SRX Chassis Cluster Upgrade with Minimal Downtime (v0.7)


Assume that node0 is the primary for the control plane (RG0) and the data plane (RG1+) and is configured with a higher priority than the secondary node. Unless a step says otherwise, configuration is entered on node0 (the primary); steps that have to be repeated on each node separately are marked.

1. Upload the new Junos OS image to both nodes:
   /var/tmp/junos-srx5000-12.1x46-d35-domestic.tgz

2. Disable all physical interfaces for transit traffic on node1 (secondary node):
   set interfaces xe-12/0/0 disable
   set interfaces xe-12/3/0 disable

3. Disable the TCP SYN check and sequence check:
   set security flow tcp-session no-syn-check
   set security flow tcp-session no-sequence-check

4. Disable preempt for all RG1+:
   delete chassis cluster redundancy-group 1 preempt

5. Delete all interface-monitor and ip-monitoring:
   delete chassis cluster redundancy-group 1 interface-monitor
   delete chassis cluster redundancy-group 1 ip-monitoring

6. Commit the configuration.

7. Adjust the control-ports (SRX5K) or physically disconnect the control link (Branch SRX and SRX1K/3K), and adjust the fab interfaces.

   7a. For SRX5400/5600/5800, change the control and fabric ports to non-existing ports.
   - Control ports need to be set to an SPC port on the device that has no physical connection.
   - Fabric ports can be set to any IOC slot (existing or not) on the device. A simple way is to change the fabric ports to undefined port numbers (port 40) on the same slot.
   delete chassis cluster control-ports
   set chassis cluster control-ports fpc 10 port 0 (SPC port)
   set chassis cluster control-ports fpc 22 port 0 (SPC port)
   set interfaces fab0 fabric-options member-interfaces xe-1/3/40
   set interfaces fab1 fabric-options member-interfaces xe-13/3/40
   NOTE: Assume that port 40 on FPC1 and FPC13 are non-existing ports for the fabric link. If configured for dual control links, you also need to include the configuration change for the second control link.

   7b. For Branch SRX and SRX1400/3400/3600, the control link(s) need to be physically disconnected. Then move the fabric interfaces:
   set interfaces fab0 fabric-options member-interfaces xe-1/0/40
   set interfaces fab1 fabric-options member-interfaces xe-14/0/40

8. Commit the configuration (on both nodes for Branch SRX and SRX1400/3400/3600).
   NOTE: For Branch SRX and SRX1400/3400/3600, the commit needs to be applied on both nodes independently, because node communication is lost once the control link is removed in step 7b.
   NOTE: For SRX5400/5600/5800, the commit produces the errors below because the control link is down. These are expected error messages. Technically the candidate configuration is not converted to the active configuration on node0 (you can either do an additional commit as shown below, or do it in step 12), but the candidate configuration is now the active configuration on node1, so you do not need to commit the change on node1. You can check this on node1 with show configuration | display set | match "control-ports|fab[01]". E.g.:
   root@srx5k# commit
   configuration check succeeds
   error: error communicating with
   error: remote commit-configuration failed on node1
   error: commit failed
   error: Connection to node1 has been broken
   error: remote unlock-configuration failed on node1
   NOTE: If you want to exit configuration mode, answer "no" to the discard prompt and run commit again on node0:
   root@srx5k# exit
   The configuration has been changed but not committed
   Discard uncommitted changes? [yes,no] (yes) no   <<< SHOULD be "no"
   Exit aborted
   root@srx5k# commit and-quit
   commit complete
   Exiting configuration mode
   root@srx5k> show configuration | display set | match "control-ports|fab[01]"
   set chassis cluster control-ports fpc 10 port 0
   set chassis cluster control-ports fpc 22 port 0
   set interfaces fab0 fabric-options member-interfaces xe-1/3/40
   set interfaces fab1 fabric-options member-interfaces xe-13/3/40
   NOTE: Before starting the node1 upgrade, make sure the active configuration includes the changes of step 7 on both nodes. On node1:
   {disabled:node1}
   root@srx5k> show configuration | display set | match "control-ports|fab[01]"
   set chassis cluster control-ports fpc 10 port 0
   set chassis cluster control-ports fpc 22 port 0
   set interfaces fab0 fabric-options member-interfaces xe-1/3/40
   set interfaces fab1 fabric-options member-interfaces xe-13/3/40

### Start node1 upgrade ###

9. Upgrade Junos OS on node1:
   request system software add no-copy no-validate <install-package>

10. Reboot node1:
   request system reboot

11. After node1 boots with the updated Junos OS, all FPCs and PICs should be online before proceeding (this takes 10-15 minutes depending on the number of FPCs), and node1 should be in the primary state for all RGs:
   show version
   show chassis fpc pic-status
   show chassis cluster status   (node0 should be in lost status)
   NOTE: The priorities of RG1+ will report priority 0; this is normal behavior.

12. Before failing over to node1, verify that a configuration change commits successfully on each node, then disable all physical interfaces for transit traffic on node0 and enable all physical interfaces for transit traffic on node1. On node0:
   root@srx5k# set interfaces reth0 description TEST
   root@srx5k# commit
   commit complete
   root@srx5k# rollback 1
   load complete
   root@srx5k# commit
   commit complete
   On node1:
   root@srx5k# set interfaces reth0 description TEST
   root@srx5k# commit
   node1:
   commit complete
   root@srx5k# rollback 1
   load complete
   root@srx5k# commit
   node1:
   commit complete
   Then, on both nodes:
   set interfaces xe-0/0/0 disable
   set interfaces xe-0/3/0 disable
   delete interfaces xe-12/0/0 disable
   delete interfaces xe-12/3/0 disable
   NOTE: This enables all physical interfaces of node1 that were disabled in step 2.
   NOTE: If there are any conflicts, they need to be resolved before moving to the next step.

13. Commit the configuration simultaneously on both nodes. This causes all of the traffic to fail over to node1.
   NOTE: The total downtime will vary depending on the switching/routing environment (dynamic routing, STP, MSTP, RSTP, VSTP, edge, PortFast, etc.).

14. Verify that traffic is passing through node1:
   show security flow session summary
   monitor interface traffic

### Start node0 upgrade ###

15. Upgrade Junos OS on node0:
   request system software add no-validate no-copy <install-package>

16. Reboot node0:
   request system reboot

17. After node0 boots with the updated Junos OS, all FPCs and PICs should be online before proceeding (this takes 10-15 minutes depending on the number of FPCs), and node0 should be in the primary state for all RGs:
   show version
   show chassis fpc pic-status
   show chassis cluster status   (node0 should be in lost status)
   NOTE: The priorities of RG1+ will report priority 0; this is normal behavior.

18. Before re-configuring the control-ports (SRX5K) or connecting the control link (Branch SRX and SRX1K/3K) and re-configuring the fab interfaces, re-enable the interface-monitor that was deleted in step 5. On both nodes:
   set chassis cluster redundancy-group 1 interface-monitor xe-0/0/0 weight 255
   set chassis cluster redundancy-group 1 interface-monitor xe-0/3/0 weight 255
   set chassis cluster redundancy-group 1 interface-monitor xe-12/0/0 weight 255
   set chassis cluster redundancy-group 1 interface-monitor xe-12/3/0 weight 255
   NOTE: You can still configure node1's interfaces even though they are not shown on node0, and node0's interfaces even though they are not shown on node1.

19. Commit the configuration on both nodes.

20. Re-configure the control-ports (SRX5K) or connect the control link (Branch SRX and SRX1K/3K), and re-configure the fab interfaces on node0 only (you will apply the same configuration on node1 in step 22).

   20a. For SRX5400/5600/5800, re-configure the correct control and fabric interfaces on node0:
   delete chassis cluster control-ports
   set chassis cluster control-ports fpc 11 port 0
   set chassis cluster control-ports fpc 23 port 0
   set interfaces fab0 fabric-options member-interfaces xe-1/3/0
   set interfaces fab1 fabric-options member-interfaces xe-13/3/0
   commit and-quit

   20b. For Branch SRX and SRX1400/3400/3600, physically re-connect the control link(s) and re-configure the fabric interfaces on node0:
   set interfaces fab0 fabric-options member-interfaces xe-1/0/0
   set interfaces fab1 fabric-options member-interfaces xe-14/0/0
   commit and-quit

21. Put node0 into halt status with request system halt:
   root@srx5k> request system halt
   warning: This command will not halt the other routing-engine.
   If planning to switch off power, use the both-routing-engines option.
   Halt the system? [yes,no] (no) yes
   *** FINAL System shutdown message from root@srx5k ***
   System going down IMMEDIATELY
   Shutdown NOW!
   [pid 2193]
   root@srx5k> failed to set the server tnp address
   Waiting (max 60 seconds) for system process `vnlru_mem' to stop...done
   Waiting (max 60 seconds) for system process `vnlru' to stop...done
   Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
   Waiting (max 60 seconds) for system process `syncer' to stop...
   Syncing disks, vnodes remaining...3 3 1 1 1 1 1 1 0 0 0 0 0 0 done
   syncing disks... All buffers synced.
   Uptime: 1h25m0s
   recorded reboot as normal shutdown
   The operating system has halted.
   Please press any key to reboot.
   NOTE: DO NOT press any key before step 22 is completed.

22. When the node0 console prints "The operating system has halted.", re-configure the control-ports (SRX5K) or connect the control link (Branch SRX and SRX1K/3K), and re-configure the fab interfaces on node1.

   22a. For SRX5400/5600/5800, re-configure the correct control and fabric interfaces on node1:
   delete chassis cluster control-ports
   set chassis cluster control-ports fpc 11 port 0
   set chassis cluster control-ports fpc 23 port 0
   set interfaces fab0 fabric-options member-interfaces xe-1/3/0
   set interfaces fab1 fabric-options member-interfaces xe-13/3/0
   commit and-quit

   22b. For Branch SRX and SRX1400/3400/3600, re-connect the control link(s) and re-configure the fabric interfaces on node1:
   set interfaces fab0 fabric-options member-interfaces xe-1/0/0
   set interfaces fab1 fabric-options member-interfaces xe-14/0/0
   commit and-quit
   NOTE: Make sure you DO NOT commit until node0 is in halt status (step 21).
   NOTE: Make sure node1 is primary for all RGs (show chassis cluster status).

23. Press any key to reboot node0.

24. When node0 returns to the Up state, verify that it has synchronized with node1. Then enable all physical interfaces for transit traffic on node0 that were disabled in step 12, and re-enable the TCP syn-check and sequence-check that were disabled in step 3:
   show chassis fpc pic-status   (verify all slots and PICs are Online)
   show security flow session summary   (verify both nodes report similar session counts)
   delete interfaces xe-0/0/0 disable
   delete interfaces xe-0/3/0 disable
   delete security flow tcp-session no-syn-check
   delete security flow tcp-session no-sequence-check

25. Verify that the RG states are back online with the correct priority:
   show chassis cluster status

26. Enable preempt and ip-monitoring for RG1+ if they were configured before:
   set chassis cluster redundancy-group 1 preempt
   commit and-quit

27. Optional: fail the RGs over to node0 (in case preempt is not configured, or node1 is used with the higher priority):
   request chassis cluster failover redundancy-group 0 node 0
   request chassis cluster failover redundancy-group 1 node 0
   request chassis cluster failover reset redundancy-group 0
   request chassis cluster failover reset redundancy-group 1
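The staging logic of the procedure above as an added example, not part of the original document: it generates the Junos set/delete batches for the isolation, failover and restore steps, and parses the node's "show configuration | display set" output to confirm that the step-7 staging (non-existent control/fab ports) is really active before node1 is upgraded. Interface names, FPC numbers and the sample output are assumptions taken from the document's own SRX5K example.

```python
# Added example (not from the original document): build the staged Junos
# batches used in the SRX cluster upgrade and verify, from the output of
# 'show configuration | display set | match "control-ports|fab[01]"', that a
# node carries the step-7 staging config. Names below are assumed (SRX5K example).
import re

NODE_IFACES = {0: ["xe-0/0/0", "xe-0/3/0"], 1: ["xe-12/0/0", "xe-12/3/0"]}
CONTROL_PORTS = {"real": [(11, 0), (23, 0)], "staged": [(10, 0), (22, 0)]}
FAB = {"real": {"fab0": "xe-1/3/0", "fab1": "xe-13/3/0"},
       "staged": {"fab0": "xe-1/3/40", "fab1": "xe-13/3/40"}}


def transit(node, enable):
    """Steps 2, 12 and 24: 'set ... disable' parks a node's transit interfaces,
    'delete ... disable' brings them back."""
    verb = "delete" if enable else "set"
    return [f"{verb} interfaces {ifc} disable" for ifc in NODE_IFACES[node]]


def flow_checks(relaxed):
    """Steps 3 and 24: TCP SYN/sequence checks off while sessions move between
    nodes, back on once the cluster is healthy again."""
    verb = "set" if relaxed else "delete"
    return [f"{verb} security flow tcp-session no-syn-check",
            f"{verb} security flow tcp-session no-sequence-check"]


def cluster_links(mode):
    """Steps 7a, 20a, 22a (SRX5K): point control and fab links at 'staged'
    (non-existent) ports to split the cluster, or at 'real' ports to rejoin."""
    cmds = ["delete chassis cluster control-ports"]
    cmds += [f"set chassis cluster control-ports fpc {f} port {p}"
             for f, p in CONTROL_PORTS[mode]]
    cmds += [f"set interfaces {fab} fabric-options member-interfaces {ifc}"
             for fab, ifc in FAB[mode].items()]
    return cmds


def failover_batch():
    """Step 12: the one commit that moves all transit traffic to node1."""
    return transit(0, enable=False) + transit(1, enable=True)


def links_are_staged(show_output):
    """Step 8 NOTE: parse the 'display set' lines and confirm every control
    port and fab member points at the staged ports. Any real port still present
    means the node would try to rejoin the cluster in the middle of the upgrade."""
    got_cp = set(re.findall(r"control-ports fpc (\d+) port (\d+)", show_output))
    got_fab = dict(re.findall(
        r"interfaces (fab[01]) fabric-options member-interfaces (\S+)", show_output))
    want_cp = {(str(f), str(p)) for f, p in CONTROL_PORTS["staged"]}
    return got_cp == want_cp and got_fab == FAB["staged"]


# Constructed sample of the node1 output shown in the step 8 NOTE.
SAMPLE_SHOW = """\
set chassis cluster control-ports fpc 10 port 0
set chassis cluster control-ports fpc 22 port 0
set interfaces fab0 fabric-options member-interfaces xe-1/3/40
set interfaces fab1 fabric-options member-interfaces xe-13/3/40
"""
```

Run links_are_staged() against the real output of each node before step 9; a False result means step 7 was not committed on that node.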