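Notes on configuring SRX100B dual-unit hot-standby HA. The vendor assigns F0/0/7 as the control interface and F0/0/6 as the device management interface.
1. Configure the cluster ID and node ID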
- set chassis cluster cluster-id 1 node 0 reboot
- set chassis cluster cluster-id 1 node 1 reboot
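Note: the smaller the node number, the higher its rank; it is the primary device. Also, the interfaces must be deleted first, otherwise you cannot enter configure mode after the reboot.
2. Configure the control interface and the data interface. I chose F0/0/2 as the data interface here.
The control interface defaults to F0/0/7 and needs no configuration; just connect F0/0/7 on the two devices to each other.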
- set interfaces fab0 fabric-options member-interfaces fe-0/0/2
- set interfaces fab1 fabric-options member-interfaces fe-1/0/2
Note: the data interface does not need an IP address.
3. Per-chassis configuration:
- set groups node0 system host-name SRX-A
- set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.100/24 ##### management IP of the primary device
- set groups node1 system host-name SRX-B
- set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.101/24 ##### management IP of the backup device
- set apply-groups "${node}"
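Note: the management IP on both devices is on fxp0. After configuring, remember to run set apply-groups "${node}", otherwise problems will occur.
4. Configure the redundancy groups: RG0 is for engine failover, RG1 is for data-plane failover. Note that preempt is enabled here.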
- set chassis cluster reth-count 8
- set chassis cluster redundancy-group 0 node 0 priority 200
- set chassis cluster redundancy-group 0 node 1 priority 100
- set chassis cluster redundancy-group 1 node 0 priority 200
- set chassis cluster redundancy-group 1 node 1 priority 100
- set chassis cluster redundancy-group 1 preempt
- set chassis cluster redundancy-group 1 interface-monitor fe-0/0/0 weight 255 ######## configure interface-monitor for the interface
- set chassis cluster redundancy-group 1 interface-monitor fe-0/0/1 weight 255 ######## configure interface-monitor for the interface
- set chassis cluster redundancy-group 1 interface-monitor fe-1/0/0 weight 255 ######## configure interface-monitor for the interface
- set chassis cluster redundancy-group 1 interface-monitor fe-1/0/1 weight 255 ######## configure interface-monitor for the interface
5. Add the interfaces covered by interface-monitor to the redundant interfaces reth0 and reth1, and add the redundant interfaces to RG1
- set interfaces fe-0/0/0 fastether-options redundant-parent reth0
- set interfaces fe-0/0/0 unit 0
- set interfaces fe-0/0/1 fastether-options redundant-parent reth1
- set interfaces fe-0/0/1 unit 0
- set interfaces fe-1/0/0 fastether-options redundant-parent reth0
- set interfaces fe-1/0/0 unit 0
- set interfaces fe-1/0/1 fastether-options redundant-parent reth1
- set interfaces fe-1/0/1 unit 0
- set interfaces reth0 redundant-ether-options redundancy-group 1
- set interfaces reth1 redundant-ether-options redundancy-group 1
6. Assign IP addresses to the redundant interfaces reth0 and reth1, place them in the corresponding zones, and permit traffic with policies.
- set interfaces reth0 unit 0 family inet address 202.100.1.10/24
- set interfaces reth1 unit 0 family inet address 192.168.10.10/24
- set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services all
- set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic protocols all
- set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services all
- set security zones security-zone trust interfaces reth1.0 host-inbound-traffic protocols all
- set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
- set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
- set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
- set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
- set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
- set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
- set security policies from-zone trust to-zone trust policy trust-to-trust match application any
- set security policies from-zone trust to-zone trust policy trust-to-trust then permit
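Added example (not part of the original notes): a Python check that reads the set commands from steps 3 to 6 and reports the omissions the notes warn about (no set apply-groups, a monitored interface outside any reth, a reth outside any redundancy group) together with the two broad settings in step 6 on the untrust side. The function name audit and the sample input are constructed for this example, and it assumes the zone named untrust is the external-facing one.

```python
import re

# Constructed sample: a subset of the commands above, with "set apply-groups"
# and the reth1 membership lines deliberately left out.
SAMPLE = """\
set groups node0 system host-name SRX-A
set groups node1 system host-name SRX-B
set chassis cluster redundancy-group 1 interface-monitor fe-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-1/0/1 weight 255
set interfaces fe-0/0/0 fastether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.10.10/24
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services all
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
"""

def audit(config):
    """Return a list of findings for a chassis-cluster config in 'set' format."""
    text = "\n".join(line.strip() for line in config.splitlines())
    findings = []
    # Step 3: node0/node1 groups have no effect until apply-groups is set.
    if re.search(r"^set groups node[01] ", text, re.M) and \
       not re.search(r'^set apply-groups "?\$\{node\}"?$', text, re.M):
        findings.append("apply-groups: node groups defined but never applied")
    # Steps 4-5: every monitored interface should be a member of a reth.
    monitored = set(re.findall(r"interface-monitor (\S+)", text))
    members = set(re.findall(r"^set interfaces (\S+) \S+ redundant-parent reth\d+", text, re.M))
    for ifc in sorted(monitored - members):
        findings.append(f"{ifc}: monitored but not a member of any reth")
    # Step 5: every reth should belong to a redundancy group.
    reths = set(re.findall(r"^set interfaces (reth\d+) ", text, re.M))
    in_rg = set(re.findall(r"^set interfaces (reth\d+) redundant-ether-options redundancy-group \d+", text, re.M))
    for reth in sorted(reths - in_rg):
        findings.append(f"{reth}: not assigned to a redundancy group")
    # Step 6: settings that open the untrust side completely.
    for ifc in re.findall(r"security-zone untrust interfaces (\S+) host-inbound-traffic system-services all", text):
        findings.append(f"{ifc}: all system services reachable from untrust")
    pat = r"^set security policies from-zone untrust to-zone (\S+) policy (\S+) (?:match (\S+) any|then (permit))$"
    wide = {}
    for to_zone, name, field, action in re.findall(pat, text, re.M):
        wide.setdefault((to_zone, name), set()).add(field or action)
    for (to_zone, name), seen in sorted(wide.items()):
        if seen == {"source-address", "destination-address", "application", "permit"}:
            findings.append(f"{name}: permits any/any/any from untrust to {to_zone}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```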
Source: http://www.bubuko.com/infodetail-3073876.html