
    Overview

    The Juniper Networks SRX3600 is deployed in this solution as the edge firewall and provides perimeter security for the virtualized data center network that sits between the edge router and the core switch. The SRX3600 is configured in active/backup chassis cluster mode. Active/backup is the most common high availability firewall deployment: two firewalls form a cluster, and one of them actively provides routing, firewall, NAT, VPN, and security services and holds control of the chassis cluster. On chassis cluster failover, the backup firewall becomes the active firewall and the former active firewall becomes the backup.

    Configuring Chassis Clustering

    Configuring a chassis cluster requires a minimum of two devices. Here we are using two SRX3600s, which must be the same model with matching hardware and must run the same Junos OS version. Since the solution has only a single cluster, it uses only cluster-id 1: SRX 3600-1 acts as node 0 and SRX 3600-2 is configured as node 1. These commands are the only ones where it matters which chassis member you apply them to, because the cluster ID and node ID are stored in NVRAM rather than in the configuration itself. The command also causes the cluster member to reboot, which is common to all current versions of Junos OS.

    To configure chassis clustering, you must first set the cluster ID and node ID on each cluster member, as shown in the following steps:

    1. Configure SRX 3600-1.
      set chassis cluster cluster-id 1 node 0 reboot
    2. Configure SRX 3600-2.
      set chassis cluster cluster-id 1 node 1 reboot

      Note: These are operational mode commands; enter them at the operational prompt, not in configuration mode.

      Control port configuration: Once the chassis members have rebooted, the SRX3600 uses two designated, labeled ports as control ports.

    Configuring Chassis Clustering Data Fabric

    Once the SRX3600s are configured as a chassis cluster and the control ports have been assigned, the fabric (data) ports of the cluster must be configured. In active/passive mode the fabric link carries real-time objects (RTOs), the messages the nodes use to synchronize session and other state between the chassis members of the cluster.

    To configure the data fabric, you must configure two fabric interfaces, one on each chassis, as shown in the following steps. These interfaces are cabled to each other to form the fabric link. Unlike the cluster-id commands above, these are configuration mode statements: both are entered once, from the primary node, because the cluster shares a single configuration. fab0 belongs to node 0 and fab1 to node 1, and node 1's member interface uses node 1's slot numbering (on the SRX3600, node 1 FPC slots are offset by 13, so ge-18/0/15 is port 15 of slot 5 on node 1, the same physical port as ge-5/0/15 on node 0).

    1. Configure fab0 for SRX 3600-1 (node 0).
      set interfaces fab0 fabric-options member-interfaces ge-5/0/15
    2. Configure fab1 for SRX 3600-2 (node 1).
      set interfaces fab1 fabric-options member-interfaces ge-18/0/15

    Configuring Chassis Clustering Groups

    Since the SRX cluster configuration is held in a single common configuration, we need a way to assign some elements of the configuration to a specific member only. Junos OS does this with the node-specific configuration method called groups: the statements for each member are placed in a group named node0 or node1, and the apply-groups statement uses the ${node} variable so that each node recognizes its own number and applies only its own group. All of these statements are entered once, in configuration mode on the primary node. We also configure out-of-band management on the fxp0 interface, with separate IP addresses for the individual control planes of the two cluster members. Node-specific configuration is covered in the next configuration example.

    To configure chassis clustering groups, including the host name, backup-router, and interface addressing, follow these steps:

    1. Configure the node0 group (SRX 3600-1).
      set groups node0 system host-name vdc-edge-fw01-n0
      set groups node0 system backup-router 10.94.47.62
      set groups node0 interfaces fxp0 unit 0 family inet address 10.94.47.33/27
    2. Configure the node1 group (SRX 3600-2).
      set groups node1 system host-name vdc-edge-fw01-n1
      set groups node1 system backup-router 10.94.47.62
      set groups node1 interfaces fxp0 unit 0 family inet address 10.94.47.34/27
    3. Apply the groups using the node variable.
      set apply-groups "${node}"

    Configuring Chassis Clustering Redundancy Groups

    The next step in configuring chassis clustering is to configure redundancy groups. Redundancy group 0 is always for the control plane (the Routing Engine), while redundancy groups 1 and higher are for the data plane ports. Because active/backup mode allows only one chassis member to be active at a time, we define only redundancy groups 0 and 1. We must also configure how many redundant Ethernet (reth) interfaces the cluster will use, with reth-count, so that the system can allocate the appropriate resources for them. This is similar to the device-count setting for aggregated Ethernet.

    We also need to define which node has priority for the control plane (redundancy group 0) and which node is preferred to be active for the data plane (redundancy group 1); in JSRP the higher priority is preferred. Remember that in active/passive the control plane can be active on a different chassis than the data plane (there is nothing technically wrong with this, but many administrators prefer to have both the control plane and the data plane active on the same chassis member, which is why node 0 is given the higher priority in both groups below). Preempt is not enabled in this example, so after a failover the recovered node stays secondary until the group is failed back.

    To configure redundancy groups and priority, see the following example:

    1. Configure redundancy groups and priority.
      set chassis cluster reth-count 2
      set chassis cluster redundancy-group 0 node 0 priority 129
      set chassis cluster redundancy-group 0 node 1 priority 128
      set chassis cluster redundancy-group 1 node 0 priority 129
      set chassis cluster redundancy-group 1 node 1 priority 128

    Configuring Chassis Clustering Data Interfaces

    The next step in chassis cluster configuration is to define the actual data interfaces on the platform so that, in the event of a data plane failover, the other chassis member can take over the connections seamlessly. This configuration involves assigning the physical member interfaces to the RETH interface, defining which redundancy group the RETH interface belongs to (in active/passive it will always be 1), and finally defining the RETH interface information, such as the IP address of the interface.

    Note: The redundant Ethernet interfaces are LAGs toward the core switches (reth0) and toward the edge routers (reth1).

    To configure redundant data interfaces on the chassis cluster, follow these steps:

    1. Configure redundant Ethernet LAG interface reth0 toward the core switches, used as the trust interface.
      [edit]
      set interfaces reth0 description "Trust Zone toward POD"
      set interfaces reth0 vlan-tagging
      set interfaces reth0 redundant-ether-options redundancy-group 1
      set interfaces reth0 redundant-ether-options minimum-links 1
      set interfaces reth0 redundant-ether-options lacp active
      set interfaces reth0 redundant-ether-options lacp periodic fast
      set interfaces reth0 unit 0 vlan-id 10
      set interfaces reth0 unit 0 family inet address 192.168.25.3/24
    2. Configure the member links for reth0 on both nodes. (Once the chassis cluster is configured, everything can be configured from the primary node, as the cluster behaves as a single physical chassis. The xe-16 and xe-17 links are slots 3 and 4 of node 1, whose FPC numbers are offset by 13.)
      [edit]
      set interfaces xe-3/0/0 gigether-options redundant-parent reth0
      set interfaces xe-3/0/1 gigether-options redundant-parent reth0
      set interfaces xe-4/0/0 gigether-options redundant-parent reth0
      set interfaces xe-4/0/1 gigether-options redundant-parent reth0
      ….
      set interfaces xe-16/0/0 gigether-options redundant-parent reth0
      set interfaces xe-16/0/1 gigether-options redundant-parent reth0
      set interfaces xe-17/0/0 gigether-options redundant-parent reth0
      set interfaces xe-17/0/1 gigether-options redundant-parent reth0
    3. Configure redundant Ethernet LAG interface reth1 toward the edge routers, used as the untrust interface.
      [edit]
      set interfaces reth1 description "Untrust Zone toward Edge-routers"
      set interfaces reth1 vlan-tagging
      set interfaces reth1 redundant-ether-options redundancy-group 1
      set interfaces reth1 redundant-ether-options minimum-links 1
      set interfaces reth1 redundant-ether-options lacp active
      set interfaces reth1 redundant-ether-options lacp periodic fast
      set interfaces reth1 unit 0 vlan-id 11
      set interfaces reth1 unit 0 family inet address 192.168.26.3/24
      set interfaces reth1 unit 0 family inet address 10.94.127.30/27
    4. Configure the member links for reth1 on both nodes (again from node 0; xe-14 and xe-15 are slots 1 and 2 of node 1).
      [edit]
      set interfaces xe-1/0/0 gigether-options redundant-parent reth1
      set interfaces xe-1/0/1 gigether-options redundant-parent reth1
      set interfaces xe-2/0/0 gigether-options redundant-parent reth1
      set interfaces xe-2/0/1 gigether-options redundant-parent reth1
      ….
      set interfaces xe-14/0/0 gigether-options redundant-parent reth1
      set interfaces xe-14/0/1 gigether-options redundant-parent reth1
      set interfaces xe-15/0/0 gigether-options redundant-parent reth1
      set interfaces xe-15/0/1 gigether-options redundant-parent reth1
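Before committing, it is worth checking that the redundancy-group statements and the reth member links from the two sections above are consistent with each other: every reth is in redundancy group 1 or higher, the group it uses has a priority on both nodes, reth-count covers every reth in use, and each reth has the same member links on both nodes once node 1's slot offset is removed. The Python below is an added example, not code from this guide or from Juniper: it reads the statements as text, assumes the SRX3600 slot layout shown by the guide's own interface names (node 1 FPC slots are node 0 slots plus 13), and returns a list of findings rather than touching a device. After the commit, show chassis cluster status and show chassis cluster interfaces on the primary node confirm the live state.

```python
"""Offline consistency check for SRX chassis cluster 'set' statements.

Added example, not from the Juniper guide. It assumes the SRX3600 slot layout
the guide's own interface names show: in a cluster, node 1 FPC slots are node 0
slots plus 13 (xe-3/0/0 on node 0 pairs with xe-16/0/0 on node 1).
"""
import re
import shlex
from collections import defaultdict

SRX3600_NODE1_FPC_OFFSET = 13
IFACE_RE = re.compile(r"^(?P<type>[a-z]+)-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)$")

# Constructed input: the guide's redundancy-group and reth statements with a
# subset of its member links (two per node per reth).
CLUSTER_CONFIG = """
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 129
set chassis cluster redundancy-group 0 node 1 priority 128
set chassis cluster redundancy-group 1 node 0 priority 129
set chassis cluster redundancy-group 1 node 1 priority 128
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces xe-3/0/0 gigether-options redundant-parent reth0
set interfaces xe-3/0/1 gigether-options redundant-parent reth0
set interfaces xe-16/0/0 gigether-options redundant-parent reth0
set interfaces xe-16/0/1 gigether-options redundant-parent reth0
set interfaces xe-1/0/0 gigether-options redundant-parent reth1
set interfaces xe-1/0/1 gigether-options redundant-parent reth1
set interfaces xe-14/0/0 gigether-options redundant-parent reth1
set interfaces xe-14/0/1 gigether-options redundant-parent reth1
"""


def parse_set_lines(text):
    """Tokenize 'set ...' statements (leading 'set' dropped); other lines are ignored."""
    stmts = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "set":
            stmts.append(tokens[1:])
    return stmts


def node_of(ifname, offset=SRX3600_NODE1_FPC_OFFSET):
    """Map a physical interface to (node, name as it would read on node 0).

    Node 1 interfaces are renumbered by `offset` in a cluster; undoing that lets
    the two nodes' member links be compared slot for slot.
    """
    m = IFACE_RE.match(ifname)
    if not m:
        raise ValueError(f"not a physical interface: {ifname}")
    fpc = int(m.group("fpc"))
    node = 1 if fpc >= offset else 0
    return node, f"{m.group('type')}-{fpc - node * offset}/{m.group('pic')}/{m.group('port')}"


def check_cluster(text, offset=SRX3600_NODE1_FPC_OFFSET):
    """Return a list of findings; an empty list means the statements are consistent."""
    reth_count = None
    priorities = defaultdict(dict)                        # rg -> {node: priority}
    reth_rg = {}                                          # reth -> redundancy group
    members = defaultdict(lambda: {0: set(), 1: set()})  # reth -> node -> links
    for s in parse_set_lines(text):
        if s[:3] == ["chassis", "cluster", "reth-count"] and len(s) > 3:
            reth_count = int(s[3])
        elif s[:3] == ["chassis", "cluster", "redundancy-group"] and len(s) > 7 and s[4:7:2] == ["node", "priority"]:
            priorities[int(s[3])][int(s[5])] = int(s[7])
        elif s[:1] == ["interfaces"] and s[2:4] == ["redundant-ether-options", "redundancy-group"] and len(s) > 4:
            reth_rg[s[1]] = int(s[4])
        elif s[:1] == ["interfaces"] and s[2:4] == ["gigether-options", "redundant-parent"] and len(s) > 4:
            node, local = node_of(s[1], offset)
            members[s[4]][node].add(local)

    findings = []
    reths = sorted(set(reth_rg) | set(members))
    if reth_count is None:
        findings.append("chassis cluster reth-count is not set")
    elif len(reths) > reth_count:
        findings.append(f"reth-count {reth_count} is below the {len(reths)} reth interfaces in use")
    for rg, prio in sorted(priorities.items()):
        if set(prio) != {0, 1}:
            findings.append(f"redundancy-group {rg}: priority is not set for both nodes")
        elif prio[0] == prio[1]:
            findings.append(f"redundancy-group {rg}: equal priorities on both nodes; the tie is broken by node ID")
    for reth in reths:
        rg = reth_rg.get(reth)
        if rg is None:
            findings.append(f"{reth}: no redundancy-group assigned")
        elif rg == 0:
            findings.append(f"{reth}: redundancy-group 0 is the control plane; data reths need group 1 or higher")
        elif rg not in priorities:
            findings.append(f"{reth}: redundancy-group {rg} has no node priorities")
        n0, n1 = members[reth][0], members[reth][1]
        missing = [n for n in (0, 1) if not members[reth][n]]
        if missing:
            findings.append(f"{reth}: no member links on node {missing}, so it cannot fail over")
        elif n0 != n1:
            findings.append(f"{reth}: asymmetric member links, node 0 only {sorted(n0 - n1)}, "
                            f"node 1 only {sorted(n1 - n0)}")
    return findings


if __name__ == "__main__":
    for line in check_cluster(CLUSTER_CONFIG) or ["cluster statements are consistent"]:
        print(line)
```

The offset is a parameter because other SRX models renumber node 1 differently; for any platform, the pairs the guide shows (ge-5/0/15 with ge-18/0/15, xe-3/0/0 with xe-16/0/0) should map to the same node 0 name, which is also a quick sanity check on the value used.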

    Configuring Chassis Clustering – Security Zones and Security Policy

    Once chassis clustering is completely configured, the RETH interfaces should be assigned to the appropriate security zones and routing instances. From here on, the configuration references RETH interfaces instead of individual member interfaces. For this example, we simply leave reth0 and reth1 in the default routing instance (whose IPv4 table is inet.0), which requires no additional configuration. Additional configuration of the perimeter security includes the following steps:

    • Zone and address book configuration
    • Security policy configuration

    To configure security on the SRX chassis cluster, follow these steps. Two things to note before copying this configuration: the example permits all host-inbound system services and protocols on reth1.0 in the untrust zone, which exposes the firewall's own management and routing services toward the edge routers, so a production deployment should list only the services and protocols the firewall must terminate there; and the applications ICMP, Exchange, and SharePoint referenced by the policies are custom applications that must be defined under [edit applications] before the commit (their definitions are not shown here).

    1. Configure security zones and address books.
      [edit]
      set security zones functional-zone management host-inbound-traffic system-services ssh
      set security zones functional-zone management host-inbound-traffic system-services https
      set security zones functional-zone management host-inbound-traffic protocols all
      set security zones security-zone untrust address-book address TVM-Client-Subnet 10.10.0.0/16
      set security zones security-zone untrust address-book address TrafficGenerator-External 10.40.0.0/16
      set security zones security-zone untrust host-inbound-traffic protocols all
      set security zones security-zone untrust interfaces reth1.0 host-inbound-traffic system-services all
      set security zones security-zone untrust interfaces reth1.0 host-inbound-traffic protocols all
      set security zones security-zone trust address-book address SA-server1 10.94.63.24/32
      set security zones security-zone trust address-book address SP-Server 10.94.127.180/32
      set security zones security-zone trust address-book address Exchange-Server 10.94.127.181/32
      set security zones security-zone trust address-book address MediaWiki-Server 10.94.127.182/32
      set security zones security-zone trust address-book address TVM-Server-Subnet 10.20.127.0/24
      set security zones security-zone trust address-book address TrafficGenerator-Internal-502 10.30.0.0/16
      set security zones security-zone trust address-book address TrafficGenerator-Internal-503 10.30.0.0/16
      set security zones security-zone trust address-book address TrafficGenerator-Internal-504 10.30.0.0/16
      set security zones security-zone trust address-book address TrafficGenerator-Internal-501 10.30.0.0/16
      set security zones security-zone trust address-book address TrafficGenerator-Internal-505 10.30.0.0/16
      set security zones security-zone trust host-inbound-traffic protocols all
      set security zones security-zone trust interfaces reth0.0 host-inbound-traffic system-services all
      set security zones security-zone trust interfaces reth0.0 host-inbound-traffic protocols all
    2. Configure the outbound security policy for traffic sourced from the trust zone (reth0) to the untrust zone (reth1).
      [edit]
      set security policies from-zone trust to-zone untrust policy Internet-access match source-address any
      set security policies from-zone trust to-zone untrust policy Internet-access match destination-address any
      set security policies from-zone trust to-zone untrust policy Internet-access match application junos-http
      set security policies from-zone trust to-zone untrust policy Internet-access match application junos-https
      set security policies from-zone trust to-zone untrust policy Internet-access match application junos-http-ext
      set security policies from-zone trust to-zone untrust policy Internet-access match application junos-ntp
      set security policies from-zone trust to-zone untrust policy Internet-access match application junos-dns-udp
      set security policies from-zone trust to-zone untrust policy Internet-access match application ICMP
      set security policies from-zone trust to-zone untrust policy Internet-access then permit
    3. Configure the inbound security policies for traffic sourced from the untrust zone (reth1) to the trust zone (reth0).
      [edit]
      set security policies from-zone untrust to-zone trust policy remote-access match source-address any
      set security policies from-zone untrust to-zone trust policy remote-access match destination-address SA-server1
      set security policies from-zone untrust to-zone trust policy remote-access match application junos-https
      set security policies from-zone untrust to-zone trust policy remote-access then permit
      set security policies from-zone untrust to-zone trust policy Exchange-Access match source-address any
      set security policies from-zone untrust to-zone trust policy Exchange-Access match destination-address Exchange-Server
      set security policies from-zone untrust to-zone trust policy Exchange-Access match application junos-imap
      set security policies from-zone untrust to-zone trust policy Exchange-Access match application junos-pop3
      set security policies from-zone untrust to-zone trust policy Exchange-Access match application junos-ms-rpc-msexchange
      set security policies from-zone untrust to-zone trust policy Exchange-Access match application junos-http
      set security policies from-zone untrust to-zone trust policy Exchange-Access match application junos-https
      set security policies from-zone untrust to-zone trust policy Exchange-Access match application junos-http-ext
      set security policies from-zone untrust to-zone trust policy Exchange-Access match application junos-ms-rpc-msexchange-directory-nsp
      set security policies from-zone untrust to-zone trust policy Exchange-Access match application junos-ms-rpc-msexchange-directory-rfr
      set security policies from-zone untrust to-zone trust policy Exchange-Access match application junos-ms-rpc-msexchange-info-store
      set security policies from-zone untrust to-zone trust policy Exchange-Access match application Exchange
      set security policies from-zone untrust to-zone trust policy Exchange-Access match application junos-smtp
      set security policies from-zone untrust to-zone trust policy Exchange-Access then permit
      set security policies from-zone untrust to-zone trust policy MediaWiki-Access match source-address any
      set security policies from-zone untrust to-zone trust policy MediaWiki-Access match destination-address MediaWiki-Server
      set security policies from-zone untrust to-zone trust policy MediaWiki-Access match application junos-http
      set security policies from-zone untrust to-zone trust policy MediaWiki-Access match application junos-https
      set security policies from-zone untrust to-zone trust policy MediaWiki-Access match application junos-http-ext
      set security policies from-zone untrust to-zone trust policy MediaWiki-Access then permit
      set security policies from-zone untrust to-zone trust policy SharePoint-Access match source-address any
      set security policies from-zone untrust to-zone trust policy SharePoint-Access match destination-address SP-Server
      set security policies from-zone untrust to-zone trust policy SharePoint-Access match application junos-http
      set security policies from-zone untrust to-zone trust policy SharePoint-Access match application junos-https
      set security policies from-zone untrust to-zone trust policy SharePoint-Access match application junos-http-ext
      set security policies from-zone untrust to-zone trust policy SharePoint-Access match application SharePoint
      set security policies from-zone untrust to-zone trust policy SharePoint-Access then permit
      set security policies from-zone untrust to-zone trust policy ICMP-allow match source-address any
      set security policies from-zone untrust to-zone trust policy ICMP-allow match destination-address any
      set security policies from-zone untrust to-zone trust policy ICMP-allow match application ICMP
      set security policies from-zone untrust to-zone trust policy ICMP-allow then permit
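The zone and policy statements above are the part of this configuration a reviewer would read most carefully, and the checks are mechanical: which host-inbound-traffic statements open the firewall's own services on the untrust side, whether every address and application a policy references actually exists, and which permits from untrust match any source to any destination. The Python below is an added example, not code from this guide or from Juniper. It runs the same checks over a constructed subset of the statements above, treats names starting with junos- as Juniper's predefined applications and everything else as needing a definition under [edit applications], and takes the list of Internet-facing zones as a parameter (untrust here).

```python
"""Lint for SRX security zone and policy 'set' statements.

Added example, not from the Juniper guide. Flags configuration a reviewer would
question: host-inbound-traffic 'all' on an Internet-facing zone or interface,
policies that reference address-book names or custom applications not defined in
the same snippet (custom applications live under [edit applications]), and
permits from an Internet-facing zone with both source and destination 'any'.
"""
from collections import defaultdict

# Constructed input: a subset of the guide's zone and policy statements.
SECURITY_CONFIG = """
set security zones security-zone untrust address-book address TVM-Client-Subnet 10.10.0.0/16
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces reth1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces reth1.0 host-inbound-traffic protocols all
set security zones security-zone trust address-book address SA-server1 10.94.63.24/32
set security zones security-zone trust address-book address MediaWiki-Server 10.94.127.182/32
set security zones security-zone trust interfaces reth0.0 host-inbound-traffic system-services all
set security policies from-zone trust to-zone untrust policy Internet-access match source-address any
set security policies from-zone trust to-zone untrust policy Internet-access match destination-address any
set security policies from-zone trust to-zone untrust policy Internet-access match application junos-https
set security policies from-zone trust to-zone untrust policy Internet-access match application ICMP
set security policies from-zone trust to-zone untrust policy Internet-access then permit
set security policies from-zone untrust to-zone trust policy remote-access match source-address any
set security policies from-zone untrust to-zone trust policy remote-access match destination-address SA-server1
set security policies from-zone untrust to-zone trust policy remote-access match application junos-https
set security policies from-zone untrust to-zone trust policy remote-access then permit
set security policies from-zone untrust to-zone trust policy ICMP-allow match source-address any
set security policies from-zone untrust to-zone trust policy ICMP-allow match destination-address any
set security policies from-zone untrust to-zone trust policy ICMP-allow match application ICMP
set security policies from-zone untrust to-zone trust policy ICMP-allow then permit
"""


def lint_security(text, external_zones=("untrust",)):
    """Return findings for the 'set' statements in text; external_zones face the Internet."""
    addresses = defaultdict(set)   # zone -> address and address-set names in its address book
    custom_apps = set()            # names defined with 'set applications application[-set] <name> ...'
    host_inbound = []              # (zone, scope, kind, value) from host-inbound-traffic statements
    policies = {}                  # (from-zone, to-zone, name) -> match fields and action
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["set"]:
            continue
        t = t[1:]
        if t[:1] == ["applications"] and len(t) > 2 and t[1] in ("application", "application-set"):
            custom_apps.add(t[2])
        elif t[:2] == ["security", "zones"] and "address-book" in t:
            i = t.index("address-book")   # ... security-zone <zone> address-book address <name> <prefix>
            if len(t) > i + 2:
                addresses[t[i - 1]].add(t[i + 2])
        elif t[:2] == ["security", "zones"] and "host-inbound-traffic" in t:
            j = t.index("host-inbound-traffic")
            if len(t) > j + 1:
                zone = t[3]
                scope = t[j - 1] if t[j - 2] == "interfaces" else zone   # per-interface or zone-wide
                host_inbound.append((zone, scope, t[j + 1], t[j + 2] if len(t) > j + 2 else ""))
        elif t[:3] == ["security", "policies", "from-zone"] and len(t) > 9 and t[4] == "to-zone" and t[6] == "policy":
            p = policies.setdefault((t[3], t[5], t[7]), {"source-address": [], "destination-address": [],
                                                         "application": [], "action": None})
            if t[8] == "match" and len(t) > 10 and t[9] in p:
                p[t[9]].append(t[10])
            elif t[8] == "then":
                p["action"] = t[9]

    findings = []
    for zone, scope, kind, value in host_inbound:
        if zone in external_zones and value == "all":
            findings.append(f"zone {zone} ({scope}): host-inbound-traffic {kind} all exposes the firewall's "
                            f"own services to the outside; list only the {kind} it must terminate")
    for (from_zone, to_zone, name), p in policies.items():
        for addr in p["source-address"]:
            if addr != "any" and addr not in addresses[from_zone]:
                findings.append(f"policy {name}: source-address {addr} is not in the {from_zone} address book")
        for addr in p["destination-address"]:
            if addr != "any" and addr not in addresses[to_zone]:
                findings.append(f"policy {name}: destination-address {addr} is not in the {to_zone} address book")
        for app in p["application"]:
            if app != "any" and not app.startswith("junos-") and app not in custom_apps:
                findings.append(f"policy {name}: application {app} is neither predefined (junos-*) "
                                f"nor defined under [edit applications]")
        if (from_zone in external_zones and p["action"] == "permit"
                and "any" in p["source-address"] and "any" in p["destination-address"]):
            findings.append(f"policy {name}: permits any source to any destination from {from_zone}")
    return findings


if __name__ == "__main__":
    for finding in lint_security(SECURITY_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the lint reports the three host-inbound-traffic 'all' statements on the untrust side, the undefined ICMP application in both policies that use it, and the any-to-any ICMP-allow permit from untrust; adding a definition such as set applications application ICMP protocol icmp removes the two application findings, which is the order in which a reviewer would want the real configuration fixed.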

    Published: 2015-04-20