
Cluster configuration example

Source: 九壹网

SRX firewall cluster configuration steps

The firewall HA configuration must be carried out in the following order.

1. First, directly connect the HA control-link ports of the two firewalls. The control-link port is fixed by the vendor for each device model:

For SRX100 devices, connect the fe-0/0/7 port to the fe-1/0/7 port
For SRX210 devices, connect the fe-0/0/7 port to the fe-2/0/7 port
For SRX240 devices, connect the ge-0/0/1 port to the ge-5/0/1 port
For SRX650 devices, connect the ge-0/0/1 port to the ge-9/0/1 port

2. Configure the root password (set the same password on both devices)

SRX-A#set system root-authentication plain-text-password
SRX-B#set system root-authentication plain-text-password

3. Delete the configuration of all default ports

SRX-A#delete interfaces ge-0/0/0
SRX-B#delete interfaces ge-0/0/0

4. Configure the cluster (configuring the primary device as node 0 is recommended)

SRX-A>set chassis cluster cluster-id 1 node 0 reboot
SRX-B>set chassis cluster cluster-id 1 node 1 reboot

(The cluster ID ranges from 1 to 15; setting the cluster ID to 0 unsets the cluster.)

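5. Once the above configuration is complete and the devices have rebooted, the HA state synchronizes. Check the state with the show command below. From this point on, all configuration is done on one firewall only.

show chassis cluster status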

6. Directly connect the HA fabric (fab) ports of the two firewalls (any port may be designated), then configure them

set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2

7. Configure the priorities (node 0 gets the higher priority)

RG0 is reserved for Routing Engine (RE) failover; RG1 and higher are used for redundant-interface failover. RE failover is independent of interface failover.

set chassis cluster reth-count 10 (sets the maximum number of redundant Ethernet interfaces in the whole cluster)

set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

8. Configure the device names and the management ports (the management port is also fixed by the vendor)

set groups node0 system host-name SRX-A

set groups node0 interfaces fxp0 unit 0 family inet address 1.1.1.1/24 (the out-of-band management port is named fxp0)

set groups node1 system host-name SRX-B

set groups node1 interfaces fxp0 unit 0 family inet address 1.1.1.2/24

set apply-groups ${node} (applies the groups configured above)

9. View the information for all ports with the following command

run show interfaces terse

10. Cable the ports that are going to be configured (once interface monitoring is set up, an uncabled port causes an abnormal HA state)

11. Port configuration

set interfaces ge-0/0/8 gigether-options redundant-parent reth0 (the ge-0/0/8 interface of node 0)

set interfaces ge-5/0/8 gigether-options redundant-parent reth0 (the ge-0/0/8 interface of node 1)

set interfaces reth0 redundant-ether-options redundancy-group 1 (reth0 belongs to RG1)

set interfaces reth0 unit 0 family inet address 192.168.0.1/24

12. Interface monitoring

set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 255

13. If a restore to factory defaults is needed during configuration

A. Disable the cluster and reboot the devices

SRX-A>set chassis cluster disable reboot
SRX-B>set chassis cluster disable reboot

B. Restore factory defaults

SRX-A#load factory-default
SRX-A#set system root-authentication plain-text-password
SRX-A#commit

SRX-B#load factory-default
SRX-B#set system root-authentication plain-text-password
SRX-B#commit
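
The following Python check is an added example, not part of the original procedure and not Juniper tooling: it parses the set commands from steps 6, 7 and 11 and reports cluster inconsistencies (fabric links, redundancy-group priorities, reth membership) before they are committed. The node 1 slot numbers per model are inferred from the port pairs in step 1, and the function names and message strings are assumptions of this example.

```python
import re

# Node 1 first slot number per model, read off the port pairs in step 1 (assumption).
NODE1_SLOT = {"SRX100": 1, "SRX210": 2, "SRX240": 5, "SRX650": 9}

# Constructed input: the set commands from steps 6, 7 and 11 (SRX240 numbering).
SAMPLE = """\
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
set chassis cluster reth-count 10
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set interfaces ge-0/0/8 gigether-options redundant-parent reth0
set interfaces ge-5/0/8 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
"""

def node_of(ifname, model):
    """Map an interface such as ge-5/0/8 to the cluster node that owns its slot."""
    slot = int(re.match(r"[a-z]+-(\d+)/", ifname).group(1))
    return 1 if slot >= NODE1_SLOT[model] else 0

def check_cluster(config, model):
    """Return a list of consistency problems in set-style chassis cluster config."""
    fab, prio, members, reth_rg, count = {}, {}, {}, {}, 0
    for t in (line.split() for line in config.splitlines()):
        if t[:2] == ["set", "interfaces"] and len(t) >= 6:
            if t[3:5] == ["fabric-options", "member-interfaces"]:
                fab[t[2]] = node_of(t[5], model)
            elif t[3:5] == ["gigether-options", "redundant-parent"]:
                members.setdefault(t[5], set()).add(node_of(t[2], model))
            elif t[3:5] == ["redundant-ether-options", "redundancy-group"]:
                reth_rg[t[2]] = t[5]
        elif t[:4] == ["set", "chassis", "cluster", "reth-count"]:
            count = int(t[4])
        elif t[:4] == ["set", "chassis", "cluster", "redundancy-group"] and t[5:6] == ["node"]:
            prio.setdefault(t[4], set()).add(int(t[6]))
    problems = [f"{f} missing or not on node {n}" for f, n in (("fab0", 0), ("fab1", 1)) if fab.get(f) != n]
    problems += [f"redundancy-group {g} lacks a priority on both nodes" for g, n in prio.items() if n != {0, 1}]
    for reth in sorted(set(members) | set(reth_rg)):
        if members.get(reth) != {0, 1}:
            problems.append(f"{reth} needs one member link on each node")
        if reth_rg.get(reth) not in prio:
            problems.append(f"{reth} is not bound to a configured redundancy-group")
        if int(reth[4:]) >= count:
            problems.append(f"{reth} exceeds reth-count {count}")
    return problems
```

Calling `check_cluster(SAMPLE, "SRX240")` returns an empty list; the same commands checked as `"SRX650"` are flagged, because ge-5/0/x is still a node 0 slot on that model.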
