Monday, January 28, 2013

Chapter 9 High Availability

High Availability


Yes, this is proprietary.
Yes, it is on the exam. Something like 5-10 questions.

Ok.
So basically, if you take two identical devices,
with identical memory,
with identical I/O cards, SPCs and NPCs, all in the same slots,
and the same Junos version on both,

you can create a high availability cluster (Juniper calls it a chassis cluster).
This is a big selling point, as the "proprietary" software does most of the work
for the IT manager and you can live up to the "redundant devices" creed.

This is pretty much it.




First off, the bigger (non-branch) devices are usually set up with an out-of-band IP to manage them.
This IP will usually be on a separate network, called a "management network", designed so you can still reach the boxes even when the data network is under load or broken.
Juniper calls this interface fxp0. Each node keeps its own fxp0 address; it is not shared across the cluster. (The branch SRX boxes have no dedicated port: a fixed revenue port, which one depends on the model, becomes fxp0 once the cluster is enabled.)

The second thing is configuring the control link.
This link carries the high availability heartbeats (keepalives) between the two nodes.
In the bigger devices this is a port on an SPC in one node cabled to an SPC port in the other node, and you have to tell Junos which ports those are.
Juniper calls this interface fxp1.

The third thing is the data link, which Juniper calls the fabric link.
Session state is synced over it: every time a session is created or changed, the "backup" node gets an update.
Juniper calls these objects RTOs, real-time objects.
The interfaces are fab0 (the node 0 side) and fab1 (the node 1 side).

The fourth thing is the reth, short for Redundant Ethernet.
Each neighbouring device that plugs into the firewall cluster should have TWO links,
one to each firewall node, so that if one link (or one node) fails the other one is still alive.
It looks similar to LAG/MLAG, but it is not load sharing: only the child interface on the node that is currently primary for the reth's redundancy group carries traffic, the other child is standby.
The idea is you configure one physical interface on each chassis as a child of the reth,
then configure the IP (and the security zone) on the reth itself. If one child fails, traffic moves to the other one.

The final thing to configure is the "redundancy-group".
A redundancy group is a logical group of reths that fail over together.
(Redundancy group 0 is special: it is the control plane, and whichever node is primary for RG0 is where the routing and the config commits happen.)
For example:
RG1 will have reth1 and reth2.
Now you can set up SRX001 as the primary for it and SRX002 as backup.
In RG2 you will have reth3 and reth4, and in it SRX002 is the primary.

Now the reason to use more than one group is so you can load balance the traffic (active/active).
Half of my traffic (from reth1 and reth2) will flow using the resources of SRX001.
The other half (reth3 and reth4) will flow using the resources of SRX002.

A sub-part of this is that the redundancy group can monitor certain interfaces, for example the one to ISP2,
and if that interface fails it can fail RG2 over, so reth3/reth4 become active on SRX001 and traffic uses that node's link as its exit instead.
Each node gets a priority in the group (1-254, higher wins), and you need to specify the word preempt
if you want the higher-priority node to take the group back when it recovers; without preempt the group stays where it is until something else fails.


So let's put it in code.
On SRX001 (operational mode, not configure mode):
> set chassis cluster cluster-id 1 node 0 reboot         cluster ID is 1 to 15; node is 0 or 1 only.
The box reboots. Then on SRX002:
> set chassis cluster cluster-id 1 node 1 reboot         this one will be node 1.
It reboots too.

This is the same as ITEM 2 on my list.
On the big boxes you also tell Junos which SPC ports are the control ports; the branch boxes pick them for you.

So now you have a clustered chassis sending control traffic from one node to the other.
Now
set up the management ports, fxp0.

Each node needs its own hostname and its own fxp0 address, but the configuration is shared, so you put the per-node bits in groups named node0 and node1 and use "apply-groups" with the ${node} variable, which expands to the local node's name. This is the only part of the chapter that uses apply-groups, so memorize it for now.


Now you can set up the ports that will send the RTOs over the data (fabric) link,
basically the session and flow information, so the two nodes keep in sync.
fab0 and fab1:
set interfaces fab0 fabric-options member-interfaces (interface from node0)
set interfaces fab1 fabric-options member-interfaces (interface from node1)

Pretty easy, no? The two member interfaces must be the same type and bandwidth, and are cabled back-to-back between the nodes.

So we have fxp0, the management IP.
fxp1, the control link.
fab0/fab1, the data (fabric) link.


Now depending on how many devices you plan on connecting, you set up the number of reths
you will need. Numbering starts at reth0, so for 4 reths (reth0 to reth3):
set chassis cluster reth-count 4

Then I can set up each reth:
set interfaces ge-x/y/z gigether-options redundant-parent reth1
set interfaces ge-x+12/y/z gigether-options redundant-parent reth1
So I took one interface from node 0 and the matching one from node 1 and added them to reth1.
(Node 1's interfaces are numbered with an FPC offset. +12 is the high-end boxes; the branch models use a smaller offset, so check your platform.)

Now I can give reth1 a redundancy group and an IP:
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.1.1/24
The reth also has to go into a security zone like any other interface, or no traffic will pass through it.



Pretty much now I have a working firewall connected to one device with two links.
If one child link dies, the group fails over and the other child carries the data.

redundancy-groups
Now if you remember we talked about the redundancy group, which can be used to load balance
traffic.

set chassis cluster redundancy-group 1
set chassis cluster redundancy-group 1 node 0 priority 250     # this one is higher so he wins
set chassis cluster redundancy-group 1 node 1 priority 50
set chassis cluster redundancy-group 1 preempt         # without this a recovered node does not take the group back
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 255

The last one is interface monitoring. Every redundancy group keeps a threshold on each node that starts at 255.
When a monitored interface goes down, its weight is subtracted from that node's threshold, and when the threshold reaches 0 the group fails over to the other node.
So a single monitored interface needs weight 255 to cause a failover on its own; a weight of 250 would leave the threshold at 5 and nothing would happen.
With the config above, if ge-0/0/2 fails, node 0 (the primary) drops to 0 and node 1 takes over RG1. Note that it is the threshold that gets reduced, not the node priority; the priorities only decide who wins when both nodes are healthy.


To take a node out of the cluster and go back to a standalone box (operational mode, on that node):
> set chassis cluster disable reboot


I forgot: if the control link fails on one side while the fabric link is still up, the secondary node puts itself into a "disabled" state, so that you do not end up with two primaries, and it stays disabled until it is rebooted (Junos can do that reboot for you if control-link-recovery is configured).
If BOTH the control and the fabric links fail at the same time, the nodes can no longer see each other and split into two separate primaries (split brain).
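Here is the whole thing in one place, as a worked configuration I am adding to these notes; it is not from the book or the exam material. It covers steps 1 to 5 from above plus the control-link caveat. It assumes two high-end SRX nodes with node 1's FPCs offset by 12, control ports on SPCs in FPC 1 (node 0) and FPC 13 (node 1), and the fabric link on ge-0/0/2 and ge-12/0/2. The hostnames, addresses, and which ge ports face which ISP are made up for the illustration. Lines starting with # are there for reading and should be stripped before pasting.

```junos
# Added example (assumed topology, see the lead-in). Not the book's config.

# Step 1 (operational mode, one command per node, each node reboots):
#   node0>  set chassis cluster cluster-id 1 node 0 reboot
#   node1>  set chassis cluster cluster-id 1 node 1 reboot
# Everything below is configuration mode, entered once; the config is shared.

# Step 2: control link (fxp1). High-end boxes only; branch boxes use fixed ports.
set chassis cluster control-ports fpc 1 port 0
set chassis cluster control-ports fpc 13 port 0
# Let a node that was disabled by a control-link failure rejoin without a manual reboot.
set chassis cluster control-link-recovery

# Step 3: per-node management (fxp0) via groups; "${node}" expands to node0 or node1.
set groups node0 system host-name srx-node0
set groups node0 interfaces fxp0 unit 0 family inet address 10.255.0.1/24
set groups node1 system host-name srx-node1
set groups node1 interfaces fxp0 unit 0 family inet address 10.255.0.2/24
set apply-groups "${node}"

# Step 4: fabric (data) link, one member per node, same type and speed, cabled back-to-back.
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-12/0/2

# Step 5a: redundancy groups. RG0 is the control plane. RG1 prefers node 0 and
# RG2 prefers node 1, so the two ISP links are used active/active.
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100

set chassis cluster redundancy-group 1 node 0 priority 250
set chassis cluster redundancy-group 1 node 1 priority 50
set chassis cluster redundancy-group 1 preempt
# Threshold starts at 255 per node; weight 255 means one dead link flips the group.
# Monitor the child on BOTH nodes so a secondary with a dead link never takes over.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-12/0/0 weight 255

set chassis cluster redundancy-group 2 node 1 priority 250
set chassis cluster redundancy-group 2 node 0 priority 50
set chassis cluster redundancy-group 2 preempt
set chassis cluster redundancy-group 2 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-12/0/1 weight 255

# Step 5b: reths. Numbering starts at reth0, so reth-count 4 gives reth0 to reth3.
set chassis cluster reth-count 4

# reth0 = link to ISP1 and reth1 = first inside segment, both in RG1 (node 0 primary)
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-12/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.2/30

set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-12/0/3 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.1.1/24

# reth2 = link to ISP2 and reth3 = second inside segment, both in RG2 (node 1 primary)
set interfaces ge-0/0/1 gigether-options redundant-parent reth2
set interfaces ge-12/0/1 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces reth2 unit 0 family inet address 198.51.100.2/30

set interfaces ge-0/0/4 gigether-options redundant-parent reth3
set interfaces ge-12/0/4 gigether-options redundant-parent reth3
set interfaces reth3 redundant-ether-options redundancy-group 2
set interfaces reth3 unit 0 family inet address 192.168.2.1/24

# A reth passes nothing until it is in a zone; the cluster works without this, the firewall does not.
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone untrust interfaces reth2.0
set security zones security-zone trust interfaces reth1.0
set security zones security-zone trust interfaces reth3.0
```

After the commit, check it with "show chassis cluster status" (which node is primary for each RG, the priorities, and whether preempt and interface monitoring are in effect), "show chassis cluster interfaces" (control link, fabric link and reth child state) and "show chassis cluster statistics" (heartbeat and RTO counters). Pull the ISP2 cable on node 1 and RG2 should show up as primary on node 0; plug it back in and, because of preempt, it should move back.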

1 comment:

  1. Hi,
    I will take this exam in February 2013.
    I would like to talk to you to exchange materials.

    Please contact me by email: thiagolima037@gmail.com
