Tuesday, July 23, 2013

[How to] remove whole chassis cluster configuration from SRX


Here are the CLI commands to break a chassis cluster:

1. In operational mode, clear the cluster ID on each node and reboot:
> set chassis cluster cluster-id 0 node 0 reboot
> set chassis cluster cluster-id 0 node 1 reboot

2. In configuration mode, load the factory defaults and set a root password (a commit will not succeed without one):
# load factory-default
# set system root-authentication plain-text-password

reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/cc_disabling.html

Wednesday, January 16, 2013

[How to] Setup PPPoE on SRX devices for internet ADSL

Many internet service providers (ISPs) use a Point-to-Point Protocol over Ethernet (PPPoE) connection for their users. This saves their valuable IP address pool, because a user's IP address is assigned on demand by the ISP: the addresses are not fixed and can easily be reused. Moreover, the technology lets the provider authenticate end users (access control), perform accounting, and monitor user behaviour for security.

The following figure is a typical model for a PPPoE setup.

A connection is established between Router A and Router B, which are the PPPoE client and the PPPoE server respectively. This point-to-point connection uses an account provided by the ISP and is authenticated with PAP and/or CHAP.

For example, assume we want to set up a PPPoE connection to get internet access. We have an SRX device and we know the account used to connect to the ISP.

So, with fe-0/0/7 as the interface connected to the internet line, we configure a logical interface pp0 that acts as the PPPoE client port.

set interfaces fe-0/0/7 unit 0 encapsulation ppp-over-ether
set interfaces pp0 unit 0 ppp-options chap default-chap-secret <PASSWORD>
set interfaces pp0 unit 0 ppp-options chap local-name <USERNAME>
set interfaces pp0 unit 0 ppp-options chap passive

set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/7.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 3
set interfaces pp0 unit 0 pppoe-options client

set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address

set routing-options static route 0.0.0.0/0 next-hop pp0.0
set security zones security-zone untrust interfaces pp0.0
Don't forget to configure a default route to this interface and add it to a zone.
Done! With all of this configured, we should now have an internet connection.

Troubleshooting
show ppp statistics
show pppoe statistics
show interfaces pp0
Note that some ISPs store your old modem device's MAC address in their PPPoE device, so you might have to ask them to reboot their device to receive your new MAC.
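As an added example (not code from the original post), here is a small Python check that reads the set commands above, as pasted from `show configuration | display set`, and catches the mistakes that keep a PPPoE client setup from working: an underlying interface without ppp-over-ether encapsulation, an MTU above 1492 (1500 minus the 8-byte PPPoE/PPP overhead), no negotiated address, no CHAP/PAP credentials, and a missing default route or zone assignment for pp0.0. The checker and the PPPOE_CFG sample are this example's own assumptions.

```python
PPPOE_OVERHEAD = 8  # 6-byte PPPoE header + 2-byte PPP protocol field, hence mtu 1492

def check_pppoe(cfg):
    """Return findings for a PPPoE client set-command config; [] means it looks complete."""
    st = [l.split()[1:] for l in cfg.splitlines() if l.split()[:1] == ["set"]]
    pp0 = [s for s in st if s[:2] == ["interfaces", "pp0"]]
    f = []
    under = next((s[-1] for s in pp0 if "underlying-interface" in s), None)
    if under is None:
        f.append("pp0 has no pppoe-options underlying-interface")
    else:  # the underlying logical interface must carry PPPoE encapsulation
        phys, unit = under.split(".")
        if ["interfaces", phys, "unit", unit, "encapsulation", "ppp-over-ether"] not in st:
            f.append(f"{under} is not encapsulated ppp-over-ether")
    mtu = next((int(s[-1]) for s in pp0 if "mtu" in s), None)
    if mtu is None or mtu > 1500 - PPPOE_OVERHEAD:
        f.append(f"pp0 family inet mtu must be set and at most {1500 - PPPOE_OVERHEAD}")
    if not any("negotiate-address" in s for s in pp0):
        f.append("pp0 does not negotiate its address from the ISP")
    auth = {s[s.index("ppp-options") + 1] for s in pp0 if "ppp-options" in s}
    if not auth & {"chap", "pap"}:
        f.append("no CHAP or PAP credentials under ppp-options")
    if ["routing-options", "static", "route", "0.0.0.0/0", "next-hop", "pp0.0"] not in st:
        f.append("no default route via pp0.0")
    if not any(s[:3] == ["security", "zones", "security-zone"] and s[-1] == "pp0.0" for s in st):
        f.append("pp0.0 is not assigned to a security zone")
    return f

# Constructed sample: the post's PPPoE commands (credentials left as placeholders).
PPPOE_CFG = """set interfaces fe-0/0/7 unit 0 encapsulation ppp-over-ether
set interfaces pp0 unit 0 ppp-options chap default-chap-secret <PASSWORD>
set interfaces pp0 unit 0 ppp-options chap local-name <USERNAME>
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/7.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 3
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set security zones security-zone untrust interfaces pp0.0"""
```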

Tuesday, December 11, 2012

[How to] Setup virtual chassis between two SRX650 devices

Setting up a virtual chassis between two SRX650 devices with 4 on-board ports:

Device      Virtual interface   Physical interface   Function                    Node
SRX650-01   fxp0                ge-0/0/0             management interface        Node0
            fxp1                ge-0/0/1             control interface
            fab0                ge-0/0/2             fabric port (data link)
SRX650-02   fxp0                ge-0/0/0             management interface        Node1
            fxp1                ge-0/0/1             control interface
            fab1                ge-0/0/2             fabric port (data link)

Note: because each device has only 4 ports, we get only one redundant Ethernet interface, reth0. With two 24-port modules we could create two or more redundant interfaces (reth0, reth1, ...).
Physical connectivity:
- ge-0/0/1 (node 0) to ge-0/0/1 (node 1)
- ge-0/0/2 (node 0) to ge-0/0/2 (node 1)
- ge-0/0/3 acts as the routing interface between zones

Configuration:
Physically connect the two devices. On the SRX650, connect ge-0/0/1 on device A to ge-0/0/1 on device B. The ge-0/0/1 interface on device B will be renamed ge-9/0/1 once clustering is enabled.
Set the devices into cluster mode with the following command and reboot them. Note that this is an operational-mode command, not a configuration-mode command.
  • On node 0:
user@host> set chassis cluster cluster-id 1 node 0 reboot


  • On node 1:
user@host> set chassis cluster cluster-id 1 node 1 reboot


After rebooting both devices, we configure on one device only; the configuration is copied to the other device automatically when we commit.

Set up the device-specific configuration such as host names and management IP addresses. This is the only part of the configuration that is unique to each node. Enter the following commands (all on the primary node):


On device A:
{primary:node0}
# set groups node0 system host-name <name-node0>
# set groups node0 interfaces fxp0 unit 0 family inet address <address-node0>
# set groups node1 system host-name <name-node1>
# set groups node1 interfaces fxp0 unit 0 family inet address <address-node1>
# set apply-groups "${node}"

- The apply-groups command is required so that the per-node settings made by the commands above are applied only to the node they belong to.
Create the fab links (data-plane links for RTO sync, etc.).

On device A:
{primary:node0}
# set interfaces fab0 fabric-options member-interfaces ge-0/0/2   
# set interfaces fab1 fabric-options member-interfaces ge-9/0/2 
  
Set up Redundancy Group 0 for the Routing Engine failover properties. Also set up Redundancy Group 1 (all interfaces are in one redundancy group in this example) to define the failover properties for the reth interfaces.
{primary:node0}
# set chassis cluster redundancy-group 0 node 0 priority 100
# set chassis cluster redundancy-group 0 node 1 priority 1
# set chassis cluster redundancy-group 1 node 0 priority 100
# set chassis cluster redundancy-group 1 node 1 priority 1

Set up interface monitoring. Monitoring the health of the interfaces is one way to trigger a redundancy-group failover; here both child ports of reth0 are monitored. Note: interface monitoring is not recommended for redundancy-group 0.
On device A:
{primary:node0}
# set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
# set chassis cluster redundancy-group 1 interface-monitor ge-9/0/3 weight 255

Set up the redundant Ethernet interfaces (reth interfaces) and assign the redundant interface to a zone. Make sure that you set the maximum number of redundant interfaces (reth-count) as follows:

On device A:
{primary:node0}  
# set chassis cluster reth-count 1
# set security zones security-zone trust interfaces reth0.0
# set interfaces ge-0/0/3 gigether-options redundant-parent reth0
# set interfaces ge-9/0/3 gigether-options redundant-parent reth0
# set interfaces fab0 fabric-options member-interfaces ge-0/0/2
# set interfaces fab1 fabric-options member-interfaces ge-9/0/2
# set interfaces reth0 vlan-tagging
# set interfaces reth0 redundant-ether-options redundancy-group 1
# set interfaces reth0 unit 10 vlan-id 10
# set interfaces reth0 unit 10 family inet address 192.168.10.1/24
# set interfaces reth0 unit 11 vlan-id 11
# set interfaces reth0 unit 11 family inet address 192.168.11.1/24
# set interfaces reth0 unit 12 vlan-id 12
# set interfaces reth0 unit 12 family inet address 192.168.12.1/24

Because only one interface, ge-0/0/3, is left for routing, we have to use vlan-tagging on its parent redundant interface reth0 and route between the VLAN units.
Commit, and the changes will be copied over to the secondary node, device B.

On device A:
{primary:node0}
# commit
This prepares the basic clustering settings for both devices.

Troubleshooting

Problem:
In my case, node 1 was in the hold/lost state, and we were unable to see the physical interfaces in 'show interface terse' on the chassis cluster.
This happens when the management or control interfaces are configured on the device.
Solution:
Delete the configured management and control interface on the device and their related configuration and commit the changes.
# delete interfaces
# commit
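As an added example (not code from the original post), here is a Python check that reads the cluster set commands above, as pasted from `show configuration | display set`, and flags the inconsistencies this post warns about: a reth-count too small for the reth interfaces used, a reth without a child port on each node, a redundancy group without priorities for both nodes, a monitored port that is not a reth child, interface monitoring on redundancy-group 0, monitor weights that can never reach the 255 default threshold, and the fxp0/fxp1 ports (ge-x/0/0, ge-x/0/1) configured under [interfaces], the cause of the hold/lost state described in the troubleshooting section. NODE1_FPC = 9 and the CLUSTER_CFG sample are taken from the post; the checker itself is this example's own.

```python
from collections import defaultdict
NODE1_FPC = 9            # slot node 1's ports move to after clustering (SRX650, from the post)
MONITOR_THRESHOLD = 255  # default interface-monitor failover threshold

def check_cluster(cfg):
    """Return findings for chassis-cluster set commands; [] means they look consistent."""
    stmts = [tuple(l.split()[1:]) for l in cfg.splitlines() if l.split()[:1] == ["set"]]
    children, rg_nodes, weights = defaultdict(set), defaultdict(set), defaultdict(int)
    rg_of_reth, ports, monitored, reth_count, f = {}, set(), set(), 0, []
    for s in filter(None, stmts):
        if s[:3] == ("chassis", "cluster", "reth-count"):
            reth_count = int(s[3])
        elif s[:3] == ("chassis", "cluster", "redundancy-group") and s[4:5] == ("node",):
            rg_nodes[int(s[3])].add(int(s[5]))
        elif s[:3] == ("chassis", "cluster", "redundancy-group") and s[4:5] == ("interface-monitor",):
            weights[int(s[3])] += int(s[7])   # weights accumulate per redundancy group
            monitored.add(s[5])
        elif s[0] == "interfaces" and s[1].startswith("ge-"):
            ports.add(s[1])
            if "redundant-parent" in s:
                children[s[-1]].add(s[1])     # physical child port of a reth
        elif s[0] == "interfaces" and s[1].startswith("reth") and "redundancy-group" in s:
            rg_of_reth[s[1]] = int(s[-1])
    if len(rg_of_reth) > reth_count:
        f.append(f"reth-count {reth_count} is below the {len(rg_of_reth)} reth interfaces used")
    for reth, rg in rg_of_reth.items():
        if {int(p[3:].split("/")[0]) for p in children[reth]} != {0, NODE1_FPC}:
            f.append(f"{reth} needs one child port on node 0 (fpc 0) and one on node 1 (fpc {NODE1_FPC})")
        if rg_nodes[rg] != {0, 1}:
            f.append(f"redundancy-group {rg} of {reth} needs a priority for node 0 and node 1")
    for rg, w in weights.items():
        if rg == 0:
            f.append("interface-monitor on redundancy-group 0 is not recommended")
        elif w < MONITOR_THRESHOLD:
            f.append(f"redundancy-group {rg} weights sum to {w} < {MONITOR_THRESHOLD}: failover can never trigger")
    for p in sorted(monitored - set().union(*children.values())):
        f.append(f"{p} is monitored but is not a reth child port")
    for p in sorted(ports & {f"ge-{n}/0/{i}" for n in (0, NODE1_FPC) for i in (0, 1)}):
        f.append(f"{p} is the fxp0/fxp1 port; configuring it can leave node 1 in hold/lost")
    return f
# Constructed sample: the post's reth0 cluster commands (node 1 ports show up as fpc 9).
CLUSTER_CFG = """set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/3 weight 255
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-9/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1"""
```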

QUESTIONS
1.      Which interfaces are used for the control and data planes?
2.      What is the purpose of a fab interface?
3.      What is an RG? What is the significance of RG-0 and RG-1?
4.      What is the default threshold for interface monitoring?
5.      What happens if the cluster-id value equals 0?

ANSWERS
1.      It depends on the devices. For most SRX devices, ge-0/0/1 is used for control plane, and ge-0/0/2 (and maybe ge-0/0/3, … in SPC 0) is used for data plane.
2.      A fabric interface acts as the data link between two devices in a cluster model. Two connected fab interfaces form a data plane between the two.
3.      An RG (Redundancy Group) is an abstract construct that includes and manages a collection of objects from both nodes. RG-0 is for reserve, while RG-1 represents a group of up to 128 redundant ethernet interfaces (reth#).
4.      255
5.      Then the device ignores virtual chassis mode.
