JNCIP-SEC [ 4 – High Availability ]

Today’s post is about high availability, which is one of the topics of the JNCIP-SEC exam. This post doesn’t cover everything, though, as it only reflects my self-study. Let’s get started.
Test Topology

Test Platform: 2 x SRX 210 with JunOS 10.4R6.5
Before starting the cluster configuration of my SRX 210s, I must remove some configuration items to avoid post-configuration errors. Do the following on each SRX:

The fe-0/0/6 interface is the management (fxp0) interface in cluster mode, so its configuration must be removed
The fe-0/0/7 interface is the control interface (fxp1), so its configuration must also be removed
After this operation, make sure there is no ethernet-switching configuration left on these interfaces:

Looks good so far!
It is time to enable the cluster and reboot:

After the reboot, if you check the prompt of srx1, you will see that it has changed as below:

Check cluster status:

Configure management interfaces on the first node only (srx1):

Configure fabric links on the first node only (srx1):

Pay attention: on SRX210 models, fe-0/0/5 is the 5th interface of srx1 and fe-2/0/5 is the 5th interface of srx2.
After the commit, the configuration should sync to the srx2 node as well.
Now check cluster interfaces status:

REDUNDANCY GROUPS
A cluster without an RG is useless. Let’s create a redundancy group and test it.
RG0 is used for the control plane, while RG1 and RG2 will be our service RGs.

RG1 has node 0 as the primary node since its priority is higher. We enable preempt so that, once the condition that caused the failover to the secondary node (node 1) is resolved, RG1 fails back to the primary node 0. We also monitor ge-0/0/0 and ge-0/0/1, so if either of these links fails, RG1 fails over to node 1.
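The configuration walked through above, from freeing the fxp0/fxp1 ports to the redundancy groups and reth interfaces, collected as one added example; it is not the post’s own (elided) output. The cluster ID, srx1 = node 0 / srx2 = node 1, the priorities and all addresses are assumed placeholders, and the `##` lines are reading notes to drop before pasting.

```junos
## Added example (not the post's own elided config). Assumed: cluster-id 1,
## srx1 = node 0, srx2 = node 1, placeholder addresses. Drop ## lines before pasting.
## 1. On each node, before clustering: free the ports that become fxp0/fxp1.
delete interfaces fe-0/0/6
delete interfaces fe-0/0/7
commit

## 2. On each node (operational mode, reboots the box): enable clustering.
##    srx1:  set chassis cluster cluster-id 1 node 0 reboot
##    srx2:  set chassis cluster cluster-id 1 node 1 reboot

## 3. From node 0 only; the commit is replicated to node 1.
## Per-node settings live in node groups; "${node}" expands to node0 or node1.
set groups node0 system host-name srx1
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.0.11/24
set groups node1 system host-name srx2
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.0.12/24
set apply-groups "${node}"

## Fabric link: 5th port of each SRX210 (node 1 slots are numbered from 2).
set interfaces fab0 fabric-options member-interfaces fe-0/0/5
set interfaces fab1 fabric-options member-interfaces fe-2/0/5

## RG0 = control plane, node 0 preferred. RG1 = service RG, node 0 primary,
## preempt so it fails back once the monitored fault clears. Each monitored
## link carries weight 255, so a single link failure alone reaches the
## failover threshold (255) and moves RG1 to node 1, as described above.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255

## Redundant Ethernet interfaces: one child port per node, both bound to RG1.
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-2/0/0 gigether-options redundant-parent reth0
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-2/0/1 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.0.0.1/24
set interfaces reth1 unit 0 family inet address 10.0.1.1/24
commit

## Verify with: show chassis cluster interfaces / show chassis cluster status
```

Only RG1 is shown; the post’s RG2 would be configured the same way with its own priorities and interface monitors.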

Let’s see interface status once again:

I did a test by unplugging the cable connected to the ge-0/0/0 interface and immediately saw gratuitous ARP packets.

Manual Failover of RG:

If you need to do a manual failover, you can use the following:

The request command raises the priority of node1 to 255, so it becomes the primary node.
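The manual failover and the step the post does not show, clearing it again, as an added example (not the post’s own output); the RG number and node follow the lab above.

```junos
## Added example, not the post's own output. Move RG1 to node 1 and verify.
request chassis cluster failover redundancy-group 1 node 1
show chassis cluster status redundancy-group 1

## The manual failover pins node 1 at priority 255 and sets the manual
## failover flag; preempt will not move RG1 back by itself until you reset it.
request chassis cluster failover reset redundancy-group 1
show chassis cluster status redundancy-group 1
```

After the reset, with preempt configured, RG1 returns to node 0 as its configured priority is higher.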

SESSION FLOW TEST

After I set up my lab, I started an HTTP session from PC1 towards the host 163.1.2.224 and displayed the session table:

Sessions are synchronized between both nodes, of which the active one is node0. Packets enter via the redundant interface reth0.0 and leave via reth1.0. Let’s check these interfaces.

You can immediately see that traffic is flowing through the child interface ge-0/0/0.0.
Let’s unplug the cable from ge-0/0/0 and look at the session table:

Unplugging the cable moved both redundancy groups to node1, which is what I wanted, as we don’t want any asymmetric routing. From the session table we can see that node1 now has the active sessions.

Redundant Interfaces

One thing to mention is the MAC addresses of redundant interfaces.

As can be seen, there is a particular pattern in the assignment of MAC addresses.

Disable SRX Cluster
If you want to disable/remove the SRX cluster once you are done with it, here is how to do it:

14 thoughts on “JNCIP-SEC [ 4 – High Availability ]”

  1. Derrick S

    Great website, very informative and helped me with some tests before putting this srx650 cluster into production. Cheers!

  2. andres

    I have configured the cluster and did all the tests OK.
    Now, looking at the network topology diagram, I want to know: to create a second trust zone, would it be necessary to create a new redundancy group?

  3. zeb

    After reading your article, I really found the Junos Security book and CBT Nuggets more helpful

    Cheers and Thanks from Pakistan

    1. rtoodtoo Post author

      Hi,
      To be honest, I really don’t like QoS :) It is also one of my weak areas. Maybe in the future, but it isn’t on my agenda at the moment.

  4. layla

    Love your topics!

    How can I edit the secondary node through SSH? I tried to search everywhere but I couldn’t find anything!! I need to reboot a remote secondary node 1.

  5. hiepnh

    Excellent!
    I have tried the simulator lab on a virtual device.
    But when I use the command
    root> set chassis cluster cluster-id 1 node 0 reboot
    Later

    root> configure
    warning: Clustering enabled; using private edit
    error: shared configuration database modified

    Please temporarily use ‘configure shared’ to commit
    outstanding changes in the shared database, exit,
    and return to configuration mode using ‘configure’

    Do you have suggestions for this case ?
    Thank you !

    1. rtoodtoo Post author

      Strange that you ran into this issue. As advised in the output, you can try the “configure shared” command and then commit and see what happens.

      1. hiepnh

        I have not used it, because it is not available on the system. Does the simulator not support this topic?

  6. David

    Just out of curiosity, how are the Gateway device interfaces configured? On which interface is the gateway IP address 192.168.0.1 configured?

    1. rtoodtoo Post author

      The gateway is just a normal default gateway config, David, e.g. “set routing-options static route 0/0 next-hop 192.168.0.1”;
      you don’t configure it on the interface.

