
labunix's blog

labunix's Lab Unix

Building a vSRX HA cluster on VMware Player.

■Building a vSRX HA cluster on VMware Player.

 Considering ways to evaluate SRX using vSRX.
 http://labunix.hateblo.jp/entry/20151213/1449950248

 Trying out a vSRX chassis cluster (HA configuration, active/passive).
 http://labunix.hateblo.jp/entry/20150919/1442600451

■The topology is as follows.
 Since a reth is itself the equivalent of a LAG / Port-Channel, the Cisco L3 switch I had planned for can be omitted.

$ cat vSRX-HA.sh 
#!/bin/bash

echo "[Untrust-Term0],\
        [Untrust-Term5] -- eth0 --> \
      [172.16.76.205/24\nreth2-L3-Untrust],\
        [None-IP\nreth3-L2-Untrust] -- "ge-{0,7}/0/{3,4}" --> \
      [vSRX-HA] -- "ge-{0,7}/0/{6,5,0,1,2}" --> \
      [192.168.152.205/24\nreth0-L3-Trust],\
      [None-IP\nreth1-L2-Trust],\
        [172.16.76.20{3,4}/24\nmanage-link fxp0],\
        [control-link fxp1],[fabric-link fab{0,1}] -- "{172.16.76,192.168.152}.100" --> \
      [vm-jessie] -- WAN --> \
      [The Internet]"| \
  graph-easy --dot | \
  awk '!a[$0]++ && \
       !/fxp0.*ge-....[1256]/ && \
       !/L3-Trust.*ge-....[0126]/ && \
       !/L2-Trust.*ge-....[0125]/ && \
       !/L2-Untrust.*[246]/ && \
       !/L3-Untrust.*3/ && \
       !/fxp1.*ge-....[0256]/ && \
       !/fab.*ge-....[0156]/ && \
       !/[cl]-link.*NAT-GW/ && \
       !/NAT-GW-A.*LAN2/ && \
       !/NAT-GW-P.*LAN1/ && \
       !/Term0.*L2-Untrust/ && \
       !/Term5.*L3-Untrust/ && \
       !/[cl]-link.*1[97]2./ && \
       !/e-link.*192./ && \
       !/Trust.*172./' | \
  sed -e 's/\([cl]-link.* *color=.\)#000000\(.*fontcolor=.\)#000000/\1#cc0000\2#cc0000/g' \
      -e 's/\(e-link.* [a-z]*color=.\)#000000\(.*fontcolor=.\)#000000/\1#00cc00\2#00cc00/g' \
      -e 's/\(L2-Trust.* [a-z]*color=.\)#000000\(.*fontcolor=.\)#000000/\1#0000cc\2#0000cc/g' \
      -e 's/\(L2-Trust.*\), label="192.168.152.100"/\1/g' | \
  #cat
  dot -Tpng -o vSRX-HA.png

[Figure: vSRX-HA.png, the topology diagram generated by the script above]

■Assign five host-only adapters and two NAT adapters, then boot.

$ vmware -v
VMware Player 12.1.0 build-3272444

$ grep "hostonly\|nat" vmware/vSRX-HA{1,2}/vSRX-HA*.vmx
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet0.connectionType = "hostonly"
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet1.connectionType = "hostonly"
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet2.connectionType = "hostonly"
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet3.connectionType = "hostonly"
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet4.connectionType = "hostonly"
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet5.connectionType = "nat"
vmware/vSRX-HA1/vSRX-HA1.vmx:ethernet6.connectionType = "nat"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet0.connectionType = "hostonly"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet1.connectionType = "hostonly"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet2.connectionType = "hostonly"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet3.connectionType = "hostonly"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet4.connectionType = "hostonly"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet5.connectionType = "nat"
vmware/vSRX-HA2/vSRX-HA2.vmx:ethernet6.connectionType = "nat"

■The default login is root. (node0/node1)

root
cli
show configuration | save default
file list | match default

■Delete all interfaces (node0/node1)
 On models and versions that ship with VLANs assigned, delete the VLANs as well.

configure
delete interface
delete security
set system root-authentication plain-text-password

■Save the configuration at this point. (node0/node1)

commit and-quit
show configuration | save before-cc

■To dissolve the chassis cluster, enter either of the following commands
 ※Kept ready in case something fails

set chassis cluster disable reboot
set chassis cluster-id 0 node 0 reboot

■Set the node ID and reboot (node0)

set chassis cluster cluster-id 1 node 0
request system reboot

■Set the node ID and reboot (node1)

set chassis cluster cluster-id 1 node 1
request system reboot

■Set the hostnames and the management port (fxp0)
 From here on, all work is done from the primary node.

cli
show chassis cluster status | save after-reboot
configure
set groups node0 system host-name vSRX-node0
set groups node0 interface fxp0 unit 0 family inet address 172.16.76.203/24
set groups node1 system host-name vSRX-node1
set groups node1 interface fxp0 unit 0 family inet address 172.16.76.204/24
set apply-groups ${node}
commit and-quit

■Log in via SSH
 The default configuration can be skipped, but I'll paste the before-cc state here.

root@vSRX-node0> file show before-cc | no-more                
## Last commit: 2015-12-20 22:47:42 UTC by root
version 12.1X47-D20.7;
system {
    root-authentication {
        encrypted-password "$1$yqUSA2Rz$yJ8p/QAiEVhKLuRJuEgT01"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}

{primary:node0}

■State after the reboot, before fxp0 was configured.
 Obviously, if the peer node is not visible at this point, commit will fail,
 so it is better to start over from the beginning.

$ ssh root@172.16.76.203

root@vSRX-node0> file show after-reboot 
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring
 
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures
 
Redundancy group: 0 , Failover count: 1
node0  1        primary        no      no       None
node1  1        secondary-hold no      no       None

{primary:node0}

■Check fxp0

root@vSRX-node0> show interfaces fxp0 terse 
Interface               Admin Link Proto    Local                 Remote
fxp0                    up    up  
fxp0.0                  up    up   inet     172.16.76.203/24

{primary:node0}

■Logging in to node1 and checking shows node1's IP address on fxp0.

request routing-engine login node 1
cli

root@vSRX-node1> show interfaces fxp0 terse 
Interface               Admin Link Proto    Local                 Remote
fxp0                    up    up  
fxp0.0                  up    up   inet     172.16.76.204/24

{secondary:node1}

■fxp1 (the control link) is assigned automatically.

root@vSRX-node0> show interfaces fxp1 terse 
Interface               Admin Link Proto    Local                 Remote
fxp1                    up    up  
fxp1.0                  up    up   inet     129.16.0.1/2    
                                   tnp      0x1100001       

{primary:node0}

■Configure the fabric links (fab0/fab1)

configure
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-7/0/2
commit and-quit

■Check the fab0/fab1 configuration

root@vSRX-node0> show interfaces fab0 terse 
Interface               Admin Link Proto    Local                 Remote
fab0                    up    up  
fab0.0                  up    up   inet     30.17.0.200/24  

{primary:node0}
root@vSRX-node0> show interfaces fab1 terse      
Interface               Admin Link Proto    Local                 Remote
fab1                    up    up  
fab1.0                  up    up   inet     30.18.0.200/24  

{primary:node0}

■Configure the reth interfaces.
 First, define how many reth interfaces to prepare.
 The count can be increased later, but redundancy-group 0 is for lo0, so in practice it cannot be used for a reth.

configure
set chassis cluster reth-count 5
commit and-quit

root@vSRX-node0> show interfaces terse | match reth     
reth0                   up    down
reth1                   up    down
reth2                   up    down
reth3                   up    down
reth4                   up    down

{primary:node0}

■Set the priorities.

configure
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 2 node 0 priority 200
set chassis cluster redundancy-group 2 node 1 priority 100
set chassis cluster redundancy-group 3 node 0 priority 200
set chassis cluster redundancy-group 3 node 1 priority 100
set chassis cluster redundancy-group 4 node 0 priority 200
set chassis cluster redundancy-group 4 node 1 priority 100
commit and-quit

■Failover is performed per reth.

root@vSRX-node0> show chassis cluster status | no-more 
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring              
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring
 
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

Redundancy group: 1 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

Redundancy group: 2 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

Redundancy group: 3 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

Redundancy group: 4 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

{primary:node0}

■Fail reth1 over from node0 to node1
 The secondary node's priority has been rewritten to 255, which shows that the failover took place.

request chassis cluster failover redundancy-group 1 node 1

root@vSRX-node0> show chassis cluster status | last 15 | no-more    

Redundancy group: 0 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

Redundancy group: 1 , Failover count: 2
node0  200      secondary      no      yes      None           
node1  255      primary        no      yes      None           

Redundancy group: 2 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

Redundancy group: 3 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

Redundancy group: 4 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           
                         
{primary:node0}

■Fail reth1 back from node1 to node0
 The secondary node's priority has returned to 100, which shows that it failed back.

request chassis cluster failover reset redundancy-group 1

root@vSRX-node0> show chassis cluster status | last 15 | no-more            

Redundancy group: 0 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

Redundancy group: 1 , Failover count: 2
node0  200      secondary      no      no       None           
node1  100      primary        no      no       None           

Redundancy group: 2 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

Redundancy group: 3 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

Redundancy group: 4 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           
                                        
{primary:node0}
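
As an added example (not from the original post), here is a small Python checker that parses the `show chassis cluster status` table shown above and flags a redundancy group that is in a manual failover (priority forced to 255, Manual = yes), whose primary is not the expected node, or that reports a monitor failure. The sample text is a constructed copy of the RG0/RG1 rows above; `expected_primary` defaults to node0 because that is the higher-priority node in this post.

```python
import re

# Constructed sample input: the RG0/RG1 rows of "show chassis cluster status" as
# shown in this post, captured right after the manual failover of RG1 to node1.
SAMPLE_STATUS = """\
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  200      primary        no      no       None
node1  100      secondary      no      no       None

Redundancy group: 1 , Failover count: 2
node0  200      secondary      no      yes      None
node1  255      primary        no      yes      None
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^(node\d)\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)\s+(\S+)")

def parse_cluster_status(text):
    """Map each redundancy group to its failover count and per-node state."""
    groups, current = {}, None
    for line in text.splitlines():
        m = RG_RE.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = {"failover_count": int(m.group(2)), "nodes": {}}
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            groups[current]["nodes"][m.group(1)] = {
                "priority": int(m.group(2)), "status": m.group(3),
                "preempt": m.group(4) == "yes", "manual": m.group(5) == "yes",
                "monitor_failures": m.group(6),
            }
    return groups

def find_anomalies(groups, expected_primary="node0"):
    """Flag manual failovers (priority forced to 255), unexpected primaries and monitor failures."""
    findings = []
    for rg, info in sorted(groups.items()):
        nodes = info["nodes"]
        if any(st["manual"] or st["priority"] == 255 for st in nodes.values()):
            findings.append(f"RG{rg}: manual failover in effect (priority forced to 255)")
        primary = [n for n, st in nodes.items() if st["status"] == "primary"]
        if primary and primary[0] != expected_primary:
            findings.append(f"RG{rg}: primary is {primary[0]}, expected {expected_primary}")
        for node, st in nodes.items():
            if st["monitor_failures"] != "None":
                findings.append(f"RG{rg}: {node} reports monitor failure {st['monitor_failures']}")
    return findings
```

Running `find_anomalies(parse_cluster_status(SAMPLE_STATUS))` reports RG1 twice: once for the manual failover and once because node1 is primary.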

■Configure the L3 reth interfaces.

configure
set interfaces reth0 unit 0 family inet address 192.168.152.205/24
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces ge-0/0/5 gigether-options redundant-parent reth0
set interfaces ge-7/0/5 gigether-options redundant-parent reth0
set interfaces reth2 unit 0 family inet address 172.16.76.205/24
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces ge-0/0/4 gigether-options redundant-parent reth2
set interfaces ge-7/0/4 gigether-options redundant-parent reth2
commit and-quit

■Check the L3 reth interfaces.

root@vSRX-node0> show interfaces reth[02] terse 
Interface               Admin Link Proto    Local                 Remote
reth0                   up    up  
reth2                   up    up  

{primary:node0}

root@vSRX-node0> show interfaces reth[02].0 terse        
Interface               Admin Link Proto    Local                 Remote
reth0.0                 up    up   inet     192.168.152.205/24
reth2.0                 up    up   inet     172.16.76.205/24

{primary:node0}

root@vSRX-node0> show interfaces ge-[07]/0/[45] terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/4                up    up  
ge-0/0/5                up    up  
ge-7/0/4                up    up  
ge-7/0/5                up    up  

{primary:node0}

■Configure the L2 reth interfaces.
 Since they are L2, no IP address is configured. The child ports are attached to reth1 (ge-x/0/6) and reth3 (ge-x/0/3) as in the topology; a reth with no member interfaces stays link down.

configure
set interfaces reth1 unit 0 family inet
set interfaces reth1 redundant-ether-options redundancy-group 3
set interfaces ge-0/0/6 gigether-options redundant-parent reth1
set interfaces ge-7/0/6 gigether-options redundant-parent reth1
set interfaces reth3 unit 0 family inet
set interfaces reth3 redundant-ether-options redundancy-group 4
set interfaces ge-0/0/3 gigether-options redundant-parent reth3
set interfaces ge-7/0/3 gigether-options redundant-parent reth3
commit and-quit

root@vSRX-node0> show interfaces reth[13] terse 
Interface               Admin Link Proto    Local                 Remote
reth1                   up    down
reth3                   up    down

{primary:node0}
root@vSRX-node0> 

root@vSRX-node0> show interfaces reth[13].0 terse  
Interface               Admin Link Proto    Local                 Remote
reth1.0                 up    down inet    
reth3.0                 up    down inet    

{primary:node0}

root@vSRX-node0> show interfaces ge-[07]/0/[36] terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/3                up    up  
ge-0/0/6                up    up  
ge-7/0/3                up    up  
ge-7/0/6                up    up  

{primary:node0}
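
As an added example (not part of the original post), a Python check that reads `display set` lines for the reth configuration and verifies that each reth has a non-zero redundancy group, fits within `reth-count`, and has exactly one child interface on each node (node1's ports appear as FPC 7, as in the outputs above). The sample is constructed from the set commands of this post, with the L2-reth children deliberately attached to reth0 so the check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample: "display set" lines for the reth configuration in this post, with the
# L2-reth child interfaces deliberately attached to reth0 so the check has something to report.
SAMPLE_CONFIG = """\
set chassis cluster reth-count 5
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces ge-0/0/5 gigether-options redundant-parent reth0
set interfaces ge-7/0/5 gigether-options redundant-parent reth0
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces ge-0/0/4 gigether-options redundant-parent reth2
set interfaces ge-7/0/4 gigether-options redundant-parent reth2
set interfaces reth1 redundant-ether-options redundancy-group 3
set interfaces ge-0/0/6 gigether-options redundant-parent reth0
set interfaces ge-7/0/6 gigether-options redundant-parent reth0
set interfaces reth3 redundant-ether-options redundancy-group 4
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth0
"""

COUNT_RE = re.compile(r"^set chassis cluster reth-count (\d+)$")
RG_RE = re.compile(r"^set interfaces (reth\d+) redundant-ether-options redundancy-group (\d+)$")
CHILD_RE = re.compile(r"^set interfaces (ge-(\d+)/\d+/\d+) gigether-options redundant-parent (reth\d+)$")

def check_reth_config(text, node1_fpc=7):
    """Return problems: reth beyond reth-count, no RG or RG 0, or a node without exactly
    one child interface (node1's ports show up as FPC 7 in a two-node vSRX cluster)."""
    reth_count, rg_of = None, {}
    children = defaultdict(lambda: {0: [], 1: []})   # reth -> node -> child ports
    for line in text.splitlines():
        m_count, m_rg, m_child = COUNT_RE.match(line), RG_RE.match(line), CHILD_RE.match(line)
        if m_count:
            reth_count = int(m_count.group(1))
        elif m_rg:
            rg_of[m_rg.group(1)] = int(m_rg.group(2))
        elif m_child:
            node = 1 if int(m_child.group(2)) == node1_fpc else 0
            children[m_child.group(3)][node].append(m_child.group(1))
    problems = []
    for reth in sorted(set(rg_of) | set(children), key=lambda r: int(r[4:])):
        if reth_count is not None and int(reth[4:]) >= reth_count:
            problems.append(f"{reth}: index exceeds reth-count {reth_count}")
        if reth not in rg_of:
            problems.append(f"{reth}: no redundancy-group assigned")
        elif rg_of[reth] == 0:
            problems.append(f"{reth}: redundancy-group 0 cannot be used for a reth")
        for node in (0, 1):
            n = len(children[reth][node])
            if n != 1:
                problems.append(f"{reth}: node{node} has {n} child interface(s), expected 1")
    return problems
```

With the sample above, `check_reth_config(SAMPLE_CONFIG)` reports reth0 with three children per node and reth1/reth3 with none; pointing the ge-x/0/6 and ge-x/0/3 parents at reth1 and reth3 makes the list empty.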

■Configure the zones.
 On SRX, zones are apparently designed to be bound to interfaces.

configure
set security zones security-zone L3-Trust interface reth0
set security zones security-zone L2-Trust interface reth1
set security zones security-zone L3-Untrust interface reth2
set security zones security-zone L2-Untrust interface reth3
commit and-quit

■Allow J-Web

set system services web-management http interface fxp0.0

root@vSRX-node0> show configuration | display set | match web-management
set system services web-management http interface ge-0/0/0.0
set system services web-management http interface fxp0.0

{primary:node0}

■Routing configuration

set routing-options static route 0/0 next-hop 192.168.152.1

root@vSRX-node0> show route          

inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:12:18
                    > to 192.168.152.1 via reth0.0
172.16.76.0/24     *[Direct/0] 01:44:22
                    > via fxp0.0
                    [Direct/0] 01:04:02
                    > via reth2.0
172.16.76.203/32   *[Local/0] 01:44:22
                      Local via fxp0.0
172.16.76.205/32   *[Local/0] 01:04:02
                      Local via reth2.0
192.168.152.0/24   *[Direct/0] 01:10:25
                    > via reth0.0
192.168.152.205/32 *[Local/0] 01:10:25
                      Local via reth0.0

{primary:node0}

■Configure a permit-all policy from L3-Untrust to L3-Trust

configure
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match source-address any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match destination-address any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match application any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal then permit
commit and-quit

■Check the system alarms

root@vSRX-node0> show system alarms 
node0:
--------------------------------------------------------------------------
1 alarms currently active
Alarm time               Class  Description
2015-12-20 22:56:14 UTC  Minor  Rescue configuration is not set

node1:
--------------------------------------------------------------------------
1 alarms currently active
Alarm time               Class  Description
2015-12-20 22:56:06 UTC  Minor  Rescue configuration is not set

{primary:node0}

■Clear node1's alarm by logging in to node1 and saving a rescue configuration there.

request system configuration rescue save
request routing-engine login node 1
cli
request system configuration rescue save
exit
exit

root@vSRX-node0> show system alarms 
node0:
--------------------------------------------------------------------------
No alarms currently active

node1:
--------------------------------------------------------------------------
No alarms currently active

{primary:node0}


■Create an administrator account
 Confirm by logging in over SSH

configure
set system login user labunix class super-user
set system login user labunix authentication plain-text-password
commit and-quit

■Configure the domain name and DNS
 Verify with the BSD dig command from the shell

configure
set system domain-name localdomain
set system name-server 172.16.76.2
set system name-server 192.168.152.2
commit and-quit
exit
dig yahoo.co.jp

% dig -v
DiG 9.6.-ESV-R11

■Configure NTP time synchronisation and the time zone

configure
set system ntp server 172.16.76.100
set system ntp server 192.168.152.100
set system ntp source-address 192.168.152.205
set system time-zone Asia/Tokyo
commit and-quit

set date ntp
show ntp associations
show ntp status

■Configure SNMP, SNMP traps and syslog

set snmp community public authorization read-only
set snmp trap-group private targets 172.16.76.100
set system syslog host 172.16.76.100 facility-override local7

■Collect all support information in one go.

root@vSRX-node0> request support information | save check.log