Junos Security. Chapter 11: High Availability Clustering Implementation

Transcription

1 Junos Security Chapter 11: High Availability Clustering Implementation 2012 Juniper Networks, Inc. All rights reserved. Worldwide Education Services

2 Chapter Objectives After successfully completing this chapter, you will be able to: Describe chassis cluster operation Configure chassis clusters Monitor chassis clusters

3 Agenda: High Availability Clustering Implementation Chassis Cluster Operation Chassis Cluster Configuration Chassis Cluster Monitoring

4 Cluster Operation: Forming a Cluster The first chassis to boot forms a cluster RG transitions from the blank state to the primary state RGx Cluster reth1 reth2 First chassis boots

5 Cluster Operation: Joining a Cluster Joining an existing cluster: RG of second chassis transitions from the blank state to the secondary state Configurations synchronize Cluster RGx RGx reth1 reth2 reth1 reth2 Second chassis boots

6 Cluster Operation: Leaving a Cluster Leaving a cluster: The leave action can happen when the chassis reboots or powers off The leave action can cause RG state changes from secondary to the primary Cluster RGx RGx reth1 reth2 reth1 reth2 Chassis boots or powers off

7 Cluster Operation: Splitting a Cluster Chassis cluster split scenarios: Control (fxp1) or data (fab) link failure causes the secondary node to enter the disabled state Simultaneous fxp1 and fabn link failures result in a split Primary Cluster Secondary reth1 reth2 reth1 reth2 Primary Disabled reth1 reth2 reth1 reth

8 Cluster Operation: Merging Clusters Two clusters can merge into a single cluster Requires reboot of disabled or altered cluster Cluster A RGx Cluster B RGx reth1 reth2 reth1 reth2 RGx Cluster RGx reth1 reth2 reth1 reth

9 Active-Passive Mode Node 0 Node 1 fab n Cluster Active Session Backup Session RTO Packet Upstream Traffic Downstream Traffic

10 Active-Active Mode (1 of 2) Forward Session Active Session Backup Session fab n Node 0 Node 1 Cluster RTO Packet Upstream Traffic Downstream Traffic Switch Fabric Forwarding Flow Forwarding

11 Active/Active Mode (2 of 2) Active/active deployment Active/passive done twice Data path forwarding Health check for secondary node Internet Node 0 Node 1 Control Data RG 1 RG 2 Upstream traffic Downstream traffic

12 Agenda: High Availability Clustering Implementation Chassis Cluster Operation Chassis Cluster Configuration Chassis Cluster Monitoring

13 Preparing a Cluster Physically connect two Junos security devices Ensure that both devices are of the same model Connect any two Ethernet interfaces (one per node) of the same media type to create the fabric link Must be a fiber connection for high-end security platforms Connect control ports to create the control link SPCs must be in the same slots Use revenue port for branch security platforms (varies by device) Configure SPC control ports (high-end platforms only) Enable clustering Set up the cluster-id id and node id for each device Reboot desired primary device, then the secondary device

14 Enabling the Chassis Cluster First node: [edit chassis cluster] show control-ports { fpc slot port port; fpc slot port port; [edit chassis cluster] user@srx1# commit and-quit commit complete Exiting configuration mode user@srx1> set chassis cluster cluster-id id node id reboot Successfully enabled chassis cluster. Going to reboot now... Second node: user@srx2> set chassis cluster cluster-id id node id reboot Successfully enabled chassis cluster. Going to reboot now... Control ports require configuration only on high-end security platforms Operational mode command

15 Cluster Configuration Steps Configure the following: Management interfaces Fabric interfaces Redundancy groups Redundant Ethernet interfaces Physical interface renaming for secondary node Cluster failover parameters

16 Configuring Management Interfaces {primary:node0 configure warning: Clustering enabled; using private edit warning: uncommitted changes will be discarded on exit Entering configuration mode {primary:node0[edit] set apply-groups ${node {primary:node0[edit] edit groups {primary:node0[edit groups] show node0 { system { host-name unique-name1; interfaces { fxp0 { unit 0 { family inet { address ip-address1;... node1 { system { host-name unique-name2; interfaces { fxp0 { unit 0 { family inet { address ip-address2; Ensures proper group assignment to both nodes

17 Configuring Fabric Interfaces {primary:node0[edit] show interfaces fab0 { fabric-options { member-interfaces { interface-name; fab1 { fabric-options { member-interfaces { interface-name; Interface from Node 0 Interface from Node

18 Configuring a Redundancy Group {primary:node0[edit] user@srx1# show chassis cluster redundancy-group number { node [0 1] priority priority-number; node [0 1] priority priority-number; preempt; gratuitous-arp-count number; interface-monitor { interface-name weight number; interface-name weight number; Priorities range from Optional command Default value is 4 Weights assignment for interface monitoring

19 Configuring a Redundant Ethernet Interface {primary:node0[edit] user@srx1# show interfaces ge-x/y/z { gigether-options { redundant-parent reth#;... ge-a/b/c { gigether-options { redundant-parent reth#;... reth# { redundant-ether-options { redundancy-group number; unit 0 { family inet { address ip-address; {primary:node0[edit] user@srx1# show chassis cluster reth-count number... Can configure multiple logical units using VLAN tagging Define the number of reth interfaces in a cluster

20 Configuring Cluster Failover Parameters Cluster failover parameters: heartbeat-interval: interval of time between heartbeat messages that broadcast to all nodes in the cluster heartbeat-threshold: number of missed heartbeats that must be exceeded to declare the node dead [edit] show chassis cluster... heartbeat-interval number-in-millisec; heartbeat-threshold number;

21 Disabling a Chassis Cluster Disabling the cluster: {primary:node0 user@srx1> set chassis cluster disable reboot Successfully disabled chassis cluster. Going to reboot now... Don t forget to disable the other node! {secondary:node1 user@srx2> set chassis cluster disable reboot Successfully disabled chassis cluster. Going to reboot now... Change interface naming

22 Agenda: High Availability Clustering Implementation Chassis Cluster Operation Chassis Cluster Configuration Chassis Cluster Monitoring

23 Example: Network Diagram Prior to Issuing the Cluster-Forming Command host1 fxp /24 B ge-0/0/2.1 SPC 3 port Internet A /24 host2 fxp

24 Forming a Cluster Cluster formation: First node: [edit chassis cluster] user@host1# show control-ports { fpc 3 port 0; fpc 15 port 0; Control port configuration needed only on high-end security platforms user@host1> set chassis cluster cluster-id 1 node 0 reboot Successfully enabled chassis cluster. Going to reboot now... {primary:node0 user@host1> Second node: user@host2> set chassis cluster cluster-id 1 node 1 reboot Successfully enabled chassis cluster. Going to reboot now... {secondary:node1 user@host2>

25 Example: Network Diagram After Issuing the Cluster-Forming Command node0 fxp0 B /24 reth /24 fab 0.1 fxp1.2.2 Internet A /24 fab 1.1 node1 fxp

26 Cluster Status Check {primary:node0 show chassis cluster status Cluster ID: 1 Node name Priority Status Preempt Manual failover Redundancy group: 0, Failover count: 1 node0 1 primary no no node1 1 secondary no no {primary:node0 user@host1> show interfaces terse match "fab fxp1" fab0 up down fab0.0 up down inet /24 fab1 up down fab1.0 up down inet /24 fxp1 up up fxp1.0 up up inet /

27 Configuring the Management Interface {primary:node0 configure warning: Clustering enabled; using private edit warning: uncommitted changes will be discarded on exit Entering configuration mode {primary:node0[edit] show apply-groups ## Last changed: :11:09 UTC apply-groups "${node"; {primary:node0[edit] edit groups {primary:node0[edit] commit node0: configuration check succeeds node1: commit complete node0: commit complete {primary:node0[edit groups] show node0 { system { host-name node0-host; interfaces { fxp0 { unit 0 { {primary:node0[edit] family inet { user@node0-host# address /28;... node1 { system { host-name node1-host; interfaces { fxp0 { unit 0 { family inet { address /28;

28 Configuring the Fabric Interfaces [edit]{primary:node0 show interfaces fab0 { fabric-options { member-interfaces { ge-0/0/2; fab1 { fabric-options { member-interfaces { ge-12/0/2; fab0 is for Node 0 fab1 is for Node 1 {primary:node0 user@node0-host> show interfaces terse match fab ge-0/0/2.0 up up aenet --> fab0.0 ge-12/0/2.0 up up aenet --> fab1.0 fab0 up up fab0.0 up up inet /24 fab1 up up fab1.0 up up inet /

29 Configuring a Redundancy Group {primary:node0[edit chassis cluster] user@node0-host# show redundancy-group 0 { node 0 priority 254; node 1 priority 1; redundancy-group 1 { node 0 priority 200; node 1 priority 100; gratuitous-arp-count 5; interface-monitor { ge-1/0/0 weight 255;

30 Viewing Redundancy Groups {primary:node0 show chassis cluster status Cluster: 1, Redundancy-Group: 0 Device name Priority Status Preempt Manual failover node0 254 Primary No No node1 1 Secondary No No Cluster: 1, Redundancy-Group: 1 Device name Priority Status Preempt Manual failover node0 200 Secondary No No node1 100 Primary No No

31 Configuring reth Interfaces {primary:node0[edit] show interfaces ge-0/0/0 { gigether-options { redundant-parent reth1; ge-12/0/0 { gigether-options { redundant-parent reth1; reth1 { redundant-ether-options { redundancy-group 1; unit 0 { family inet { address /24; {primary:node0 user@node0-host> show interfaces terse match reth Interface Admin Link Proto Local... ge-0/0/0.0 up up aenet --> reth1.0 ge-12/0/0.0 up up aenet --> reth1.0 reth0 up down reth1 up up reth1.0 up up inet /24 {primary:node0[edit] user@node0-host# show chassis cluster reth-count 2... Specify the number of reth interfaces

32 Configuring Cluster Failover Parameters {primary:node0[edit] show chassis cluster... heartbeat-interval 1200; heartbeat-threshold 5;

33 Monitoring Cluster Statistics {primary:node0 show chassis cluster statistics Control link statistics: Control link 0: Heartbeat packets sent: Heartbeat packets received: Heartbeat packet errors: 0 Fabric link statistics: Child link 0 Probes sent: Probes received: Child link 1 Probes sent: 0 Probes received: 0 Services Synchronized: Service name RTOs sent RTOs received Translation context 0 0 Incoming NAT 0 0 Resource manager 0 0 DS-LITE create 0 0 Session create IPv6 session create 0 0 Session close IPv6 session close 0 0 Session change 0 0 IPv6 session change 0 0 Gate create 0 0 Session ageout refresh requests 0 97 IPv6 session ageout refresh requests 0 0 Session ageout refresh replies 96 0 IPv6 session ageout refresh replies 0 0 IPSec VPN

34 Manual Failover (1 of 2) Process Verify status: {primary:node0 show chassis cluster status redundancy-group 1 Cluster: 1, Redundancy-Group: 1 Device name Priority Status Preempt Manual failover node0 200 Primary No No node1 100 Secondary No No Initiate failover: {primary:node0 user@node0-host> request chassis cluster failover redundancy-group 1 node 1 node1: Initiated manual failover for redundancy group 1 {primary:node0 user@node0-host> show chassis cluster status redundancy-group 1 Cluster: 1, Redundancy-Group: 1 Device name Priority Status Preempt Manual failover node0 200 Secondary No Yes node1 255 Primary No Yes

35 Manual Failover (2 of 2) Reset failover: {primary:node0 request chassis cluster failover reset redundancy-group 1 node0: No reset required for redundancy group 1. node1: Successfully reset manual failover for redundancy group 1 {primary:node0 user@node0-host> show chassis cluster status redundancy-group 1 Cluster: 1, Redundancy-Group: 1 Device name Priority Status Preempt Manual failover node0 200 Secondary No No node1 100 Primary No No Status does not revert unless you configure preempt for RG

36 Chassis Cluster Logging Use show log jsrpd to view cluster events: {primary:node0 show log jsrpd match RG-0 match "Jan 10 15" Jan 10 15:52:45 skipping reth creation on RG-0 secondary node Jan 10 15:52:45 unable to set priority, for RG-0, fsm_context uninitialized Jan 10 15:52:45 failed to read rg_info from ssam for RG-0, error 2 Jan 10 15:52:45 read the default state from kernel, state (0) failover-cnt 0 RG-0 Jan 10 15:52:45 Current threshold for rg-0 is 255. Reason: none Jan 10 15:53:15 RG-0 hold timer, HOLD->SECONDARY Jan 10 15:53:18 RG-0 dead timer, SECONDARY->PRIMARY Enable traceoptions: {primary:node0[edit chassis cluster] user@node0-host# show traceoptions { flag cli; flag configuration; flag heartbeat;

37 Summary In this chapter, we: Described chassis cluster operation. Configured chassis clusters. Monitored chassis clusters

38 Review Questions 1. What is the difference between active/active and active/passive mode? 2. What log file contains chassis cluster related events? 3. What command can you use to examine the status of a reth interface and its child interfaces?

39 Lab 8: Implementing High Availability Techniques Perform configuration and verification steps associated with implementing chassis clusters

40 Resources to Help You Learn More Resource URL Description Pathfinder Content Explorer Feature Explorer Learning Bytes Installation and Configuration Courses J-Net Forum Certification Program Courses Certification-and/bd-p/Training_and_Certification An information experience hub that provides centralized product information Junos OS and ScreenOS software feature information to find the right software release and hardware platform for your network Technical documentation for Junos OS-based products by product, task, and software release, and also downloadable documentation PDFs by product and release Concise tips and instructions on specific features and functions of Juniper technologies Over 60 free Web-based training courses on product installation and configuration (just choose elearning under Delivery Modality) Training, certification, and career topics to discuss with your peers Complete details on the Juniper Networks Certification Program, including tracks, exam details, promotions, and how to get started A complete list of instructor-led, hands-on courses and self-paced, elearning courses

41 Worldwide Education Services