■Building a vSRX HA cluster on VMware Player.
Looking at ways to evaluate the SRX using vSRX:
http://labunix.hateblo.jp/entry/20151213/1449950248
Trying out a vSRX chassis cluster (HA configuration, active/passive):
http://labunix.hateblo.jp/entry/20150919/1442600451
■The topology diagram is built as follows.
Since a reth is itself the equivalent of a LAG / PortChannel, the Cisco L3 switch originally planned can be omitted.
The script below hands graph-easy a string whose unquoted brace lists ({0,7}, {3,4}, ...) are expanded by the shell into every port combination; the awk patterns then drop the duplicated and unwanted edges, and sed colours the control/fabric, management and L2-Trust links.
$ cat vSRX-HA.sh
echo "[Untrust-Term0],\
[Untrust-Term5] -- eth0 --> \
[172.16.76.205/24\nreth2-L3-Untrust],\
[None-IP\nreth3-L2-Untrust] -- "ge-{0,7}/0/{3,4}" --> \
[vSRX-HA] -- "ge-{0,7}/0/{6,5,0,1,2}" --> \
[192.168.152.205/24\nreth0-L3-Trust],\
[None-IP\nreth1-L2-Trust],\
[172.16.76.20{3,4}/24\nmanage-link fxp0],\
[control-link fxp1],[fabric-link fab{0,1}] -- "{172.16.76,192.168.152}.100" --> \
[vm-jessie] -- WAN --> \
[The Internet]"| \
graph-easy --dot | \
awk '!a[$0]++ && \
!/fxp0.*ge-....[1256]/ && \
!/L3-Trust.*ge-....[0126]/ && \
!/L2-Trust.*ge-....[0125]/ && \
!/L2-Untrust.*[246]/ && \
!/L3-Untrust.*3/ && \
!/fxp1.*ge-....[0256]/ && \
!/fab.*ge-....[0156]/ && \
!/[cl]-link.*NAT-GW/ && \
!/NAT-GW-A.*LAN2/ && \
!/NAT-GW-P.*LAN1/ && \
!/Term0.*L2-Untrust/ && \
!/Term5.*L3-Untrust/ && \
!/[cl]-link.*1[97]2./ && \
!/e-link.*192./ && \
!/Trust.*172./' | \
sed -e 's/\([cl]-link.* *color=.\)#000000\(.*fontcolor=.\)#000000/\1#cc0000\2#cc0000/g' \
-e 's/\(e-link.* [a-z]*color=.\)#000000\(.*fontcolor=.\)#000000/\1#00cc00\2#00cc00/g' \
-e 's/\(L2-Trust.* [a-z]*color=.\)#000000\(.*fontcolor=.\)#000000/\1#0000cc\2#0000cc/g' \
-e 's/\(L2-Trust.*\), label="192.168.152.100"/\1/g' | \
dot -Tpng -o vSRX-HA.png
■Assign five host-only and two NAT adapters to each VM, then boot.
$ vmware -v
VMware Player 12.1.0 build-3272444
$ grep "hostonly\|nat" vmware/vSRX-HA{1,2}/vSRX-HA*.vmx
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet0.connectionType = "hostonly"
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet1.connectionType = "hostonly"
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet2.connectionType = "hostonly"
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet3.connectionType = "hostonly"
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet4.connectionType = "hostonly"
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet5.connectionType = "nat"
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet6.connectionType = "nat"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet0.connectionType = "hostonly"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet1.connectionType = "hostonly"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet2.connectionType = "hostonly"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet3.connectionType = "hostonly"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet4.connectionType = "hostonly"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet5.connectionType = "nat"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet6.connectionType = "nat"
■The default login is root. (node0/node1)
root
cli
show configuration | save default
file list | match default
■Delete all interfaces (node0/node1)
On models or versions where VLANs are assigned, delete the VLANs as well.
configure
delete interface
delete security
set system root-authentication plain-text-password
■Save the configuration in this state. (node0/node1)
commit and-quit
show configuration | save before-cc
■To disable the chassis cluster, enter either of the following commands
(kept ready in case something goes wrong)
set chassis cluster disable reboot
set chassis cluster-id 0 node 0 reboot
■Set the node ID and reboot (node0)
set chassis cluster cluster-id 1 node 0
request system reboot
■Set the node ID and reboot (node1)
set chassis cluster cluster-id 1 node 1
request system reboot
■Configure the host name and the management port (fxp0)
From here on, work from the primary node.
cli
show chassis status | save after-reboot
configure
set groups node0 system host-name vSRX-node0
set groups node0 interface fxp0 unit 0 family inet address 172.16.76.203/24
set groups node1 system host-name vSRX-node1
set groups node1 interface fxp0 unit 0 family inet address 172.16.76.204/24
set apply-groups ${node}
commit and-quit
■Log in via ssh
The default config is not worth showing, but the before-cc state is pasted here.
root@vSRX-node0> file show before-cc | no-more
version 12.1X47-D20.7;
system {
root-authentication {
encrypted-password "$1$yqUSA2Rz$yJ8p/QAiEVhKLuRJuEgT01";
}
services {
ssh;
web-management {
http {
interface ge-0/0/0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
{primary:node0}
■The state right after the reboot, before fxp0 was configured.
Obviously, if the peer node is not visible at this point the commit will fail, so it is better to start over.
$ ssh root@172.16.76.203
root@vSRX-node0> file show after-reboot
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures
Redundancy group: 0 , Failover count: 1
node0 1 primary no no None
node1 1 secondary-hold no no None
{primary:node0}
■Check fxp0
root@vSRX-node0> show interfaces fxp0 terse
Interface Admin Link Proto Local Remote
fxp0 up up
fxp0.0 up up inet 172.16.76.203/24
{primary:node0}
■Logging in to node1 and checking shows node1's own IP address on fxp0.
request routing-engine login node 1
cli
root@vSRX-node1> show interfaces fxp0 terse
Interface Admin Link Proto Local Remote
fxp0 up up
fxp0.0 up up inet 172.16.76.204/24
{secondary:node1}
■fxp1 (the control link) is assigned automatically.
root@vSRX-node0> show interfaces fxp1 terse
Interface Admin Link Proto Local Remote
fxp1 up up
fxp1.0 up up inet 129.16.0.1/2
tnp 0x1100001
{primary:node0}
■Configure the fabric links (fab0/fab1)
configure
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-7/0/2
commit and-quit
■Check the fab0/fab1 configuration
root@vSRX-node0> show interfaces fab0 terse
Interface Admin Link Proto Local Remote
fab0 up up
fab0.0 up up inet 30.17.0.200/24
{primary:node0}
root@vSRX-node0> show interfaces fab1 terse
Interface Admin Link Proto Local Remote
fab1 up up
fab1.0 up up inet 30.18.0.200/24
{primary:node0}
■Configure the reth interfaces.
First define how many reth interfaces to provision.
The count can be increased later, but redundancy-group 0 is reserved for lo0, so it cannot actually be used for a reth.
configure
set chassis cluster reth-count 5
commit and-quit
root@vSRX-node0> show interfaces terse | match reth
reth0 up down
reth1 up down
reth2 up down
reth3 up down
reth4 up down
{primary:node0}
■Set the priorities.
configure
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 2 node 0 priority 200
set chassis cluster redundancy-group 2 node 1 priority 100
set chassis cluster redundancy-group 3 node 0 priority 200
set chassis cluster redundancy-group 3 node 1 priority 100
set chassis cluster redundancy-group 4 node 0 priority 200
set chassis cluster redundancy-group 4 node 1 priority 100
commit and-quit
■Failover is performed per reth (one redundancy group per reth).
root@vSRX-node0> show chassis cluster status | no-more
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures
Redundancy group: 0 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
Redundancy group: 1 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
Redundancy group: 2 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
Redundancy group: 3 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
Redundancy group: 4 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
{primary:node0}
■Fail reth1 over from node0 to node1
The secondary node's priority is rewritten to 255, which shows that the failover took place.
request chassis cluster failover redundancy-group 1 node 1
root@vSRX-node0> show chassis cluster status | last 15 | no-more
Redundancy group: 0 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
Redundancy group: 1 , Failover count: 2
node0 200 secondary no yes None
node1 255 primary no yes None
Redundancy group: 2 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
Redundancy group: 3 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
Redundancy group: 4 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
{primary:node0}
■Fail reth1 back from node1 to node0
The secondary node's priority returns to 100, which shows that the failback took place.
request chassis cluster failover reset redundancy-group 1
root@vSRX-node0> show chassis cluster status | last 15 | no-more
Redundancy group: 0 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
Redundancy group: 1 , Failover count: 2
node0 200 secondary no no None
node1 100 primary no no None
Redundancy group: 2 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
Redundancy group: 3 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
Redundancy group: 4 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
{primary:node0}
■Configure the L3 reths.
configure
set interfaces reth0 unit 0 family inet address 192.168.152.205/24
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces ge-0/0/5 gigether-options redundant-parent reth0
set interfaces ge-7/0/5 gigether-options redundant-parent reth0
set interfaces reth2 unit 0 family inet address 172.16.76.205/24
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces ge-0/0/4 gigether-options redundant-parent reth2
set interfaces ge-7/0/4 gigether-options redundant-parent reth2
commit and-quit
■Check the L3 reths.
root@vSRX-node0> show interfaces reth[02] terse
Interface Admin Link Proto Local Remote
reth0 up up
reth2 up up
{primary:node0}
root@vSRX-node0> show interfaces reth[02].0 terse
Interface Admin Link Proto Local Remote
reth0.0 up up inet 192.168.152.205/24
reth2.0 up up inet 172.16.76.205/24
{primary:node0}
root@vSRX-node0> show interfaces ge-[07]/0/[45] terse
Interface Admin Link Proto Local Remote
ge-0/0/4 up up
ge-0/0/5 up up
ge-7/0/4 up up
ge-7/0/5 up up
{primary:node0}
■Configure the L2 reths.
Since these are L2, no IP address is set.
Each L2 reth gets its own member interfaces: ge-0/0/6 and ge-7/0/6 for reth1, ge-0/0/3 and ge-7/0/3 for reth3, as in the diagram.
configure
set interfaces reth1 unit 0 family inet
set interfaces reth1 redundant-ether-options redundancy-group 3
set interfaces ge-0/0/6 gigether-options redundant-parent reth1
set interfaces ge-7/0/6 gigether-options redundant-parent reth1
set interfaces reth3 unit 0 family inet
set interfaces reth3 redundant-ether-options redundancy-group 4
set interfaces ge-0/0/3 gigether-options redundant-parent reth3
set interfaces ge-7/0/3 gigether-options redundant-parent reth3
commit and-quit
root@vSRX-node0> show interfaces reth[13] terse
Interface Admin Link Proto Local Remote
reth1 up down
reth3 up down
{primary:node0}
root@vSRX-node0> show interfaces reth[13].0 terse
Interface Admin Link Proto Local Remote
reth1.0 up down inet
reth3.0 up down inet
{primary:node0}
root@vSRX-node0> show interfaces ge-[07]/0/[36] terse
Interface Admin Link Proto Local Remote
ge-0/0/3 up up
ge-0/0/6 up up
ge-7/0/3 up up
ge-7/0/6 up up
{primary:node0}
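A consistency check for the L3 and L2 reth sections above, added here as an example (not code from the original post): it reads set-format configuration and verifies that every reth has a redundancy-group above 0, an index below reth-count, and one member interface on each node. The constructed sample deliberately parents the ge-x/0/6 children to reth0 instead of reth1, the kind of copy-paste slip that leaves a reth with no members and its link down.

```python
import re
from collections import defaultdict

# Constructed sample in "show configuration | display set" form. It contains
# a deliberate copy-paste mistake: the ge-x/0/6 children are parented to reth0
# instead of reth1, so reth1 has no members and its link stays down.
SAMPLE_CONFIG = """\
set chassis cluster reth-count 5
set interfaces reth0 unit 0 family inet address 192.168.152.205/24
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces ge-0/0/5 gigether-options redundant-parent reth0
set interfaces ge-7/0/5 gigether-options redundant-parent reth0
set interfaces reth1 unit 0 family inet
set interfaces reth1 redundant-ether-options redundancy-group 3
set interfaces ge-0/0/6 gigether-options redundant-parent reth0
set interfaces ge-7/0/6 gigether-options redundant-parent reth0
"""

COUNT_RE = re.compile(r"^set chassis cluster reth-count (\d+)$")
RG_RE = re.compile(r"^set interfaces (reth\d+) redundant-ether-options redundancy-group (\d+)$")
CHILD_RE = re.compile(r"^set interfaces ge-(\d+)/\d+/\d+ gigether-options redundant-parent (reth\d+)$")

def check_reth_config(text):
    """Return a list of problems; an empty list means the reths look sane."""
    reth_count, rg_of, members = None, {}, defaultdict(set)
    for line in text.splitlines():
        if m := COUNT_RE.match(line):
            reth_count = int(m.group(1))
        elif m := RG_RE.match(line):
            rg_of[m.group(1)] = int(m.group(2))
        elif m := CHILD_RE.match(line):
            # In this two-node vSRX cluster node0 owns FPC 0 and node1 owns FPC 7.
            members[m.group(2)].add("node0" if m.group(1) == "0" else "node1")
    problems = []
    if reth_count is None:
        problems.append("chassis cluster reth-count is not set")
    for reth, rg in sorted(rg_of.items()):
        if reth_count is not None and int(reth[4:]) >= reth_count:
            problems.append(f"{reth}: index is beyond reth-count {reth_count}")
        if rg < 1:
            problems.append(f"{reth}: redundancy-group 0 cannot carry a reth")
        missing = {"node0", "node1"} - members[reth]
        if missing:
            problems.append(f"{reth}: no member interface on {', '.join(sorted(missing))}")
    for reth in sorted(set(members) - set(rg_of)):
        problems.append(f"{reth}: has member interfaces but no redundancy-group")
    return problems
```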
■Configure the zones.
On the SRX, zones are bound to interfaces.
configure
set security zones security-zone L3-Trust interface reth0
set security zones security-zone L2-Trust interface reth1
set security zones security-zone L3-Untrust interface reth2
set security zones security-zone L2-Untrust interface reth3
commit and-quit
■Allow J-Web on fxp0
set system services web-management http interface fxp0.0
root@vSRX-node0> show configuration | display set | match web-management
set system services web-management http interface ge-0/0/0.0
set system services web-management http interface fxp0.0
{primary:node0}
■Routing configuration (default route via reth0)
set routing-options static route 0/0 next-hop 192.168.152.1
root@vSRX-node0> show route
inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:12:18
> to 192.168.152.1 via reth0.0
172.16.76.0/24 *[Direct/0] 01:44:22
> via fxp0.0
[Direct/0] 01:04:02
> via reth2.0
172.16.76.203/32 *[Local/0] 01:44:22
Local via fxp0.0
172.16.76.205/32 *[Local/0] 01:04:02
Local via reth2.0
192.168.152.0/24 *[Direct/0] 01:10:25
> via reth0.0
192.168.152.205/32 *[Local/0] 01:10:25
Local via reth0.0
{primary:node0}
■Configure an allow-all policy from L3-Untrust to L3-Trust
configure
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match source-address any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match destination-address any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match application any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal then permit
commit and-quit
■Check the system alarms
root@vSRX-node0> show system alarms
node0:
--------------------------------------------------------------------------
1 alarms currently active
Alarm time Class Description
2015-12-20 22:56:14 UTC Minor Rescue configuration is not set
node1:
--------------------------------------------------------------------------
1 alarms currently active
Alarm time Class Description
2015-12-20 22:56:06 UTC Minor Rescue configuration is not set
{primary:node0}
■Clear node1's alarm by logging in to node1 and saving the rescue configuration there as well.
request system configuration rescue save
request routing-engine login node 1
cli
request system configuration rescue save
exit
exit
root@vSRX-node0> show system alarms
node0:
--------------------------------------------------------------------------
No alarms currently active
node1:
--------------------------------------------------------------------------
No alarms currently active
{primary:node0}
■Create an administrator account
Verify by logging in over SSH
configure
set system login user labunix class super-user
set system login user labunix authentication plain-text-password
commit and-quit
■Configure the domain name and DNS
Verify with the BSD dig command from the shell
configure
set system domain-name localdomain
set system name-server 172.16.76.2
set system name-server 192.168.152.2
commit and-quit
exit
dig yahoo.co.jp
% dig -v
DiG 9.6.-ESV-R11
■Configure NTP time synchronization and the time zone
configure
set system ntp server 172.16.76.100
set system ntp server 192.168.152.100
set system ntp source-address 192.168.152.205
set system time-zone Asia/Tokyo
commit and-quit
set date ntp
show ntp associations
show ntp status
■Configure SNMP, SNMP traps and syslog
set snmp community public authorization read-only
set snmp trap-group private targets 172.16.76.100
set system syslog host 172.16.76.100 facility-override local7
■Collect all the support information at once.
root@vSRX-node0> request support information | save check.log