Example: Configure Multinode High Availability Using Junos OS Configuration Groups
Read this topic to understand how to configure Multinode High Availability using Junos OS configuration groups.
In Multinode High Availability, two Junos OS security devices operate as independent devices. Each device has its own hostname and its own IP address on the fxp0 interface. You can use the Junos groups statement to configure Multinode High Availability: to guarantee an identical security configuration and state on both devices, you configure a group for the Multinode High Availability setup. Multinode High Availability nodes synchronize their configuration exclusively through this group mechanism.
If you need to configure statements that are common to both nodes, you can use one of the following approaches:
- Configure the common configuration (for example, security) on one device and copy and paste it manually to the other device. Alternatively, use an external tool (for example, scripting) to copy the same configuration snippet to both devices where applicable.
- Use a common Junos group configuration that is synchronized between the two nodes but edited on only one device. This approach involves:
  - Configuring features as part of a group. Such configuration groups let you create smaller, logically organized configuration files.
  - Synchronizing the configuration using the edit system commit peers-synchronize option.
  - Naming the devices in the group using the when peers <device-name> statement.
When you enable configuration synchronization (using the peers-synchronize option) on both devices in Multinode High Availability, the configuration you set under [groups] on one peer is automatically synchronized to the other peer at commit time.
For more information about configuration groups, see Use Configuration Groups to Quickly Configure Devices.
In Security Director or Security Director Cloud, the system manages reusable configuration snippets, similar to Junos groups, through policy templates and shared objects.
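The script below is an added example; it is not code from this page or from Juniper. It reads a Junos configuration in set format and checks the prerequisites the group-based approach above depends on: every group that carries a when peers statement must name both hosts (a group that names only one host is applied on only that host), must be applied with apply-groups, and the local node must have a system commit peers <peer> statement (or peers-synchronize) in effect. It also lists security statements that sit outside any group, since those are not synchronized and must be intended as node-local (as the ICL settings on this page are). The sample configuration, the group names half-sync and stale, and the function names are constructed for this illustration; the hostnames vsrx-mnha-n0 and vsrx-mnha-n1 are the page's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in Junos "set" format, modelled on this page's configuration
# (host names and the mnha-sync/mnha-sync-icl/icd group names come from the page;
# half-sync and stale are invented to show two misconfigurations).
SAMPLE_CONFIG = """\
set groups mnha-sync when peers vsrx-mnha-n0
set groups mnha-sync when peers vsrx-mnha-n1
set groups mnha-sync security ike proposal ike-prop dh-group group20
set groups mnha-sync security policies global policy untrust then permit
set groups half-sync when peers vsrx-mnha-n0
set groups half-sync security zones security-zone left interfaces lo0.0
set groups stale when peers vsrx-mnha-n0
set groups stale when peers vsrx-mnha-n1
set groups stale security flow tcp-session strict-syn-check
set groups mnha-sync-icl system commit peers vsrx-mnha-n1 routing-instance icl
set groups icd chassis high-availability local-id local-forwarding-ip 172.26.0.11
set apply-groups mnha-sync
set apply-groups half-sync
set apply-groups mnha-sync-icl
set apply-groups icd
set security ike policy icl proposals ike-prop
set chassis high-availability local-id 1
"""

GROUP_RE = re.compile(r"^set groups (\S+) (.+)$")


@dataclass
class SyncReport:
    commit_peers: set = field(default_factory=set)        # hosts named under system commit peers
    peers_synchronize: bool = False                        # system commit peers-synchronize present
    unsynced_security: list = field(default_factory=list)  # top-level security statements
    problems: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.problems


def analyse(config_text, local_host, peer_host):
    """Check that the prerequisites for group-based peer synchronisation are in place."""
    groups, applied, top = {}, set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        m = GROUP_RE.match(line)
        if m:
            name, rest = m.groups()
            g = groups.setdefault(name, {"peers": set(), "body": []})
            pm = re.fullmatch(r"when peers (\S+)", rest)
            if pm:
                g["peers"].add(pm.group(1))
            else:
                g["body"].append(rest)
        elif line.startswith("set apply-groups "):
            applied.add(line.split()[2])
        else:
            top.append(line[4:])
    # Statements in effect on the local node: top level plus applied groups that apply
    # here (a group with "when peers" applies only on the hosts it names).
    effective = list(top)
    for name in applied:
        g = groups.get(name)
        if g and (not g["peers"] or local_host in g["peers"]):
            effective.extend(g["body"])
    r = SyncReport()
    r.peers_synchronize = any(s.startswith("system commit peers-synchronize") for s in effective)
    r.commit_peers = {s.split()[3] for s in effective if s.startswith("system commit peers ")}
    r.unsynced_security = [s for s in top if s.startswith("security ")]
    wanted = {local_host, peer_host}
    for name, g in groups.items():
        if not g["peers"]:
            continue  # no "when peers": a node-local group, nothing to synchronise
        if g["peers"] != wanted:
            r.problems.append(f"group {name}: 'when peers' names {sorted(g['peers'])}, expected {sorted(wanted)}")
        if name not in applied:
            r.problems.append(f"group {name}: defined but never applied (missing 'set apply-groups {name}')")
    if not r.peers_synchronize and peer_host not in r.commit_peers:
        r.problems.append(f"no 'system commit peers {peer_host}' or 'peers-synchronize' in effect: commits will not sync")
    return r


if __name__ == "__main__":
    report = analyse(SAMPLE_CONFIG, "vsrx-mnha-n0", "vsrx-mnha-n1")
    for p in report.problems:
        print("PROBLEM:", p)
    for s in report.unsynced_security:
        print("node-local (not synchronised):", s)
```

Run it against the output of show configuration | display set from one node, passing that node's hostname and its peer's; the node-local list is informational, the problems list is what should be empty before you commit.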
This example configures Multinode High Availability using the Junos groups statement.
| Time | Estimate |
|---|---|
| Reading time | 30 minutes |
| Configuration time | 60 minutes |
Example Prerequisites
Table 2 lists the hardware and software components that support the configuration.
| Requirement | Details |
|---|---|
| Hardware requirements | Supported firewalls and virtual firewalls. |
| Software requirements | This example was tested using Junos OS Release 24.4R1. For details about Junos OS groups and Multinode High Availability support, see Feature Explorer. The Junos IKE package is required on the firewall for the Multinode High Availability configuration. The package is available on the device as either a default or an optional package; see Junos IKE Package Support for details. If the package is not installed on the firewall by default, install it with the command user@host> request system software add optional://junos-ike.tgz. This step is required for ICL encryption. |
| License requirements | No separate license is required to configure Multinode High Availability. Licenses for features such as IDP, application identification, and Juniper ATP Cloud are specific to each firewall and must be set up on each device. Licenses are unique to each device and cannot be shared between the nodes of a Multinode High Availability setup; therefore, you must use the same licenses on both nodes. |
Before You Begin
| Learn more |
|---|
| Using group configuration in Multinode High Availability simplifies setup by letting you create reusable configuration blocks. These groups can be applied to multiple parts of the configuration, which ensures consistency and reduces repetitive input. The result is a configuration file that is more concise and logically structured. Group configuration helps you maintain the configuration files of Juniper Networks devices easily. |
Functional Overview
Table 3 provides a quick summary of the configuration components deployed in this example.
| Component | Details |
|---|---|
| Technologies used | |
| Primary verification tasks | |
Topology Illustration
Figure 1 shows the topology used in this configuration example.
Figure 1: Multinode High Availability topology
As the topology shows, the two SRX devices in MNHA connect to adjacent routers (vSRX instances acting as routers). An encrypted logical interchassis link (ICL) connects the nodes. The nodes communicate with each other using IP addresses that are routable across the network (floating IP addresses). This example uses GE ports for the ICL. A dedicated routing instance is also configured for the ICL path to ensure maximum segmentation.
Loopback interfaces host the IP addresses on the firewalls and routers, and the IP address of each node's loopback unit is used for the communication. In a typical high availability deployment, there are multiple routers and switches on both the northbound and southbound sides of the network.
In this example, you create multiple configuration groups on the devices and synchronize the configuration.
Topology Overview
Table 4 shows the details of the interface configuration used in this example.
| Device | Interface | IP Address | Zone | Configured for |
|---|---|---|---|---|
| SRX-01 | lo0.1 | 172.26.0.11/32 | ICL zone | Local forwarding address used to forward data packets over the ICD link. |
| SRX-01 | lo0.1 | 172.26.0.1/32 | ICL zone | ICL |
| SRX-01 | lo0.0 | 172.25.0.0/32 | Left zone | Floating IP address |
| SRX-01 | ge-0/0/1.39 | 10.1.39.1/24 | ICL zone | Node 0 connection on the ICL |
| SRX-01 | | | | Connects to the upstream and downstream routers. |
| SRX-02 | lo0.1 | 172.26.0.12/32 | ICL zone | Local forwarding address used to forward data packets over the ICD link. |
| SRX-02 | lo0.1 | 172.26.0.2/32 | ICL zone | ICL |
| SRX-02 | lo0.0 | 172.25.0.0/32 | Left zone | Floating IP address |
| SRX-02 | ge-0/0/1.39 | 10.1.39.2/24 | ICL zone | Node 0 connection on the ICL |
| SRX-02 | | | | Connects to the upstream and downstream routers. |
| Device | Interface | IP Address | Configured for |
|---|---|---|---|
| Router 1 (R1) | ge-0/0/0.31 | 10.0.31.1/24 | Connects to SRX-01 |
| Router 1 (R1) | ge-0/0/1.32 | 10.0.32.1/24 | Connects to SRX-02 |
| Router 2 (R2) | ge-0/0/0.33 | 10.0.33.1/24 | Connects to SRX-01 |
| Router 2 (R2) | ge-0/0/1.34 | 10.0.34.1/24 | Connects to SRX-02 |
Configure Multinode High Availability Using the Junos Groups Statement
Verification
Use the following show commands to verify the functionality in this example.
| Command | Verification task |
|---|---|
| show chassis high-availability information | Displays the Multinode High Availability details, including the status. |
| show chassis high-availability peer-info | Displays details of the peer node in the Multinode High Availability setup, such as the peer node, its connection details, and packet statistics. |
| show chassis high-availability services-redundancy-group | Displays the services redundancy group information in the Multinode High Availability setup. |
Verify Multinode High Availability Details
Purpose
View and verify the details of the Multinode High Availability setup configured on the security devices.
Action
Run the following command on both nodes in operational mode.
```
user@vsrx-mnha-n0> show chassis high-availability information
Node failure codes:
HW Hardware monitoring LB Loopback monitoring
MB Mbuf monitoring SP SPU monitoring
CS Cold Sync monitoring SU Software Upgrade
Node Status: ONLINE
Local-id: 1
Local-IP: 172.26.0.1
Local Forwarding IP: 172.26.0.11
HA Peer Information:
Peer Id: 2 IP address: 172.26.0.2 Interface: lo0.1
Routing Instance: icl
Encrypted: YES
Conn State: UP
Configured BFD Detection Time: 3 * 1000ms
Cold Sync Status: COMPLETE
Peer Forwarding IP: 172.26.0.12 Interface: lo0.1
Peer ICD Conn State: UP
Services Redundancy Group: 0
Current State: ONLINE
Peer Information:
Peer Id: 2
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: BACKUP
Activeness Priority: 100
Preemption: DISABLED
Process Packet In Backup State: YES
Control Plane State: READY
System Integrity Check: COMPLETE
Failure Events: NONE
Peer Information:
Peer Id: 2
Status : ACTIVE
Health Status: HEALTHY
Failover Readiness: N/A
```
```
user@vsrx-mnha-n1> show chassis high-availability information
Node failure codes:
HW Hardware monitoring LB Loopback monitoring
MB Mbuf monitoring SP SPU monitoring
CS Cold Sync monitoring SU Software Upgrade
Node Status: ONLINE
Local-id: 2
Local-IP: 172.26.0.2
Local Forwarding IP: 172.26.0.12
HA Peer Information:
Peer Id: 1 IP address: 172.26.0.1 Interface: lo0.1
Routing Instance: icl
Encrypted: YES
Conn State: UP
Configured BFD Detection Time: 3 * 1000ms
Cold Sync Status: COMPLETE
Peer Forwarding IP: 172.26.0.11 Interface: lo0.1
Peer ICD Conn State: UP
Services Redundancy Group: 0
Current State: ONLINE
Peer Information:
Peer Id: 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: ACTIVE
Activeness Priority: 200
Preemption: DISABLED
Process Packet In Backup State: YES
Control Plane State: READY
System Integrity Check: N/A
Failure Events: NONE
Peer Information:
Peer Id: 1
Status : BACKUP
Health Status: HEALTHY
Failover Readiness: READY
```
Meaning
Verify the following details in the command output:
- Local node and peer node details, such as IP addresses and IDs.
- Node Status: ONLINE indicates that the node is operational.
- Conn State: UP indicates that the ICL link is established and operational.
- Peer ICD Conn State: UP indicates that the ICD link is established and operational.
- Encrypted: YES indicates that the ICL connection is encrypted.
- Peer Information under the services redundancy group indicates that the peer node is healthy and ready for failover.
Verify Multinode High Availability Peer Node Details
Purpose
View the details of the peer node in the Multinode High Availability setup.
Action
Run the following command in operational mode.
```
user@vsrx-mnha-n0> show chassis high-availability peer-info
HA Peer Information:
Peer-ID: 2 IP address: 172.26.0.2 Interface: lo0.1
Routing Instance: icl
Encrypted: YES Conn State: UP
Cold Sync Status: COMPLETE
Peer Forwarding IP: 172.26.0.12 Interface: lo0.1
Peer ICD Conn State: UP
Internal Interface: st0.16000
Internal Local-IP: 180.100.1.1
Internal Peer-IP: 180.100.1.2
Internal Routing-instance: __juniper_private1__
Packet Statistics:
Receive Error : 0 Send Error : 0
Packet-type Sent Received
SRG Status Msg 12 9
SRG Status Ack 9 9
Attribute Msg 7 4
Attribute Ack 4 4
```
Meaning
The command output provides the following details:
- Peer ID: 2 shows the ID of the other node.
- Conn State: UP and Peer ICD Conn State: UP indicate that both the ICL and ICD links are established.
- Packet Statistics shows the packets exchanged between the nodes.
Verify Multinode High Availability Services Redundancy Group Details
Purpose
View and verify the details of the Multinode High Availability SRG.
Action
Run the following command in operational mode.
SRX-01 device
```
user@vsrx-mnha-n0> show chassis high-availability services-redundancy-group 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: BACKUP
Activeness Priority: 100
Preemption: DISABLED
Process Packet In Backup State: YES
Control Plane State: READY
System Integrity Check: COMPLETE
Failure Events: NONE
Peer Information:
Peer Id: 2
Status : ACTIVE
Health Status: HEALTHY
Failover Readiness: N/A
Signal Route Info:
Active Signal Route:
IP: 172.24.0.1
Routing Instance: default
Status: NOT INSTALLED
Backup Signal Route:
IP: 172.24.0.0
Routing Instance: default
Status: INSTALLED
Split-brain Prevention Probe Info:
DST-IP: 10.0.30.1
SRC-IP: 172.25.0.0
Routing Instance: vr
Type: ICMP Probe
Status: NOT RUNNING
Result: N/A Reason: N/A
SRG Path Monitor Info:
SRG Monitor Status: UP
SRG Monitor Threshold: 200
SRG Monitor Weight: 0
SRG Monitor Failed Objects: NONE
Object Name: routers
Object Status: UP
Object Monitored Entries: [ BFD ]
Object Failures: [ BFD ]
Object Threshold: 200
Object Current Weight: 100
Object Name: endpoints
Object Status: UP
Object Monitored Entries: [ IP ]
Object Failures: [ IP ]
Object Threshold: 200
Object Current Weight: 100
IP SRGID Table:
SRGID IP Prefix Routing Table
1 172.25.0.0/32 vr
```
Now run the same command on the SRX-02 device and note the differences in the output, such as the status and the peer information.
```
user@vsrx-mnha-n1> show chassis high-availability services-redundancy-group 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: ACTIVE
Activeness Priority: 200
Preemption: DISABLED
Process Packet In Backup State: YES
Control Plane State: READY
System Integrity Check: COMPLETE
Failure Events: NONE
Peer Information:
Peer Id: 1
Status : BACKUP
Health Status: HEALTHY
Failover Readiness: READY
Signal Route Info:
Active Signal Route:
IP: 172.24.0.1
Routing Instance: default
Status: INSTALLED
Backup Signal Route:
IP: 172.24.0.0
Routing Instance: default
Status: NOT INSTALLED
Split-brain Prevention Probe Info:
DST-IP: 10.0.30.1
SRC-IP: 172.25.0.0
Routing Instance: vr
Type: ICMP Probe
Status: NOT RUNNING
Result: N/A Reason: N/A
SRG Path Monitor Info:
SRG Monitor Status: UP
SRG Monitor Threshold: 200
SRG Monitor Weight: 0
SRG Monitor Failed Objects: NONE
Object Name: routers
Object Status: UP
Object Monitored Entries: [ BFD ]
Object Failures: [ BFD ]
Object Threshold: 200
Object Current Weight: 100
Object Name: endpoints
Object Status: UP
Object Monitored Entries: [ IP ]
Object Failures: [ IP ]
Object Threshold: 200
Object Current Weight: 100
IP SRGID Table:
SRGID IP Prefix Routing Table
1 172.25.0.0/32 vr
```
Meaning
Verify the following details in the command output:
- Deployment Type: ROUTING indicates that Multinode High Availability is set up in Layer 3 (routing) mode.
- Status: BACKUP indicates that the current node is operating as the backup node.
- Peer Information provides the peer node details, such as the deployment type, status, and the active and backup signal routes.
- The output also shows the configured monitoring options and any failure events.
Set Commands on All Devices
Device configured as the active node (vsrx-mnha-n0)
```
set groups mnha-sync when peers vsrx-mnha-n0
set groups mnha-sync when peers vsrx-mnha-n1
set groups mnha-sync security ike proposal ike-prop authentication-method pre-shared-keys
set groups mnha-sync security ike proposal ike-prop dh-group group20
set groups mnha-sync security ike proposal ike-prop encryption-algorithm aes-256-gcm
set groups mnha-sync security ike proposal ike-prop lifetime-seconds 28800
set groups mnha-sync security ike policy ike-policy proposals ike-prop
set groups mnha-sync security ike policy ike-policy pre-shared-key ascii-text "$ABc123"
set groups mnha-sync security ike policy icl proposals ike-prop
set groups mnha-sync security ike gateway r1 ike-policy ike-policy
set groups mnha-sync security ike gateway r1 address 10.0.30.1
set groups mnha-sync security ike gateway r1 dead-peer-detection probe-idle-tunnel
set groups mnha-sync security ike gateway r1 dead-peer-detection interval 5
set groups mnha-sync security ike gateway r1 dead-peer-detection threshold 5
set groups mnha-sync security ike gateway r1 external-interface lo0.0
set groups mnha-sync security ike gateway r1 version v2-only
set groups mnha-sync security ike gateway icl ike-policy icl
set groups mnha-sync security ike gateway icl version v2-only
set groups mnha-sync security ipsec proposal ipsec-prop encryption-algorithm aes-256-gcm
set groups mnha-sync security ipsec proposal ipsec-prop lifetime-seconds 3600
set groups mnha-sync security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
set groups mnha-sync security ipsec policy ipsec-policy proposals ipsec-prop
set groups mnha-sync security ipsec vpn r1 bind-interface st0.0
set groups mnha-sync security ipsec vpn r1 ike gateway r1
set groups mnha-sync security ipsec vpn r1 ike ipsec-policy ipsec-policy
set groups mnha-sync security ipsec vpn r1 traffic-selector ts1 local-ip 10.0.35.11/32
set groups mnha-sync security ipsec vpn r1 traffic-selector ts1 remote-ip 10.0.30.11/32
set groups mnha-sync security ipsec vpn r1 establish-tunnels immediately
set groups mnha-sync security ipsec vpn icl ha-link-encryption
set groups mnha-sync security ipsec vpn icl ike gateway icl
set groups mnha-sync security ipsec vpn icl ike ipsec-policy ipsec-policy
set groups mnha-sync security policies from-zone icl to-zone icl policy permit match source-address any
set groups mnha-sync security policies from-zone icl to-zone icl policy permit match destination-address any
set groups mnha-sync security policies from-zone icl to-zone icl policy permit match application any
set groups mnha-sync security policies from-zone icl to-zone icl policy permit then permit
set groups mnha-sync security policies global policy internal match source-address any
set groups mnha-sync security policies global policy internal match destination-address any
set groups mnha-sync security policies global policy internal match application any
set groups mnha-sync security policies global policy internal match from-zone right
set groups mnha-sync security policies global policy internal match from-zone vpn
set groups mnha-sync security policies global policy internal match from-zone left
set groups mnha-sync security policies global policy internal match to-zone left
set groups mnha-sync security policies global policy internal match to-zone right
set groups mnha-sync security policies global policy internal match to-zone vpn
set groups mnha-sync security policies global policy internal then permit
set groups mnha-sync security policies global policy internal then log session-close
set groups mnha-sync security policies global policy untrust match source-address any
set groups mnha-sync security policies global policy untrust match destination-address any
set groups mnha-sync security policies global policy untrust match application any
set groups mnha-sync security policies global policy untrust match from-zone left
set groups mnha-sync security policies global policy untrust match from-zone right
set groups mnha-sync security policies global policy untrust match to-zone untrust
set groups mnha-sync security policies global policy untrust then permit
set groups mnha-sync security zones security-zone vpn interfaces st0.0
set groups mnha-sync security zones security-zone left interfaces lo0.0 host-inbound-traffic system-services ike
set groups mnha-sync security zones security-zone left interfaces lo0.0 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone left interfaces ge-0/0/3.100 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone left interfaces ge-0/0/3.100 host-inbound-traffic protocols bgp
set groups mnha-sync security zones security-zone left interfaces ge-0/0/3.100 host-inbound-traffic protocols bfd
set groups mnha-sync security zones security-zone right interfaces ge-0/0/4.101 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone right interfaces ge-0/0/4.101 host-inbound-traffic protocols bgp
set groups mnha-sync security zones security-zone right interfaces ge-0/0/4.101 host-inbound-traffic protocols bfd
set groups mnha-sync security zones security-zone untrust interfaces ge-0/0/0.102 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone untrust interfaces ge-0/0/0.102 host-inbound-traffic protocols bfd
set groups mnha-sync security zones security-zone untrust interfaces ge-0/0/0.102 host-inbound-traffic protocols bgp
set groups mnha-sync interfaces st0 unit 0 family inet
set groups mnha-sync-icl system commit peers vsrx-mnha-n1 routing-instance icl
set groups mnha-sync-icl system static-host-mapping vsrx-mnha-n1 inet 172.26.0.2
set groups icd chassis high-availability local-id local-forwarding-ip 172.26.0.11
set groups icd chassis high-availability peer-id 2 peer-forwarding-ip 172.26.0.12
set groups icd chassis high-availability peer-id 2 peer-forwarding-ip interface lo0.1
set groups icd chassis high-availability peer-id 2 peer-forwarding-ip liveness-detection minimum-interval 1000
set groups icd chassis high-availability peer-id 2 peer-forwarding-ip liveness-detection multiplier 5
set groups icd interfaces lo0 unit 1 family inet address 172.26.0.11/32
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.31.1 src-ip 10.0.31.10
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.31.1 routing-instance vr
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.31.1 session-type singlehop
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.31.1 interface ge-0/0/0.100
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.33.1 src-ip 10.0.33.10
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.33.1 routing-instance vr
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.33.1 session-type singlehop
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.33.1 interface ge-0/0/0.101
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.38.1 src-ip 10.0.38.10
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.38.1 routing-instance vr
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.38.1 session-type singlehop
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.38.1 interface ge-0/0/0.102
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/0
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints object-threshold 200
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip threshold 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.30.10 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.30.10 weight 50
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.35.10 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.35.10 weight 50
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers object-threshold 200
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness threshold 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.31.1 src-ip 10.0.31.10
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.31.1 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.31.1 session-type singlehop
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.31.1 interface ge-0/0/3.100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.31.1 weight 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.33.1 src-ip 10.0.33.10
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.33.1 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.33.1 session-type singlehop
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.33.1 interface ge-0/0/4.101
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.33.1 weight 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.38.1 src-ip 10.0.38.10
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.38.1 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.38.1 session-type singlehop
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.38.1 interface ge-0/0/0.102
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.38.1 weight 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor srg-threshold 200
set apply-groups mnha-sync
set apply-groups mnha-sync-icl
set apply-groups monitor-advanced
set apply-groups icd
set system commit peers vsrx-mnha-n1 user user
set system commit peers vsrx-mnha-n1 authentication "$ABC123"
set chassis high-availability local-id 1
set chassis high-availability local-id local-ip 172.26.0.1
set chassis high-availability peer-id 2 peer-ip 172.26.0.2
set chassis high-availability peer-id 2 interface lo0.1
set chassis high-availability peer-id 2 routing-instance icl
set chassis high-availability peer-id 2 vpn-profile icl
set chassis high-availability peer-id 2 liveness-detection minimum-interval 1000
set chassis high-availability peer-id 2 liveness-detection multiplier 3
set chassis high-availability services-redundancy-group 0 peer-id 2
set chassis high-availability services-redundancy-group 1 deployment-type routing
set chassis high-availability services-redundancy-group 1 peer-id 2
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.0.30.1
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip src-ip 172.25.0.0
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip routing-instance vr
set chassis high-availability services-redundancy-group 1 active-signal-route 172.24.0.1
set chassis high-availability services-redundancy-group 1 backup-signal-route 172.24.0.0
set chassis high-availability services-redundancy-group 1 prefix-list srg1-prefix routing-instance vr
set chassis high-availability services-redundancy-group 1 managed-services ipsec
set chassis high-availability services-redundancy-group 1 process-packet-on-backup
set chassis high-availability services-redundancy-group 1 activeness-priority 100
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group20
set security ike proposal ike-prop encryption-algorithm aes-256-gcm
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-policy proposals ike-prop
set security ike policy ike-policy pre-shared-key ascii-text "$ABC123"
set security ike policy icl proposals ike-prop
set security ike policy icl pre-shared-key ascii-text "$ABC123."
set security ike gateway icl ike-policy icl
set security ike gateway icl version v2-only
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-gcm
set security ipsec proposal ipsec-prop lifetime-seconds 3600
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
set security ipsec policy ipsec-policy proposals ipsec-prop
set security ipsec vpn icl ha-link-encryption
set security ipsec vpn icl ike gateway icl
set security ipsec vpn icl ike ipsec-policy ipsec-policy
set security zones security-zone icl interfaces ge-0/0/3.36 host-inbound-traffic system-services ping
set security zones security-zone icl interfaces ge-0/0/3.36 host-inbound-traffic protocols bgp
set security zones security-zone icl interfaces ge-0/0/3.36 host-inbound-traffic protocols bfd
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services ping
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services ike
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services high-availability
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services ssh
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic protocols bfd
set security zones security-zone icl interfaces ge-0/0/1.39 host-inbound-traffic system-services ping
set security zones security-zone icl interfaces ge-0/0/1.39 host-inbound-traffic protocols bgp
set security zones security-zone icl interfaces ge-0/0/1.39 host-inbound-traffic protocols bfd
set interfaces ge-0/0/0 description for-monitoring
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 102 description vr-uplink-r2
set interfaces ge-0/0/0 unit 102 vlan-id 38
set interfaces ge-0/0/0 unit 102 family inet address 10.0.38.10/24
set interfaces ge-0/0/1 description br-lab-ha-1
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 mtu 9000
set interfaces ge-0/0/1 unit 39 description icl-n1
set interfaces ge-0/0/1 unit 39 vlan-id 39
set interfaces ge-0/0/1 unit 39 family inet address 10.1.39.1/24
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 36 description icl-r1
set interfaces ge-0/0/3 unit 36 vlan-id 36
set interfaces ge-0/0/3 unit 36 family inet address 10.0.36.10/24
set interfaces ge-0/0/3 unit 100 description vr-left-r1
set interfaces ge-0/0/3 unit 100 vlan-id 31
set interfaces ge-0/0/3 unit 100 family inet address 10.0.31.10/24
set interfaces ge-0/0/4 vlan-tagging
set interfaces ge-0/0/4 unit 101 description vr-right-r2
set interfaces ge-0/0/4 unit 101 vlan-id 33
set interfaces ge-0/0/4 unit 101 family inet address 10.0.33.10/24
set interfaces lo0 unit 0 description "Floating IP"
set interfaces lo0 unit 0 family inet address 172.25.0.0/32
set interfaces lo0 unit 1 description ICL
set interfaces lo0 unit 1 family inet address 172.26.0.1/32
set policy-options prefix-list export-int 0.0.0.0/0
set policy-options prefix-list export-int 172.25.0.0/32
set policy-options prefix-list export-uplink 10.0.30.0/24
set policy-options prefix-list export-uplink 10.0.35.0/24
set policy-options prefix-list srg1-prefix 172.25.0.0/32
set policy-options policy-statement export-icl-r1 term 10 from interface lo0.1
set policy-options policy-statement export-icl-r1 term 10 then accept
set policy-options policy-statement export-icl-r1 term 100 then reject
set policy-options policy-statement export-icl-to-n1 term 10 from interface lo0.1
set policy-options policy-statement export-icl-to-n1 term 10 then accept
set policy-options policy-statement export-icl-to-n1 term 100 then reject
set policy-options policy-statement export-to-int term 10 from prefix-list export-int
set policy-options policy-statement export-to-int term 10 from condition srg1_backup
set policy-options policy-statement export-to-int term 10 then as-path-prepend 65031
set policy-options policy-statement export-to-int term 10 then accept
set policy-options policy-statement export-to-int term 20 from prefix-list export-int
set policy-options policy-statement export-to-int term 20 from condition srg1_active
set policy-options policy-statement export-to-int term 20 then accept
set policy-options policy-statement export-to-int term 90 from prefix-list export-int
set policy-options policy-statement export-to-int term 90 then as-path-prepend "65031 65031"
set policy-options policy-statement export-to-int term 90 then accept
set policy-options policy-statement export-to-int term 100 then reject
set policy-options policy-statement export-to-uplink term 10 from prefix-list export-uplink
set policy-options policy-statement export-to-uplink term 10 from condition srg1_backup
set policy-options policy-statement export-to-uplink term 10 then as-path-prepend 65031
set policy-options policy-statement export-to-uplink term 10 then accept
set policy-options policy-statement export-to-uplink term 20 from prefix-list export-uplink
set policy-options policy-statement export-to-uplink term 20 from condition srg1_active
set policy-options policy-statement export-to-uplink term 20 then accept
set policy-options policy-statement export-to-uplink term 90 from prefix-list export-uplink
set policy-options policy-statement export-to-uplink term 90 then as-path-prepend "65031 65031"
set policy-options policy-statement export-to-uplink term 90 then accept
set policy-options policy-statement export-to-uplink term 100 then reject
set policy-options condition srg1_active if-route-exists 172.24.0.1/32
set policy-options condition srg1_active if-route-exists table inet.0
set policy-options condition srg1_backup if-route-exists 172.24.0.0/32
set policy-options condition srg1_backup if-route-exists table inet.0
set routing-instances icl instance-type virtual-router
set routing-instances icl protocols bgp group icl neighbor 10.0.36.1 export export-icl-r1
set routing-instances icl protocols bgp group icl neighbor 10.0.36.1 peer-as 65030
set routing-instances icl protocols bgp group icl neighbor 10.1.39.2 export export-icl-to-n1
set routing-instances icl protocols bgp group icl neighbor 10.1.39.2 peer-as 65032
set routing-instances icl protocols bgp local-as 65031
set routing-instances icl protocols bgp bfd-liveness-detection minimum-interval 500
set routing-instances icl protocols bgp bfd-liveness-detection multiplier 3
set routing-instances icl interface ge-0/0/1.39
set routing-instances icl interface ge-0/0/3.36
set routing-instances icl interface lo0.1
set routing-instances vr instance-type virtual-router
set routing-instances vr protocols bgp group r1 neighbor 10.0.31.1 export export-to-int
set routing-instances vr protocols bgp group r1 neighbor 10.0.31.1 peer-as 65030
set routing-instances vr protocols bgp group r2 neighbor 10.0.33.1 export export-to-int
set routing-instances vr protocols bgp group r2 neighbor 10.0.33.1 peer-as 65035
set routing-instances vr protocols bgp group uplink-r2 neighbor 10.0.38.1 export export-to-uplink
set routing-instances vr protocols bgp group uplink-r2 neighbor 10.0.38.1 peer-as 65039
set routing-instances vr protocols bgp local-as 65031
set routing-instances vr protocols bgp bfd-liveness-detection minimum-interval 1000
set routing-instances vr protocols bgp bfd-liveness-detection multiplier 3
set routing-instances vr interface ge-0/0/0.102
set routing-instances vr interface ge-0/0/3.100
set routing-instances vr interface ge-0/0/4.101
set routing-instances vr interface lo0.0
```
Device configured as the backup node (SRX-02)
set groups mnha-sync-icl system commit peers vsrx-mnha-n0 routing-instance icl
set groups mnha-sync-icl system static-host-mapping vsrx-mnha-n0 inet 172.26.0.1
set groups mnha-sync when peers vsrx-mnha-n0
set groups mnha-sync when peers vsrx-mnha-n1
set groups mnha-sync security ike proposal ike-prop authentication-method pre-shared-keys
set groups mnha-sync security ike proposal ike-prop dh-group group20
set groups mnha-sync security ike proposal ike-prop encryption-algorithm aes-256-gcm
set groups mnha-sync security ike proposal ike-prop lifetime-seconds 28800
set groups mnha-sync security ike policy ike-policy proposals ike-prop
set groups mnha-sync security ike policy ike-policy pre-shared-key ascii-text "$ABC123"
set groups mnha-sync security ike policy icl proposals ike-prop
set groups mnha-sync security ike gateway r1 ike-policy ike-policy
set groups mnha-sync security ike gateway r1 address 10.0.30.1
set groups mnha-sync security ike gateway r1 dead-peer-detection probe-idle-tunnel
set groups mnha-sync security ike gateway r1 dead-peer-detection interval 5
set groups mnha-sync security ike gateway r1 dead-peer-detection threshold 5
set groups mnha-sync security ike gateway r1 external-interface lo0.0
set groups mnha-sync security ike gateway r1 version v2-only
set groups mnha-sync security ike gateway icl ike-policy icl
set groups mnha-sync security ike gateway icl version v2-only
set groups mnha-sync security ipsec proposal ipsec-prop encryption-algorithm aes-256-gcm
set groups mnha-sync security ipsec proposal ipsec-prop lifetime-seconds 3600
set groups mnha-sync security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
set groups mnha-sync security ipsec policy ipsec-policy proposals ipsec-prop
set groups mnha-sync security ipsec vpn r1 bind-interface st0.0
set groups mnha-sync security ipsec vpn r1 ike gateway r1
set groups mnha-sync security ipsec vpn r1 ike ipsec-policy ipsec-policy
set groups mnha-sync security ipsec vpn r1 traffic-selector ts1 local-ip 10.0.35.11/32
set groups mnha-sync security ipsec vpn r1 traffic-selector ts1 remote-ip 10.0.30.11/32
set groups mnha-sync security ipsec vpn r1 establish-tunnels immediately
set groups mnha-sync security ipsec vpn icl ha-link-encryption
set groups mnha-sync security ipsec vpn icl ike gateway icl
set groups mnha-sync security ipsec vpn icl ike ipsec-policy ipsec-policy
set groups mnha-sync security flow tcp-mss ipsec-vpn mss 1400
set groups mnha-sync security flow tcp-session strict-syn-check
set groups mnha-sync security policies from-zone icl to-zone icl policy permit match source-address any
set groups mnha-sync security policies from-zone icl to-zone icl policy permit match destination-address any
set groups mnha-sync security policies from-zone icl to-zone icl policy permit match application any
set groups mnha-sync security policies from-zone icl to-zone icl policy permit then permit
set groups mnha-sync security policies global policy internal match source-address any
set groups mnha-sync security policies global policy internal match destination-address any
set groups mnha-sync security policies global policy internal match application any
set groups mnha-sync security policies global policy internal match from-zone right
set groups mnha-sync security policies global policy internal match from-zone vpn
set groups mnha-sync security policies global policy internal match from-zone left
set groups mnha-sync security policies global policy internal match to-zone left
set groups mnha-sync security policies global policy internal match to-zone right
set groups mnha-sync security policies global policy internal match to-zone vpn
set groups mnha-sync security policies global policy internal then permit
set groups mnha-sync security policies global policy internal then log session-close
set groups mnha-sync security policies global policy untrust match source-address any
set groups mnha-sync security policies global policy untrust match destination-address any
set groups mnha-sync security policies global policy untrust match application any
set groups mnha-sync security policies global policy untrust match from-zone left
set groups mnha-sync security policies global policy untrust match from-zone right
set groups mnha-sync security policies global policy untrust match to-zone untrust
set groups mnha-sync security policies global policy untrust then permit
set groups mnha-sync security zones security-zone vpn interfaces st0.0
set groups mnha-sync security zones security-zone left interfaces lo0.0 host-inbound-traffic system-services ike
set groups mnha-sync security zones security-zone left interfaces lo0.0 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone left interfaces ge-0/0/3.100 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone left interfaces ge-0/0/3.100 host-inbound-traffic protocols bgp
set groups mnha-sync security zones security-zone left interfaces ge-0/0/3.100 host-inbound-traffic protocols bfd
set groups mnha-sync security zones security-zone right interfaces ge-0/0/4.101 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone right interfaces ge-0/0/4.101 host-inbound-traffic protocols bgp
set groups mnha-sync security zones security-zone right interfaces ge-0/0/4.101 host-inbound-traffic protocols bfd
set groups mnha-sync security zones security-zone untrust interfaces ge-0/0/0.102 host-inbound-traffic system-services ping
set groups mnha-sync security zones security-zone untrust interfaces ge-0/0/0.102 host-inbound-traffic protocols bfd
set groups mnha-sync security zones security-zone untrust interfaces ge-0/0/0.102 host-inbound-traffic protocols bgp
set groups mnha-sync interfaces st0 unit 0 family inet
set groups icd chassis high-availability local-id local-forwarding-ip 172.26.0.12
set groups icd chassis high-availability peer-id 1 peer-forwarding-ip 172.26.0.11
set groups icd chassis high-availability peer-id 1 peer-forwarding-ip interface lo0.1
set groups icd chassis high-availability peer-id 1 peer-forwarding-ip liveness-detection minimum-interval 1000
set groups icd chassis high-availability peer-id 1 peer-forwarding-ip liveness-detection multiplier 5
set groups icd interfaces lo0 unit 1 family inet address 172.26.0.12/32
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.32.1 src-ip 10.0.32.10
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.32.1 routing-instance vr
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.32.1 session-type singlehop
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.32.1 interface ge-0/0/3.100
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.34.1 src-ip 10.0.34.10
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.34.1 routing-instance vr
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.34.1 session-type singlehop
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.34.1 interface ge-0/0/4.101
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.39.1 src-ip 10.0.39.10
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.39.1 routing-instance vr
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.39.1 session-type singlehop
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.0.39.1 interface ge-0/0/0.102
set groups monitor-simple chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/0
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints object-threshold 200
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip threshold 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.30.10 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.30.10 weight 50
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.35.10 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object endpoints ip destination-ip 10.0.35.10 weight 50
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers object-threshold 200
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness threshold 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.32.1 src-ip 10.0.32.10
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.32.1 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.32.1 session-type singlehop
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.32.1 interface ge-0/0/3.100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.32.1 weight 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.34.1 src-ip 10.0.34.10
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.34.1 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.34.1 session-type singlehop
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.34.1 interface ge-0/0/4.101
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.34.1 weight 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.39.1 src-ip 10.0.39.10
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.39.1 routing-instance vr
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.39.1 session-type singlehop
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.39.1 interface ge-0/0/0.102
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor monitor-object routers bfd-liveliness destination-ip 10.0.39.1 weight 100
set groups monitor-advanced chassis high-availability services-redundancy-group 1 monitor srg-threshold 200
set apply-groups mnha-sync
set apply-groups mnha-sync-icl
set apply-groups monitor-advanced
set apply-groups icd
set system commit peers vsrx-mnha-n0 user user
set system commit peers vsrx-mnha-n0 authentication "$ABC123"
set chassis high-availability local-id 2
set chassis high-availability local-id local-ip 172.26.0.2
set chassis high-availability peer-id 1 peer-ip 172.26.0.1
set chassis high-availability peer-id 1 interface lo0.1
set chassis high-availability peer-id 1 routing-instance icl
set chassis high-availability peer-id 1 vpn-profile icl
set chassis high-availability peer-id 1 liveness-detection minimum-interval 1000
set chassis high-availability peer-id 1 liveness-detection multiplier 3
set chassis high-availability services-redundancy-group 0 peer-id 1
set chassis high-availability services-redundancy-group 1 deployment-type routing
set chassis high-availability services-redundancy-group 1 peer-id 1
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.0.30.1
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip src-ip 172.25.0.0
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip routing-instance vr
set chassis high-availability services-redundancy-group 1 active-signal-route 172.24.0.1
set chassis high-availability services-redundancy-group 1 backup-signal-route 172.24.0.0
set chassis high-availability services-redundancy-group 1 prefix-list srg1-prefix routing-instance vr
set chassis high-availability services-redundancy-group 1 managed-services ipsec
set chassis high-availability services-redundancy-group 1 process-packet-on-backup
set chassis high-availability services-redundancy-group 1 activeness-priority 200
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group20
set security ike proposal ike-prop encryption-algorithm aes-256-gcm
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-policy proposals ike-prop
set security ike policy ike-policy pre-shared-key ascii-text "$ABC123"
set security ike policy icl proposals ike-prop
set security ike policy icl pre-shared-key ascii-text "$ABC123"
set security ike gateway icl ike-policy icl
set security ike gateway icl version v2-only
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-gcm
set security ipsec proposal ipsec-prop lifetime-seconds 3600
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group20
set security ipsec policy ipsec-policy proposals ipsec-prop
set security ipsec vpn icl ha-link-encryption
set security ipsec vpn icl ike gateway icl
set security ipsec vpn icl ike ipsec-policy ipsec-policy
set security zones security-zone icl interfaces ge-0/0/3.37 host-inbound-traffic system-services ping
set security zones security-zone icl interfaces ge-0/0/3.37 host-inbound-traffic protocols bgp
set security zones security-zone icl interfaces ge-0/0/3.37 host-inbound-traffic protocols bfd
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services ping
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services ike
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services high-availability
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic system-services ssh
set security zones security-zone icl interfaces lo0.1 host-inbound-traffic protocols bfd
set security zones security-zone icl interfaces ge-0/0/1.39 host-inbound-traffic system-services ping
set security zones security-zone icl interfaces ge-0/0/1.39 host-inbound-traffic protocols bgp
set security zones security-zone icl interfaces ge-0/0/1.39 host-inbound-traffic protocols bfd
set interfaces ge-0/0/0 description for-monitoring
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 102 description vr-uplink-r2
set interfaces ge-0/0/0 unit 102 vlan-id 39
set interfaces ge-0/0/0 unit 102 family inet address 10.0.39.10/24
set interfaces ge-0/0/1 description br-lab-ha-1
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 mtu 9000
set interfaces ge-0/0/1 unit 39 description icl-n0
set interfaces ge-0/0/1 unit 39 vlan-id 39
set interfaces ge-0/0/1 unit 39 family inet address 10.1.39.2/24
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 37 description icl-r1
set interfaces ge-0/0/3 unit 37 vlan-id 37
set interfaces ge-0/0/3 unit 37 family inet address 10.0.37.10/24
set interfaces ge-0/0/3 unit 100 description vr-left-r1
set interfaces ge-0/0/3 unit 100 vlan-id 32
set interfaces ge-0/0/3 unit 100 family inet address 10.0.32.10/24
set interfaces ge-0/0/4 vlan-tagging
set interfaces ge-0/0/4 unit 101 description vr-right-r2
set interfaces ge-0/0/4 unit 101 vlan-id 34
set interfaces ge-0/0/4 unit 101 family inet address 10.0.34.10/24
set interfaces lo0 unit 0 description "Floating IP"
set interfaces lo0 unit 0 family inet address 172.25.0.0/32
set interfaces lo0 unit 1 description ICL
set interfaces lo0 unit 1 family inet address 172.26.0.2/32
set policy-options prefix-list export-int 0.0.0.0/0
set policy-options prefix-list export-int 172.25.0.0/32
set policy-options prefix-list export-uplink 10.0.30.0/24
set policy-options prefix-list export-uplink 10.0.35.0/24
set policy-options prefix-list srg1-prefix 172.25.0.0/32
set policy-options policy-statement export-icl-r1 term 10 from interface lo0.1
set policy-options policy-statement export-icl-r1 term 10 then accept
set policy-options policy-statement export-icl-r1 term 100 then reject
set policy-options policy-statement export-icl-to-n0 term 10 from interface lo0.1
set policy-options policy-statement export-icl-to-n0 term 10 then accept
set policy-options policy-statement export-icl-to-n0 term 100 then reject
set policy-options policy-statement export-to-int term 10 from prefix-list export-int
set policy-options policy-statement export-to-int term 10 from condition srg1_backup
set policy-options policy-statement export-to-int term 10 then as-path-prepend 65032
set policy-options policy-statement export-to-int term 10 then accept
set policy-options policy-statement export-to-int term 20 from prefix-list export-int
set policy-options policy-statement export-to-int term 20 from condition srg1_active
set policy-options policy-statement export-to-int term 20 then accept
set policy-options policy-statement export-to-int term 90 from prefix-list export-int
set policy-options policy-statement export-to-int term 90 then as-path-prepend "65032 65032 65032"
set policy-options policy-statement export-to-int term 90 then accept
set policy-options policy-statement export-to-int term 100 then reject
set policy-options policy-statement export-to-uplink term 10 from prefix-list export-uplink
set policy-options policy-statement export-to-uplink term 10 from condition srg1_backup
set policy-options policy-statement export-to-uplink term 10 then as-path-prepend 65032
set policy-options policy-statement export-to-uplink term 10 then accept
set policy-options policy-statement export-to-uplink term 20 from prefix-list export-uplink
set policy-options policy-statement export-to-uplink term 20 from condition srg1_active
set policy-options policy-statement export-to-uplink term 20 then accept
set policy-options policy-statement export-to-uplink term 90 from prefix-list export-uplink
set policy-options policy-statement export-to-uplink term 90 then as-path-prepend "65032 65032 65032"
set policy-options policy-statement export-to-uplink term 90 then accept
set policy-options policy-statement export-to-uplink term 100 then reject
set policy-options condition srg1_active if-route-exists 172.24.0.1/32
set policy-options condition srg1_active if-route-exists table inet.0
set policy-options condition srg1_backup if-route-exists 172.24.0.0/32
set policy-options condition srg1_backup if-route-exists table inet.0
set routing-instances icl instance-type virtual-router
set routing-instances icl protocols bgp group icl neighbor 10.0.37.1 export export-icl-r1
set routing-instances icl protocols bgp group icl neighbor 10.0.37.1 peer-as 65030
set routing-instances icl protocols bgp group icl neighbor 10.1.39.1 export export-icl-to-n0
set routing-instances icl protocols bgp group icl neighbor 10.1.39.1 peer-as 65031
set routing-instances icl protocols bgp local-as 65032
set routing-instances icl protocols bgp bfd-liveness-detection minimum-interval 500
set routing-instances icl protocols bgp bfd-liveness-detection multiplier 3
set routing-instances icl interface ge-0/0/1.39
set routing-instances icl interface ge-0/0/3.37
set routing-instances icl interface lo0.1
set routing-instances vr instance-type virtual-router
set routing-instances vr protocols bgp group r1 neighbor 10.0.32.1 export export-to-int
set routing-instances vr protocols bgp group r1 neighbor 10.0.32.1 peer-as 65030
set routing-instances vr protocols bgp group r2 neighbor 10.0.34.1 export export-to-int
set routing-instances vr protocols bgp group r2 neighbor 10.0.34.1 peer-as 65035
set routing-instances vr protocols bgp group uplink-r2 neighbor 10.0.39.1 export export-to-uplink
set routing-instances vr protocols bgp group uplink-r2 neighbor 10.0.39.1 peer-as 65039
set routing-instances vr protocols bgp local-as 65032
set routing-instances vr protocols bgp bfd-liveness-detection minimum-interval 1000
set routing-instances vr protocols bgp bfd-liveness-detection multiplier 3
set routing-instances vr interface ge-0/0/0.102
set routing-instances vr interface ge-0/0/3.100
set routing-instances vr interface ge-0/0/4.101
set routing-instances vr interface lo0.0
Router 1 (device configured as a router)
set security policies default-policy permit-all
set security zones security-zone left host-inbound-traffic system-services ping
set security zones security-zone left host-inbound-traffic system-services ike
set security zones security-zone left host-inbound-traffic protocols bgp
set security zones security-zone left host-inbound-traffic protocols bfd
set security zones security-zone left interfaces ge-0/0/2.30
set security zones security-zone left interfaces ge-0/0/0.31
set security zones security-zone left interfaces ge-0/0/1.32
set security zones security-zone left interfaces st0.0
set security zones security-zone left enable-reverse-reroute
set security zones security-zone icl host-inbound-traffic system-services ping
set security zones security-zone icl host-inbound-traffic protocols bgp
set security zones security-zone icl host-inbound-traffic protocols bfd
set security zones security-zone icl interfaces ge-0/0/0.36
set security zones security-zone icl interfaces ge-0/0/1.37
set interfaces ge-0/0/0 description br-lab-1
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 31 description vr-mnha-n0
set interfaces ge-0/0/0 unit 31 vlan-id 31
set interfaces ge-0/0/0 unit 31 family inet address 10.0.31.1/24
set interfaces ge-0/0/0 unit 36 description icl-n0
set interfaces ge-0/0/0 unit 36 vlan-id 36
set interfaces ge-0/0/0 unit 36 family inet address 10.0.36.1/24
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 32 description vr-mnha-n1
set interfaces ge-0/0/1 unit 32 vlan-id 32
set interfaces ge-0/0/1 unit 32 family inet address 10.0.32.1/24
set interfaces ge-0/0/1 unit 37 description icl-n1
set interfaces ge-0/0/1 unit 37 vlan-id 37
set interfaces ge-0/0/1 unit 37 family inet address 10.0.37.1/24
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 30 description vr-linux-1
set interfaces ge-0/0/2 unit 30 vlan-id 30
set interfaces ge-0/0/2 unit 30 family inet address 10.0.30.1/24
set interfaces st0 unit 0 family inet
set policy-options policy-statement export-icl-n0 term 10 from interface ge-0/0/1.37
set policy-options policy-statement export-icl-n0 term 10 then accept
set policy-options policy-statement export-icl-n0 term 100 then reject
set policy-options policy-statement export-icl-n1 term 10 from interface ge-0/0/0.36
set policy-options policy-statement export-icl-n1 term 10 then accept
set policy-options policy-statement export-icl-n1 term 100 then reject
set policy-options policy-statement export-to-mnha-fws term 10 from interface ge-0/0/2.30
set policy-options policy-statement export-to-mnha-fws term 10 then accept
set policy-options policy-statement export-to-mnha-fws term 100 then reject
set routing-instances icl instance-type virtual-router
set routing-instances icl protocols bgp group icl local-as 65030
set routing-instances icl protocols bgp group icl bfd-liveness-detection minimum-interval 500
set routing-instances icl protocols bgp group icl bfd-liveness-detection multiplier 3
set routing-instances icl protocols bgp group icl neighbor 10.0.36.10 export export-icl-n0
set routing-instances icl protocols bgp group icl neighbor 10.0.36.10 peer-as 65031
set routing-instances icl protocols bgp group icl neighbor 10.0.37.10 export export-icl-n1
set routing-instances icl protocols bgp group icl neighbor 10.0.37.10 peer-as 65032
set routing-instances icl interface ge-0/0/0.36
set routing-instances icl interface ge-0/0/1.37
set routing-instances vr instance-type virtual-router
set routing-instances vr protocols bgp group mnha-n0 neighbor 10.0.31.10 peer-as 65031
set routing-instances vr protocols bgp group mnha-n1 neighbor 10.0.32.10 peer-as 65032
set routing-instances vr protocols bgp export export-to-mnha-fws
set routing-instances vr protocols bgp local-as 65030
set routing-instances vr protocols bgp bfd-liveness-detection minimum-interval 1000
set routing-instances vr protocols bgp bfd-liveness-detection multiplier 3
set routing-instances vr interface ge-0/0/0.31
set routing-instances vr interface ge-0/0/1.32
set routing-instances vr interface ge-0/0/2.30
set routing-instances vr interface st0.0
Router 2 (device configured as a router)
set security policies default-policy permit-all
set security zones security-zone right host-inbound-traffic system-services ping
set security zones security-zone right host-inbound-traffic protocols bgp
set security zones security-zone right host-inbound-traffic protocols bfd
set security zones security-zone right interfaces ge-0/0/0.33
set security zones security-zone right interfaces ge-0/0/1.34
set security zones security-zone right interfaces ge-0/0/2.35
set security zones security-zone right enable-reverse-reroute
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic protocols bgp
set security zones security-zone trust host-inbound-traffic protocols bfd
set security zones security-zone trust interfaces ge-0/0/0.39
set security zones security-zone trust interfaces ge-0/0/0.38
set interfaces ge-0/0/0 description br-lab-1
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 33 description vr-mnha-n0
set interfaces ge-0/0/0 unit 33 vlan-id 33
set interfaces ge-0/0/0 unit 33 family inet address 10.0.33.1/24
set interfaces ge-0/0/0 unit 38 description uplink-mnha-n0
set interfaces ge-0/0/0 unit 38 vlan-id 38
set interfaces ge-0/0/0 unit 38 family inet address 10.0.38.1/24
set interfaces ge-0/0/0 unit 39 description uplink-mnha-n1
set interfaces ge-0/0/0 unit 39 vlan-id 39
set interfaces ge-0/0/0 unit 39 family inet address 10.0.39.1/24
set interfaces ge-0/0/1 description br-poc-mgmt
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 34 description vr-mnha-n1
set interfaces ge-0/0/1 unit 34 vlan-id 34
set interfaces ge-0/0/1 unit 34 family inet address 10.0.34.1/24
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 35 description vr-linux-2
set interfaces ge-0/0/2 unit 35 vlan-id 35
set interfaces ge-0/0/2 unit 35 family inet address 10.0.35.1/24
set policy-options policy-statement export-default term 10 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement export-default term 10 then accept
set policy-options policy-statement export-default term 100 then reject
set policy-options policy-statement export-to-mnha-fws term 10 from interface ge-0/0/0.35
set policy-options policy-statement export-to-mnha-fws term 10 then accept
set policy-options policy-statement export-to-mnha-fws term 100 then reject
set policy-options policy-statement import-from-n1 from neighbor 10.0.34.10
set policy-options policy-statement import-from-n1 then local-preference 1000
set routing-instances uplink instance-type virtual-router
set routing-instances uplink routing-options static route 0.0.0.0/0 next-hop 172.30.192.1
set routing-instances uplink protocols bgp family inet unicast loops 1
set routing-instances uplink protocols bgp group trust export export-default
set routing-instances uplink protocols bgp group trust local-as 65039
set routing-instances uplink protocols bgp group trust bfd-liveness-detection minimum-interval 1000
set routing-instances uplink protocols bgp group trust bfd-liveness-detection multiplier 3
set routing-instances uplink protocols bgp group trust neighbor 10.0.38.10 peer-as 65031
set routing-instances uplink protocols bgp group trust neighbor 10.0.39.10 peer-as 65032
set routing-instances uplink interface ge-0/0/0.38
set routing-instances uplink interface ge-0/0/0.39
set routing-instances uplink interface ge-0/0/1.0
deactivate routing-instances uplink interface ge-0/0/1.0
set routing-instances vr instance-type virtual-router
set routing-instances vr protocols bgp family inet unicast loops 1
set routing-instances vr protocols bgp group mnha-n0 neighbor 10.0.33.10 peer-as 65031
set routing-instances vr protocols bgp group mnha-n1 neighbor 10.0.34.10 import import-from-n1
set routing-instances vr protocols bgp group mnha-n1 neighbor 10.0.34.10 peer-as 65032
set routing-instances vr protocols bgp export export-to-mnha-fws
set routing-instances vr protocols bgp local-as 65035
set routing-instances vr protocols bgp bfd-liveness-detection minimum-interval 1000
set routing-instances vr protocols bgp bfd-liveness-detection multiplier 3
set routing-instances vr interface ge-0/0/0.33
set routing-instances vr interface ge-0/0/1.34
set routing-instances vr interface ge-0/0/2.35
Display the configuration output
From configuration mode, confirm your configuration by entering the show groups and show chassis high-availability commands, together with any other details you want to check. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
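Reading the show output on each node by eye is error-prone once a group has a few hundred statements. The following Python script is an added example, not Juniper's code and not part of this page's configuration: it parses configuration in the `set` format listed above, collects the statements under each `[groups]` stanza, and reports statements present on only one node. A group that carries `when peers` is expected to be identical on both nodes, since that is what `peers-synchronize` keeps in step, while a node-local group such as `icd` (per-node forwarding addresses) is allowed to differ. The two sample configurations embedded in it are constructed for the example, with one deliberate mismatch in the IKE `dh-group`.

```python
"""Drift check for Junos configuration groups across two Multinode High
Availability nodes.

Added example (not Juniper's code): parses 'set'-format configuration,
groups the statements by [groups] stanza, and reports what exists on only
one node.  Synchronized groups ('when peers') must match exactly; node-local
groups are reported for information only.
"""

import re
from typing import Dict, List, Set

# Constructed sample input: a subset of the page's groups as they might be
# pasted from 'show configuration | display set' on each node.  The dh-group
# on the second node is deliberately different so the report finds drift.
NODE0_SET = """
set groups mnha-sync when peers vsrx-mnha-n0
set groups mnha-sync when peers vsrx-mnha-n1
set groups mnha-sync security ike proposal ike-prop authentication-method pre-shared-keys
set groups mnha-sync security ike proposal ike-prop dh-group group20
set groups mnha-sync security ike proposal ike-prop encryption-algorithm aes-256-gcm
set groups icd interfaces lo0 unit 1 family inet address 172.26.0.11/32
set apply-groups mnha-sync
set apply-groups icd
"""

NODE1_SET = """
set groups mnha-sync when peers vsrx-mnha-n0
set groups mnha-sync when peers vsrx-mnha-n1
set groups mnha-sync security ike proposal ike-prop authentication-method pre-shared-keys
set groups mnha-sync security ike proposal ike-prop dh-group group19
set groups mnha-sync security ike proposal ike-prop encryption-algorithm aes-256-gcm
set groups icd interfaces lo0 unit 1 family inet address 172.26.0.12/32
set apply-groups mnha-sync
set apply-groups icd
"""

_GROUP_STMT = re.compile(r"^set groups (\S+) (.+)$")
_APPLY_STMT = re.compile(r"^set apply-groups (\S+)$")


def parse_groups(text: str) -> Dict[str, Set[str]]:
    """Map each group name to the set of statements configured under it."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = _GROUP_STMT.match(line.strip())
        if m:
            groups.setdefault(m.group(1), set()).add(m.group(2))
    return groups


def applied_groups(text: str) -> Set[str]:
    """Names listed in 'set apply-groups'; a defined but unapplied group is inert."""
    applied: Set[str] = set()
    for line in text.splitlines():
        m = _APPLY_STMT.match(line.strip())
        if m:
            applied.add(m.group(1))
    return applied


def peers_of(statements: Set[str]) -> Set[str]:
    """Hostnames named in the group's 'when peers' statements."""
    return {s.split()[-1] for s in statements if s.startswith("when peers ")}


def check_group(name: str, node0: str, node1: str) -> dict:
    """Compare one group across both nodes and return a drift report."""
    g0 = parse_groups(node0).get(name, set())
    g1 = parse_groups(node1).get(name, set())
    synchronized = bool(peers_of(g0) | peers_of(g1))
    only0: List[str] = sorted(g0 - g1)
    only1: List[str] = sorted(g1 - g0)
    return {
        "group": name,
        "synchronized": synchronized,
        "peers": sorted(peers_of(g0) | peers_of(g1)),
        "applied_on_both": name in applied_groups(node0) and name in applied_groups(node1),
        "only_on_node0": only0,
        "only_on_node1": only1,
        # Drift inside a synchronized group means the commit-time sync did not
        # carry the change (or the group was edited on both nodes): flag it.
        "ok": not (synchronized and (only0 or only1)),
    }


if __name__ == "__main__":
    names = sorted(set(parse_groups(NODE0_SET)) | set(parse_groups(NODE1_SET)))
    for report in (check_group(n, NODE0_SET, NODE1_SET) for n in names):
        status = "OK" if report["ok"] else "DRIFT"
        print(f"{report['group']}: {status} (synchronized={report['synchronized']})")
        for stmt in report["only_on_node0"]:
            print(f"  only on node0: {stmt}")
        for stmt in report["only_on_node1"]:
            print(f"  only on node1: {stmt}")
```

In practice you would feed the script the `show configuration | display set` output captured from each node; the `applied_on_both` field catches the quieter failure where a group is defined identically on both peers but `apply-groups` was only committed on one of them.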
SRX-01 (active node)
[edit]
user@vsrx-mnha-n0# show chassis high-availability
local-id {
    1;
    local-ip 172.26.0.1;
}
peer-id 2 {
    peer-ip 172.26.0.2;
    interface lo0.1;
    routing-instance icl;
    vpn-profile icl;
    liveness-detection {
        minimum-interval 1000;
        multiplier 3;
    }
}
services-redundancy-group 0 {
    peer-id {
        2;
    }
}
services-redundancy-group 1 {
    deployment-type routing;
    peer-id {
        2;
    }
    activeness-probe {
        dest-ip {
            10.0.30.1;
            src-ip 172.25.0.0;
            routing-instance vr;
        }
    }
    active-signal-route {
        172.24.0.1;
    }
    backup-signal-route {
        172.24.0.0;
    }
    prefix-list srg1-prefix {
        routing-instance vr;
    }
    managed-services ipsec;
    process-packet-on-backup;
    activeness-priority 100;
}
[edit]
user@vsrx-mnha-n0# show groups mnha-sync
when {
    peers [ vsrx-mnha-n0 vsrx-mnha-n1 ];
}
security {
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group20;
            encryption-algorithm aes-256-gcm;
            lifetime-seconds 28800;
        }
        policy ike-policy {
            proposals ike-prop;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
        policy icl {
            proposals ike-prop;
        }
        gateway r1 {
            ike-policy ike-policy;
            address 10.0.30.1;
            dead-peer-detection {
                probe-idle-tunnel;
                interval 5;
                threshold 5;
            }
            external-interface lo0.0;
            version v2-only;
        }
        gateway icl {
            ike-policy icl;
            version v2-only;
        }
    }
    ipsec {
        proposal ipsec-prop {
            encryption-algorithm aes-256-gcm;
            lifetime-seconds 3600;
        }
        policy ipsec-policy {
            perfect-forward-secrecy {
                keys group20;
            }
            proposals ipsec-prop;
        }
        vpn r1 {
            bind-interface st0.0;
            ike {
                gateway r1;
                ipsec-policy ipsec-policy;
            }
            traffic-selector ts1 {
                local-ip 10.0.35.11/32;
                remote-ip 10.0.30.11/32;
            }
            establish-tunnels immediately;
        }
        vpn icl {
            ha-link-encryption;
            ike {
                gateway icl;
                ipsec-policy ipsec-policy;
            }
        }
    }
    policies {
        from-zone icl to-zone icl {
            policy permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        global {
            policy internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    from-zone [ right vpn left ];
                    to-zone [ left right vpn ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    from-zone [ left right ];
                    to-zone untrust;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
        security-zone left {
            interfaces {
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                        }
                    }
                }
                ge-0/0/3.100 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            bgp;
                            bfd;
                        }
                    }
                }
            }
        }
        security-zone right {
            interfaces {
                ge-0/0/4.101 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            bgp;
                            bfd;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.102 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            bfd;
                            bgp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-instances {
    vr {
        interface st0.0;
    }
}
[edit]
user@vsrx-mnha-n0# show groups monitor-simple
chassis {
    high-availability {
        services-redundancy-group 1 {
            monitor {
                bfd-liveliness 10.0.31.1 {
                    src-ip 10.0.31.10;
                    routing-instance vr;
                    session-type singlehop;
                    interface ge-0/0/0.100;
                }
                bfd-liveliness 10.0.33.1 {
                    src-ip 10.0.33.10;
                    routing-instance vr;
                    session-type singlehop;
                    interface ge-0/0/0.101;
                }
                bfd-liveliness 10.0.38.1 {
                    src-ip 10.0.38.10;
                    routing-instance vr;
                    session-type singlehop;
                    interface ge-0/0/0.102;
                }
                interface {
                    ge-0/0/0;
                }
            }
        }
    }
}
[edit]
user@vsrx-mnha-n0# show groups monitor-advanced
chassis {
    high-availability {
        services-redundancy-group 1 {
            monitor {
                monitor-object endpoints {
                    object-threshold 200;
                    ip {
                        threshold 100;
                        destination-ip 10.0.30.10 {
                            routing-instance vr;
                            weight 50;
                        }
                        destination-ip 10.0.35.10 {
                            routing-instance vr;
                            weight 50;
                        }
                    }
                }
                monitor-object routers {
                    object-threshold 200;
                    bfd-liveliness {
                        threshold 100;
                        destination-ip 10.0.31.1 {
                            src-ip 10.0.31.10;
                            routing-instance vr;
                            session-type singlehop;
                            interface ge-0/0/3.100;
                            weight 100;
                        }
                        destination-ip 10.0.33.1 {
                            src-ip 10.0.33.10;
                            routing-instance vr;
                            session-type singlehop;
                            interface ge-0/0/4.101;
                            weight 100;
                        }
                        destination-ip 10.0.38.1 {
                            src-ip 10.0.38.10;
                            routing-instance vr;
                            session-type singlehop;
                            interface ge-0/0/0.102;
                            weight 100;
                        }
                    }
                }
                srg-threshold 200;
            }
        }
    }
}
[edit]
user@vsrx-mnha-n0# show groups mnha-sync-icl
system {
    commit {
        peers {
            vsrx-mnha-n1 {
                routing-instance icl;
            }
        }
    }
    static-host-mapping {
        vsrx-mnha-n1 inet 172.26.0.2;
    }
}
[edit]
user@vsrx-mnha-n0# show groups icd
chassis {
    high-availability {
        local-id {
            local-forwarding-ip 172.26.0.11;
        }
        peer-id 2 {
            peer-forwarding-ip {
                172.26.0.12;
                interface lo0.1;
                liveness-detection {
                    minimum-interval 1000;
                    multiplier 5;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 1 {
            family inet {
                address 172.26.0.11/32;
            }
        }
    }
}
SRX-02
[edit]
user@vsrx-mnha-n1# show chassis high-availability
local-id {
    2;
    local-ip 172.26.0.2;
}
peer-id 1 {
    peer-ip 172.26.0.1;
    interface lo0.1;
    routing-instance icl;
    vpn-profile icl;
    liveness-detection {
        minimum-interval 1000;
        multiplier 3;
    }
}
services-redundancy-group 0 {
    peer-id {
        1;
    }
}
services-redundancy-group 1 {
    deployment-type routing;
    peer-id {
        1;
    }
    activeness-probe {
        dest-ip {
            10.0.30.1;
            src-ip 172.25.0.0;
            routing-instance vr;
        }
    }
    active-signal-route {
        172.24.0.1;
    }
    backup-signal-route {
        172.24.0.0;
    }
    prefix-list srg1-prefix {
        routing-instance vr;
    }
    managed-services ipsec;
    process-packet-on-backup;
    activeness-priority 200;
}
[edit]
user@vsrx-mnha-n1# show groups mnha-sync
when {
    peers [ vsrx-mnha-n0 vsrx-mnha-n1 ];
}
security {
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group20;
            encryption-algorithm aes-256-gcm;
            lifetime-seconds 28800;
        }
        policy ike-policy {
            proposals ike-prop;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
        policy icl {
            proposals ike-prop;
        }
        gateway r1 {
            ike-policy ike-policy;
            address 10.0.30.1;
            dead-peer-detection {
                probe-idle-tunnel;
                interval 5;
                threshold 5;
            }
            external-interface lo0.0;
            version v2-only;
        }
        gateway icl {
            ike-policy icl;
            version v2-only;
        }
    }
    ipsec {
        proposal ipsec-prop {
            encryption-algorithm aes-256-gcm;
            lifetime-seconds 3600;
        }
        policy ipsec-policy {
            perfect-forward-secrecy {
                keys group20;
            }
            proposals ipsec-prop;
        }
        vpn r1 {
            bind-interface st0.0;
            ike {
                gateway r1;
                ipsec-policy ipsec-policy;
            }
            traffic-selector ts1 {
                local-ip 10.0.35.11/32;
                remote-ip 10.0.30.11/32;
            }
            establish-tunnels immediately;
        }
        vpn icl {
            ha-link-encryption;
            ike {
                gateway icl;
                ipsec-policy ipsec-policy;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1400;
            }
        }
        tcp-session {
            strict-syn-check;
        }
    }
    policies {
        from-zone icl to-zone icl {
            policy permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        global {
            policy internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    from-zone [ right vpn left ];
                    to-zone [ left right vpn ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    from-zone [ left right ];
                    to-zone untrust;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
        security-zone left {
            interfaces {
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                        }
                    }
                }
                ge-0/0/3.100 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            bgp;
                            bfd;
                        }
                    }
                }
            }
        }
        security-zone right {
            interfaces {
                ge-0/0/4.101 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            bgp;
                            bfd;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.102 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            bfd;
                            bgp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-instances {
    vr {
        interface st0.0;
    }
}
[edit]
user@vsrx-mnha-n1# show groups monitor-simple
chassis {
    high-availability {
        services-redundancy-group 1 {
            monitor {
                bfd-liveliness 10.0.32.1 {
                    src-ip 10.0.32.10;
                    routing-instance vr;
                    session-type singlehop;
                    interface ge-0/0/3.100;
                }
                bfd-liveliness 10.0.34.1 {
                    src-ip 10.0.34.10;
                    routing-instance vr;
                    session-type singlehop;
                    interface ge-0/0/4.101;
                }
                bfd-liveliness 10.0.39.1 {
                    src-ip 10.0.39.10;
                    routing-instance vr;
                    session-type singlehop;
                    interface ge-0/0/0.102;
                }
                interface {
                    ge-0/0/0;
                }
            }
        }
    }
}
[edit]
user@vsrx-mnha-n1# show groups monitor-advanced
chassis {
    high-availability {
        services-redundancy-group 1 {
            monitor {
                monitor-object endpoints {
                    object-threshold 200;
                    ip {
                        threshold 100;
                        destination-ip 10.0.30.10 {
                            routing-instance vr;
                            weight 50;
                        }
                        destination-ip 10.0.35.10 {
                            routing-instance vr;
                            weight 50;
                        }
                    }
                }
                monitor-object routers {
                    object-threshold 200;
                    bfd-liveliness {
                        threshold 100;
                        destination-ip 10.0.32.1 {
                            src-ip 10.0.32.10;
                            routing-instance vr;
                            session-type singlehop;
                            interface ge-0/0/3.100;
                            weight 100;
                        }
                        destination-ip 10.0.34.1 {
                            src-ip 10.0.34.10;
                            routing-instance vr;
                            session-type singlehop;
                            interface ge-0/0/4.101;
                            weight 100;
                        }
                        destination-ip 10.0.39.1 {
                            src-ip 10.0.39.10;
                            routing-instance vr;
                            session-type singlehop;
                            interface ge-0/0/0.102;
                            weight 100;
                        }
                    }
                }
                srg-threshold 200;
            }
        }
    }
}
[edit]
user@vsrx-mnha-n1# show groups mnha-sync-icl
system {
    commit {
        peers {
            vsrx-mnha-n0 {
                routing-instance icl;
            }
        }
    }
    static-host-mapping {
        vsrx-mnha-n0 inet 172.26.0.1;
    }
}
[edit]
user@vsrx-mnha-n1# show groups icd
chassis {
    high-availability {
        local-id {
            local-forwarding-ip 172.26.0.12;
        }
        peer-id 1 {
            peer-forwarding-ip {
                172.26.0.11;
                interface lo0.1;
                liveness-detection {
                    minimum-interval 1000;
                    multiplier 5;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 1 {
            family inet {
                address 172.26.0.12/32;
            }
        }
    }
}
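The listings above make the dependency explicit: the mnha-sync group must be identical on both nodes (it carries the IKE and IPsec proposals, the pre-shared key and the security policy, so a node whose copy lags behind runs with a different crypto profile than its peer), while the per-node mnha-sync-icl groups must be mirror images (each node's commit peer is the other node, pinned to the icl routing instance, and its static-host-mapping must resolve to the peer's ICL local-ip). The script below is an added example, not part of this page or of Junos; it reads `show groups` output with a minimal parser for this brace-and-semicolon shape (it does not handle `inactive:`, `apply-groups` or comments other than the trailing `##` annotation), confirms that `when peers` names both hosts, checks the commit peer, its `routing-instance icl` pin and the host mapping against the peer's ICL address, and diffs the synchronized group between the nodes. Its sample input is constructed from the values shown on this page; the `icl_ip` field (the `local-ip` from `show chassis high-availability`), the `sample_node` helper and the `%`-template are the example's own.

```python
def parse_junos(text):
    """Parse Junos curly-brace 'show' output into nested dicts: '{' lines open a
    block, '}' closes it, ';' lines are leaves {first_word: rest_or_None}.
    Trailing '## SECRET-DATA' annotations are dropped before parsing."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            stack[-1][key] = value or None
        else:
            raise ValueError(f"unexpected line in Junos output: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in Junos output")
    return stack[0]


def flatten(tree, prefix=""):
    """Nested dict -> {'/a/b/leaf': value}, so two parses can be diffed."""
    out = {}
    for key, val in tree.items():
        path = f"{prefix}/{key}"
        out.update(flatten(val, path) if isinstance(val, dict) else {path: val})
    return out


def group_drift(text_a, text_b):
    """Paths that differ between two nodes' copies of a synced group; [] = none."""
    fa, fb = flatten(parse_junos(text_a)), flatten(parse_junos(text_b))
    return sorted(p for p in fa.keys() | fb.keys() if fa.get(p, "<absent>") != fb.get(p, "<absent>"))


def check_mnha_pair(a, b):
    """Cross-check the per-node groups of two MNHA peers; [] means consistent.
    Each node dict carries host, icl_ip (its 'local-ip' from show chassis
    high-availability), sync (the 'when peers' group) and local (mnha-sync-icl)."""
    findings = []
    for me, peer in ((a, b), (b, a)):
        peers = parse_junos(me["sync"])["when"]["peers"].strip("[] ").split()
        if not {a["host"], b["host"]} <= set(peers):
            findings.append(f"{me['host']}: 'when peers' is {peers}, must list both hosts")
        system = parse_junos(me["local"])["system"]
        commit_peer = system["commit"]["peers"].get(peer["host"])
        if commit_peer is None or commit_peer.get("routing-instance") != "icl":
            findings.append(f"{me['host']}: commit peer {peer['host']} missing or not pinned to routing-instance icl")
        mapping = system["static-host-mapping"].get(peer["host"])
        if mapping != f"inet {peer['icl_ip']}":
            findings.append(f"{me['host']}: static-host-mapping {peer['host']} is {mapping!r}, expected inet {peer['icl_ip']}")
    return findings


# Sample input, constructed from the values shown on this page; a real run would
# feed each node's own 'show groups mnha-sync' / 'show groups mnha-sync-icl'.
SYNC_GROUP = """\
when {
    peers [ vsrx-mnha-n0 vsrx-mnha-n1 ];
}
security {
    ike {
        proposal ike-prop {
            dh-group group20;
            encryption-algorithm aes-256-gcm;
        }
        policy ike-policy {
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
    }
}
"""
LOCAL_TMPL = """\
system {
    commit {
        peers {
            %(peer)s {
                routing-instance icl;
            }
        }
    }
    static-host-mapping {
        %(peer)s inet %(peer_icl_ip)s;
    }
}
"""


def sample_node(**v):
    return {"host": v["host"], "icl_ip": v["icl_ip"], "sync": SYNC_GROUP, "local": LOCAL_TMPL % v}


N0 = sample_node(host="vsrx-mnha-n0", icl_ip="172.26.0.1", peer="vsrx-mnha-n1", peer_icl_ip="172.26.0.2")
N1 = sample_node(host="vsrx-mnha-n1", icl_ip="172.26.0.2", peer="vsrx-mnha-n0", peer_icl_ip="172.26.0.1")
```

Run `check_mnha_pair(N0, N1)` and `group_drift(...)` after the first commit on each node or on a schedule; an empty list from both is the expected state, and any finding or drifted path is a reason to repeat the commit with `peers-synchronize` rather than to hand-edit the lagging node. Commit synchronization here rides the icl routing instance, which this design encrypts with `vpn icl` and `ha-link-encryption`, so the secrets in the synced group are not carried across the ICL in the clear; the check above does not verify that tunnel, only the group consistency.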