Example: Configuring an Active/Passive Chassis Cluster Pair with an IPsec Tunnel (CLI)

Enabling clustering
In node 0:
user@host> set chassis cluster node 0 cluster-id 1warning: A reboot is required for chassis cluster to be enabled
In node 1:
user@host> set chassis cluster node 1 cluster-id 1 rebootSuccessfully enabled chassis cluster. Going to reboot now.{primary:node1}user@host# set chassis cluster control-ports fpc 2 port 0{primary:node1}user@host# set chassis cluster control-ports fpc 14 port 0
Management interface
In a cluster, the configuration is shared among the cluster members. Member-specific configurations (such as the IP address of the management port of each member) are entered using configuration groups.
{primary:node1}user@host# set groups node0 system host-name SRX5800-1{primary:node1}user@host# set groups node0 interfaces fxp0 unit 0 family inet address 172.19.100.50/24{primary:node1}user@host#set groups node1 system host-name SRX5800-2{primary:node1}user@host# set groups node1 interfaces fxp0 unit 0 family inet address 172.19.100.51/24{primary:node1}user@host# set apply-groups “${node}”
Fabric interface
{primary:node1}user@host# set interfaces fab0 fabric-options member-interfaces xe-5/3/0{primary:node1}user@host# set interfaces fab1 fabric-options member-interfaces xe-17/3/0
Redundancy groups
{primary:node1}user@host# set chassis cluster reth-count 2{primary:node1}user@host# set chassis cluster heartbeat-interval 1000{primary:node1}user@host# set chassis cluster heartbeat-threshold 3{primary:node1}user@host# set chassis cluster node 0{primary:node1}user@host# set chassis cluster node 1{primary:node1}user@host# set chassis cluster redundancy-group 0 node 0 priority 254{primary:node1}user@host# set chassis cluster redundancy-group 0 node 1 priority 1{primary:node1}user@host# set chassis cluster redundancy-group 1 node 0 priority 254{primary:node1}user@host# set chassis cluster redundancy-group 1 node 1 priority 1{primary:node1}user@host# set chassis cluster redundancy-group 1 preempt{primary:node1}user@host# set chassis cluster redundancy-group 1 interface-monitor xe-5/0/0 weight 255{primary:node1}user@host# set chassis cluster redundancy-group 1 interface-monitor xe-5/1/0 weight 255{primary:node1}user@host# set chassis cluster redundancy-group 1 interface-monitor xe-17/0/0 weight 255{primary:node1}user@host# set chassis cluster redundancy-group 1 interface-monitor xe-17/1/0 weight 255
Redundant Ethernet interfaces
{primary:node1}user@host# set interfaces xe-5/1/0 gigether-options redundant-parent reth1{primary:node1}user@host# set interfaces xe-17/1/0 gigether-options redundant-parent reth1{primary:node1}user@host# set interfaces xe-5/0/0 gigether-options redundant-parent reth0{primary:node1}user@host# set interfaces xe-17/0/0 gigether-options redundant-parent reth0{primary:node1}user@host# set interfaces reth0 redundant-ether-options redundancy-group 1{primary:node1}user@host# set interfaces reth0 unit 0 family inet address 10.1.1.60/16{primary:node1}user@host# set interfaces reth1 redundant-ether-options redundancy-group 1{primary:node1}user@host# set interfaces reth1 unit 0 family inet address 10.2.1.60/16
IPsec configuration
{primary:node1}user@host# set interfaces st0 unit 0 multipoint family inet address 10.10.1.1/30{primary:node1}user@host# set interfaces st0 family inet address 10.10.1.1/30{primary:node1}user@host# set security ike policy preShared mode main{primary:node1}user@host# set security ike policy preShared proposal-set standard{primary:node1}user@host# set security ike policy preShared pre-shared-key ascii-text "juniper"## Encrypted password{primary:node1}user@host# set security ike gateway SRX210-1 ike-policy preShared{primary:node1}user@host# set security ike gateway SRX210-1 address 10.1.1.90{primary:node1}user@host# set security ike gateway SRX210-1 external-interface reth0.0{primary:node1}user@host# set security ipsec policy std proposal-set standard{primary:node1}user@host# set security ipsec vpn SRX210-1 bind-interface st0.0{primary:node1}user@host# set security ipsec vpn SRX210-1 vpn-monitor optimized{primary:node1}user@host# set security ipsec vpn SRX210-1 ike gateway SRX210-1{primary:node1}user@host# set security ipsec vpn SRX210-1 ike ipsec-policy std{primary:node1}user@host# set security ipsec vpn SRX210-1 establish-tunnels immediately
Static routes
{primary:node1}user@host# set routing-options static route 0.0.0.0/0 next-hop 10.2.1.1{primary:node1}user@host# set routing-options static route 10.3.0.0/16 next-hop 10.10.1.2
Security zones
{primary:node1}user@host# set security zones security-zone Untrust host-inbound-traffic system-services all{primary:node1}user@host# set security zones security-zone Untrust host-inbound-traffic protocols all{primary:node1}user@host# set security zones security-zone Untrust interfaces reth1.0{primary:node1}user@host# set security zones security-zone Trust host-inbound-traffic system-services all{primary:node1}user@host# set security zones security-zone Trust host-inbound-traffic protocols all{primary:node1}user@host# set security zones security-zone Trust interfaces reth0.0{primary:node1}user@host# set security zones security-zone vpn host-inbound-traffic system-services all{primary:node1}user@host# set security zones security-zone vpn host-inbound-traffic protocols all{primary:node1}user@host# set security zones security-zone vpn interfaces st0.0
Security policies
{primary:node1}user@host# set security policies from-zone Trust to-zone Untrust policy ANY match source-address any{primary:node1}user@host# set security policies from-zone Trust to-zone Untrust policy ANY match destination-address any{primary:node1}user@host# set security policies from-zone Trust to-zone Untrust policy ANY match application any{primary:node1}user@host# set security policies from-zone Trust to-zone vpn policy ANY then permit

Example: Configuring an Active/Passive Chassis Cluster Pair with an IPsec Tunnel (CLI)

Related Topics