Example: Configure Multinode High Availability Using Junos OS Configuration Groups
Read this topic to learn how to configure Multinode High Availability using Junos OS configuration groups.
In Multinode High Availability, two Junos OS security devices act as independent devices. Each device has a unique hostname and an IP address on its fxp0 interface. You can configure Multinode High Availability using the Junos groups statement. To ensure that the security configuration and security posture are identical on both devices, you can set up configuration groups for Multinode High Availability. Multinode High Availability nodes synchronize configuration only on the basis of this grouping method.
When you need to configure statements that are common to both nodes, you can use one of the following methods:
- Configure the common configuration (such as security) on one device and then manually copy and paste it to the other device. Alternatively, use an external tool (for example, a script) to copy the same configuration snippet to both devices, where applicable.
- Use a common Junos group configuration that is synchronized between the two nodes (but edited on one device). This method includes:
  - Configuring features and functionality as part of a group. With these groups you can create smaller, more logically structured configuration files.
  - Using the `edit system commit peers-synchronize` option to synchronize the configuration.
  - Naming the devices in the group with the `when peers <device-name>` statement.
When you enable configuration synchronization on both devices in Multinode High Availability (by using the peers-synchronize option), the configuration settings that you configure under [groups] on one peer are automatically synchronized to the other peer when you perform a commit operation.
For more details about configuration groups, see Use Configuration Groups to Quickly Configure Devices.
Note that on Security Director or Security Director Cloud, the system manages reusable configuration snippets by using policy templates and shared objects, similar to Junos groups.
In this example, we configure Multinode High Availability using the Junos groups statement.
Reading time: 30 minutes
Configuration time: 60 minutes
Example Prerequisites
Table 2 lists the hardware and software components that support this configuration.

| Requirement | Details |
|---|---|
| Hardware requirements | Supported firewalls and virtual firewalls. |
| Software requirements | We tested this example using Junos OS Release 24.4R1. For details about support for Junos OS groups and Multinode High Availability, see Feature Explorer. The Junos IKE package is required on the firewall for Multinode High Availability configuration. This package is available as a default package or as an optional package on the device. For details, see Support for the Junos IKE Package. If the package is not installed on the firewall by default, install it with the following command: `user@host> request system software add optional://junos-ike.tgz` You need this step for ICL encryption. |
| License requirements | No separate license is required to configure Multinode High Availability. Licenses required for features such as IDP, application identification, and Juniper ATP Cloud are unique to each firewall and must be set up on each device. Licenses are unique to each device and cannot be shared between the nodes in a Multinode High Availability setup. Therefore, you must use the same licenses on both nodes. |
Before You Begin
Learn more: Using group configuration in Multinode High Availability allows you to create reusable configuration blocks, which simplifies setup. You can apply these groups to different parts of the configuration, ensuring consistency and reducing the need for repeated input. This approach makes configuration files more concise and logically structured. Group configuration helps you maintain configuration files on Juniper Networks devices with less effort.
Functional Overview
Table 3 briefly summarizes the configuration components deployed in this example.

| Technologies used | |
|---|---|
| Primary verification tasks | |
Topology Illustration
Figure 1 shows the topology used in this configuration example.
As the topology shows, the two SRX devices in MNHA are connected to adjacent routers (vSRX instances acting as routers). An encrypted logical interchassis link (ICL) connects the nodes. The nodes communicate with each other over the network using routable IP addresses (floating IP addresses). In this example, we use GE ports for the ICL. We also configure a routing instance for the ICL path to ensure maximum segmentation.
Loopback interfaces host the IP addresses on the firewalls and routers, and the IP address on the loopback unit of each respective node is used for communication. In a typical high availability deployment, there are multiple routers and switches on both the north and south sides of the network.
In this example, you create multiple configuration groups on the devices and synchronize the configuration.
Topology Overview
Table 4 shows the details of the interface configuration used in this example.

| Device | Interface | IP Address | Zone | Configured As |
|---|---|---|---|---|
| SRX-01 | lo0.1 | 172.26.0.11/32 | icl | Local forwarding address used to forward packets over the ICD link. |
| | lo0.1 | 172.26.0.1/32 | icl | ICL |
| | lo0.0 | 172.25.0.0/32 | left | Floating IP address |
| | ge-0/0/1.39 | 10.1.39.1/24 | icl | ICL connection to node 0 |
| | | | | Connected to the upstream and downstream routers. |
| SRX-02 | lo0.1 | 172.26.0.12/32 | icl | Local forwarding address used to forward packets over the ICD link. |
| | lo0.1 | 172.26.0.2/32 | icl | ICL |
| | lo0.0 | 172.25.0.0/32 | left | Floating IP address |
| | ge-0/0/1.39 | 10.1.39.2/24 | icl | ICL connection to node 0 |
| | | | | Connected to the upstream and downstream routers. |

| Device | Interface | IP Address | Description |
|---|---|---|---|
| Router 1 (R1) | ge-0/0/0.31 | 10.0.31.1/24 | Connected to SRX-01 |
| | ge-0/0/1.32 | 10.0.32.1/24 | Connected to SRX-02 |
| Router 2 (R2) | ge-0/0/0.33 | 10.0.33.1/24 | Connected to SRX-01 |
| | ge-0/0/1.34 | 10.0.34.1/24 | Connected to SRX-02 |
Configure Multinode High Availability Using the Junos Groups Statement
Verification
Use these show commands to verify the functionality in this example.

| Command | Verification Task |
|---|---|
| show chassis high-availability information | Display Multinode High Availability details, including status. |
| show chassis high-availability peer-info | Display details such as the peer node, connection details, and packet statistics of the peer node in the Multinode High Availability setup. |
| show chassis high-availability services-redundancy-group | Display services redundancy group information in the Multinode High Availability setup. |
Check Multinode High Availability Details
Purpose
View and verify the details of the Multinode High Availability setup configured on the security devices.
Action
In operational mode, run the following command on both nodes:
```
user@vsrx-mnha-n0> show chassis high-availability information
Node failure codes:
HW Hardware monitoring LB Loopback monitoring
MB Mbuf monitoring SP SPU monitoring
CS Cold Sync monitoring SU Software Upgrade
Node Status: ONLINE
Local-id: 1
Local-IP: 172.26.0.1
Local Forwarding IP: 172.26.0.11
HA Peer Information:
Peer Id: 2 IP address: 172.26.0.2 Interface: lo0.1
Routing Instance: icl
Encrypted: YES
Conn State: UP
Configured BFD Detection Time: 3 * 1000ms
Cold Sync Status: COMPLETE
Peer Forwarding IP: 172.26.0.12 Interface: lo0.1
Peer ICD Conn State: UP
Services Redundancy Group: 0
Current State: ONLINE
Peer Information:
Peer Id: 2
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: BACKUP
Activeness Priority: 100
Preemption: DISABLED
Process Packet In Backup State: YES
Control Plane State: READY
System Integrity Check: COMPLETE
Failure Events: NONE
Peer Information:
Peer Id: 2
Status : ACTIVE
Health Status: HEALTHY
Failover Readiness: N/A
```

```
user@vsrx-mnha-n1# show chassis high-availability information
Node failure codes:
HW Hardware monitoring LB Loopback monitoring
MB Mbuf monitoring SP SPU monitoring
CS Cold Sync monitoring SU Software Upgrade
Node Status: ONLINE
Local-id: 2
Local-IP: 172.26.0.2
Local Forwarding IP: 172.26.0.12
HA Peer Information:
Peer Id: 1 IP address: 172.26.0.1 Interface: lo0.1
Routing Instance: icl
Encrypted: YES
Conn State: UP
Configured BFD Detection Time: 3 * 1000ms
Cold Sync Status: COMPLETE
Peer Forwarding IP: 172.26.0.11 Interface: lo0.1
Peer ICD Conn State: UP
Services Redundancy Group: 0
Current State: ONLINE
Peer Information:
Peer Id: 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: ACTIVE
Activeness Priority: 200
Preemption: DISABLED
Process Packet In Backup State: YES
Control Plane State: READY
System Integrity Check: N/A
Failure Events: NONE
Peer Information:
Peer Id: 1
Status : BACKUP
Health Status: HEALTHY
Failover Readiness: READY
```
Meaning
Verify the following details from the command output:
- Local node and peer node details, such as IP addresses and IDs.
- `Node Status: ONLINE` indicates that the node is up.
- `Conn State: UP` indicates that the ICL link is established and operational.
- `Peer ICD Conn State: UP` indicates that the ICD link is established and operational.
- `Encrypted: YES` indicates that the ICL connection is encrypted.
- `Peer Information` under the services redundancy group indicates that the peer node is operating normally and is ready for failover.
Check Multinode High Availability Peer Details
Purpose
View the details of the peer node in the Multinode High Availability setup.
Action
In operational mode, run the following command:
```
user@vsrx-mnha-n0> show chassis high-availability peer-info
HA Peer Information:
Peer-ID: 2 IP address: 172.26.0.2 Interface: lo0.1
Routing Instance: icl
Encrypted: YES Conn State: UP
Cold Sync Status: COMPLETE
Peer Forwarding IP: 172.26.0.12 Interface: lo0.1
Peer ICD Conn State: UP
Internal Interface: st0.16000
Internal Local-IP: 180.100.1.1
Internal Peer-IP: 180.100.1.2
Internal Routing-instance: __juniper_private1__
Packet Statistics:
Receive Error : 0 Send Error : 0
Packet-type Sent Received
SRG Status Msg 12 9
SRG Status Ack 9 9
Attribute Msg 7 4
Attribute Ack 4 4
```
Meaning
You can obtain the following details from the command output:
- `Peer ID: 2` shows the ID of the other node.
- `Conn State: UP` and `Peer ICD Conn State: UP` indicate that both the ICL and ICD links are established.
- `Packet Statistics` shows the packets transmitted between the nodes.
Check Multinode High Availability Services Redundancy Group Details
Purpose
View and verify the details of the Multinode High Availability SRG.
Action
In operational mode, run the following command:
SRX-01 device
```
user@vsrx-mnha-n0> show chassis high-availability services-redundancy-group 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: BACKUP
Activeness Priority: 100
Preemption: DISABLED
Process Packet In Backup State: YES
Control Plane State: READY
System Integrity Check: COMPLETE
Failure Events: NONE
Peer Information:
Peer Id: 2
Status : ACTIVE
Health Status: HEALTHY
Failover Readiness: N/A
Signal Route Info:
Active Signal Route:
IP: 172.24.0.1
Routing Instance: default
Status: NOT INSTALLED
Backup Signal Route:
IP: 172.24.0.0
Routing Instance: default
Status: INSTALLED
Split-brain Prevention Probe Info:
DST-IP: 10.0.30.1
SRC-IP: 172.25.0.0
Routing Instance: vr
Type: ICMP Probe
Status: NOT RUNNING
Result: N/A Reason: N/A
SRG Path Monitor Info:
SRG Monitor Status: UP
SRG Monitor Threshold: 200
SRG Monitor Weight: 0
SRG Monitor Failed Objects: NONE
Object Name: routers
Object Status: UP
Object Monitored Entries: [ BFD ]
Object Failures: [ BFD ]
Object Threshold: 200
Object Current Weight: 100
Object Name: endpoints
Object Status: UP
Object Monitored Entries: [ IP ]
Object Failures: [ IP ]
Object Threshold: 200
Object Current Weight: 100
IP SRGID Table:
SRGID IP Prefix Routing Table
1 172.25.0.0/32 vr
```
Now run the same command on the SRX-02 device and note the differences in the command output, such as the status and the peer information.
```
user@vsrx-mnha-n1> show chassis high-availability services-redundancy-group 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: ACTIVE
Activeness Priority: 200
Preemption: DISABLED
Process Packet In Backup State: YES
Control Plane State: READY
System Integrity Check: COMPLETE
Failure Events: NONE
Peer Information:
Peer Id: 1
Status : BACKUP
Health Status: HEALTHY
Failover Readiness: READY
Signal Route Info:
Active Signal Route:
IP: 172.24.0.1
Routing Instance: default
Status: INSTALLED
Backup Signal Route:
IP: 172.24.0.0
Routing Instance: default
Status: NOT INSTALLED
Split-brain Prevention Probe Info:
DST-IP: 10.0.30.1
SRC-IP: 172.25.0.0
Routing Instance: vr
Type: ICMP Probe
Status: NOT RUNNING
Result: N/A Reason: N/A
SRG Path Monitor Info:
SRG Monitor Status: UP
SRG Monitor Threshold: 200
SRG Monitor Weight: 0
SRG Monitor Failed Objects: NONE
Object Name: routers
Object Status: UP
Object Monitored Entries: [ BFD ]
Object Failures: [ BFD ]
Object Threshold: 200
Object Current Weight: 100
Object Name: endpoints
Object Status: UP
Object Monitored Entries: [ IP ]
Object Failures: [ IP ]
Object Threshold: 200
Object Current Weight: 100
IP SRGID Table:
SRGID IP Prefix Routing Table
1 172.25.0.0/32 vr
```
Meaning
Verify the following details from the command output:
- `Deployment Type: ROUTING` indicates that Multinode High Availability is set up in Layer 3 (routing) mode.
- `Status: BACKUP` indicates that the node is currently operating as the backup node.
- `Peer Information` provides peer node details such as deployment type, status, and the active and backup signal routes.
- The output also indicates the configured monitoring options and failure events, if any.
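As an added example that is not part of this Juniper topic, the following Python script applies the checks from the two Meaning sections above (node status, ICL and ICD connection state, ICL encryption, SRG status and peer status) to the text of `show chassis high-availability information` captured from both nodes. Its parser and its sample outputs are my own construction, modelled on the outputs shown on this page, and its cross-node consistency check (exactly one ACTIVE and one BACKUP, with each node's view of its peer matching what the peer reports) goes one step beyond what the page states.

```python
"""Health checks over 'show chassis high-availability information' text.

Added example, not Juniper code. Parses the key/value lines shown on this page
and applies the Meaning-section checks (node ONLINE, ICL/ICD UP, ICL encrypted)
plus a cross-node SRG role check. Sample inputs below are constructed.
"""
import re

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)\s*:\s*(\S.*?)\s*$")
SRG_RE = re.compile(r"^\s*Services Redundancy Group:\s*(\d+)\s*$")

def parse_ha_info(text):
    """Return {'node': {key: value}, 'srg': {id: {'status', 'peer_status', ...}}}."""
    node, srgs, current, in_peer = {}, {}, None, False
    for line in text.splitlines():
        m = SRG_RE.match(line)
        if m:                                  # a new SRG section starts
            current, in_peer = int(m.group(1)), False
            srgs[current] = {}
            continue
        if line.strip() == "Peer Information:":
            in_peer = True                     # following Status is the peer's
            continue
        m = KV_RE.match(line)
        if not m:                              # headers, legends, blank lines
            continue
        key, val = m.group(1).strip(), m.group(2)
        if current is None:
            node[key] = val                    # node and HA-peer-link fields
        elif key == "Status":
            srgs[current]["peer_status" if in_peer else "status"] = val
        else:
            srgs[current][key] = val
    return {"node": node, "srg": srgs}

EXPECTED_NODE = {
    "Node Status": "ONLINE",        # node is up
    "Conn State": "UP",             # ICL link established
    "Peer ICD Conn State": "UP",    # ICD link established
    "Encrypted": "YES",             # ICL traffic is encrypted
}

def node_checks(info):
    """Per-node problems; an empty list means the node passes the Meaning checks."""
    n = info["node"]
    return [f"{k} is {n.get(k, 'MISSING')}, expected {v}"
            for k, v in EXPECTED_NODE.items() if n.get(k) != v]

def srg_role_checks(info_a, info_b, srg_id=1):
    """Cross-node SRG problems: exactly one ACTIVE and one BACKUP, and each
    node's 'Peer Information' status must equal the other node's own status."""
    a, b = info_a["srg"].get(srg_id, {}), info_b["srg"].get(srg_id, {})
    roles = sorted([a.get("status"), b.get("status")], key=str)
    problems = []
    if roles == ["ACTIVE", "ACTIVE"]:
        problems.append(f"SRG {srg_id}: both nodes ACTIVE (split brain)")
    elif roles == ["BACKUP", "BACKUP"]:
        problems.append(f"SRG {srg_id}: both nodes BACKUP (no active node)")
    elif roles != ["ACTIVE", "BACKUP"]:
        problems.append(f"SRG {srg_id}: unexpected roles {roles}")
    for me, other, name in ((a, b, "A"), (b, a, "B")):
        if me.get("peer_status") != other.get("status"):
            problems.append(f"SRG {srg_id}: node {name} sees peer as "
                            f"{me.get('peer_status')}, peer reports {other.get('status')}")
    return problems

def sample_output(local_id, peer_id, role, peer_role, encrypted="YES", conn="UP"):
    """Constructed, abbreviated form of this page's output for one node."""
    return f"""\
Node Status: ONLINE
Local-id: {local_id}
HA Peer Information:
Peer Id: {peer_id} IP address: 172.26.0.{peer_id} Interface: lo0.1
Encrypted: {encrypted}
Conn State: {conn}
Peer ICD Conn State: UP
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: {role}
Peer Information:
Peer Id: {peer_id}
Status : {peer_role}
"""

NODE0 = sample_output(1, 2, "BACKUP", "ACTIVE")   # like vsrx-mnha-n0 above
NODE1 = sample_output(2, 1, "ACTIVE", "BACKUP")   # like vsrx-mnha-n1 above

def check_pair(text_a, text_b):
    """All problems for a node pair; [] means the pair is healthy."""
    a, b = parse_ha_info(text_a), parse_ha_info(text_b)
    return ([f"node {a['node'].get('Local-id')}: {p}" for p in node_checks(a)]
            + [f"node {b['node'].get('Local-id')}: {p}" for p in node_checks(b)]
            + srg_role_checks(a, b))

if __name__ == "__main__":
    print(check_pair(NODE0, NODE1))   # healthy pair prints []
    # Both nodes claiming ACTIVE over an unencrypted, down ICL is reported:
    print(check_pair(sample_output(1, 2, "ACTIVE", "BACKUP", "NO", "DOWN"), NODE1))
```

The same parser works on the full outputs shown above because the legend lines without a colon and the section headers without a value are skipped.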
Set Commands on All Devices
Device configured as the active node (vsrx-mnha-n0)
```
set groups mnha-sync when peers vsrx-mnha-n0
set groups mnha-sync when peers vsrx-mnha-n1
set groups mnha-sync security ike proposal ike-prop authentication-method pre-shared-keys
set groups mnha-sync security ike proposal ike-prop dh-group group20
set groups mnha-sync security ike proposal ike-prop encryption-algorithm aes-256-gcm
set groups mnha-sync security ike proposal ike-prop lifetime-seconds 28800
set groups mnha-sync security ike policy ike-policy proposals ike-prop
set groups mnha-sync security ike policy ike-policy pre-shared-key ascii-text "$ABc123"
set groups mnha-sync security ike policy icl proposals ike-prop
set groups mnha-sync security ike gateway r1 ike-policy ike-policy
set groups mnha-sync security ike gateway r1 address 10.0.30.1
set groups mnha-sync security ike gateway r1 dead-peer-detection probe-idle-tunnel
set groups mnha-sync security ike gateway r1 dead-peer-detection interval 5
set groups mnha-sync security ike gateway r1 dead-peer-detection threshold 5
set groups mnha-sync security ike gateway r1 external-interface lo0.0
set groups mnha-sync security ike gateway r1 version v2-only
set groups mnha-sync security ike gateway icl ike-policy icl
set groups mnha-sync security ike gateway icl version v2-only
set groups mnha-sync security ipsec proposal ipsec-prop encryption-algorithm aes-256-gcm
set groups mnha-sync security ipsec proposal ipsec-prop lifetime-seconds 3600
set groups mnha-sync security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
set groups mnha-sync security ipsec policy ipsec-policy proposals ipsec-prop
set groups mnha-sync security ipsec vpn r1 bind-interface st0.0
set groups mnha-sync security ipsec vpn r1 ike gateway r1
set groups mnha-sync security ipsec vpn r1 ike ipsec-policy ipsec-policy
set groups mnha-sync security ipsec vpn r1 traffic-selector ts1 local-ip 10.0.35.11/32
set groups mnha-sync security ipsec vpn r1 traffic-selector ts1 remote-ip 10.0.30.11/32
set groups mnha-sync security ipsec vpn r1 establish-tunnels immediately
set groups mnha-sync security ipsec vpn icl ha-link-encryption
set groups mnha-sync security ipsec vpn icl ike gateway icl
set groups mnha-sync security ipsec vpn icl ike ipsec-policy ipsec-policy
set groups mnha-sync security policies from-zone icl to-zone icl policy permit match source-address any
set groups mnha-sync security policies from-zone icl to-zone icl policy permit match destination-address any
set groups mnha-sync security policies from-zone icl to-zone icl policy permit match application any
set groups mnha-sync security policies from-zone icl to-zone icl policy permit then permit
set groups mnha-sync security policies global policy internal match source-address any
set groups mnha-sync security policies global policy internal match destination-address any
set groups mnha-sync security policies global policy internal match application any
set groups mnha-sync security policies global policy internal match from-zone right
set groups mnha-sync security policies global policy internal match from-zone vpn
set groups mnha-sync security policies global policy internal match from-zone left
set groups mnha-sync security policies global policy internal match to-zone left
set groups mnha-sync security policies global policy internal match to-zone right
set groups mnha-sync security policies global policy internal match to-zone vpn
set groups mnha-sync security policies global policy internal then permit
set groups mnha-sync security policies global policy internal then log session-close
set groups mnha-sync security policies global policy untrust match source-address any
set groups mnha-sync security policies global policy untrust match destination-address any
set groups mnha-sync security policies global policy untrust match application any
set groups mnha-sync security policies global policy untrust match from-zone left
set groups mnha-sync security policies global policy untrust match from-zone right
set groups mnha-sync security policies global policy untrust match to-zone untrust
set groups mnha-sync security policies global policy untrust then permit
set groups mnha-sync security zones security-zone vpn interfaces st0.0
set groups mnha-sync security zones security-zone left interfaces lo0.0 host-inbound-traffic system-services ike
set groups mnha-sync security zones security-zone left interfaces lo0.0 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone left interfaces ge-0/0/3.100 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone left interfaces ge-0/0/3.100 host-inbound-traffic protocols bgp
set groups mnha-sync security zones security-zone left interfaces ge-0/0/3.100 host-inbound-traffic protocols bfd
set groups mnha-sync security zones security-zone right interfaces ge-0/0/4.101 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone right interfaces ge-0/0/4.101 host-inbound-traffic protocols bgp
set groups mnha-sync security zones security-zone right interfaces ge-0/0/4.101 host-inbound-traffic protocols bfd
set groups mnha-sync security zones security-zone untrust interfaces ge-0/0/0.102 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone untrust interfaces ge-0/0/0.102 host-inbound-traffic protocols bfd
set groups mnha-sync security zones security-zone untrust interfaces ge-0/0/0.102 host-inbound-traffic protocols bgp
set groups mnha-sync interfaces st0 unit 0 family inet
set groups mnha-sync-icl system commit peers vsrx-mnha-n1 routing-instance icl
set groups mnha-sync-icl system static-host-mapping vsrx-mnha-n1 inet 172.26.0.2
set groups icd chassis high-availability local-id local-forwarding-ip 172.26.0.11
set groups icd chassis high-availability peer-id 2 peer-forwarding-ip 172.26.0.12
set groups icd chassis high-availability peer-id 2 peer-forwarding-ip interface lo0.1
set groups icd chassis high-availability peer-id 2 peer-forwarding-ip liveness-detection minimum-interval 1000
set groups icd chassis high-availability peer-id 2 peer-forwarding-ip liveness-detection multiplier 5
set groups icd interfaces lo0 unit 1 family inet address 172.26.0.11/32
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.31.1 src-ip 10.0.31.10
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.31.1 routing-instance vr
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.31.1 session-type singlehop
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.31.1 interface ge-0/0/0.100
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.33.1 src-ip 10.0.33.10
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.33.1 routing-instance vr
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.33.1 session-type singlehop
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.33.1 interface ge-0/0/0.101
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.38.1 src-ip 10.0.38.10
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.38.1 routing-instance vr
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.38.1 session-type singlehop
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.38.1 interface ge-0/0/0.102
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/0
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints object-threshold 200
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip threshold 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.30.10 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.30.10 weight 50
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.35.10 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.35.10 weight 50
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers object-threshold 200
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness threshold 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.31.1 src-ip 10.0.31.10
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.31.1 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.31.1 session-type singlehop
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.31.1 interface ge-0/0/3.100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.31.1 weight 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.33.1 src-ip 10.0.33.10
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.33.1 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.33.1 session-type singlehop
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.33.1 interface ge-0/0/4.101
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.33.1 weight 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.38.1 src-ip 10.0.38.10
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.38.1 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.38.1 session-type singlehop
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.38.1 interface ge-0/0/0.102
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.38.1 weight 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor srg-threshold 200
set apply-groups mnha-sync
set apply-groups mnha-sync-icl
set apply-groups monitor-advanced
set apply-groups icd
set system commit peers vsrx-mnha-n1 user user
set system commit peers vsrx-mnha-n1 authentication "$ABC123"
set chassis high-availability local-id 1
set chassis high-availability local-id local-ip 172.26.0.1
set chassis high-availability peer-id 2 peer-ip 172.26.0.2
set chassis high-availability peer-id 2 interface lo0.1
set chassis high-availability peer-id 2 routing-instance icl
set chassis high-availability peer-id 2 vpn-profile icl
set chassis high-availability peer-id 2 liveness-detection minimum-interval 1000
set chassis high-availability peer-id 2 liveness-detection multiplier 3
set chassis high-availability services-redundancy-group 0 peer-id 2
set chassis high-availability services-redundancy-group 1 deployment-type routing
set chassis high-availability services-redundancy-group 1 peer-id 2
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.0.30.1
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip src-ip 172.25.0.0
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip routing-instance vr
set chassis high-availability services-redundancy-group 1 active-signal-route 172.24.0.1
set chassis high-availability services-redundancy-group 1 backup-signal-route 172.24.0.0
set chassis high-availability services-redundancy-group 1 prefix-list srg1-prefix routing-instance vr
set chassis high-availability services-redundancy-group 1 managed-services ipsec
set chassis high-availability services-redundancy-group 1 process-packet-on-backup
set chassis high-availability services-redundancy-group 1 activeness-priority 100
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group20
set security ike proposal ike-prop encryption-algorithm aes-256-gcm
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-policy proposals ike-prop
set security ike policy ike-policy pre-shared-key ascii-text "$ABC123"
set security ike policy icl proposals ike-prop
set security ike policy icl pre-shared-key ascii-text "$ABC123."
set security ike gateway icl ike-policy icl
set security ike gateway icl version v2-only
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-gcm
set security ipsec proposal ipsec-prop lifetime-seconds 3600
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
set security ipsec policy ipsec-policy proposals ipsec-prop
set security ipsec vpn icl ha-link-encryption
set security ipsec vpn icl ike gateway icl
set security ipsec vpn icl ike ipsec-policy ipsec-policy
set security zones security-zone icl interfaces ge-0/0/3.36 host-inbound-traffic system-services ping
set security zones security-zone icl interfaces ge-0/0/3.36 host-inbound-traffic protocols bgp
set security zones security-zone icl interfaces ge-0/0/3.36 host-inbound-traffic protocols bfd
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services ping
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services ike
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services high-availability
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services ssh
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic protocols bfd
set security zones security-zone icl interfaces ge-0/0/1.39 host-inbound-traffic system-services ping
set security zones security-zone icl interfaces ge-0/0/1.39 host-inbound-traffic protocols bgp
set security zones security-zone icl interfaces ge-0/0/1.39 host-inbound-traffic protocols bfd
set interfaces ge-0/0/0 description for-monitoring
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 102 description vr-uplink-r2
set interfaces ge-0/0/0 unit 102 vlan-id 38
set interfaces ge-0/0/0 unit 102 family inet address 10.0.38.10/24
set interfaces ge-0/0/1 description br-lab-ha-1
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 mtu 9000
set interfaces ge-0/0/1 unit 39 description icl-n1
set interfaces ge-0/0/1 unit 39 vlan-id 39
set interfaces ge-0/0/1 unit 39 family inet address 10.1.39.1/24
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 36 description icl-r1
set interfaces ge-0/0/3 unit 36 vlan-id 36
set interfaces ge-0/0/3 unit 36 family inet address 10.0.36.10/24
set interfaces ge-0/0/3 unit 100 description vr-left-r1
set interfaces ge-0/0/3 unit 100 vlan-id 31
set interfaces ge-0/0/3 unit 100 family inet address 10.0.31.10/24
set interfaces ge-0/0/4 vlan-tagging
set interfaces ge-0/0/4 unit 101 description vr-right-r2
set interfaces ge-0/0/4 unit 101 vlan-id 33
set interfaces ge-0/0/4 unit 101 family inet address 10.0.33.10/24
set interfaces lo0 unit 0 description "Floating IP"
set interfaces lo0 unit 0 family inet address 172.25.0.0/32
set interfaces lo0 unit 1 description ICL
set interfaces lo0 unit 1 family inet address 172.26.0.1/32
set policy-options prefix-list export-int 0.0.0.0/0
set policy-options prefix-list export-int 172.25.0.0/32
set policy-options prefix-list export-uplink 10.0.30.0/24
set policy-options prefix-list export-uplink 10.0.35.0/24
set policy-options prefix-list srg1-prefix 172.25.0.0/32
set policy-options policy-statement export-icl-r1 term 10 from interface lo0.1
set policy-options policy-statement export-icl-r1 term 10 then accept
set policy-options policy-statement export-icl-r1 term 100 then reject
set policy-options policy-statement export-icl-to-n1 term 10 from interface lo0.1
set policy-options policy-statement export-icl-to-n1 term 10 then accept
set policy-options policy-statement export-icl-to-n1 term 100 then reject
set policy-options policy-statement export-to-int term 10 from prefix-list export-int
set policy-options policy-statement export-to-int term 10 from condition srg1_backup
set policy-options policy-statement export-to-int term 10 then as-path-prepend 65031
set policy-options policy-statement export-to-int term 10 then accept
set policy-options policy-statement export-to-int term 20 from prefix-list export-int
set policy-options policy-statement export-to-int term 20 from condition srg1_active
set policy-options policy-statement export-to-int term 20 then accept
set policy-options policy-statement export-to-int term 90 from prefix-list export-int
set policy-options policy-statement export-to-int term 90 then as-path-prepend "65031 65031"
set policy-options policy-statement export-to-int term 90 then accept
set policy-options policy-statement export-to-int term 100 then reject
set policy-options policy-statement export-to-uplink term 10 from prefix-list export-uplink
set policy-options policy-statement export-to-uplink term 10 from condition srg1_backup
set policy-options policy-statement export-to-uplink term 10 then as-path-prepend 65031
set policy-options policy-statement export-to-uplink term 10 then accept
set policy-options policy-statement export-to-uplink term 20 from prefix-list export-uplink
set policy-options policy-statement export-to-uplink term 20 from condition srg1_active
set policy-options policy-statement export-to-uplink term 20 then accept
set policy-options policy-statement export-to-uplink term 90 from prefix-list export-uplink
set policy-options policy-statement export-to-uplink term 90 then as-path-prepend "65031 65031"
set policy-options policy-statement export-to-uplink term 90 then accept
set policy-options policy-statement export-to-uplink term 100 then reject
set policy-options condition srg1_active if-route-exists 172.24.0.1/32
set policy-options condition srg1_active if-route-exists table inet.0
set policy-options condition srg1_backup if-route-exists 172.24.0.0/32
set policy-options condition srg1_backup if-route-exists table inet.0
set routing-instances icl instance-type virtual-router
set routing-instances icl protocols bgp group icl neighbor 10.0.36.1 export export-icl-r1
set routing-instances icl protocols bgp group icl neighbor 10.0.36.1 peer-as 65030
set routing-instances icl protocols bgp group icl neighbor 10.1.39.2 export export-icl-to-n1
set routing-instances icl protocols bgp group icl neighbor 10.1.39.2 peer-as 65032
set routing-instances icl protocols bgp local-as 65031
set routing-instances icl protocols bgp bfd-liveness-detection minimum-interval 500
set routing-instances icl protocols bgp bfd-liveness-detection multiplier 3
set routing-instances icl interface ge-0/0/1.39
set routing-instances icl interface ge-0/0/3.36
set routing-instances icl interface lo0.1
set routing-instances vr instance-type virtual-router
set routing-instances vr protocols bgp group r1 neighbor 10.0.31.1 export export-to-int
set routing-instances vr protocols bgp group r1 neighbor 10.0.31.1 peer-as 65030
set routing-instances vr protocols bgp group r2 neighbor 10.0.33.1 export export-to-int
set routing-instances vr protocols bgp group r2 neighbor 10.0.33.1 peer-as 65035
set routing-instances vr protocols bgp group uplink-r2 neighbor 10.0.38.1 export export-to-uplink
set routing-instances vr protocols bgp group uplink-r2 neighbor 10.0.38.1 peer-as 65039
set routing-instances vr protocols bgp local-as 65031
set routing-instances vr protocols bgp bfd-liveness-detection minimum-interval 1000
set routing-instances vr protocols bgp bfd-liveness-detection multiplier 3
set routing-instances vr interface ge-0/0/0.102
set routing-instances vr interface ge-0/0/3.100
set routing-instances vr interface ge-0/0/4.101
set routing-instances vr interface lo0.0
```
Device configured as the backup node (SRX-02)
set groups mnha-sync-icl system commit peers vsrx-mnha-n0 routing-instance icl
set groups mnha-sync-icl system static-host-mapping vsrx-mnha-n0 inet 172.26.0.1
set groups mnha-sync when peers vsrx-mnha-n0
set groups mnha-sync when peers vsrx-mnha-n1
set groups mnha-sync security ike proposal ike-prop authentication-method pre-shared-keys
set groups mnha-sync security ike proposal ike-prop dh-group group20
set groups mnha-sync security ike proposal ike-prop encryption-algorithm aes-256-gcm
set groups mnha-sync security ike proposal ike-prop lifetime-seconds 28800
set groups mnha-sync security ike policy ike-policy proposals ike-prop
set groups mnha-sync security ike policy ike-policy pre-shared-key ascii-text "$ABC123"
set groups mnha-sync security ike policy icl proposals ike-prop
set groups mnha-sync security ike gateway r1 ike-policy ike-policy
set groups mnha-sync security ike gateway r1 address 10.0.30.1
set groups mnha-sync security ike gateway r1 dead-peer-detection probe-idle-tunnel
set groups mnha-sync security ike gateway r1 dead-peer-detection interval 5
set groups mnha-sync security ike gateway r1 dead-peer-detection threshold 5
set groups mnha-sync security ike gateway r1 external-interface lo0.0
set groups mnha-sync security ike gateway r1 version v2-only
set groups mnha-sync security ike gateway icl ike-policy icl
set groups mnha-sync security ike gateway icl version v2-only
set groups mnha-sync security ipsec proposal ipsec-prop encryption-algorithm aes-256-gcm
set groups mnha-sync security ipsec proposal ipsec-prop lifetime-seconds 3600
set groups mnha-sync security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
set groups mnha-sync security ipsec policy ipsec-policy proposals ipsec-prop
set groups mnha-sync security ipsec vpn r1 bind-interface st0.0
set groups mnha-sync security ipsec vpn r1 ike gateway r1
set groups mnha-sync security ipsec vpn r1 ike ipsec-policy ipsec-policy
set groups mnha-sync security ipsec vpn r1 traffic-selector ts1 local-ip 10.0.35.11/32
set groups mnha-sync security ipsec vpn r1 traffic-selector ts1 remote-ip 10.0.30.11/32
set groups mnha-sync security ipsec vpn r1 establish-tunnels immediately
set groups mnha-sync security ipsec vpn icl ha-link-encryption
set groups mnha-sync security ipsec vpn icl ike gateway icl
set groups mnha-sync security ipsec vpn icl ike ipsec-policy ipsec-policy
set groups mnha-sync security flow tcp-mss ipsec-vpn mss 1400
set groups mnha-sync security flow tcp-session strict-syn-check
set groups mnha-sync security policies from-zone icl to-zone icl policy permit match source-address any
set groups mnha-sync security policies from-zone icl to-zone icl policy permit match destination-address any
set groups mnha-sync security policies from-zone icl to-zone icl policy permit match application any
set groups mnha-sync security policies from-zone icl to-zone icl policy permit then permit
set groups mnha-sync security policies global policy internal match source-address any
set groups mnha-sync security policies global policy internal match destination-address any
set groups mnha-sync security policies global policy internal match application any
set groups mnha-sync security policies global policy internal match from-zone right
set groups mnha-sync security policies global policy internal match from-zone vpn
set groups mnha-sync security policies global policy internal match from-zone left
set groups mnha-sync security policies global policy internal match to-zone left
set groups mnha-sync security policies global policy internal match to-zone right
set groups mnha-sync security policies global policy internal match to-zone vpn
set groups mnha-sync security policies global policy internal then permit
set groups mnha-sync security policies global policy internal then log session-close
set groups mnha-sync security policies global policy untrust match source-address any
set groups mnha-sync security policies global policy untrust match destination-address any
set groups mnha-sync security policies global policy untrust match application any
set groups mnha-sync security policies global policy untrust match from-zone left
set groups mnha-sync security policies global policy untrust match from-zone right
set groups mnha-sync security policies global policy untrust match to-zone untrust
set groups mnha-sync security policies global policy untrust then permit
set groups mnha-sync security zones security-zone vpn interfaces st0.0
set groups mnha-sync security zones security-zone left interfaces lo0.0 host-inbound-traffic system-services ike
set groups mnha-sync security zones security-zone left interfaces lo0.0 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone left interfaces ge-0/0/3.100 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone left interfaces ge-0/0/3.100 host-inbound-traffic protocols bgp
set groups mnha-sync security zones security-zone left interfaces ge-0/0/3.100 host-inbound-traffic protocols bfd
set groups mnha-sync security zones security-zone right interfaces ge-0/0/4.101 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone right interfaces ge-0/0/4.101 host-inbound-traffic protocols bgp
set groups mnha-sync security zones security-zone right interfaces ge-0/0/4.101 host-inbound-traffic protocols bfd
set groups mnha-sync security zones security-zone untrust interfaces ge-0/0/0.102 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone untrust interfaces ge-0/0/0.102 host-inbound-traffic protocols bfd
set groups mnha-sync security zones security-zone untrust interfaces ge-0/0/0.102 host-inbound-traffic protocols bgp
set groups mnha-sync interfaces st0 unit 0 family inet
set groups icd chassis high-availability local-id local-forwarding-ip 172.26.0.12
set groups icd chassis high-availability peer-id 1 peer-forwarding-ip 172.26.0.11
set groups icd chassis high-availability peer-id 1 peer-forwarding-ip interface lo0.1
set groups icd chassis high-availability peer-id 1 peer-forwarding-ip liveness-detection minimum-interval 1000
set groups icd chassis high-availability peer-id 1 peer-forwarding-ip liveness-detection multiplier 5
set groups icd interfaces lo0 unit 1 family inet address 172.26.0.12/32
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.32.1 src-ip 10.0.32.10
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.32.1 routing-instance vr
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.32.1 session-type singlehop
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.32.1 interface ge-0/0/3.100
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.34.1 src-ip 10.0.34.10
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.34.1 routing-instance vr
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.34.1 session-type singlehop
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.34.1 interface ge-0/0/4.101
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.39.1 src-ip 10.0.39.10
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.39.1 routing-instance vr
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.39.1 session-type singlehop
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.39.1 interface ge-0/0/0.102
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/0
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints object-threshold 200
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip threshold 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.30.10 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.30.10 weight 50
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.35.10 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.35.10 weight 50
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers object-threshold 200
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness threshold 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.32.1 src-ip 10.0.32.10
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.32.1 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.32.1 session-type singlehop
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.32.1 interface ge-0/0/3.100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.32.1 weight 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.34.1 src-ip 10.0.34.10
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.34.1 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.34.1 session-type singlehop
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.34.1 interface ge-0/0/4.101
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.34.1 weight 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.39.1 src-ip 10.0.39.10
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.39.1 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.39.1 session-type singlehop
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.39.1 interface ge-0/0/0.102
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.39.1 weight 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor srg-threshold 200
set apply-groups mnha-sync
set apply-groups mnha-sync-icl
set apply-groups monitor-advanced
set apply-groups icd
set system commit peers vsrx-mnha-n0 user user
set system commit peers vsrx-mnha-n0 authentication "$ABC123"
set chassis high-availability local-id 2
set chassis high-availability local-id local-ip 172.26.0.2
set chassis high-availability peer-id 1 peer-ip 172.26.0.1
set chassis high-availability peer-id 1 interface lo0.1
set chassis high-availability peer-id 1 routing-instance icl
set chassis high-availability peer-id 1 vpn-profile icl
set chassis high-availability peer-id 1 liveness-detection minimum-interval 1000
set chassis high-availability peer-id 1 liveness-detection multiplier 3
set chassis high-availability services-redundancy-group 0 peer-id 1
set chassis high-availability services-redundancy-group 1 deployment-type routing
set chassis high-availability services-redundancy-group 1 peer-id 1
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.0.30.1
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip src-ip 172.25.0.0
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip routing-instance vr
set chassis high-availability services-redundancy-group 1 active-signal-route 172.24.0.1
set chassis high-availability services-redundancy-group 1 backup-signal-route 172.24.0.0
set chassis high-availability services-redundancy-group 1 prefix-list srg1-prefix routing-instance vr
set chassis high-availability services-redundancy-group 1 managed-services ipsec
set chassis high-availability services-redundancy-group 1 process-packet-on-backup
set chassis high-availability services-redundancy-group 1 activeness-priority 200
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group20
set security ike proposal ike-prop encryption-algorithm aes-256-gcm
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-policy proposals ike-prop
set security ike policy ike-policy pre-shared-key ascii-text "$ABC123"
set security ike policy icl proposals ike-prop
set security ike policy icl pre-shared-key ascii-text "$ABC123"
set security ike gateway icl ike-policy icl
set security ike gateway icl version v2-only
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-gcm
set security ipsec proposal ipsec-prop lifetime-seconds 3600
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
set security ipsec policy ipsec-policy proposals ipsec-prop
set security ipsec vpn icl ha-link-encryption
set security ipsec vpn icl ike gateway icl
set security ipsec vpn icl ike ipsec-policy ipsec-policy
set security zones security-zone icl interfaces ge-0/0/3.37 host-inbound-traffic system-services ping
set security zones security-zone icl interfaces ge-0/0/3.37 host-inbound-traffic protocols bgp
set security zones security-zone icl interfaces ge-0/0/3.37 host-inbound-traffic protocols bfd
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services ping
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services ike
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services high-availability
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services ssh
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic protocols bfd
set security zones security-zone icl interfaces ge-0/0/1.39 host-inbound-traffic system-services ping
set security zones security-zone icl interfaces ge-0/0/1.39 host-inbound-traffic protocols bgp
set security zones security-zone icl interfaces ge-0/0/1.39 host-inbound-traffic protocols bfd
set interfaces ge-0/0/0 description for-monitoring
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 102 description vr-uplink-r2
set interfaces ge-0/0/0 unit 102 vlan-id 39
set interfaces ge-0/0/0 unit 102 family inet address 10.0.39.10/24
set interfaces ge-0/0/1 description br-lab-ha-1
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 mtu 9000
set interfaces ge-0/0/1 unit 39 description icl-n0
set interfaces ge-0/0/1 unit 39 vlan-id 39
set interfaces ge-0/0/1 unit 39 family inet address 10.1.39.2/24
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 37 description icl-r1
set interfaces ge-0/0/3 unit 37 vlan-id 37
set interfaces ge-0/0/3 unit 37 family inet address 10.0.37.10/24
set interfaces ge-0/0/3 unit 100 description vr-left-r1
set interfaces ge-0/0/3 unit 100 vlan-id 32
set interfaces ge-0/0/3 unit 100 family inet address 10.0.32.10/24
set interfaces ge-0/0/4 vlan-tagging
set interfaces ge-0/0/4 unit 101 description vr-right-r2
set interfaces ge-0/0/4 unit 101 vlan-id 34
set interfaces ge-0/0/4 unit 101 family inet address 10.0.34.10/24
set interfaces lo0 unit 0 description "Floating IP"
set interfaces lo0 unit 0 family inet address 172.25.0.0/32
set interfaces lo0 unit 1 description ICL
set interfaces lo0 unit 1 family inet address 172.26.0.2/32
set policy-options prefix-list export-int 0.0.0.0/0
set policy-options prefix-list export-int 172.25.0.0/32
set policy-options prefix-list export-uplink 10.0.30.0/24
set policy-options prefix-list export-uplink 10.0.35.0/24
set policy-options prefix-list srg1-prefix 172.25.0.0/32
set policy-options policy-statement export-icl-r1 term 10 from interface lo0.1
set policy-options policy-statement export-icl-r1 term 10 then accept
set policy-options policy-statement export-icl-r1 term 100 then reject
set policy-options policy-statement export-icl-to-n0 term 10 from interface lo0.1
set policy-options policy-statement export-icl-to-n0 term 10 then accept
set policy-options policy-statement export-icl-to-n0 term 100 then reject
set policy-options policy-statement export-to-int term 10 from prefix-list export-int
set policy-options policy-statement export-to-int term 10 from condition srg1_backup
set policy-options policy-statement export-to-int term 10 then as-path-prepend 65032
set policy-options policy-statement export-to-int term 10 then accept
set policy-options policy-statement export-to-int term 20 from prefix-list export-int
set policy-options policy-statement export-to-int term 20 from condition srg1_active
set policy-options policy-statement export-to-int term 20 then accept
set policy-options policy-statement export-to-int term 90 from prefix-list export-int
set policy-options policy-statement export-to-int term 90 then as-path-prepend "65032 65032 65032"
set policy-options policy-statement export-to-int term 90 then accept
set policy-options policy-statement export-to-int term 100 then reject
set policy-options policy-statement export-to-uplink term 10 from prefix-list export-uplink
set policy-options policy-statement export-to-uplink term 10 from condition srg1_backup
set policy-options policy-statement export-to-uplink term 10 then as-path-prepend 65032
set policy-options policy-statement export-to-uplink term 10 then accept
set policy-options policy-statement export-to-uplink term 20 from prefix-list export-uplink
set policy-options policy-statement export-to-uplink term 20 from condition srg1_active
set policy-options policy-statement export-to-uplink term 20 then accept
set policy-options policy-statement export-to-uplink term 90 from prefix-list export-uplink
set policy-options policy-statement export-to-uplink term 90 then as-path-prepend "65032 65032 65032"
set policy-options policy-statement export-to-uplink term 90 then accept
set policy-options policy-statement export-to-uplink term 100 then reject
set policy-options condition srg1_active if-route-exists 172.24.0.1/32
set policy-options condition srg1_active if-route-exists table inet.0
set policy-options condition srg1_backup if-route-exists 172.24.0.0/32
set policy-options condition srg1_backup if-route-exists table inet.0
set routing-instances icl instance-type virtual-router
set routing-instances icl protocols bgp group icl neighbor 10.0.37.1 export export-icl-r1
set routing-instances icl protocols bgp group icl neighbor 10.0.37.1 peer-as 65030
set routing-instances icl protocols bgp group icl neighbor 10.1.39.1 export export-icl-to-n0
set routing-instances icl protocols bgp group icl neighbor 10.1.39.1 peer-as 65031
set routing-instances icl protocols bgp local-as 65032
set routing-instances icl protocols bgp bfd-liveness-detection minimum-interval 500
set routing-instances icl protocols bgp bfd-liveness-detection multiplier 3
set routing-instances icl interface ge-0/0/1.39
set routing-instances icl interface ge-0/0/3.37
set routing-instances icl interface lo0.1
set routing-instances vr instance-type virtual-router
set routing-instances vr protocols bgp group r1 neighbor 10.0.32.1 export export-to-int
set routing-instances vr protocols bgp group r1 neighbor 10.0.32.1 peer-as 65030
set routing-instances vr protocols bgp group r2 neighbor 10.0.34.1 export export-to-int
set routing-instances vr protocols bgp group r2 neighbor 10.0.34.1 peer-as 65035
set routing-instances vr protocols bgp group uplink-r2 neighbor 10.0.39.1 export export-to-uplink
set routing-instances vr protocols bgp group uplink-r2 neighbor 10.0.39.1 peer-as 65039
set routing-instances vr protocols bgp local-as 65032
set routing-instances vr protocols bgp bfd-liveness-detection minimum-interval 1000
set routing-instances vr protocols bgp bfd-liveness-detection multiplier 3
set routing-instances vr interface ge-0/0/0.102
set routing-instances vr interface ge-0/0/3.100
set routing-instances vr interface ge-0/0/4.101
set routing-instances vr interface lo0.0
Router 1 (device configured as a router)
set security policies default-policy permit-all
set security zones security-zone left host-inbound-traffic system-services ping
set security zones security-zone left host-inbound-traffic system-services ike
set security zones security-zone left host-inbound-traffic protocols bgp
set security zones security-zone left host-inbound-traffic protocols bfd
set security zones security-zone left interfaces ge-0/0/2.30
set security zones security-zone left interfaces ge-0/0/0.31
set security zones security-zone left interfaces ge-0/0/1.32
set security zones security-zone left interfaces st0.0
set security zones security-zone left enable-reverse-reroute
set security zones security-zone icl host-inbound-traffic system-services ping
set security zones security-zone icl host-inbound-traffic protocols bgp
set security zones security-zone icl host-inbound-traffic protocols bfd
set security zones security-zone icl interfaces ge-0/0/0.36
set security zones security-zone icl interfaces ge-0/0/1.37
set interfaces ge-0/0/0 description br-lab-1
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 31 description vr-mnha-n0
set interfaces ge-0/0/0 unit 31 vlan-id 31
set interfaces ge-0/0/0 unit 31 family inet address 10.0.31.1/24
set interfaces ge-0/0/0 unit 36 description icl-n0
set interfaces ge-0/0/0 unit 36 vlan-id 36
set interfaces ge-0/0/0 unit 36 family inet address 10.0.36.1/24
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 32 description vr-mnha-n1
set interfaces ge-0/0/1 unit 32 vlan-id 32
set interfaces ge-0/0/1 unit 32 family inet address 10.0.32.1/24
set interfaces ge-0/0/1 unit 37 description icl-n1
set interfaces ge-0/0/1 unit 37 vlan-id 37
set interfaces ge-0/0/1 unit 37 family inet address 10.0.37.1/24
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 30 description vr-linux-1
set interfaces ge-0/0/2 unit 30 vlan-id 30
set interfaces ge-0/0/2 unit 30 family inet address 10.0.30.1/24
set interfaces st0 unit 0 family inet
set policy-options policy-statement export-icl-n0 term 10 from interface ge-0/0/1.37
set policy-options policy-statement export-icl-n0 term 10 then accept
set policy-options policy-statement export-icl-n0 term 100 then reject
set policy-options policy-statement export-icl-n1 term 10 from interface ge-0/0/0.36
set policy-options policy-statement export-icl-n1 term 10 then accept
set policy-options policy-statement export-icl-n1 term 100 then reject
set policy-options policy-statement export-to-mnha-fws term 10 from interface ge-0/0/2.30
set policy-options policy-statement export-to-mnha-fws term 10 then accept
set policy-options policy-statement export-to-mnha-fws term 100 then reject
set routing-instances icl instance-type virtual-router
set routing-instances icl protocols bgp group icl local-as 65030
set routing-instances icl protocols bgp group icl bfd-liveness-detection minimum-interval 500
set routing-instances icl protocols bgp group icl bfd-liveness-detection multiplier 3
set routing-instances icl protocols bgp group icl neighbor 10.0.36.10 export export-icl-n0
set routing-instances icl protocols bgp group icl neighbor 10.0.36.10 peer-as 65031
set routing-instances icl protocols bgp group icl neighbor 10.0.37.10 export export-icl-n1
set routing-instances icl protocols bgp group icl neighbor 10.0.37.10 peer-as 65032
set routing-instances icl interface ge-0/0/0.36
set routing-instances icl interface ge-0/0/1.37
set routing-instances vr instance-type virtual-router
set routing-instances vr protocols bgp group mnha-n0 neighbor 10.0.31.10 peer-as 65031
set routing-instances vr protocols bgp group mnha-n1 neighbor 10.0.32.10 peer-as 65032
set routing-instances vr protocols bgp export export-to-mnha-fws
set routing-instances vr protocols bgp local-as 65030
set routing-instances vr protocols bgp bfd-liveness-detection minimum-interval 1000
set routing-instances vr protocols bgp bfd-liveness-detection multiplier 3
set routing-instances vr interface ge-0/0/0.31
set routing-instances vr interface ge-0/0/1.32
set routing-instances vr interface ge-0/0/2.30
set routing-instances vr interface st0.0
Router 2 (device configured as a router)
set security policies default-policy permit-all
set security zones security-zone right host-inbound-traffic system-services ping
set security zones security-zone right host-inbound-traffic protocols bgp
set security zones security-zone right host-inbound-traffic protocols bfd
set security zones security-zone right interfaces ge-0/0/0.33
set security zones security-zone right interfaces ge-0/0/1.34
set security zones security-zone right interfaces ge-0/0/2.35
set security zones security-zone right enable-reverse-reroute
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic protocols bgp
set security zones security-zone trust host-inbound-traffic protocols bfd
set security zones security-zone trust interfaces ge-0/0/0.39
set security zones security-zone trust interfaces ge-0/0/0.38
set interfaces ge-0/0/0 description br-lab-1
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 33 description vr-mnha-n0
set interfaces ge-0/0/0 unit 33 vlan-id 33
set interfaces ge-0/0/0 unit 33 family inet address 10.0.33.1/24
set interfaces ge-0/0/0 unit 38 description uplink-mnha-n0
set interfaces ge-0/0/0 unit 38 vlan-id 38
set interfaces ge-0/0/0 unit 38 family inet address 10.0.38.1/24
set interfaces ge-0/0/0 unit 39 description uplink-mnha-n1
set interfaces ge-0/0/0 unit 39 vlan-id 39
set interfaces ge-0/0/0 unit 39 family inet address 10.0.39.1/24
set interfaces ge-0/0/1 description br-poc-mgmt
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 34 description vr-mnha-n1
set interfaces ge-0/0/1 unit 34 vlan-id 34
set interfaces ge-0/0/1 unit 34 family inet address 10.0.34.1/24
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 35 description vr-linux-2
set interfaces ge-0/0/2 unit 35 vlan-id 35
set interfaces ge-0/0/2 unit 35 family inet address 10.0.35.1/24
set policy-options policy-statement export-default term 10 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement export-default term 10 then accept
set policy-options policy-statement export-default term 100 then reject
set policy-options policy-statement export-to-mnha-fws term 10 from interface ge-0/0/2.35
set policy-options policy-statement export-to-mnha-fws term 10 then accept
set policy-options policy-statement export-to-mnha-fws term 100 then reject
set policy-options policy-statement import-from-n1 from neighbor 10.0.34.10
set policy-options policy-statement import-from-n1 then local-preference 1000
set routing-instances uplink instance-type virtual-router
set routing-instances uplink routing-options static route 0.0.0.0/0 next-hop 172.30.192.1
set routing-instances uplink protocols bgp family inet unicast loops 1
set routing-instances uplink protocols bgp group trust export export-default
set routing-instances uplink protocols bgp group trust local-as 65039
set routing-instances uplink protocols bgp group trust bfd-liveness-detection minimum-interval 1000
set routing-instances uplink protocols bgp group trust bfd-liveness-detection multiplier 3
set routing-instances uplink protocols bgp group trust neighbor 10.0.38.10 peer-as 65031
set routing-instances uplink protocols bgp group trust neighbor 10.0.39.10 peer-as 65032
set routing-instances uplink interface ge-0/0/0.38
set routing-instances uplink interface ge-0/0/0.39
set routing-instances uplink interface ge-0/0/1.0
deactivate routing-instances uplink interface ge-0/0/1.0
set routing-instances vr instance-type virtual-router
set routing-instances vr protocols bgp family inet unicast loops 1
set routing-instances vr protocols bgp group mnha-n0 neighbor 10.0.33.10 peer-as 65031
set routing-instances vr protocols bgp group mnha-n1 neighbor 10.0.34.10 import import-from-n1
set routing-instances vr protocols bgp group mnha-n1 neighbor 10.0.34.10 peer-as 65032
set routing-instances vr protocols bgp export export-to-mnha-fws
set routing-instances vr protocols bgp local-as 65035
set routing-instances vr protocols bgp bfd-liveness-detection minimum-interval 1000
set routing-instances vr protocols bgp bfd-liveness-detection multiplier 3
set routing-instances vr interface ge-0/0/0.33
set routing-instances vr interface ge-0/0/1.34
set routing-instances vr interface ge-0/0/2.35
Show Configuration Output
In configuration mode, enter show chassis high-availability, show groups <group-name> and the other show commands below on both nodes to confirm your configuration. If the output does not show the intended configuration, repeat the configuration instructions in this example to correct it. The pre-shared keys appear as the placeholder "$ABC123" in this example; on a real device, show prints them in the obfuscated $9$... form, marked ## SECRET-DATA, and the two nodes must hold the same key for the ICL tunnel to come up.
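Reading the two outputs side by side is error-prone, so the script below is an added example (not part of this Juniper example or of any Juniper tool) of how to check the properties this design depends on from the two nodes' configurations exported with show configuration | display set: the mnha-sync group (the one carrying when peers) is identical on both nodes, local-id/peer-id, local-ip/peer-ip and the ICD forwarding addresses mirror each other, the groups are actually applied, the SRG activeness priorities differ, and the policy-options conditions test exactly the routes the SRG installs as active-signal-route and backup-signal-route. The embedded configurations are constructed excerpts of the SRX-01 and SRX-02 configurations on this page, and the two deliberately broken variants at the end are constructed as well.

```python
from collections import defaultdict
import shlex
# Constructed excerpt of the SRX-01 (vsrx-mnha-n0) configuration from this page.
NODE0_SET = """
set groups mnha-sync when peers vsrx-mnha-n0
set groups mnha-sync when peers vsrx-mnha-n1
set groups mnha-sync security ike proposal ike-prop encryption-algorithm aes-256-gcm
set groups mnha-sync security ike policy ike-policy pre-shared-key ascii-text "$ABC123"
set groups mnha-sync security ipsec vpn icl ha-link-encryption
set groups mnha-sync-icl system commit peers vsrx-mnha-n1 routing-instance icl
set groups mnha-sync-icl system static-host-mapping vsrx-mnha-n1 inet 172.26.0.2
set groups icd chassis high-availability local-id local-forwarding-ip 172.26.0.11
set groups icd chassis high-availability peer-id 2 peer-forwarding-ip 172.26.0.12
set apply-groups mnha-sync
set apply-groups mnha-sync-icl
set apply-groups icd
set chassis high-availability local-id 1
set chassis high-availability local-id local-ip 172.26.0.1
set chassis high-availability peer-id 2 peer-ip 172.26.0.2
set chassis high-availability services-redundancy-group 1 active-signal-route 172.24.0.1
set chassis high-availability services-redundancy-group 1 backup-signal-route 172.24.0.0
set chassis high-availability services-redundancy-group 1 activeness-priority 100
set policy-options condition srg1_active if-route-exists 172.24.0.1/32
set policy-options condition srg1_backup if-route-exists 172.24.0.0/32
"""
# SRX-02 (vsrx-mnha-n1) is the mirror image: ids, ICL/ICD addresses, commit peer and priority swap.
NODE1_SET = (NODE0_SET
    .replace("peers vsrx-mnha-n1 routing", "peers vsrx-mnha-n0 routing")
    .replace("vsrx-mnha-n1 inet 172.26.0.2", "vsrx-mnha-n0 inet 172.26.0.1")
    .replace("local-forwarding-ip 172.26.0.11", "local-forwarding-ip 172.26.0.12")
    .replace("peer-id 2 peer-forwarding-ip 172.26.0.12", "peer-id 1 peer-forwarding-ip 172.26.0.11")
    .replace("local-id 1\n", "local-id 2\n")
    .replace("local-ip 172.26.0.1", "local-ip 172.26.0.2")
    .replace("peer-id 2 peer-ip 172.26.0.2", "peer-id 1 peer-ip 172.26.0.1")
    .replace("activeness-priority 100", "activeness-priority 200"))

def parse_set(text):
    """`set a b "c d"` lines -> tuples of tokens; quoted values stay one token."""
    return [tuple(shlex.split(line)[1:]) for line in text.splitlines() if line.strip().startswith("set ")]

def groups_of(stmts):
    """Statements under [edit groups <name>], keyed by group name."""
    groups = defaultdict(set)
    for s in stmts:
        if s[:1] == ("groups",) and len(s) > 2:
            groups[s[1]].add(s[2:])
    return groups

def ha_identity(stmts):
    """Per-node HA identifiers, looking through the icd group as well as the top level."""
    info = {}
    for s in stmts:
        body = s[2:] if s[:1] == ("groups",) else s
        if body[:2] != ("chassis", "high-availability"):
            continue
        r = body[2:]
        if r[:1] == ("local-id",) and len(r) == 2:
            info["local_id"] = r[1]
        elif r[:2] in (("local-id", "local-ip"), ("local-id", "local-forwarding-ip")):
            info[r[1]] = r[2]
        elif r[:1] == ("peer-id",) and len(r) == 4 and r[2] in ("peer-ip", "peer-forwarding-ip"):
            info["peer_id"], info[r[2]] = r[1], r[3]
        elif r[:2] == ("services-redundancy-group", "1") and len(r) == 4:
            info[r[2]] = r[3]  # activeness-priority, active-signal-route, backup-signal-route
    return info

def signal_conditions(stmts):
    """policy-options condition <name> if-route-exists <route> -> {name: route}."""
    return {s[2]: s[4] for s in stmts
            if s[:2] == ("policy-options", "condition") and s[3:4] == ("if-route-exists",) and len(s) == 5}

def check_pair(n0_text, n1_text, hosts=("vsrx-mnha-n0", "vsrx-mnha-n1"), synced=("mnha-sync",)):
    """Return a list of findings; an empty list means the pair is consistent."""
    n0, n1 = parse_set(n0_text), parse_set(n1_text)
    g0, g1, findings = groups_of(n0), groups_of(n1), []
    for g in synced:  # peers-synchronize keeps these groups identical, so drift here is a bug
        if g0[g] ^ g1[g]:
            findings.append(f"group {g} differs: {sorted(' '.join(d) for d in g0[g] ^ g1[g])}")
        peers = {s[2] for s in g0[g] | g1[g] if s[:2] == ("when", "peers")}
        if peers != set(hosts):
            findings.append(f"group {g} 'when peers' is {sorted(peers)}, expected {sorted(hosts)}")
    a, b = ha_identity(n0), ha_identity(n1)
    for mine, theirs in (("local_id", "peer_id"), ("local-ip", "peer-ip"),
                         ("local-forwarding-ip", "peer-forwarding-ip")):
        if a.get(mine) != b.get(theirs) or b.get(mine) != a.get(theirs):
            findings.append(f"{mine}/{theirs} do not mirror between the nodes")
    if a.get("activeness-priority") == b.get("activeness-priority"):
        findings.append("SRG1 activeness-priority is equal on both nodes")
    for stmts, name, info in ((n0, hosts[0], a), (n1, hosts[1], b)):
        applied = {s[1] for s in stmts if s[:1] == ("apply-groups",)}
        if missing := [g for g in (*synced, "icd") if g not in applied]:
            findings.append(f"{name}: apply-groups missing {missing}")
        signals = {info.get(k, "?") + "/32" for k in ("active-signal-route", "backup-signal-route")}
        if set(signal_conditions(stmts).values()) != signals:
            findings.append(f"{name}: policy conditions do not test the SRG1 signal routes {sorted(signals)}")
    return findings

if __name__ == "__main__":
    print("consistent:", check_pair(NODE0_SET, NODE1_SET))  # []
    print("drifted:", check_pair(NODE0_SET, NODE1_SET.replace("aes-256-gcm", "aes-128-cbc")))
```

Feed it the full display set output of each node before committing; a non-empty list is a reason not to commit. The signal-route check matters because the as-path-prepend policies only follow a failover if the condition tests the exact /32 that the SRG installs, and nothing in the commit process catches a mismatch there.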
SRX-01 (active node)
[edit]
user@vsrx-mnha-n0# show chassis high-availability
local-id {
1;
local-ip 172.26.0.1;
}
peer-id 2 {
peer-ip 172.26.0.2;
interface lo0.1;
routing-instance icl;
vpn-profile icl;
liveness-detection {
minimum-interval 1000;
multiplier 3;
}
}
services-redundancy-group 0 {
peer-id {
2;
}
}
services-redundancy-group 1 {
deployment-type routing;
peer-id {
2;
}
activeness-probe {
dest-ip {
10.0.30.1;
src-ip 172.25.0.0;
routing-instance vr;
}
}
active-signal-route {
172.24.0.1;
}
backup-signal-route {
172.24.0.0;
}
prefix-list srg1-prefix {
routing-instance vr;
}
managed-services ipsec;
process-packet-on-backup;
activeness-priority 100;
}
[edit]
user@vsrx-mnha-n0# show groups mnha-sync
when {
peers [ vsrx-mnha-n0 vsrx-mnha-n1 ];
}
security {
ike {
proposal ike-prop {
authentication-method pre-shared-keys;
dh-group group20;
encryption-algorithm aes-256-gcm;
lifetime-seconds 28800;
}
policy ike-policy {
proposals ike-prop;
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
policy icl {
proposals ike-prop;
}
gateway r1 {
ike-policy ike-policy;
address 10.0.30.1;
dead-peer-detection {
probe-idle-tunnel;
interval 5;
threshold 5;
}
external-interface lo0.0;
version v2-only;
}
gateway icl {
ike-policy icl;
version v2-only;
}
}
ipsec {
proposal ipsec-prop {
encryption-algorithm aes-256-gcm;
lifetime-seconds 3600;
}
policy ipsec-policy {
perfect-forward-secrecy {
keys group20;
}
proposals ipsec-prop;
}
vpn r1 {
bind-interface st0.0;
ike {
gateway r1;
ipsec-policy ipsec-policy;
}
traffic-selector ts1 {
local-ip 10.0.35.11/32;
remote-ip 10.0.30.11/32;
}
establish-tunnels immediately;
}
vpn icl {
ha-link-encryption;
ike {
gateway icl;
ipsec-policy ipsec-policy;
}
}
}
policies {
from-zone icl to-zone icl {
policy permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
global {
policy internal {
match {
source-address any;
destination-address any;
application any;
from-zone [ right vpn left ];
to-zone [ left right vpn ];
}
then {
permit;
log {
session-close;
}
}
}
policy untrust {
match {
source-address any;
destination-address any;
application any;
from-zone [ left right ];
to-zone untrust;
}
then {
permit;
}
}
}
}
zones {
security-zone vpn {
interfaces {
st0.0;
}
}
security-zone left {
interfaces {
lo0.0 {
host-inbound-traffic {
system-services {
ike;
ping;
}
}
}
ge-0/0/3.100 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bgp;
bfd;
}
}
}
}
}
security-zone right {
interfaces {
ge-0/0/4.101 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bgp;
bfd;
}
}
}
}
}
security-zone untrust {
interfaces {
ge-0/0/0.102 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bfd;
bgp;
}
}
}
}
}
}
}
interfaces {
st0 {
unit 0 {
family inet;
}
}
}
routing-instances {
vr {
interface st0.0;
}
}
[edit]
user@vsrx-mnha-n0# show groups monitor-simple
chassis {
high-availability {
services-redundancy-group 1 {
monitor {
bfd-liveliness 10.0.31.1 {
src-ip 10.0.31.10;
routing-instance vr;
session-type singlehop;
interface ge-0/0/0.100;
}
bfd-liveliness 10.0.33.1 {
src-ip 10.0.33.10;
routing-instance vr;
session-type singlehop;
interface ge-0/0/0.101;
}
bfd-liveliness 10.0.38.1 {
src-ip 10.0.38.10;
routing-instance vr;
session-type singlehop;
interface ge-0/0/0.102;
}
interface {
ge-0/0/0;
}
}
}
}
}
[edit]
user@vsrx-mnha-n0# show groups monitor-advanced
chassis {
high-availability {
services-redundancy-group 1 {
monitor {
monitor-object endpoints {
object-threshold 200;
ip {
threshold 100;
destination-ip 10.0.30.10 {
routing-instance vr;
weight 50;
}
destination-ip 10.0.35.10 {
routing-instance vr;
weight 50;
}
}
}
monitor-object routers {
object-threshold 200;
bfd-liveliness {
threshold 100;
destination-ip 10.0.31.1 {
src-ip 10.0.31.10;
routing-instance vr;
session-type singlehop;
interface ge-0/0/3.100;
weight 100;
}
destination-ip 10.0.33.1 {
src-ip 10.0.33.10;
routing-instance vr;
session-type singlehop;
interface ge-0/0/4.101;
weight 100;
}
destination-ip 10.0.38.1 {
src-ip 10.0.38.10;
routing-instance vr;
session-type singlehop;
interface ge-0/0/0.102;
weight 100;
}
}
}
srg-threshold 200;
}
}
}
}
[edit]
user@vsrx-mnha-n0# show groups mnha-sync-icl
system {
commit {
peers {
vsrx-mnha-n1 {
routing-instance icl;
}
}
}
static-host-mapping {
vsrx-mnha-n1 inet 172.26.0.2;
}
}
[edit]
user@vsrx-mnha-n0# show groups icd
chassis {
high-availability {
local-id {
local-forwarding-ip 172.26.0.11;
}
peer-id 2 {
peer-forwarding-ip {
172.26.0.12;
interface lo0.1;
liveness-detection {
minimum-interval 1000;
multiplier 5;
}
}
}
}
}
interfaces {
lo0 {
unit 1 {
family inet {
address 172.26.0.11/32;
}
}
}
}
SRX-02
[edit]
user@vsrx-mnha-n1# show chassis high-availability
local-id {
2;
local-ip 172.26.0.2;
}
peer-id 1 {
peer-ip 172.26.0.1;
interface lo0.1;
routing-instance icl;
vpn-profile icl;
liveness-detection {
minimum-interval 1000;
multiplier 3;
}
}
services-redundancy-group 0 {
peer-id {
1;
}
}
services-redundancy-group 1 {
deployment-type routing;
peer-id {
1;
}
activeness-probe {
dest-ip {
10.0.30.1;
src-ip 172.25.0.0;
routing-instance vr;
}
}
active-signal-route {
172.24.0.1;
}
backup-signal-route {
172.24.0.0;
}
prefix-list srg1-prefix {
routing-instance vr;
}
managed-services ipsec;
process-packet-on-backup;
activeness-priority 200;
}
[edit]
user@vsrx-mnha-n1# show groups mnha-sync
when {
peers [ vsrx-mnha-n0 vsrx-mnha-n1 ];
}
security {
ike {
proposal ike-prop {
authentication-method pre-shared-keys;
dh-group group20;
encryption-algorithm aes-256-gcm;
lifetime-seconds 28800;
}
policy ike-policy {
proposals ike-prop;
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
policy icl {
proposals ike-prop;
}
gateway r1 {
ike-policy ike-policy;
address 10.0.30.1;
dead-peer-detection {
probe-idle-tunnel;
interval 5;
threshold 5;
}
external-interface lo0.0;
version v2-only;
}
gateway icl {
ike-policy icl;
version v2-only;
}
}
ipsec {
proposal ipsec-prop {
encryption-algorithm aes-256-gcm;
lifetime-seconds 3600;
}
policy ipsec-policy {
perfect-forward-secrecy {
keys group20;
}
proposals ipsec-prop;
}
vpn r1 {
bind-interface st0.0;
ike {
gateway r1;
ipsec-policy ipsec-policy;
}
traffic-selector ts1 {
local-ip 10.0.35.11/32;
remote-ip 10.0.30.11/32;
}
establish-tunnels immediately;
}
vpn icl {
ha-link-encryption;
ike {
gateway icl;
ipsec-policy ipsec-policy;
}
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1400;
}
}
tcp-session {
strict-syn-check;
}
}
policies {
from-zone icl to-zone icl {
policy permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
global {
policy internal {
match {
source-address any;
destination-address any;
application any;
from-zone [ right vpn left ];
to-zone [ left right vpn ];
}
then {
permit;
log {
session-close;
}
}
}
policy untrust {
match {
source-address any;
destination-address any;
application any;
from-zone [ left right ];
to-zone untrust;
}
then {
permit;
}
}
}
}
zones {
security-zone vpn {
interfaces {
st0.0;
}
}
security-zone left {
interfaces {
lo0.0 {
host-inbound-traffic {
system-services {
ike;
ping;
}
}
}
ge-0/0/3.100 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bgp;
bfd;
}
}
}
}
}
security-zone right {
interfaces {
ge-0/0/4.101 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bgp;
bfd;
}
}
}
}
}
security-zone untrust {
interfaces {
ge-0/0/0.102 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bfd;
bgp;
}
}
}
}
}
}
}
interfaces {
st0 {
unit 0 {
family inet;
}
}
}
routing-instances {
vr {
interface st0.0;
}
}
[edit]
user@vsrx-mnha-n1# show groups monitor-simple
chassis {
high-availability {
services-redundancy-group 1 {
monitor {
bfd-liveliness 10.0.32.1 {
src-ip 10.0.32.10;
routing-instance vr;
session-type singlehop;
interface ge-0/0/3.100;
}
bfd-liveliness 10.0.34.1 {
src-ip 10.0.34.10;
routing-instance vr;
session-type singlehop;
interface ge-0/0/4.101;
}
bfd-liveliness 10.0.39.1 {
src-ip 10.0.39.10;
routing-instance vr;
session-type singlehop;
interface ge-0/0/0.102;
}
interface {
ge-0/0/0;
}
}
}
}
}
[edit]
user@vsrx-mnha-n1# show groups monitor-advanced
chassis {
high-availability {
services-redundancy-group 1 {
monitor {
monitor-object endpoints {
object-threshold 200;
ip {
threshold 100;
destination-ip 10.0.30.10 {
routing-instance vr;
weight 50;
}
destination-ip 10.0.35.10 {
routing-instance vr;
weight 50;
}
}
}
monitor-object routers {
object-threshold 200;
bfd-liveliness {
threshold 100;
destination-ip 10.0.32.1 {
src-ip 10.0.32.10;
routing-instance vr;
session-type singlehop;
interface ge-0/0/3.100;
weight 100;
}
destination-ip 10.0.34.1 {
src-ip 10.0.34.10;
routing-instance vr;
session-type singlehop;
interface ge-0/0/4.101;
weight 100;
}
destination-ip 10.0.39.1 {
src-ip 10.0.39.10;
routing-instance vr;
session-type singlehop;
interface ge-0/0/0.102;
weight 100;
}
}
}
srg-threshold 200;
}
}
}
}
[edit]
user@vsrx-mnha-n1# show groups mnha-sync-icl
system {
commit {
peers {
vsrx-mnha-n0 {
routing-instance icl;
}
}
}
static-host-mapping {
vsrx-mnha-n0 inet 172.26.0.1;
}
}
[edit]
user@vsrx-mnha-n1# show groups icd
chassis {
high-availability {
local-id {
local-forwarding-ip 172.26.0.12;
}
peer-id 1 {
peer-forwarding-ip {
172.26.0.11;
interface lo0.1;
liveness-detection {
minimum-interval 1000;
multiplier 5;
}
}
}
}
}
interfaces {
lo0 {
unit 1 {
family inet {
address 172.26.0.12/32;
}
}
}
}
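The two node-specific groups above (`icd` and `mnha-sync-icl`) are the ones that must be mirrored by hand rather than synchronized, so a practitioner will want a check that the values on both nodes agree before committing. The following is an added example, not code from the Juniper page or Junos tooling: it uses a minimal hand-written curly-brace parser (an assumption of this example) to confirm that each node's `peer-forwarding-ip` is the other node's `local-forwarding-ip` and that every `commit peers` hostname has a `static-host-mapping` entry; the sample inputs are constructed from the values shown above.

```python
import re

def parse_junos(text):
    """Parse Junos curly-brace config into nested dicts; leaf statements map to True."""
    text = re.sub(r"##.*", "", text)  # drop "## SECRET-DATA" style annotations
    root, stack, pending = {}, [], []
    cur = root
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == "{":  # open a container such as "peer-id 2 {"
            child = cur.setdefault(" ".join(pending), {})
            stack.append(cur)
            cur, pending = child, []
        elif tok == ";":  # leaf statement such as "local-forwarding-ip 172.26.0.11;"
            cur[" ".join(pending)] = True
            pending = []
        elif tok == "}":
            cur, pending = stack.pop(), []
        else:
            pending.extend(tok.split())
    return root

def forwarding_ips(icd_group):
    """Return (local-forwarding-ip, peer-forwarding-ip) from one node's 'icd' group text."""
    ha = parse_junos(icd_group)["chassis"]["high-availability"]
    local = next(k.split()[1] for k in ha["local-id"] if k.startswith("local-forwarding-ip "))
    peer_block = next(v for k, v in ha.items() if k.startswith("peer-id "))
    peer = next(k for k in peer_block["peer-forwarding-ip"] if re.fullmatch(r"[\d.]+", k))
    return local, peer

def icl_forwarding_mirrored(n0_icd, n1_icd):
    """True when each node's peer-forwarding-ip is the other node's local-forwarding-ip."""
    local0, peer0 = forwarding_ips(n0_icd)
    local1, peer1 = forwarding_ips(n1_icd)
    return peer0 == local1 and peer1 == local0

def commit_peers_mapped(sync_icl_group):
    """True when every [system commit peers] hostname has a static-host-mapping entry."""
    system = parse_junos(sync_icl_group)["system"]
    mapped = {k.split()[0] for k in system["static-host-mapping"]}
    return all(peer in mapped for peer in system["commit"]["peers"])

# Constructed sample input, taken from the values shown for vsrx-mnha-n0 and vsrx-mnha-n1 above.
N0_ICD = ("chassis { high-availability { local-id { local-forwarding-ip 172.26.0.11; } "
          "peer-id 2 { peer-forwarding-ip { 172.26.0.12; interface lo0.1; } } } }")
N1_ICD = ("chassis { high-availability { local-id { local-forwarding-ip 172.26.0.12; } "
          "peer-id 1 { peer-forwarding-ip { 172.26.0.11; interface lo0.1; } } } }")
N0_SYNC_ICL = ("system { commit { peers { vsrx-mnha-n1 { routing-instance icl; } } } "
               "static-host-mapping { vsrx-mnha-n1 inet 172.26.0.2; } }")
```

Feed the text of `show groups icd` from each node to `icl_forwarding_mirrored` and the text of `show groups mnha-sync-icl` to `commit_peers_mapped`; a mismatch (for example a peer-forwarding-ip that points at the ICL address 172.26.0.1 instead of the peer's forwarding address) returns False.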