SRX-HA(JSRP)配置

Click to edit Master title style,Click to edit Master text styles,Second level,Third level,Fourth level,Fifth level,#,Copyright,2009 Juniper Networks,I,SRX JSRP config,课程目标,JSRP,介绍,JSRP,配置,JSRP,维护,JSRP,基本介绍,Jsrp vs nsrp,JSRP,和,NSRP,最大的区别在于,JSRP,是完全意义上的,Cluster,概念，两台设备完全当作一台设备来看待，两台设备的接口板卡顺序编号、运维变更将对两台设备同时进行操作，无需额外执行,ScreenOS,的配置和会话同步等操作，而,ScreenOS NSRP,可看作在同步配置和动态对象（,session,）基础上独立运行的两台单独设备。,JSRP,要求两台设备在软件版本、硬件型号、板卡数量、插槽位置及端口使用方面严格一一对应。,转发与控制层面完全分裂架构，,JSRP,需要控制层面,(,配置同步,),和数据层面,(Session,同步,),两个平面的互联,3K5K,建议控制和数据层面互联链路使用光纤链路直连（部分平台强制要求光纤链路直连）,指定控制端口,必须使用下面设备指定端口来作为,HA,控制信号端口进行互连,设备型号,:,For SRX100 devices,connect the fe-0/0/7 port to the fe-1/0/7 port,For SRX210 devices,connect the fe-0/0/7 port to the fe-2/0/7 port,For SRX240 devices,connect the ge-0/0/1 port to the ge-5/0/1 port,For SRX650 devices,connect the ge-0/0/1 port to the ge-9/0/1 port,SRX650SRX650,平台如果需要部署,HA,结构,则必须增加数据接口板卡,SRX240,SRX650SRX650,平台如果需要部署,HA,结构,则必须增加数据接口板卡,SRX240,SRX240,SRX210,SRX210,SRX100,SRX100,SRX Branch,系列接口规范,JSRP,配置,JSRP,配置步骤,整个,JSRP,配置过程包括如下,7,个步骤,1,、,配置,Cluster id,和,Node id(,对应,ScreenOS NSRP,的,cluster id,并需手工指定设备使用节点,id,）,2,、,指定,Control Port,（指定控制层面使用接口，用于配置同步及心跳）,3,、,指定,Fabric Link Port,（指定数据层面使用接口，主要,session,等,RTO,同步）,4,、,配置,Redundancy Group,（类似,NSRP,的,VSD group,，优先级与抢占等配置）,5,、,每个机箱的个性化配置,（单机无需同步的个性化配置，如主机名、带外管理口,IP,地址等）,6,、,配置,Redundant Ethernet Interface,（类似,NSRP,的,Redundant,冗余接口）,7,、,配置,Interface Monitoring,（类似,NSRP interface monitor,，是,RG,数据层面切换依据）,1,、,配置,Cluster id,和,Node id,JSRP,配置样例,：,配置,Cluster id,和,Node id,SRX-A,set chassis cluster cluster-id 1 node 0 reboot,（注意该命令需在,operational,模式下输入，,Cluster ID,取值范围为,1 15,，当,Cluster ID=0,时将,unsets the cluster,）,SRX-Bset chassis cluster cluster-id 1 node 1 reboot,2,、,指定,Control,Port,指定,Fabric Link Port,指定,Control Port,（,SRX Branch,系列，则无需指定,默认规定采用某一个接口作为控制接口，参考上一节）：,指定,Fabric Link Port,set interfaces fab0 fabric-options member-interfaces ge-0/0/2,set interfaces fab1 fabric-options member-interfaces ge-5/0/2,注：,Fabric Link,中的,Fab0,固定用于,node 0,，,Fab1,固定用于,node 1,3,、,配置,Redundancy Group,RG0,固定用于主控板,RE,切换，,RG1,以后用于,redundant interface,切换，,RE,切换独立于接口切换,set chassis cluster reth-count 10,（指定整个,Cluster,中,redundant ethernet interface,最多数量）,set chassis cluster redundancy-group 0 node 0 priority 200,（高值优先，与,NSRP,相反）,set chassis cluster redundancy-group 0 node 1 priority 100,set chassis cluster redundancy-group 1 node 0 priority 200,（高值优先，与,NSRP,相反）,set chassis cluster redundancy-group 1 node 1 priority 100,4,、,个性化,配置,便于对两台设备的区分与管理,set groups node0 system host-name SRX-A,set groups node0 interfaces fxp0 unit 0 family inet address 1.1.1.1/24,（带外网管口名称为,fxp0,，区别,ScreenOS,的,MGT,口）,set groups node1 system host-name SRX-B,set groups node1 interfaces fxp0 unit 0 family inet address 1.1.1.2/24,set apply-groups$node,（应用上述,groups,配置）,5,、,配置,Redundant Ethernet Interface,Redundant Ethernet Interface,类似,ScreenOS,里的,redundant interface,，只不过,Redundant Ethernet interface,是分布在不同的机箱上,(,这一特性又类似,ScreenOS,的,VSI,接口,),。,Set interface ge-0/0/8 gigether-options redundant-parent reth0,（,node 0,的,ge-0/0/8,接口）,Set interface ge-5/0/8 gigether-options redundant-parent reth0,（,node 1,的,ge-0/0/8,接口）,Set interface reth0 redundant-ether-options redundancy-group 1,（,reth0,属于,RG1,）,Set interface reth0 unit 0 family inet address 192.168.0.1/24,6,、,配置,Interface Monitoring,配置,Interface Monitoring,，被监控的接口,Down,掉后，,RG1,将自动进行主备切换（与,ScreenOS,类似），,Set cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255,Set cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255,Set cluster redundancy-group 1 interface-monitor ge-13/0/0 weight 255,Set cluster redundancy-group 1 interface-monitor ge-13/0/1 weight 255,JSRP,维护,维护命令,手工切换,JSRP Master,，,RG1,原,backup,将成为,Master,rootsrx240a request chassis cluster failover redundancy-group 1 node 1,手工恢复,JSRP,状态，按照优先级重新确定主备关系（高值优先）,rootsrx240b request chassis cluster failover reset redundancy-group 1,查看,cluster interface,rootrouter show chassis cluster interfaces,查看,cluster,状态、节点状态、主备关系,lab240a#run show chassis cluster status,取消,cluster,配置,labSrx240a#set chassis cluster disable reboot,维护命令,升级,JSRP,软件版本,SRX,目前暂不支持软件在线升级（,ISSU,），升级过程会中断业务,。,升级步骤如下：,1.,升级,node 0,，注意不要重启系统,2.,升级,node 1,，注意不要重启系统,.,3.,同时重启两个系统,恢复处于,disabled,状态的,node,当,control port,或,fabric link,出现故障时，为避免出现双,master(split-brain),现象，,JSRP,会把出现故障前状态为,secdonary,的,node,设为,disabled,状态，即除了,RE,，其余部件都不工作。想要恢复必须,reboot,该,node,。,透明模式,Configuring Bridge,Domains,To configure bridge domains:,userhost#set bridge-domains bd1 domain-type bridge vlan-id-list 1,10,userhost#set bridge-domains bd2 domain-type bridge vlan-id 2,To limit the number of MAC addresses learned on all logical interfaces on the device:,userhost#set protocols l2-learning global-mac-limit 64000 packet-action drop,Configuring Layer 2 Logical,Interfaces,To configure a Layer 2 logical interface as a trunk port:,userhost#set interfaces ge-3/0/0 unit 0 family bridge interface-mode trunk,vlan-id-list 110,To configure a VLAN identifier for untagged packets received on a physical interf