05 FW - Cluster - JSEC - 12.a - C11 - HA - Clustering - Implementation

Junos Security
Chapter 11: High Availability

Clustering Implementation
© 2012 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives
 After successfully completing this chapter, you will be

able to:
•Describe chassis cluster operation
•Configure chassis clusters
•Monitor chassis clusters
© 2012 Juniper Networks, Inc. All rights reserved. Worldwide Education Services www.juniper.net | 11-2
Agenda: High Availability Clustering
Implementation
Chassis Cluster Operation

 Chassis Cluster Configuration
 Chassis Cluster Monitoring
Cluster Operation: Forming a Cluster
 The first chassis to boot forms a cluster

•RG transitions from the blank state to the primary state
Cluster
RGx
reth1 reth2
First chassis
boots
Cluster Operation: Joining a Cluster
 Joining an existing cluster:

•RG of second chassis transitions from the blank state to the
secondary state
•Configurations synchronize
Cluster
RGx RGx
reth1 reth2 reth1 reth2
Second chassis
boots
Cluster Operation: Leaving a Cluster
 Leaving a cluster:
•The leave action can happen when the chassis reboots or
powers off
•The leave action can cause RG state changes from
secondary to the primary
Cluster
RGx RGx
Chassis boots
or powers off
Cluster Operation: Splitting a Cluster
 Chassis cluster split scenarios:

•Control (fxp1) or data (fab) link failure causes the secondary
node to enter the disabled state
•Simultaneous fxp1 and fabn link failures result in a split
Cluster
Primary Secondary
Primary Disabled
Cluster Operation: Merging Clusters
 Two clusters can merge into a single cluster

•Requires reboot of disabled or altered cluster
Cluster A Cluster B
RGx RGx
Cluster
RGx RGx
Active-Passive Mode
Node 0 Node 1
fab n
Cluster
Active Session
Backup Session
RTO Packet
Upstream Traffic
Downstream Traffic
Active-Active Mode (1 of 2)
fab n
Node 0 Node 1
Cluster
Forward Session
Active Session
Backup Session
RTO Packet
Upstream Traffic Switch Fabric Forwarding
Downstream Traffic Flow Forwarding
Active/Active Mode (2 of 2)
 Active/active deployment Internet
•Active/passive done twice

•Data path forwarding
•Health check for secondary Node 0
Control
Node 1
node
Data
RG 1 RG 2
Upstream
traffic
Downstream
traffic
Implementation
 Chassis Cluster Operation

Chassis Cluster Configuration
 Chassis Cluster Monitoring
Preparing a Cluster
 Physically connect two Junos security devices
•Ensure that both devices are of the same model
•Connect any two Ethernet interfaces (one per node) of the
same media type to create the fabric link
• Must be a fiber connection for high-end security platforms
•Connect control ports to create the control link
• SPCs must be in the same slots
• Use revenue port for branch security platforms (varies by device)
 Configure SPC control ports (high-end platforms only)
 Enable clustering
•Set up the cluster-id id and node id for each device
•Reboot desired primary device, then the secondary device
Enabling the Chassis Cluster
 First node:
[edit chassis cluster]
user@srx1# show
control-ports {
fpc slot port port;
fpc slot port port; Control ports
} require
configuration
[edit chassis cluster] only on high-end
user@srx1# commit and-quit security
commit complete platforms
Exiting configuration mode
user@srx1> set chassis cluster cluster-id id node id reboot

Successfully enabled chassis cluster. Going to reboot now
...
 Second node: Operational mode

command
user@srx2> set chassis cluster cluster-id id node id reboot
...
Cluster Configuration Steps
 Configure the following:

•Management interfaces
•Fabric interfaces
•Redundancy groups
•Redundant Ethernet interfaces
•Physical interface renaming for secondary node
•Cluster failover parameters
Configuring Management Interfaces
{primary:node0}
user@srx1> configure
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on {primary:node0}[edit]
exit user@srx1# set apply-groups “${node}”
Entering configuration mode
{primary:node0}[edit]
user@host1# edit groups
{primary:node0}[edit groups]
user@srx1# show Ensures proper group
node0 { assignment to both
system { nodes
host-name unique-name1;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address ip-address1;
}
...
node1 {
system {
host-name unique-name2;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address ip-address2;
…
Configuring Fabric Interfaces
user@srx1# show interfaces Interface from
fab0 { Node 0
fabric-options {
member-interfaces {
interface-name;
}
}
} Interface from
fab1 { Node 1
fabric-options {
member-interfaces {
interface-name;
}
}
}
Configuring a Redundancy Group
{primary:node0}[edit] Priorities range
user@srx1# show chassis cluster from 1–254
redundancy-group number {
node [0 | 1] priority priority-number;
node [0 | 1] priority priority-number;
preempt; Optional
gratuitous-arp-count number; command
interface-monitor {
interface-name weight number;
interface-name weight number; Default
} value is 4
}
Weights assignment for

interface monitoring
Configuring a Redundant Ethernet Interface
{primary:node0}[edit] {primary:node0}[edit]
user@srx1# show interfaces user@srx1# show chassis cluster
ge-x/y/z { reth-count number
gigether-options { ...
redundant-parent reth#;
}
...
}
ge-a/b/c {
gigether-options { Define the number
redundant-parent reth#; of reth interfaces in
} a cluster
...
}
reth# {
redundant-ether-options { Can configure
redundancy-group number; multiple logical
}
units using VLAN
unit 0 {
tagging
family inet {
address ip-address;
}
}
}
Configuring Cluster Failover Parameters
 Cluster failover parameters:

• heartbeat-interval: interval of time between
heartbeat messages that broadcast to all nodes in the
cluster
• heartbeat-threshold: number of missed heartbeats
that must be exceeded to declare the node dead
[edit]
user@srx1# show chassis cluster
...
heartbeat-interval number-in-millisec;
heartbeat-threshold number;
...
Disabling a Chassis Cluster
 Disabling the cluster:

{primary:node0}
user@srx1> set chassis cluster disable reboot
Successfully disabled chassis cluster. Going to reboot now
...
•Don’t forget to disable the other node!

{secondary:node1}
user@srx2> set chassis cluster disable reboot
Successfully disabled chassis cluster. Going to reboot now
...
•Change interface naming
Implementation
 Chassis Cluster Operation

 Chassis Cluster Configuration
Chassis Cluster Monitoring
Example: Network Diagram Prior to Issuing
the Cluster-Forming Command
host1
fxp0
.1
10.20.20.2/24
.2 Internet A
ge-0/0/2 SPC 3
port 0 5.5.5.2/24
B .2
.1
fxp0
host2
Forming a Cluster
 Cluster formation:
•First node:
[edit chassis cluster]
user@host1# show Control port
control-ports { configuration needed
fpc 3 port 0; only on high-end
fpc 15 port 0; security platforms
}
user@host1> set chassis cluster cluster-id 1 node 0 reboot

...
{primary:node0}
user@host1>
•Second node:
user@host2> set chassis cluster cluster-id 1 node 1 reboot
...
{secondary:node1}
user@host2>
Example: Network Diagram After Issuing
the Cluster-Forming Command
node0 fxp0
.1
fab 0
reth1 .2 Internet A
B 10.20.20.1/24
fxp1
5.5.5.2/24
10.20.20.2/24 .2
fab 1
.1
node1
fxp0
Cluster Status Check
{primary:node0}
user@host1> show chassis cluster status
Cluster ID: 1
Node name Priority Status Preempt Manual
failover
Redundancy group: 0 , Failover count: 1

node0 1 primary no no
node1 1 secondary no no
{primary:node0}
user@host1> show interfaces terse | match "fab|fxp1"
fab0 up down
fab0.0 up down inet 30.17.0.200/24
fab1 up down
fab1.0 up down inet 30.18.0.200/24
fxp1 up up
fxp1.0 up up inet 129.16.0.1/2
Configuring the Management Interface
{primary:node0} {primary:node0}[edit]
user@host1> configure user@host1# show apply-groups
warning: Clustering enabled; using private edit
## Last changed: 2009-01-09 14:11:09 UTC
warning: uncommitted changes will be discarded on exit
Entering configuration mode apply-groups "${node}";
{primary:node0}[edit] {primary:node0}[edit]
user@host1# edit groups user@host1# commit
node0:
{primary:node0}[edit groups]
user@host1# show configuration check succeeds
node0 { node1:
system { commit complete
host-name node0-host; node0:
}
commit complete
interfaces {
fxp0 {
unit 0 { {primary:node0}[edit]
family inet { user@node0-host#
address 10.210.11.182/28;
}
...
node1 {
system {
host-name node1-host;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.210.11.177/28;
...
Configuring the Fabric Interfaces
[edit]{primary:node0}
user@node0-host# show interfaces
fab0 { fab0 is for Node 0
fabric-options {
member-interfaces {
ge-0/0/2;
}
}
}
fab1 {
fabric-options { fab1 is for Node 1
member-interfaces {
ge-12/0/2;
}
}
}
{primary:node0}
user@node0-host> show interfaces terse | match fab
ge-0/0/2.0 up up aenet --> fab0.0
ge-12/0/2.0 up up aenet --> fab1.0
fab0 up up
fab0.0 up up inet 30.17.0.200/24
fab1 up up
fab1.0 up up inet 30.18.0.200/24
Configuring a Redundancy Group
{primary:node0}[edit chassis cluster]
user@node0-host# show
redundancy-group 0 {
node 0 priority 254;
node 1 priority 1;
}
redundancy-group 1 {
gratuitous-arp-count 5;
interface-monitor {
ge-1/0/0 weight 255;
}
}
Viewing Redundancy Groups
{primary:node0}
user@node0-host> show chassis cluster status
Cluster: 1, Redundancy-Group: 0
Device name Priority Status Preempt Manual failover
node0 254 Primary No No

node1 1 Secondary No No

Configuring reth Interfaces
{primary:node0}[edit] {primary:node0}
user@node0-host# show interfaces user@node0-host> show interfaces terse | match reth
ge-0/0/0 { Interface Admin Link Proto Local ...
gigether-options {
ge-0/0/0.0 up up aenet --> reth1.0
redundant-parent reth1;
} ge-12/0/0.0 up up aenet --> reth1.0
} reth0 up down
ge-12/0/0 { reth1 up up
gigether-options { reth1.0 up up inet 10.20.20.1/24
redundant-parent reth1;
}
}
reth1 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 10.20.20.1/24;
}
}
}
user@node0-host# show chassis cluster
Specify the number
reth-count 2
of reth interfaces
...
Configuring Cluster Failover Parameters
user@node0-host# show chassis cluster
...
heartbeat-interval 1200;
heartbeat-threshold 5;
...
Monitoring Cluster Statistics
{primary:node0}
user@node0-host> show chassis cluster statistics
Control link statistics:
Control link 0:
Heartbeat packets sent: 69428
Heartbeat packets received: 69404
Heartbeat packet errors: 0
Fabric link statistics:
Child link 0
Probes sent: 123832
Probes received: 123829
Child link 1
Probes sent: 0
Probes received: 0
Services Synchronized:
Service name RTOs sent RTOs received
Translation context 0 0
Incoming NAT 0 0
Resource manager 0 0
DS-LITE create 0 0
Session create 383 0
IPv6 session create 0 0
Session close 375 0
IPv6 session close 0 0
Session change 0 0
IPv6 session change 0 0
Gate create 0 0
Session ageout refresh requests 0 97
IPv6 session ageout refresh requests 0 0
Session ageout refresh replies 96 0
IPv6 session ageout refresh replies 0 0
IPSec VPN 0 0
Manual Failover (1 of 2)
 Process
•Verify status:
{primary:node0}
user@node0-host> show chassis cluster status redundancy-group 1

•Initiate failover:
{primary:node0}
user@node0-host> request chassis cluster failover redundancy-group 1 node 1
node1:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 1
{primary:node0}
node0 200 Secondary No Yes

node1 255 Primary No Yes
Manual Failover (2 of 2)
 Reset failover:
{primary:node0}
user@node0-host> request chassis cluster failover reset redundancy-group 1
node0:
--------------------------------------------------------------------------
No reset required for redundancy group 1.
node1:
--------------------------------------------------------------------------
Successfully reset manual failover for redundancy group 1
{primary:node0}

•Status does not revert unless you configure preempt for RG

Chassis Cluster Logging
 Use show log jsrpd to view cluster events:

{primary:node0}
user@node0-host> show log jsrpd | match RG-0 | match "Jan 10 15"
Jan 10 15:52:45 skipping reth creation on RG-0 secondary node
Jan 10 15:52:45 unable to set priority, for RG-0, fsm_context uninitialized
Jan 10 15:52:45 failed to read rg_info from ssam for RG-0, error 2
Jan 10 15:52:45 read the default state from kernel, state (0) failover-cnt 0 RG-0
Jan 10 15:52:45 Current threshold for rg-0 is 255. Reason: none
Jan 10 15:53:15 RG-0 hold timer, HOLD->SECONDARY
Jan 10 15:53:18 RG-0 dead timer, SECONDARY->PRIMARY
 Enable traceoptions:
{primary:node0}[edit chassis cluster]
user@node0-host# show
traceoptions {
flag cli;
flag configuration;
flag heartbeat;
}
Summary
 In this chapter, we:

•Described chassis cluster operation.
•Configured chassis clusters.
•Monitored chassis clusters.
Review Questions
1. What is the difference between active/active and

active/passive mode?
2. What log file contains chassis cluster related
events?
3. What command can you use to examine the status
of a reth interface and its child interfaces?
Lab 8: Implementing High Availability
Techniques
 Perform configuration and verification steps

associated with implementing chassis clusters.
Resources to Help You Learn More
Resource URL Description
An information experience hub that provides

Pathfinder http://pathfinder.juniper.net
centralized product information
Junos OS and ScreenOS software feature
http://www.juniper.net/techpubs/content-
Content Explorer information to find the right software release
applications/content-explorer/
and hardware platform for your network
Technical documentation for Junos OS-based
http://pathfinder.juniper.net/feature-explorer/ products by product, task, and software release,
Feature Explorer
and also downloadable documentation PDFs by
product and release
Concise tips and instructions on specific
Learning Bytes www.juniper.net/learningbytes
features and functions of Juniper technologies
Installation and Over 60 free Web-based training courses on
Configuration www.juniper.net/courses product installation and configuration (just
Courses choose eLearning under Delivery Modality)
http://forums.juniper.net/t5/Training- Training, certification, and career topics to
J-Net Forum
Certification-and/bd-p/Training_and_Certification discuss with your peers
Complete details on the Juniper Networks
Certification
www.juniper.net/certification Certification Program, including tracks, exam
Program
details, promotions, and how to get started
A complete list of instructor-led, hands-on
Courses www.juniper.net/courses
courses and self-paced, eLearning courses
Worldwide Education Services

05 FW - Cluster - JSEC - 12.a - C11 - HA - Clustering - Implementation

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

05 FW - Cluster - JSEC - 12.a - C11 - HA - Clustering - Implementation

Uploaded by

Copyright:

Available Formats

Junos Security

Chapter 11: High Availability

 After successfully completing this chapter, you will be

Chassis Cluster Operation

 The first chassis to boot forms a cluster

 Joining an existing cluster:

 Chassis cluster split scenarios:

 Two clusters can merge into a single cluster

Downstream Traffic Flow Forwarding

 Active/active deployment Internet

•Active/passive done twice

 Chassis Cluster Operation

user@srx1> set chassis cluster cluster-id id node id reboot

 Second node: Operational mode

 Configure the following:

Weights assignment for

 Cluster failover parameters:

 Disabling the cluster:

•Don’t forget to disable the other node!

•Change interface naming

 Chassis Cluster Operation

user@host1> set chassis cluster cluster-id 1 node 0 reboot

Redundancy group: 0 , Failover count: 1

node0 254 Primary No No

node0 200 Secondary No No

node0 200 Primary No No

node0 200 Secondary No Yes

node0 200 Secondary No No

•Status does not revert unless you configure preempt for RG

 Use show log jsrpd to view cluster events:

 In this chapter, we:

1. What is the difference between active/active and

 Perform configuration and verification steps

An information experience hub that provides

You might also like