Copyright © NTT Communications Corporation. All rights reserved.
Replacing Firewall (Brocade 5600 vRouter) and Managed Firewall with vSRX (HA Configuration)
First Edition
Update History
Updated     Update          Edition number
2018/11/5   First edition   1
Prerequisites
* This document describes how to replace Managed Firewall (M-FW) and Firewall (Brocade 5600 vRouter) (vFW) with Firewall (vSRX). The settings of the Internet-GW, load balancer and web server (routing and so on) are not changed.
* The load balancer is in a two-arm configuration. For a one-arm configuration, substitute the terms as appropriate for your environment.
* The M-FW and vFW networks are connected to the vSRX. => Communication is interrupted while switching from M-FW or vFW to vSRX.
* For the basic vSRX configuration, refer to the link below.
https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/basic/basic.html
* Configure the vSRX routing settings according to your configuration.
* When a vSRX is created, its interface (ge-0/0/0.0) is placed in the trust zone. => After creation, change each interface according to your environment.
* Both vFW and vSRX use stateful inspection. => If you use a stateless firewall, adjust the steps to your environment.
* Perform the migration only after a pre-test.
Configuration and Migration Flow
Pre-migration Configuration (M-FW, vFW configuration)
[Diagram: pre-migration topology]
- Client 180.xxx.xxx.xxx/32 -> Internet -> Internet-GW (act/stb) with public address 153.xxx.xxx.xxx/32
- External segment 192.168.30.0/24: Internet-GW .249/.248, VRID 1 VIP .250; M-FW-01 (first unit) / M-FW-02 (second unit) Port 4 .101/.102, VRID 10 VIP .254
- FW segment 192.168.20.0/24: M-FW Port 5 .101/.102, VRID 20 VIP .254; vFW-01 (Master) / vFW-02 (Backup) dp0s4 .11/.12
- LB segment 192.168.10.0/24: vFW dp0s7 .11/.12, VRID 40 VIP .254; LB-01 (M) / LB-02 (B) 1/1 .6/.7, VRID 30 VIP .251
- Server segment 172.16.10.0/24: LB 1/2 .6/.7, VRID 30 VIP .251; Web-server-01 .1
* The M-FW rules reject all communication from the external segment and allow HTTP/HTTPS communication only from a specific source.
* Virtual servers are set up on the LB: http-vserver 172.16.100.1, https-vserver 172.16.100.2.
Migration Configuration 1
Step 1: vSRX subscription
Step 2: vSRX configuration (1. firewall settings, 2. DNAT configuration)
[Diagram: the pre-migration topology with vSRX-01 and vSRX-02 created but not yet connected; the LB pair is shown with VRID 50 VIP .251 on the server segment and VRID 30 VIP .251 on the LB segment]
Migration Configuration 2
Step 3: M-FW configuration (1. disconnect interface; communication is interrupted)
Step 4: vFW settings (1. disconnect interface)
[Diagram: M-FW Port 4 is disconnected from the external segment and vFW dp0s7 is disconnected from the LB segment; M-FW Port 5 (.101/.102, VRID 20 VIP .254) and vFW dp0s4 (.11/.12) remain on the FW segment; vSRX-01/vSRX-02 are still unconnected]
Disconnection time: approximately 40 minutes (measured value)
Migration Configuration 3
Step 5: vSRX configuration (1. interface connection; 2. VRRP configuration; communication is restored)
[Diagram: vSRX-01 (Master) and vSRX-02 (Backup) connected: ge-0/0/1 .101/.102 in the untrust zone on the external segment (VRID 10 VIP .254), ge-0/0/2 .11/.12 in the trust zone on the LB segment (VRID 40 VIP .254); M-FW and vFW remain attached only to the FW segment]
Disconnection time: approximately 40 minutes (measured value)
Migration Complete Configuration
[Diagram: final configuration. Traffic flows Client -> Internet -> Internet-GW (VRID 1 VIP .250) -> external segment 192.168.30.0/24 -> vSRX-01 (Master) / vSRX-02 (Backup) (ge-0/0/1 .101/.102 untrust, VRID 10 VIP .254; ge-0/0/2 .11/.12 trust, VRID 40 VIP .254) -> LB segment 192.168.10.0/24 -> LB-01/LB-02 (VRID 30 VIP .251; http-vserver 172.16.100.1, https-vserver 172.16.100.2) -> server segment 172.16.10.0/24 (VRID 50 VIP .251) -> Web-server-01. M-FW-01/02 (Port 5, VRID 20 VIP .254) and vFW-01/02 (dp0s4) are left attached only to the FW segment 192.168.20.0/24, out of the traffic path]
Step 1 vSRX Subscription
Refer to the link below to apply for a vSRX.
https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/instance/create.html
After logging in to the control panel screen, click Cloud Computing, then "NETWORK", "firewall" and "vSRX".
Click the Create Firewall button and enter the required settings under "Details" and "interface". Enter the management IP address in the interface settings. After entering the settings, click "Create Firewall".
Please apply for vSRX-02 using the same procedure.
Step 2-1 vSRX Configuration (firewall settings)
See the link below for the firewall filter settings.
https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/fwfunction/zonebase/vsrx_zonebase.html
Create logical areas in the firewall called "zones" and assign each interface to a zone. The policy applied to incoming packets is set per zone, so the same policy applies to every interface that belongs to the zone.
To set up a zone-based firewall, you need "Address Group Settings" and "Application Set Settings".
Set up the address group by referring to the following URL.
https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/fwfunction/zonebase/vsrx_address-set.html
When configuring packet filtering, rules can be based on IP addresses, and simple names can be assigned to IP addresses for use in the filtering conditions. To group multiple IP addresses, create an address-book entry for each IP address and an address set that contains those entries.
For reference, the vSRX-01 configuration values are:
user@vSRX-01# set security address-book global address CLIENT_01 180.xxx.xxx.xxx/32
user@vSRX-01# set security address-book global address-set CLIENT_GROUP address CLIENT_01
user@vSRX-01# commit
Set up the application set by referring to the following URL.
https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/fwfunction/zonebase/vsrx_application-set.html
Applications pre-registered on the vSRX, or applications you define and name yourself, can be used as packet-filtering conditions.
For reference, the vSRX-01 configuration values are:
user@vSRX-01# set applications application HTTP_DEF protocol tcp destination-port 80
user@vSRX-01# set applications application HTTPS_DEF protocol tcp destination-port 443
user@vSRX-01# set applications application-set HTTP_HTTPS_DEF application HTTP_DEF
user@vSRX-01# set applications application-set HTTP_HTTPS_DEF application HTTPS_DEF
user@vSRX-01# commit
With the zone-based firewall, permit packets that match the created address set and application set, and block all other packets.
All communication from the external segment is rejected, and only HTTP/HTTPS communication from the specific source (180.xxx.xxx.xxx/32) is permitted, as follows:
user@vSRX-01# set security policies from-zone untrust to-zone trust policy PERMIT_GROUP match source-address CLIENT_GROUP
user@vSRX-01# set security policies from-zone untrust to-zone trust policy PERMIT_GROUP match destination-address any
user@vSRX-01# set security policies from-zone untrust to-zone trust policy PERMIT_GROUP match application HTTP_HTTPS_DEF
user@vSRX-01# set security policies from-zone untrust to-zone trust policy PERMIT_GROUP then permit
user@vSRX-01# commit
Follow the same steps to configure the vSRX-02 firewall.
Step 2-2 vSRX Configuration (DNAT configuration)
See the link below for the destination NAT configuration.
https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/network/nat/nat.html
After logging in to the CLI, switch from shell command mode to operational mode and then to configuration mode.
HTTP/HTTPS communication destined for 153.xxx.xxx.xxx/32 is translated to the load balancer virtual server.
For reference, the vSRX-01 configuration values are listed below.
The IP address translation settings for reaching the virtual server of the load balancer are as follows:
user@vSRX-01# set security nat destination pool POOL1 address 172.16.100.10/24 port 80
user@vSRX-01# set security nat destination pool POOL2 address 172.16.100.20/24 port 443
user@vSRX-01# set security nat destination rule-set RULE1 from zone untrust
user@vSRX-01# set security nat destination rule-set RULE1 rule RULE1-1 match destination-address 153.xxx.xxx.xxx/32
user@vSRX-01# set security nat destination rule-set RULE1 rule RULE1-1 match destination-port 80
user@vSRX-01# set security nat destination rule-set RULE1 rule RULE1-1 then destination-nat pool POOL1
user@vSRX-01# set security nat destination rule-set RULE1 rule RULE1-2 match destination-address 153.xxx.xxx.xxx/32
user@vSRX-01# set security nat destination rule-set RULE1 rule RULE1-2 match destination-port 443
user@vSRX-01# set security nat destination rule-set RULE1 rule RULE1-2 then destination-nat pool POOL2
user@vSRX-01# commit
Follow the same steps to configure the vSRX-02 firewall.
Step 3 M-FW Configuration Change (Disconnect Interface)
The M-FW interface is configured as described at the link below.
https://ecl.ntt.com/en/documents/tutorials/security/rsts/security/operation/managed_firewall_utm/3110_interface_single.html
After logging in to the control panel screen, click Security, then click Operation under Managed Firewall.
Click [Cluster Port Management].
Select the desired HA pair and click [Manage Interfaces]. Clicking any port number opens the same screen.
The [Manage Interfaces] screen appears. Ports 2 and 3 do not appear on the [Manage Interfaces] screen. Click to select the port you want to configure, and then click [Edit].
Uncheck [Enable Port] and click [Save]. Saving on this screen does not yet apply the change to the device.
Click [Run Now] on the Manage Interfaces screen. Communication is interrupted at this point.
Clicking the area where [Status] or [MESSAGE] is displayed opens the history, which shows the start time and progress of the [Manage Interfaces] process.
If every status is green, the operation has succeeded.
Step 4 Change vFW Settings (Disconnect Interface)
Disconnect the logical network of the firewall. After logging in to the control panel screen, click "NETWORK" and then "Brocade 5600 vRouter", and select the target firewall.
From that interface, click "Removing Communication Settings for VRRP".
From that interface, click "Disconnect Logical Network".
Use the same procedure to disconnect the LB segment interface of vFW-02.
Step 5-1 vSRX Configuration (interface connection)
To assign an IP address to an interface on the vSRX and enable communication on it, configure the interface and its IP address on the ECL 2.0 customer portal.
Except for ge-0/0/0, vSRX interfaces do not initially belong to any zone. To pass traffic, an interface must belong to one of the zones of the zone-based firewall.
To allow traffic addressed to an interface's own IP address, permit that traffic under host-inbound-traffic for the zone or interface.
Refer to the link below to configure the vSRX interface on the ECL 2.0 customer portal.
https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/instance/update.html
After logging in to the control panel screen, click Cloud Computing, then "NETWORK", "firewall" and "vSRX".
Click "Edit Firewall Interface" on the target vSRX.
Open the tab of the interface you want to edit, check "Edit this interface", and specify the logical network and static IP address to connect to. After entering the values, click "Edit Firewall Interface".
Be sure to check "Edit this interface"; if it is unchecked, the edits are not applied.
For reference, the vSRX-01 configuration values are as follows:
Refer to the link below to configure the vSRX interface from the CLI.
https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/basic/basic.html#vsrx-cli-ssh
After logging in to the CLI, switch from shell command mode to operational mode and then to configuration mode.
For reference, the commands entered in the CLI are listed below.
* In this verification, ping is permitted in the host-inbound-traffic configuration. If you need to allow additional services or protocols, refer to the link below and configure them accordingly.
https://ecl.ntt.com/documents/tutorials/rsts/vSRX/fwfunction/zonebase/vsrx_zoneconfig.html
user@vSRX-01# set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24
user@vSRX-01# set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
user@vSRX-01# set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24
user@vSRX-01# set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
user@vSRX-01# commit
Follow the same steps to configure the vSRX-02 interface.
Step 5-2 vSRX Configuration (VRRP configuration)
Refer to the link below to configure VRRP for the vSRX on the ECL 2.0 customer portal.
https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/network/vrrp.html
After logging in to the control panel screen, click Cloud Computing, then "NETWORK", "firewall" and "vSRX".
Click "Editing Allowed Address Pairs" on the target vSRX.
Open the tab of the interface you want to edit and click "Add address pairs". Configure the address pair for the interfaces on the external segment and the FW segment. After entering the values, click "Updating Allowed Address Pairs".
For reference, the vSRX-01 configuration values are as follows:
Refer to the link below for the VRRP configuration of the vSRX from the CLI.
https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/network/vrrp.html#vrrp-vrrp
After logging in to the CLI, switch from shell command mode to operational mode and then to configuration mode.
After configuring VRRP for all interfaces, enter commit. For reference, the vSRX-01 configuration values are listed below.
user@vSRX-01# set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 virtual-address 192.168.30.254
user@vSRX-01# set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 priority 120
user@vSRX-01# set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 preempt
user@vSRX-01# set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 accept-data
user@vSRX-01# set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 advertise-interval [Any value]
user@vSRX-01# set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 virtual-address 192.168.10.254
user@vSRX-01# set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 priority 120
user@vSRX-01# set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 preempt
user@vSRX-01# set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 accept-data
user@vSRX-01# set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 advertise-interval [Any value]
user@vSRX-01# commit
To use VRRP in a zone-based firewall configuration, VRRP packets must be permitted on the zone or interface on which VRRP is configured.
After logging in to the CLI, switch from shell command mode to operational mode and then to configuration mode, and configure the zone settings for every interface on which VRRP is configured.
For reference, the vSRX-01 configuration values are listed below.
user@vSRX-01# set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
user@vSRX-01# set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
user@vSRX-01# commit
Once the VRRP configuration is complete, communication is restored.
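The firewall policy (Step 2-1), DNAT (Step 2-2) and VRRP (Step 5-2) steps above each fail quietly if one line is missing or mistyped, so as an added example (not part of the NTT guide or of Juniper's tooling) the following Python script checks a planned set of vSRX `set` commands before commit: every object a policy references is defined, every DNAT rule's port matches its pool, and every interface carrying a vrrp-group sits in a zone that permits VRRP under host-inbound-traffic. The sample configuration is constructed from the vSRX-01 values above with a documentation address in place of the client's; its POOL2 port and the ge-0/0/2.0 zone line are deliberate defects.

```python
"""Consistency check for the Junos-style `set` commands used in this guide (added example).
Flags gaps that silently break the cut-over: an undefined policy object, a DNAT rule whose
port differs from its pool, or VRRP on an interface whose zone does not permit VRRP inbound."""
import re

# Constructed sample based on the vSRX-01 values in the guide (client address replaced by a
# documentation prefix), with two deliberate defects: POOL2 port 8443 vs. RULE1-2 port 443,
# and ge-0/0/2.0 permitting ping but not vrrp under host-inbound-traffic.
SAMPLE = """
set security address-book global address CLIENT_01 198.51.100.7/32
set security address-book global address-set CLIENT_GROUP address CLIENT_01
set applications application HTTP_DEF protocol tcp destination-port 80
set applications application HTTPS_DEF protocol tcp destination-port 443
set applications application-set HTTP_HTTPS_DEF application HTTP_DEF
set applications application-set HTTP_HTTPS_DEF application HTTPS_DEF
set security policies from-zone untrust to-zone trust policy PERMIT_GROUP match source-address CLIENT_GROUP
set security policies from-zone untrust to-zone trust policy PERMIT_GROUP match application HTTP_HTTPS_DEF
set security nat destination pool POOL1 address 172.16.100.10/32 port 80
set security nat destination pool POOL2 address 172.16.100.20/32 port 8443
set security nat destination rule-set RULE1 rule RULE1-1 match destination-port 80
set security nat destination rule-set RULE1 rule RULE1-1 then destination-nat pool POOL1
set security nat destination rule-set RULE1 rule RULE1-2 match destination-port 443
set security nat destination rule-set RULE1 rule RULE1-2 then destination-nat pool POOL2
set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 virtual-address 192.168.30.254
set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 virtual-address 192.168.10.254
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
"""

def parse(config):
    """Return the token list of every `set` line, with any 'user@host#' prompt removed."""
    cmds = []
    for line in config.strip().splitlines():
        line = re.sub(r"^\S+@\S+#\s*", "", line.strip())
        if line.startswith("set "):
            cmds.append(line.split()[1:])
    return cmds

def check(config):
    """Return human-readable findings; an empty list means the config is consistent."""
    cmds, findings = parse(config), []
    names, pools, rules, vrrp, zone = set(), {}, {}, set(), {}
    for t in cmds:                                   # pass 1: collect definitions
        if t[:3] == ["security", "address-book", "global"]:
            names.add(t[4])                          # address or address-set name
        elif t[0] == "applications":
            names.add(t[2])                          # application or application-set
        elif t[:4] == ["security", "nat", "destination", "pool"]:
            pools[t[4]] = t[t.index("port") + 1] if "port" in t else None
        elif t[0] == "interfaces" and "vrrp-group" in t:
            vrrp.add(f"{t[1]}.{t[3]}")               # 'ge-0/0/1 unit 0' -> ge-0/0/1.0
        elif t[:3] == ["security", "zones", "security-zone"] and "interfaces" in t:
            ifc = t[t.index("interfaces") + 1]
            ifc = ifc if "." in ifc else ifc + ".0"  # zone binding is per logical unit
            protos = zone.setdefault(ifc, set())
            if "protocols" in t:
                protos.add(t[t.index("protocols") + 1])
    for t in cmds:                                   # pass 2: resolve references
        if t[:2] == ["security", "policies"] and t[-2] in ("source-address", "destination-address", "application"):
            if t[-1] != "any" and not t[-1].startswith("junos-") and t[-1] not in names:
                findings.append(f"policy {t[7]}: undefined object {t[-1]}")
        elif t[:4] == ["security", "nat", "destination", "rule-set"] and len(t) > 6 and t[5] == "rule":
            rules.setdefault(t[6], {})[t[-2]] = t[-1]  # e.g. destination-port / pool
    for name, r in rules.items():
        pool = r.get("pool")
        if pool not in pools:
            findings.append(f"DNAT rule {name}: undefined pool {pool}")
        elif pools[pool] and pools[pool] != r.get("destination-port"):
            findings.append(f"DNAT rule {name}: port {r.get('destination-port')} does not match pool {pool} port {pools[pool]}")
    for ifc in sorted(vrrp):
        if "vrrp" not in zone.get(ifc, set()):
            findings.append(f"{ifc}: vrrp-group configured but zone lacks host-inbound-traffic protocols vrrp")
    return findings
```

Running `check(SAMPLE)` reports the POOL2 port mismatch and the missing VRRP permission on ge-0/0/2.0; pasting the prompt-prefixed lines from the guide works as well, since the prompt is stripped.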
You can verify the VRRP state of vSRX-01 with the following command:
user@vSRX-01> show vrrp
Interface   State  Group  VR state  VR Mode  Timer    Type  Address
ge-0/0/1.0  up     10     master    Active   A 1.151  lcl   192.168.30.101
                                                      vip   192.168.30.254
ge-0/0/2.0  up     40     master    Active   A 1.183  lcl   192.168.10.11
                                                      vip   192.168.10.254
Use the same procedure to configure VRRP on the vSRX-02.