Juniper SRX – High Availability (Active / Passive Simple)

The Juniper SRX offers four types of High Availability (HA) deployment:

  • Active/Passive Simple
  • Active/Passive Full Mesh
  • Active/Active Deployment
  • Active/Passive Transparent Mode

Within this article we will look at Active/Passive Simple on an SRX 240 series device.

Summary

Active/Passive is the most common type of HA deployment and consists of two firewall members: one node actively processes the traffic, while the other (backup) node stands ready to take over in the event of the active node failing.

As the name suggests, Active/Passive Full Mesh, unlike Simple, ensures that there is no single point of failure within the network (for example, the untrust interfaces of both nodes being connected to a single switch).

Overview

Ok, so how do you configure Active/Passive Simple? Before we look at the configuration steps there are a few points that you will need to know:

  • Both nodes require the same code version.
  • Both nodes (within the Branch series) can have different PIMs (Physical Interface Modules).
  • Both nodes within the cluster share the same configuration.
  • JSRP (Juniper Services Redundancy Protocol) is the software daemon responsible for providing chassis clustering.
  • Chassis clustering does not support Layer 2 Ethernet switching. Any such configuration should be removed before chassis clustering is enabled.
  • The redundant interface (reth) MAC address is formed from the Cluster ID and the reth number, so two clusters sharing a Layer 2 segment must not use the same Cluster ID.
  • In the event of a failover the backup node sends, by default, 4 gratuitous ARPs (GARPs) to ensure that the neighbouring ARP cache(s) are updated accordingly.

Terms / Concepts

Below is a description of some of the key terms and concepts of chassis clustering.

Cluster ID

The Cluster ID identifies a collection of cluster nodes.

Cluster Node ID

The Cluster Node ID is a numerical value that identifies each firewall member (node 0 or node 1).

Redundant Interface

A redundant interface (rethx.x) represents a collection of physical interfaces, one on each node.

Redundancy Group

A redundancy group represents a collection of redundant interfaces.

FXP0

FXP0 is the management interface and is configured on fe-0/0/6.

FXP1

FXP1 is the control link and is responsible for control plane communication between the nodes.
FXP1 is configured on fe-0/0/7. Both nodes should be directly connected.

FAB

FAB is the fabric interface. It is used by the PFE* to transmit transit traffic and to sync data plane state.
FAB is configured on ge-0/0/1.

 *Packet Forwarding Engine


Configuration Steps

There are a number of steps required to configure Active/Passive Simple on an SRX device, but there is one point that I should point out first. Once chassis clustering has been enabled the system automatically renumbers the interfaces of node 1, e.g. the FAB interface on node 1 becomes ge-2/0/1 instead of ge-0/0/1.

To help with the following configuration steps, below is a visual representation of our setup.

[Diagram: visual representation of the setup]

Enable Chassis Clustering

First of all, chassis clustering is enabled on each of the nodes. This is the only point during the configuration at which each node requires a reboot. The node-specific settings (hostname and fxp0 management address) are held in groups that each node applies to itself via "${node}".

#set groups node0 system host-name SRX-A
#set groups node0 interfaces fxp0 unit 0 family inet address 172.16.1.1/24
#set groups node1 system host-name SRX-B
#set groups node1 interfaces fxp0 unit 0 family inet address 172.16.1.2/24
#set apply-groups "${node}"

Configure Fabric Interfaces

Next the redundancy groups and their node priorities are configured. Redundancy group 0 covers the control plane (routing engine) and redundancy group 1 the data plane; on both, node 0 is given the higher priority and so becomes the primary.

#set chassis cluster redundancy-group 0 node 0 priority 100
#set chassis cluster redundancy-group 0 node 1 priority 1

#set chassis cluster redundancy-group 1 node 0 priority 100
#set chassis cluster redundancy-group 1 node 1 priority 1

Interface Monitoring

Each physical interface is then configured under its redundant Ethernet interface (reth), and each reth is placed into redundancy group 1. Note that the reth-count must be at least the number of reths in use.

#set chassis cluster reth-count 2
#set interfaces fe-0/0/2 fastether-options redundant-parent reth0
#set interfaces fe-2/0/2 fastether-options redundant-parent reth0
#set interfaces reth0 redundant-ether-options redundancy-group 1
#set interfaces reth0 unit 0 family inet address 192.168.1.1/24

#set interfaces ge-0/0/0 gigether-options redundant-parent reth1
#set interfaces ge-2/0/0 gigether-options redundant-parent reth1
#set interfaces reth1 redundant-ether-options redundancy-group 1
#set interfaces reth1 unit 0 family inet address 82.1.1.1/24

Assign Security Zones

Finally each redundant interface is assigned to its security zone.

#set security zones security-zone trust interfaces reth0.0
#set security zones security-zone untrust interfaces reth1.0
#commit
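The steps above are easy to get wrong by hand (the node 1 member of a reth must be the renumbered counterpart of the node 0 member, ge- interfaces take gigether-options rather than fastether-options, and the reth-count must cover every reth). The following script, an added example that is not code from the original article, builds the whole Active/Passive Simple configuration from a small description of the topology and checks those constraints before emitting the set statements. The data model, helper names (node1_name, validate, render, enable_commands) and the SAMPLE topology are my own; the FPC offset of 2 is taken from the article's own renumbering example and is platform specific, so it is an assumption here. The operational-mode "set chassis cluster cluster-id ... node ... reboot" commands and the fab0/fab1 fabric-options statements are standard Junos statements not shown in the article.

```python
"""Generate and sanity-check a Juniper SRX Active/Passive Simple
chassis-cluster configuration. Added example; not the article's own code."""
import re

# Assumption: once clustering is enabled, node 1's interfaces are renumbered
# by adding an FPC offset to the slot number. The article shows fe-0/0/2
# becoming fe-2/0/2 and ge-0/0/1 becoming ge-2/0/1, i.e. an offset of 2.
# The offset differs between SRX models, so it is a parameter, not a constant.
DEFAULT_FPC_OFFSET = 2

IFNAME = re.compile(r"^(fe|ge|xe)-(\d+)/(\d+)/(\d+)$")

# Constructed sample describing the article's topology.
SAMPLE = {
    "cluster_id": 1,
    "fpc_offset": DEFAULT_FPC_OFFSET,
    "reth_count": 2,
    "nodes": [{"host": "SRX-A", "fxp0": "172.16.1.1/24"},
              {"host": "SRX-B", "fxp0": "172.16.1.2/24"}],
    "fab": "ge-0/0/1",             # node 0's fabric member; node 1's is derived
    "priorities": {0: 100, 1: 1},  # higher priority wins, so node 0 is primary
    "reths": [
        {"name": "reth0", "node0": "fe-0/0/2", "node1": "fe-2/0/2",
         "address": "192.168.1.1/24", "zone": "trust"},
        {"name": "reth1", "node0": "ge-0/0/0", "node1": "ge-2/0/0",
         "address": "82.1.1.1/24", "zone": "untrust"},
    ],
}


def node1_name(ifname, fpc_offset=DEFAULT_FPC_OFFSET):
    """Return the node 1 name of a node 0 interface after cluster renumbering."""
    m = IFNAME.match(ifname)
    if not m:
        raise ValueError(f"not a physical interface name: {ifname}")
    kind, fpc, pic, port = m.groups()
    return f"{kind}-{int(fpc) + fpc_offset}/{pic}/{port}"


def options_keyword(ifname):
    """Junos keys the redundant-parent statement on the media type."""
    kind = ifname.split("-", 1)[0]
    return {"fe": "fastether-options", "ge": "gigether-options",
            "xe": "gigether-options"}[kind]


def validate(cluster):
    """Return a list of problems; an empty list means the design is consistent."""
    problems = []
    if len(cluster["reths"]) > cluster["reth_count"]:
        problems.append("reth-count is smaller than the number of reths")
    for reth in cluster["reths"]:
        n0, n1 = reth["node0"], reth["node1"]
        # The node 1 member must be node 0's counterpart after renumbering,
        # so a slip such as pairing ge-0/0/0 with ge-2/0/2 is reported.
        expected = node1_name(n0, cluster["fpc_offset"])
        if n1 != expected:
            problems.append(f"{reth['name']}: node1 member {n1} should be {expected}")
        if options_keyword(n0) != options_keyword(n1):
            problems.append(f"{reth['name']}: members {n0} and {n1} differ in media type")
    return problems


def enable_commands(cluster):
    """Operational-mode commands that enable clustering; each reboots its node."""
    cid = cluster["cluster_id"]
    return [f"set chassis cluster cluster-id {cid} node {n} reboot" for n in (0, 1)]


def render(cluster):
    """Emit the configuration-mode 'set' statements for the cluster."""
    offset = cluster["fpc_offset"]
    lines = []
    for n, node in enumerate(cluster["nodes"]):
        lines.append(f"set groups node{n} system host-name {node['host']}")
        lines.append(f"set groups node{n} interfaces fxp0 unit 0 "
                     f"family inet address {node['fxp0']}")
    lines.append('set apply-groups "${node}"')
    # Fabric (data-plane) link: fab0 is node 0's member, fab1 is node 1's.
    lines.append(f"set interfaces fab0 fabric-options member-interfaces {cluster['fab']}")
    lines.append("set interfaces fab1 fabric-options member-interfaces "
                 f"{node1_name(cluster['fab'], offset)}")
    # RG0 is the control plane (routing engine), RG1 the data plane.
    for rg in (0, 1):
        for node, prio in cluster["priorities"].items():
            lines.append(f"set chassis cluster redundancy-group {rg} node {node} priority {prio}")
    lines.append(f"set chassis cluster reth-count {cluster['reth_count']}")
    for reth in cluster["reths"]:
        name = reth["name"]
        for member in (reth["node0"], reth["node1"]):
            lines.append(f"set interfaces {member} {options_keyword(member)} redundant-parent {name}")
        lines.append(f"set interfaces {name} redundant-ether-options redundancy-group 1")
        lines.append(f"set interfaces {name} unit 0 family inet address {reth['address']}")
        lines.append(f"set security zones security-zone {reth['zone']} interfaces {name}.0")
    return lines


if __name__ == "__main__":
    issues = validate(SAMPLE)
    if issues:
        raise SystemExit("\n".join(issues))
    print("\n".join(enable_commands(SAMPLE) + render(SAMPLE)))
```

Run it as-is to print the enable commands followed by the 22 configuration statements for the topology above; change a member to ge-2/0/2 in SAMPLE and it refuses to render, naming the expected node 1 interface instead. Before using the output on a real pair, confirm the FPC offset for your model with "show chassis hardware" once the cluster is up.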


Rick Donato
