1、Juniper SRX HA配置實例文檔査看須知：3測試拓撲：3一路由模式HA：4配置：4驗證：4配置解析：5二 透明模式 HA（Access接口） 6配置：6驗證：7配置解析：8三 透明模式 HA（Trunk 接口）9配置：9驗證：10配置解析：10注意點12文檔查看須知:測試環境：SRX 220H兩臺配置須知：SRX 220H默認帶外管理口 Ge-0/0/6控制口： GeT/0/7數據同步口： Ge-0/O/l 使用集群則集群后接口標示為：Ge-0/0/0-7; Ge-3/0/0-7 不同型號集群后接口顯示不同，詳情見官方文檔拓撲對應 IP:G-0/0/3： 192. 168. 3.1/2

2、4G-0/0/4： 192.16& 4.1/24G-0/0/5： 192.16& 5.1/24MGT:10.10. 30.189-190/24F0/0： 192 168. 4. 2/24F0/1： 192.16& 6.1/24 （模擬遙遠互聯網）測試拓撲：FO/1PO/OG -0/0/4G-0/0/4一路由模式HA:On device A:>setchassis cluster cluster-id 1 node 0 rebootOn device B:>setchassis cluster cluster-id 1 node 1 rebootOn devi

3、ce A:set groups nodeO system host-name SRX-Primaryset groups nodeO interfaces fxpO unit 0 family inet address 10. 10. 30. 189/24set groups nodelsystem host-name SRX-Secondbyset groups nodel interfaces fxpO unit 0 family inet address 10.10.30. 190/24 set apply-groups $node"setsetsetsetsetsetsets

4、etsetsetsetsetsetsetsetinterfaces fabO interfaces fabl chassis chassis chassis chassis chassis chassis chassis chassis chassis chassis chassiscluster cluster cluster cluster cluster cluster cluster cluster cluster cluster clusterfabric-options member-interfaces ge-0/0/1 fabric-options member-interfa

5、ces ge-3/0/1 redundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy-group reth-count 30011111111node node node node0101priority priority priority priority10011001interface-monitor interface-m

6、onitor interface-monitor interface-monitor interface-monitor interface-monitorge-0/0/3 weight ge-0/0/4 weight ge-0/0/5 weight ge-3/0/3 weight ge-3/0/4 weight ge-3/0/5 weight255255255255255255setsetsetsetsetsetsetsetsetsetsetinterfaces interfaces interfaces interfaces interfaces interfaces interfaces

7、 interfaces interfaces interfaces interfaces interfacesge-0/0/3 gigether-options redundant-parent rethO ge-3/0/3 gigether-options redundant-parent rethO rethO redundant-ether-options redundancy-group 1 rethO unit 0 family inet address 192.168.3.1/24 ge-0/0/4 gigether-options redundant-parent rethl g

8、e-3/0/4 gigether-options redundant-parent rethl rethl redundant-ether-options redundancy-group 1 rethl unit 0 family inet address 192 168.4 1/24 ge-0/0/5 gigether-options redundant-parent reth2 ge-3/0/5 gigether-options redundant-parent reth2 reth2 redundant-ether-options redundancy-group 1 reth2 un

9、it 0 family inet address 192.168.5 1/24setsetsecurity security securityzones security-zone trust interfaces reth0 0 zones security-zone untrust interfaces reth1 0 zones security-zone DMZ interfaces reth2 0驗證:NodePriorityStatusPreemptManual failoverRedundancy group: 0 ,Failover count:1nodeO100primary

10、nononodel1secondarynonoRedundancy group: 1 ,Failover count:1nodeO100primarynononodel1secondarynono査看雙機狀態rootSRX-Primary> show chassis cluster status Cluster ID: 1測試主備切換:正在復制丄個項目(331 GB)名稱： 從： SJ： 兎余時司:大約4分鐘20秒Check_Point_R75 40_G aia.isoR75 (192.168.3.111CheckpointR75)卓面(C:UcersVi-MiaoDesktop)兎余項

11、；1 (2.64 GB)曲： 10.8 MB/t-pool.Srx.Bridg.期肖2 2 2 29 9 9 91111 -1-sa- um 三 urni 三 jttn 厶-4m -二厶-二厶=-厶二-厶厶三厶二厶三厶=一-弋-fe-te-叱gggggRRRRRR-X -V 次卄冃亠 K -K -K -X -X -X2 2 2 可 2 2 29 oy Q- mu 9 9 9111起丄丄丄29-1681681681681651681681681681681681681681681681661681681681681681681681683.1113.1113.1113.1113.1113.111

12、3.1112.1112.1113.1113.1113.1113.1113.1113.1113.1113.1113.1113.1113.1113.1113.1113.1113.111vls22222 2 222222222222 3333333 3 3 333333333 = = = = T卄P4T卄忑F4T卄F4工工F4T卄下卄下卄下卄下卄下卄X下宀X-X.HH丈于2 2 2 2 2 23 3 3 3 3 3 =一一=-E -E -E -E -E -G -E -E -E -E -E -E -E -E -E -c -E -E 4M414J4J4J4J4J4J4J4J4J4J4J4J4JI7JJ

13、nn nn nn Du nnRnnRRnnnHMnnnnnnnnnnDn7 -5 - 7 -耳.r D D B nn B B<lns TTL=64 <lns TTL=64 =lns TTL=64 <lns TTL=64 =lns TTL=64 =lms TTL=64 =22ms TTL=64 =22m<? TTL=64 =22ms TTL=64 =22ne TTL=64 =22ne TTL=64 =22ns TTL=64 =22ns TTL=64 =22ns TTL=64 -22ns TTL-C4 -22ns TTL-64 -22ms TTL-64 -22ms TTL-

14、64=22(ns TTL=64 =22ns TTL-64 =22ns ITL=64 =22ms ITL=64 =22ms I1L=64 =22ms IIL=64査看當前設備主備情況:primary:nodeO rootSRX-primary> cluster id: 1 Nodeshow chassis cluster statusPreemptManual failoverPriorityStatusRedundancy group:0 , Failover count: 1nodeO100primarynonono del1secondarynonoRedundancy group:

15、1 , Failover count: 2nodeO0secondarynononodel1primary.；nono配置解析:On device A:>set chassis cluster cluster-id 1 node 0 reboot取值范用為0-15, 0代表禁用集群；node取值范/定義cluster-id和node,同一個集群cluster-id必須相同, 用為0-1,0代表主設備On device B:>set chassis cluster cluster-id 1 node 1 reboot/定義cluster-id和node,同一個集群cluster-id

16、必須相同,取值范圍為0-15, 0代表禁用集群:node取值范 用為0-1,0代表主設備On device A:setsetsetsetgroups groups groups groupsnodeO nodeO nodel nodelsystem host-name SRX-Primaryinterfaces fxpO unit 0 family inet address 10. 10.30. 189/24 system host-name SRX-Secondbyinterfaces fxpO unit 0 family inet address 10.10.30.190/24/為集群設備

17、配置單獨的名字和管理IP地址 set apply-groups $node"讓以上的全局配置應用到每個獨立的右點上set interfaces fabO fabric-options member-interfaces ge-0/0/1 set interfaces fabl fabric-options member-interfaces ge-3/0/1 左義數據而板控制口并關聯端口setchassisclusterredundancy-group0node0priority100setchassisclusterredundancy-group0node1priority1se

18、tchassisclusterredundancy-group1node0priority100setchassisclusterredundancy-group1node1priority1設置冗余組的對不同節點的優先級，優先級范用1-254.值越大優先級越髙，一般習慣左義2個冗余組， redundancy-group 0用于控制引縈，redundancy-group 1用于控制數據引擎，當然你也可以為每組冗余端口放在 一個 redundancy-group 組中 set set set set set setchassis chassis chassis chassis chassis c

19、hassiscluster cluster cluster cluster cluster clusterredundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy-group111111interface-monitor interface-monitor interface-monitor interface-monitor interface-monitor interface-monitorge-0/0/3 weight ge-0/0/4 weight g

20、e-0/0/5 weight ge-3/0/3 weight ge-3/0/4 weight ge-3/0/5 weight255255255255255255配宜接口監控在數據冗余口，不建議配置接口監控在redundancy-group 0,當監控到接口故障后優先級降255, 實現數據口冗余自動切換set chassis cluster reth-count 3上義集群最多支持多少組冗余接口，必須不低于當前配置的冗余口組數目，否則將有超過數量的冗余口不能正常 工作，超過冗余組的冗余接口的路由信息都不生效set interfaces ge-0/0/3 gigether-options redu

21、ndant-parent rethOset interfaces ge-3/0/3 gigether-options redundant-parent rethO set interfaces rethO redundant-ether-options redundancy-group 1 /把物理端口加入到冗余接口 reth»并把接口 rethO加入數據冗余組redundancy-group set interfaces rethO unit 0 family inet address 192168 3 1/24 /為冗余邏輯接口配置IP地址set interfaces ge-0/

22、0/4 gigether-options redundant-parent rethlset interfaces ge-3/0/4 gigether-options redundant-parent rethlset interfaces rethl redundant-ether-options redundancy-group 1/把物理端口加入到冗余接口 reth>并把接口 rethl加入數據冗余組redundancy-group 1 set interfaces rethl unit 0 family inet address 192 168 4 1/24/為冗余邏輯接口配置I

23、P地址set interfaces ge-0/0/5 gigether-options redundant-parent reth2set interfaces ge-3/0/5 gigether-options redundant-parent reth2set interfaces reth2 redundant-ether-options redundancy-group 1/把物理端口加入到冗余接口 reth»并把接口 reth2加入數據冗余組redundancy-group 1 set interfaces reth2 unit 0 family inet address

24、192 168 5 1/24/為冗余邏輯接口配置IP地址set security zones security-zone trust interfaces reth0 0set security zones security-zone untrust interfaces reth1 0set security zones security-zone DMZ interfaces reth2 0 把集群的邏輯接口關聯到ZONE二 透明模式HA （Access接口）On device A:>set chassis cluster cluster-id 1 node 0 rebootOn d

25、evice B:>set chassis cluster cluster-id 1 node 1 rebootOn device A:set groups nodeO set groups nodeO set groups nodel set groups nodel set apply-groupssystem host-name SRX-Primaryinterfaces fxpO unit 0 family inet address 10. 10. 30. 189/24 system host-name SRX-Secondbyinterfaces fxpO unit 0 fami

26、ly inet address 10. 10.30. 190/24 $nodset set set set set set set set set set set set set set set set set set set set set set set set set set set set set setchassis chassis chassis chassis chassis chassis chassis chassis chassis chassis chassiscluster cluster cluster cluster cluster cluster cluster

27、cluster cluster cluster clusterinterfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfacesreth-count 3 redundancy-group redundancy-group redundancy-group redundancy-group re

28、dundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy-groupge-0/0/3 ge-0/0/4 ge-0/0/5 ge-3/0/3 ge-3/0/4 ge-3/0/50011111111node node node node0101priority priority priority priority10011001gigether-options gigether-options gigether-options gigether-options gige

29、ther-options gigether-optionsinterface-monitor interface-monitor interface-monitor interface-monitor interface-monitor interface-monitor redundant-parent redundant-parent redundant-parent redundant-parent redundant-parent redundant-parentge-0/0/3 weight ge-3/0/3 weight ge-0/0/4 weight ge-3/0/4 weigh

30、t ge-0/0/5 weight ge-3/0/5 weight rethO rethl reth2 rethO rethl reth2fabO fabric-options member-interfaces ge-0/0/1 fabl fabric-options member-interfaces ge-3/0/1 rethO rethO rethO rethl rethl rethl reth2 reth2 reth2redundant-ether-options redundancy-group 1 unit 0 family bridge interface-mode acces

31、s unit 0 family bridge vlan-id 1 redundant-ether-options redundancy-group 1 unit 0 family bridge interface-mode access unit 0 family bridge vlan-id 1 redundant-ether-options redundancy-group 1 unit unitbridge-domains sysway bridge-domains sysway0 family bridge interface-mode access 0 family bridge v

32、lan-id 1 domain-type bridge vlan-id 1255255255255255255驗證:査看雙機狀態primary:nodeO rootSRX-primary> Cluster ID： 1 Nodeshow chassis cluster statusPreemptManual failoverPriorityStatusRedundancy group:0 , Failover count: 1nodeO100primarynonono del1secondarynonoRedundancy group:1 , Failover count: 3nodeO1

33、00primarynononodel0secondarynono上小配置解析:On device A:>set chassis cluster cluster-id 1 node 0 rebootOn device B:>set chassis cluster cluster-id 1 node 1 rebootgroupsgroupsgroupsgroupsnodeO nodeO nodel nodel/定義cluster-id和node.同一個集群cluster-id必須相同,取值范圍為0-15, 0代表禁用集群:node取值范 圍為0-1,0代表主設備On device A:

34、setsetsetsetsystem host-name SRX-Primaryinterfaces fxpO unit 0 family inet address 10. 10. 30. 189/24 system host-name SRX-Secondbyinterfaces fxpO unit 0 family inet address 10. 10.30. 190/24 3 （node"setchassisclusterreth-count 3setchassisclusterredundancy-group0node0priority100setchassiscluste

35、rredundancy-group0node1priority1setchassisclusterredundancy-group1node0priority100setchassisclusterredundancy-group1node1priority1apply-groups把以上的全局配置應用到每個獨立的節點上設宜冗余組數量及冗余組的不同節點的優先級111111setsetsetsetsetsetchassis chassis chassis chassis chassis chassiscluster cluster cluster cluster cluster clusterr

36、edundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy-groupinterface-monitor interface-monitor interface-monitor interface-monitor interface-monitor interface-monitorge-0/0/3 weight ge-3/0/3 weight ge-0/0/4 weight ge-3/0/4 weight ge-0/0/5 weight ge-3/0/5 weig

37、ht255255255255255255/配置接口監控在數據冗余組ge-0/0/3ge-0/0/4ge-0/0/5ge-3/0/3ge-3/0/4ge-3/0/5setsetsetsetsetsetinterfaces interfaces interfaces interfaces interfaces interfacesgigether-options gigether-options gigether-options gigether-optionsredundant-parent redundant-parent redundant-parent redundant-parentgi

38、gether-options redundant-parent gigether-options redundant-parentrethO rethl reth2 rethO rethl reth2set把物理接口關聯到冗余組set interfaces fabO fabric-options member-interfaces ge-0/0/1set interfaces fabl fabric-options member-interfaces ge-3/0/1定義數據而板控制口并關聯端口set interfaces rethO redundant-ether-options redun

39、dancy-group 1/泄義接口 rethO 口 關聯到 redundancy-group 1set interfaces rethO unit 0 family bridge interface-mode access/設宜邏借接口為網橋模式并且接口類型為accessset interfaces rethO unit 0 family bridge vlan-id 1interfaces interfaces interfaces interfaces interfaces interfacesrethl rethl rethl reth2 reth2 reth2redundant-et

40、her-options redundancy-group 1 unit 0 family bridge interface-mode access unit 0 family bridge vlan-id 1 redundant-ether-options redundancy-group 1 unit 0 family bridge interface-mode access unit 0 family bridge vlan-id 1設宜邏輯接口為網橋模式并允許vlan 1的數據包通過（建議VLAN ID值與直連交換機的接口屬于同一個VLAN） set set set set set se

41、t/設rethl, reth2的相關屬性set bridge-domains sysway domain-type bridge定義網橋域類型及網橋域名稱set bridge-domains sysway vlan-id 1/定義網橋域的VLAN ID建議和“th接口左義的一樣三透明模式HA（Trunk接口）配置:A:>set B:>set A:nodeO nodeO nodel nodeldevice .device device .groups groups groups groups apply-groups cluster cluster cluster cluster c

42、luster cluster cluster cluster cluster cluster cluster cluster cluster cluster clusterchassis chassis chassis chassis chassis chassis chassis chassis chassis chassis chassis chassis chassis chassis chassisinterfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfa

43、ces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaces interfaceschassis cluster cluster-id 1 node 0 reboot chassis cluster cluster-id 1 node 1 rebootsystem host-name SRX-Primaryinterfaces fxpO unit 0 family

44、inet address 10. 10. 30 189/24 system host-name SRX-Secondbyinterfaces fxpO unit 0 family inet address 10.10.30.190/24 駕node少reth-count 3redundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy-group redundancy

45、-group redundancy-group redundancy-group redundancy-group redundancy-groupge-0/0/3 ge-0/0/4 ge-0/0/5 ge-3/0/3 ge-3/0/4 ge-3/0/500111111111111node node node node0101priority priority priority priority10011001gi gether-opt ions gigether-options gi gether-opt ions gigether-options gigether-options gige

46、ther-optionsinterface-monitor ge-0/0/3 weight interface-monitor ge-3/0/3 weight node 0 priority 100 node 1 priority 1 interface-monitor ge-0/0/4 weight interface-monitor ge-3/0/4 weight node 0 priority 100 node 1 priority 1 interface-monitor ge-0/0/5 weight interface-monitor ge-3/0/5 weight redundan

47、t-parent redundant-parent redundant-parent redundant-parent redundant-parent redundant-parentrethO rethl reth2 rethO rethl reth2fabO fabric-options member-interfaces ge-0/0/1 fabl fabric-options member-interfaces ge-3/0/1 rethO rethO rethO rethO rethO rethl rethl rethl rethl rethl reth2 reth2 reth2

48、reth2 reth2redundant-ether-options redundancy-group 1 vlan-taggingnative-vlan-id 1unit 0 family bridge interface-mode trunk unit 0 family bridge vlan-id-list 1-1000 redundant-ether-options redundancy-group 1 vlan-taggingnative-vlan-id 1unit 0 family bridge interface-mode trunk unit 0 family bridge v

49、lan-id-list 1-1000 redundant-ether-opt ions redundancy-group 1 vlan-taggingnative-vlan-id 1unit 0 family bridge interface-mode trunk unit 0 family bridge vlan-id-list 1-1000bridge-domains sysway vlan-id-list 1-1000255255255255255255驗證:primary:nodeO rootSRX-primary> show chassis cluster status Clu

50、ster ID： 1preemptManual failoverNodeprioritystatusRedundancy group:0 ,Failover count:1nodeO100primarynononodel1secondarynonoRedundancy group:1 ,Failover count:3noceO100primarynonoL ：Qdel0secondarynono刻戻m沖幻旺正在臭制1個項目(331 GB)£&:Check_Point_R75.40_Gaia.iso從：R75 (192.16S.3.11iChcckpointR75)5i蟲 1

51、0 (GUser5Yi-MiaoDe5ldop)瞬時越大約3分忙30衿磁皿1 (2.22 GB)注変10.9胡刃秒1jroup: 1 f Failover count: 3 1000目 192.16 R 192.168J 1V2.1GK f 192.16S f 192.165 自 192.168 § 192.168 自 192.168 IIS5:F 丄92.168 嚮：192.16& f 192.165 F 丄92.168 自 192.168 自 192.1GB H 192.16& (:192.165 F 192.168 自 192.16ft E 192.168 t

52、192.1683.1113.1113.1113.1113.1113.1113.1113.11122222222 -3-3-3=3=3w7-3 節衛F節節節衛F Fx于一Z-X-X-千r*-r 窪s:影鑿t= FBTrsTQ® 回回旦 f5T 的的的的味的的的loyH-B.百旦包c： T44.M4.H.Lq 丄勺：T引-223 TTL-64 -22ms TTb64 -22ms TTL-64TTL=64 =22(18 TTL=64 =22«3 TTL=64 -22ms TTL-64 -22n»% TTL-64.3.129的回復=無法訪間目標主機。回回回回回回回回回回回

53、-32 -32XT-328HI-zf'nl-Bln Mun<1pik -ine <lms -1 m3 -lwa <1 ms <1fiS =lms -1 mr?TTL-64TTL64TTL-64 TTL-GI rn.-(»4TTL-64TTL64TTL-64TTL-64TTL-64TTL-64當訓雙機狀態primary rootSRX cluster NodeTVJ r e m 1 di or: n PD - Ishow chassis cluster statusRedundancy group: nodeO no delRedundancy group: nodeO nodelPriority0 , Failover count:1001配置解析:1 , Failover count:01StatusPreemptprimary secondaryno nosecondary primary 丿no no2Manual failovernonononoOn device A：>set chassis cluster cluster-id 1 node 0 rebootOn