary:node0}[edit]

root@srx.rdv-primary# set interfaces reth0 unit 0 family inet address 172.16.0.108/16 

{primary:node0}[edit]

root@srx.rdv-primary# set interfaces ge-3/0/0 gigether-options redundant-parent reth0

{primary:node0}[edit]

root@srx.rdv-primary# set interfaces ge-12/0/0 gigether-options redundant-parent reth0

{primary:node0}[edit]
root@srx.rdv-primary# commit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete

{primary:node0}[edit]

Now that we have a redundant interface (reth0) we can now apply that to our redundancy group as an interface monitor:


root@srx.rdv-primary# set chassis cluster redundancy-group 1 interface-monitor reth0 weight 255

{primary:node0}[edit]

root@srx.rdv-primary# commit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete

{primary:node0}[edit]

If you don't have the interfaces connected to anything, you should now see the HA light on the firewalls turn amber. This is because the interface is configured, but not active. Once you plug them into a switch or device the HA lights will turn green again.

Repeat this process for any other redundant interfaces you wish to create. Remember to only use redundancy group 1 and NOT group 0. Apply security zones to reth interfaces just as you would with standard interface configurations.