Juniper SRX220 How to Cluster Firewall – JSRP

Start with a pair of SRX220 firewalls at factory default. Do not try to cluster firewalls that have already been configured: most of that configuration will have to be deleted in order to cluster the SRX220s (JSRP). The hardest part of clustering these boxes is not the cluster configuration itself but the amount of factory-default configuration (Layer 2 switching on the ge ports, the vlan interface, the zone bindings) that has to be removed or prepared before the cluster can be configured.

Prepping the hardware:

Plug a cat5/6 cable from port 7 (ge-0/0/7) on firewall one to port 7 on firewall two. This becomes the control link.

Plug a cat5/6 cable from port 5 (ge-0/0/5) on firewall one to port 5 on firewall two. This becomes the fabric link.

Do the steps below over a console connection only. The deletions remove the vlan interface and the ge ports you are most likely managing the box through, and enabling cluster mode re-purposes ge-0/0/6 and ge-0/0/7 and reboots the firewall, so an in-band SSH or J-Web session will be cut off part way through. If you cannot get on the console port, stop here and do not try to cluster the firewalls.

Delete the interface configuration (including the unit 0 sub-interfaces) that the factory setup creates on the ge ports.

delete interfaces ge-0/0/0.0

delete interfaces ge-0/0/0

The second command removes the whole interface stanza, unit 0 included, so the first is redundant but harmless. Do this for every "ge" interface, ge-0/0/0 through ge-0/0/7.

Now delete the rest of the factory default that we do not need at this point: the VLAN, the Layer 3 vlan interface, the trust interface-range and the untrust zone's interface binding.

delete vlans
delete interfaces vlan
delete interfaces interface-range interfaces-trust
delete security zones security-zone untrust interfaces

1) Ensure that there are no proxy ARP entries under "security nat" (show security nat proxy-arp in configuration mode). If there are, delete them.

2) Ensure that no ports are still configured for family ethernet-switching (show interfaces | display set | match ethernet-switching). If any are, remove/delete them, then commit the cleaned-up configuration before enabling cluster mode.
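The whole preparation sequence on one node, followed by the operational-mode command that actually switches the box into cluster mode, as an added example (not part of the original post). It assumes the factory-default SRX220 configuration, cluster ID 1 (any value from 1 to 15 works) and node IDs 0 and 1; run the same sequence on the second firewall with node 1.

```junos
# Added example, not from the original post. Typed over the console on node 0.
# Assumptions: factory-default SRX220, cluster-id 1, this box becomes node 0.

configure
# Factory default puts every ge port (except ge-0/0/0) in family ethernet-switching
# under unit 0. Deleting the interface stanza removes its units as well.
delete interfaces ge-0/0/0
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete interfaces ge-0/0/3
delete interfaces ge-0/0/4
delete interfaces ge-0/0/5
delete interfaces ge-0/0/6
delete interfaces ge-0/0/7
# Layer 2 leftovers that cluster mode cannot coexist with
delete vlans
delete interfaces vlan
delete interfaces interface-range interfaces-trust
# Zone bindings that referenced vlan.0 and ge-0/0/0.0 (both just deleted)
delete security zones security-zone untrust interfaces
delete security zones security-zone trust interfaces
# Step 1: proxy ARP. Anything printed by the show must go.
show security nat proxy-arp
delete security nat proxy-arp
# Step 2: confirm nothing references ethernet-switching any more (expect no output)
show interfaces | display set | match ethernet-switching
# Commit check first: if it complains about a remaining reference to vlan.0 or
# ge-0/0/0.0 (for instance under system services dhcp), delete that stanza too.
commit check
commit
exit

# Operational mode: enable cluster mode. This stores the cluster id and node id
# and reboots the box; after the reboot ge-0/0/6 is fxp0 and ge-0/0/7 is the
# control link, and all later configuration is entered as a single cluster.
set chassis cluster cluster-id 1 node 0 reboot

# On the second firewall, after the same cleanup:
# set chassis cluster cluster-id 1 node 1 reboot
```

Both nodes must use the same cluster ID; if other SRX clusters share the same Layer 2 segment, give each cluster a different ID, because the ID is part of the virtual MAC addresses the reth interfaces will use.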

Setting up the Cluster

Overview:

– Our WAN/Uplink for this setup will be 8.8.8.x
– Our Internal network will be 192.168.2.x

We will now set up the node-specific groups and the cluster management network. Note that in cluster mode port 6 (ge-0/0/6) is automatically re-purposed as the out-of-band management interface fxp0 on each node; there is no way around this. Port 7 (ge-0/0/7) becomes the control link (fxp1), which carries the heartbeats and the configuration sync between the two nodes; no way around this either. Replace HOSTNAME with a different name for each node; the apply-groups line with the ${node} variable makes each node apply only its own group.

set groups node0 system host-name HOSTNAME
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.1.1/24
set groups node1 system host-name HOSTNAME
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.1.2/24
set apply-groups "${node}"

Create the fabric links. The fabric link carries session-state synchronisation (RTOs) between the nodes and forwards transit traffic between them when needed; configuration is synced over the control link, not here. This is on port 5, where we already have cables between both firewalls. On node 1 the same port is addressed as ge-3/0/5.

set interfaces fab0 fabric-options member-interfaces ge-0/0/5
set interfaces fab1 fabric-options member-interfaces ge-3/0/5

With the control and fabric links cabled and configured, the cluster should already be formed (check with show chassis cluster status in operational mode). We just have to create the redundancy groups and assign the physical ge-0/0/x interfaces to rethx interfaces. Redundancy group 0 decides which node's Routing Engine is primary; redundancy group 1 will own the reth interfaces. The higher priority wins, so node 0 is primary for both.

set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1

Set interface monitoring on the two uplink ports, one per node. Each monitored interface carries a weight; when the summed weight of failed interfaces reaches the redundancy group's threshold (255 by default), the group fails over to the other node. With weight 255 a single uplink failure is enough.

set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/0 weight 255

Set the number of rethx interfaces the cluster will support. For this demo we need two: our uplink port ge-0/0/0 (reth0) and the internal network port ge-0/0/4 (reth1).

set chassis cluster reth-count 2

We are now going to bind the physical WAN/uplink ports on both firewalls to a redundant ethernet (reth) interface. On firewall 2 (node 1) the ports are renumbered with slot 3, so ge-3/0/0 is the port labelled 0/0/0 on firewall 2.

set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-3/0/0 gigether-options redundant-parent reth0

Assign reth0 to redundancy group 1 and give it the uplink (WAN) IP address. Only the node that is currently primary for redundancy group 1 answers on this address.

set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 8.8.8.1/24

Assign reth0 to the untrust zone, since it is the WAN side.

set security zones security-zone untrust interfaces reth0

Repeat for the internal network (192.168.2.x on ge-0/0/4 and ge-3/0/4, in the trust zone), but use reth1 for the virtual clustered interface.
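The internal side done the same way as reth0, together with the checks you would run once everything is committed, as an added example (not part of the original post). It assumes the cluster takes 192.168.2.1/24 on the inside, that the internal port is ge-0/0/4 on node 0 and ge-3/0/4 on node 1 as in the walkthrough, and that the factory-default trust-to-untrust policy was left in place.

```junos
# Added example, not from the original post.
# Assumptions: inside address 192.168.2.1/24, internal ports ge-0/0/4 (node 0)
# and ge-3/0/4 (node 1), trust zone still present from the factory default.

# reth1: internal ports on both nodes, in the same redundancy group as reth0
# so that the inside and outside fail over together
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.2.1/24
set security zones security-zone trust interfaces reth1.0

# Monitor the internal links too; otherwise an inside cable failure on the
# primary node would leave the group primary with a dead LAN port
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255
commit

# Operational-mode checks, from either node:
#   show chassis cluster status
#     - both nodes listed, one "primary" and one "secondary" per redundancy group
#   show chassis cluster interfaces
#     - control link and fabric link "Up", all monitored interfaces "Up"
#   show chassis cluster statistics
#     - control and fabric heartbeat counters increasing, no sustained errors
```

To test the failover without pulling cables, you can run "request chassis cluster failover redundancy-group 1 node 1" from operational mode and watch the primary move in show chassis cluster status; clear it afterwards with "request chassis cluster failover reset redundancy-group 1".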

Thanks,

Jason Rogers