Chapter 11: High Availability Clustering Implementationluk.kis.p.lodz.pl/KSBG/wyklad/v2017/05 FW.cluster - JSEC... · 2017-05-20 · Worldwide Education Services | 11-13 Preparing

© 2012 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services

Chapter 11: High Availability

Clustering Implementation

Junos Security

© 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net | 11-2Worldwide Education Services

Chapter Objectives

After successfully completing this chapter, you will be

able to:

•Describe chassis cluster operation

•Configure chassis clusters

•Monitor chassis clusters


Agenda: High Availability Clustering

Implementation

Chassis Cluster Operation

Chassis Cluster Configuration

Chassis Cluster Monitoring


Cluster Operation: Forming a Cluster

The first chassis to boot forms a cluster

•RG transitions from the blank state to the primary state

reth2reth1

RGx

Cluster

First chassis

boots


Cluster Operation: Joining a Cluster

Joining an existing cluster:

•RG of second chassis transitions from the blank state to the

secondary state

•Configurations synchronize

reth2reth1

RGx

Cluster

reth2reth1

RGx

Second chassis

boots


Cluster Operation: Leaving a Cluster

Leaving a cluster:

•The leave action can happen when the chassis reboots or

powers off

•The leave action can cause RG state changes from

secondary to the primary

reth2reth1

RGx

Cluster

reth2reth1

RGx

Chassis boots

or powers off


Chassis cluster split scenarios:

•Control (fxp1) or data (fab) link failure causes the secondary

node to enter the disabled state

•Simultaneous fxp1 and fabn link failures result in a split

Cluster Operation: Splitting a Cluster

reth2reth1

Primary

Cluster

reth2reth1

Secondary

reth2reth1

Primary

reth2reth1

Disabled


reth1

RGx

Cluster Operation: Merging Clusters

Two clusters can merge into a single cluster

•Requires reboot of disabled or altered cluster

reth2reth1

RGx

Cluster A

reth2reth1

RGx

Cluster B

Cluster

reth2reth1

RGx

reth2


Active-Passive Mode

fab nNode 0 Node 1

Active Session

Backup Session

Downstream Traffic

Upstream Traffic

RTO Packet

Cluster


Active-Active Mode (1 of 2)

Node 0 Node 1

Active Session

Backup Session

Downstream Traffic

Upstream TrafficSwitch Fabric Forwarding

Flow Forwarding

RTO Packet

Forward Session

Cluster

fab n


RG 2 RG 1

Active/Active Mode (2 of 2)

Active/active deployment

•Active/passive done twice

•Data path forwarding

•Health check for secondary

node

Internet

Control

Data

Upstream

traffic

Downstream

traffic

Node 0 Node 1



Implementation





Preparing a Cluster

Physically connect two Junos security devices•Ensure that both devices are of the same model

•Connect any two Ethernet interfaces (one per node) of the same media type to create the fabric link

• Must be a fiber connection for high-end security platforms

•Connect control ports to create the control link• SPCs must be in the same slots

• Use revenue port for branch security platforms (varies by device)

Configure SPC control ports (high-end platforms only)

Enable clustering•Set up the cluster-id id and node id for each device

•Reboot desired primary device, then the secondary device


[edit chassis cluster]

user@srx1# show

control-ports {

fpc slot port port;

fpc slot port port;

}


user@srx1# commit and-quit

commit complete

Exiting configuration mode

user@srx1> set chassis cluster cluster-id id node id reboot

Successfully enabled chassis cluster. Going to reboot now

...

Enabling the Chassis Cluster

First node:

Second node:

user@srx2> set chassis cluster cluster-id id node id reboot


...

Operational mode

command

Control ports

require

configuration

only on high-end

security

platforms


Cluster Configuration Steps

Configure the following:

•Management interfaces

•Fabric interfaces

•Redundancy groups

•Redundant Ethernet interfaces

•Physical interface renaming for secondary node

•Cluster failover parameters


{primary:node0}

user@srx1> configure

warning: Clustering enabled; using private edit

warning: uncommitted changes will be discarded on

exit

Entering configuration mode

{primary:node0}[edit]

user@host1# edit groups

{primary:node0}[edit groups]

user@srx1# show

node0 {

system {

host-name unique-name1;

}

interfaces {

fxp0 {

unit 0 {

family inet {

address ip-address1;

}

...node1 {

system {

host-name unique-name2;

}

interfaces {

fxp0 {

unit 0 {

family inet {

address ip-address2;

…


user@srx1# set apply-groups “${node}”

Ensures proper group

assignment to both

nodes

Configuring Management Interfaces


Configuring Fabric Interfaces


user@srx1# show interfaces

fab0 {

fabric-options {

member-interfaces {

interface-name;

}

}

}

fab1 {

fabric-options {

member-interfaces {

interface-name;

}

}

}

Interface from

Node 0

Interface from

Node 1


Configuring a Redundancy Group


user@srx1# show chassis cluster

redundancy-group number {

node [0 | 1] priority priority-number;

node [0 | 1] priority priority-number;

preempt;

gratuitous-arp-count number;

interface-monitor {

interface-name weight number;

interface-name weight number;

}

}

Priorities range

from 1–254

Optional

command

Weights assignment for

interface monitoring

Default

value is 4



user@srx1# show interfaces

ge-x/y/z {

gigether-options {

redundant-parent reth#;

}

...

}

ge-a/b/c {

gigether-options {

redundant-parent reth#;

}

...

}

reth# {

redundant-ether-options {

redundancy-group number;

}

unit 0 {

family inet {

address ip-address;

}

}

}



reth-count number

...

Configuring a Redundant Ethernet Interface

Define the number

of reth interfaces in

a cluster

Can configure

multiple logical

units using VLAN

tagging


Configuring Cluster Failover Parameters

[edit]


...

heartbeat-interval number-in-millisec;

heartbeat-threshold number;

...

Cluster failover parameters:

•heartbeat-interval: interval of time between

heartbeat messages that broadcast to all nodes in the

cluster

•heartbeat-threshold: number of missed heartbeats

that must be exceeded to declare the node dead


Disabling a Chassis Cluster

Disabling the cluster:

•Don’t forget to disable the other node!

•Change interface naming

{primary:node0}

user@srx1> set chassis cluster disable reboot

Successfully disabled chassis cluster. Going to reboot now

...

{secondary:node1}

user@srx2> set chassis cluster disable reboot

Successfully disabled chassis cluster. Going to reboot now

...



Implementation





Example: Network Diagram Prior to Issuing

the Cluster-Forming Command

10.20.20.2/24

B

fxp0

host1

host2

.1

.1

.2

.25.5.5.2/24

fxp0

SPC 3

port 0ge-0/0/2

AInternet



user@host1# show

control-ports {

fpc 3 port 0;

fpc 15 port 0;

}

user@host1> set chassis cluster cluster-id 1 node 0 reboot


...

{primary:node0}

user@host1>

Forming a Cluster

user@host2> set chassis cluster cluster-id 1 node 1 reboot


...

{secondary:node1}

user@host2>

Cluster formation:

•First node:

•Second node:

Control port

configuration needed

only on high-end

security platforms


fxp0

Example: Network Diagram After Issuing

the Cluster-Forming Command

10.20.20.2/24

fxp1

fab 1

fxp0

node0

node1

reth1

10.20.20.1/24

.1

.1

.2

.25.5.5.2/24

fab 0AInternet

B


Cluster Status Check

{primary:node0}

user@host1> show chassis cluster status

Cluster ID: 1

Node name Priority Status Preempt Manual

failover

Redundancy group: 0 , Failover count: 1

node0 1 primary no no

node1 1 secondary no no

{primary:node0}

user@host1> show interfaces terse | match "fab|fxp1"

fab0 up down

fab0.0 up down inet 30.17.0.200/24

fab1 up down

fab1.0 up down inet 30.18.0.200/24

fxp1 up up

fxp1.0 up up inet 129.16.0.1/2


Configuring the Management Interface{primary:node0}

user@host1> configure

warning: Clustering enabled; using private edit

warning: uncommitted changes will be discarded on exit

Entering configuration mode


user@host1# edit groups

{primary:node0}[edit groups]

user@host1# show

node0 {

system {

host-name node0-host;

}

interfaces {

fxp0 {

unit 0 {

family inet {

address 10.210.11.182/28;

}

...

node1 {

system {

host-name node1-host;

}

interfaces {

fxp0 {

unit 0 {

family inet {

address 10.210.11.177/28;

...


user@host1# show apply-groups

## Last changed: 2009-01-09 14:11:09 UTC

apply-groups "${node}";


user@host1# commit

node0:

configuration check succeeds

node1:

commit complete

node0:

commit complete


user@node0-host#


[edit]{primary:node0}

user@node0-host# show interfaces

fab0 {

fabric-options {

member-interfaces {

ge-0/0/2;

}

}

}

fab1 {

fabric-options {

member-interfaces {

ge-12/0/2;

}

}

}

Configuring the Fabric Interfaces

fab0 is for Node 0

fab1 is for Node 1

{primary:node0}

user@node0-host> show interfaces terse | match fab

ge-0/0/2.0 up up aenet --> fab0.0

ge-12/0/2.0 up up aenet --> fab1.0

fab0 up up

fab0.0 up up inet 30.17.0.200/24

fab1 up up

fab1.0 up up inet 30.18.0.200/24


Configuring a Redundancy Group

{primary:node0}[edit chassis cluster]

user@node0-host# show

redundancy-group 0 {

node 0 priority 254;

node 1 priority 1;

}

redundancy-group 1 {



gratuitous-arp-count 5;

interface-monitor {

ge-1/0/0 weight 255;

}

}


Viewing Redundancy Groups

{primary:node0}

user@node0-host> show chassis cluster status

Cluster: 1, Redundancy-Group: 0

Device name Priority Status Preempt Manual failover

node0 254 Primary No No

node1 1 Secondary No No






Configuring reth Interfaces


user@node0-host# show interfaces

ge-0/0/0 {

gigether-options {

redundant-parent reth1;

}

}

ge-12/0/0 {

gigether-options {

redundant-parent reth1;

}

}

reth1 {

redundant-ether-options {

redundancy-group 1;

}

unit 0 {

family inet {

address 10.20.20.1/24;

}

}

}


user@node0-host# show chassis cluster

reth-count 2

...

Specify the number

of reth interfaces

{primary:node0}

user@node0-host> show interfaces terse | match reth

Interface Admin Link Proto Local ...

ge-0/0/0.0 up up aenet --> reth1.0

ge-12/0/0.0 up up aenet --> reth1.0

reth0 up down

reth1 up up

reth1.0 up up inet 10.20.20.1/24


Configuring Cluster Failover Parameters


user@node0-host# show chassis cluster

...

heartbeat-interval 1200;

heartbeat-threshold 5;

...


Monitoring Cluster Statistics{primary:node0}

user@node0-host> show chassis cluster statistics

Control link statistics:

Control link 0:

Heartbeat packets sent: 69428

Heartbeat packets received: 69404

Heartbeat packet errors: 0

Fabric link statistics:

Child link 0

Probes sent: 123832

Probes received: 123829

Child link 1

Probes sent: 0

Probes received: 0

Services Synchronized:

Service name RTOs sent RTOs received

Translation context 0 0

Incoming NAT 0 0

Resource manager 0 0

DS-LITE create 0 0

Session create 383 0

IPv6 session create 0 0

Session close 375 0

IPv6 session close 0 0

Session change 0 0

IPv6 session change 0 0

Gate create 0 0

Session ageout refresh requests 0 97

IPv6 session ageout refresh requests 0 0

Session ageout refresh replies 96 0

IPv6 session ageout refresh replies 0 0

IPSec VPN 0 0


Process

•Verify status:

•Initiate failover:

Manual Failover (1 of 2)

{primary:node0}

user@node0-host> show chassis cluster status redundancy-group 1





{primary:node0}

user@node0-host> request chassis cluster failover redundancy-group 1 node 1

node1:

--------------------------------------------------------------------------

Initiated manual failover for redundancy group 1

{primary:node0}




node0 200 Secondary No Yes

node1 255 Primary No Yes


Manual Failover (2 of 2)

Reset failover:

•Status does not revert unless you configure preempt for RG

{primary:node0}

user@node0-host> request chassis cluster failover reset redundancy-group 1

node0:

--------------------------------------------------------------------------

No reset required for redundancy group 1.

node1:

--------------------------------------------------------------------------

Successfully reset manual failover for redundancy group 1

{primary:node0}







Chassis Cluster Logging

Use show log jsrpd to view cluster events:

Enable traceoptions:

{primary:node0}

user@node0-host> show log jsrpd | match RG-0 | match "Jan 10 15"

Jan 10 15:52:45 skipping reth creation on RG-0 secondary node

Jan 10 15:52:45 unable to set priority, for RG-0, fsm_context uninitialized

Jan 10 15:52:45 failed to read rg_info from ssam for RG-0, error 2

Jan 10 15:52:45 read the default state from kernel, state (0) failover-cnt 0 RG-0

Jan 10 15:52:45 Current threshold for rg-0 is 255. Reason: none

Jan 10 15:53:15 RG-0 hold timer, HOLD->SECONDARY

Jan 10 15:53:18 RG-0 dead timer, SECONDARY->PRIMARY

{primary:node0}[edit chassis cluster]

user@node0-host# show

traceoptions {

flag cli;

flag configuration;

flag heartbeat;

}


Summary

In this chapter, we:

•Described chassis cluster operation.

•Configured chassis clusters.

•Monitored chassis clusters.


Review Questions

1. What is the difference between active/active and

active/passive mode?

2. What log file contains chassis cluster related

events?

3. What command can you use to examine the status

of a reth interface and its child interfaces?


Lab 8: Implementing High Availability

Techniques

Perform configuration and verification steps

associated with implementing chassis clusters.


Resources to Help You Learn MoreResource URL Description

Pathfinder http://pathfinder.juniper.netAn information experience hub that provides

centralized product information

Content Explorerhttp://www.juniper.net/techpubs/content-

applications/content-explorer/

Junos OS and ScreenOS software feature

information to find the right software release

and hardware platform for your network

Feature Explorerhttp://pathfinder.juniper.net/feature-explorer/

Technical documentation for Junos OS-based

products by product, task, and software release,

and also downloadable documentation PDFs by

product and release

Learning Bytes www.juniper.net/learningbytesConcise tips and instructions on specific

features and functions of Juniper technologies

Installation and

Configuration

Courses

www.juniper.net/courses

Over 60 free Web-based training courses on

product installation and configuration (just

choose eLearning under Delivery Modality)

J-Net Forumhttp://forums.juniper.net/t5/Training-

Certification-and/bd-p/Training_and_Certification

Training, certification, and career topics to

discuss with your peers

Certification

Programwww.juniper.net/certification

Complete details on the Juniper Networks

Certification Program, including tracks, exam

details, promotions, and how to get started

Courses www.juniper.net/coursesA complete list of instructor-led, hands-on

courses and self-paced, eLearning courses

http://pathfinder.juniper.net/

http://www.juniper.net/techpubs/content-applications/content-explorer/

http://pathfinder.juniper.net/feature-explorer/

http://www.juniper.net/learningbytes

http://www.juniper.net/courses

http://forums.juniper.net/t5/Training-Certification-and/bd-p/Training_and_Certification

http://www.juniper.net/certification

http://www.juniper.net/courses

Worldwide Education Services

Documents

Chapter 11: High Availability Clustering Implementationluk.kis.p.lodz.pl/KSBG/wyklad/v2017/05 FW.cluster - JSEC... · 2017-05-20 · Worldwide Education Services | 11-13 Preparing