vSRX Virtual Firewall Cluster Staging and Provisioning for VMware

Staging and provisioning a vSRX Virtual Firewall cluster includes the following tasks:

Deploying the VMs and Additional Network Interfaces

The vSRX Virtual Firewall cluster uses three interfaces exclusively for clustering (the first two are predefined):

  • Out-of-band management interface (fxp0).

  • Cluster control link (em0).

  • Cluster fabric links (fab0 and fab1). For example, you can specify ge-0/0/0 as fab0 on node0 and ge-7/0/0 as fab1 on node1.

Initially, the VM has only two interfaces. A cluster requires three interfaces (two for the cluster and one for management) and additional interfaces to forward data. You can add interfaces through the VMware vSphere Web Client.

  1. On the VMware vSphere Web Client, click Edit Virtual Machine Settings for each VM to create additional interfaces.
  2. Click Add Hardware and specify the attributes in Table 1.
    Table 1: Hardware Attributes

    Attribute              Description
    Adapter Type           Select VMXNET 3 from the list.
    Network label          Select the network label from the list.
    Connect at power on    Ensure that there is a check mark next to this option.

Creating the Data Interfaces Using VMware

To map all the data interfaces to the desired networks:

  1. Choose Configuration > Networking.
  2. Click Add Networking to create a vSwitch for the fabric link.

    Choose the following attributes:

    • Connection Type

      • Virtual Machines

    • Network Access

      • Create a vSphere switch

      • No physical adapters

    • Port Group Properties

      • Network Label: chassis cluster Reth

      • VLAN ID: None(0)

      Click Properties to enable the following features:

      • Security > Effective Policies:

        • MAC Address Changes: Accept

        • Forged Transmits: Accept

The data interface will be connected through the data vSwitch using the above procedure.

Prestaging the Configuration from the Console

The following procedure explains the configuration commands required to set up the vSRX Virtual Firewall chassis cluster. The procedure powers up both nodes, adds the configuration to the cluster, and allows SSH remote access.

  1. Log in as the root user. There is no password.
  2. Start the CLI.
  3. Enter configuration mode.
  4. Copy the following commands and paste them into the CLI:
  5. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).
  6. To enable SSH remote access:
  7. To enable IPv6:

    This step is optional and requires a system reboot.

  8. Commit the configuration to activate it on the device.
  9. When you have finished configuring the device, exit configuration mode.

Connecting and Installing the Staging Configuration

After the vSRX Virtual Firewall cluster initial setup, set the cluster ID and the node ID, as described in Configure a vSRX Chassis Cluster in Junos OS.

After reboot, the two nodes are reachable on interface fxp0 with SSH. If the configuration is operational, the show chassis cluster status command displays output similar to that shown in the following sample output.

vSRX Virtual Firewall> show chassis cluster status

A cluster is healthy when the primary and secondary nodes are present and both have a priority greater than 0.
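
The health rule above can be checked automatically against captured command output. The following Python script is an added example, not part of the original documentation or Juniper code: it parses show chassis cluster status text and reports every redundancy group that fails the rule. The sample output is constructed, its column layout is an assumption about what the device prints, and the function names are hypothetical.

```python
import re

# Constructed sample (not from the page); column layout is an assumption.
SAMPLE_STATUS = """\
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100      primary        no      no       None
node1  150      secondary      no      no       None

Redundancy group: 1 , Failover count: 1
node0  0        primary        no      no       IF
node1  150      secondary      no      no       None
"""

GROUP_RE = re.compile(r"^Redundancy group:\s*(\d+)")
NODE_RE = re.compile(r"^(node\d+)\s+(\d+)\s+(\S+)")

def parse_cluster_status(text):
    """Return {group_id: {node_name: (priority, status)}}."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        group = GROUP_RE.match(line)
        node = NODE_RE.match(line)
        if group:
            current = groups.setdefault(int(group.group(1)), {})
        elif node and current is not None:
            current[node.group(1)] = (int(node.group(2)), node.group(3).lower())
    return groups

def unhealthy_groups(text):
    """Apply the rule: primary and secondary present, both priority > 0."""
    problems = {}
    for gid, nodes in parse_cluster_status(text).items():
        roles = sorted(status for _, status in nodes.values())
        reasons = [] if roles == ["primary", "secondary"] else ["roles seen: %s" % roles]
        reasons += ["%s priority is 0" % n for n, (p, _) in sorted(nodes.items()) if p == 0]
        if reasons:
            problems[gid] = reasons
    return problems

def is_healthy(text):
    """False if any group fails the rule or no group could be parsed at all."""
    return bool(parse_cluster_status(text)) and not unhealthy_groups(text)

if __name__ == "__main__":
    print(unhealthy_groups(SAMPLE_STATUS))
```

Treating unparseable or empty output as unhealthy keeps a failed SSH session or a truncated capture from being reported as a working cluster.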