
Example: Configure Multinode High Availability in a Hybrid Deployment

Read this topic to learn how to configure the Multinode High Availability solution on SRX Series Firewalls. The example covers configuration in active/backup mode when the SRX Series Firewalls are connected to a router on one side and to a switch on the other side.

Overview

In a hybrid deployment, the participating SRX Series Firewalls operate as independent nodes in a mixed mode, with routed networks on one side and locally connected networks on the other side. An encrypted logical interchassis link (ICL) connects the nodes over a routed network.

In Multinode High Availability, activeness is determined at the services redundancy group (SRG) level. The SRX Series Firewall on which SRG1 is active hosts the floating IP address, and traffic is steered towards that node using the floating IP address. During a failover, the floating IP address moves from the old active node to the new active node, so communication with client devices continues.

Note:

As of Junos OS Release 22.3R1, we support a two-node configuration in the Multinode High Availability solution.

In this example, you'll establish high availability between the SRX Series Firewalls and secure the tunnel traffic by enabling HA link encryption.

Requirements

This example uses the following hardware and software components:

  • Two SRX Series Firewalls or vSRX Virtual Firewall instances
  • A Juniper Networks® MX960 Universal Routing Platform at one end
  • A Juniper Networks® EX9214 Ethernet Switch at the other end
  • Junos OS Release 22.3R1

Topology

Figure 1 shows the topology used in this example.

Figure 1: Multinode High Availability in a Hybrid Network

As shown in the topology, two SRX Series Firewalls are connected to a router on the untrust side and to a switch on the trust side of the network. The nodes communicate with each other using a routable IP address (floating IP address) over the network. Loopback interfaces are used to host the IP addresses on the SRX Series Firewalls and on the upstream router.

In general, you can use an Aggregated Ethernet (AE) interface or a revenue Ethernet port on the SRX Series Firewalls to set up the ICL connection. In this example, we've used GE ports for the ICL. We've also configured a routing instance for the ICL path to ensure maximum segmentation.

In a typical high availability deployment, you have multiple routers and switches on the northbound and southbound sides of the network. For this example, we are using one router and one switch.

You'll perform the following tasks to build a Multinode High Availability setup:

  • Configure a pair of SRX Series Firewalls as local and peer nodes by assigning IDs.
  • Configure services redundancy groups (SRGs).
  • Configure a loopback interface (lo0.0) to host a floating IP address on the Layer 3 side.
  • Configure virtual IP addresses for activeness determination and enforcement on the Layer 2 side.
  • Configure a signal route required for activeness enforcement and use it along with the route exists policy.
  • Configure a VPN profile for the high availability (ICL) traffic using IKEv2.
  • Configure BFD monitoring options.
  • Configure a routing policy and routing options.
  • Configure appropriate security policies to manage traffic in your network.
  • Configure stateless firewall filtering and quality of service (QoS) as per your network requirements.

  • Configure interfaces and zones according to your network requirement. You must allow services such as IKE for link encryption and SSH for configuration synchronization as host-inbound system services on the security zone that is associated with the ICL.

In this example, you use static routes on SRX-1 and SRX-2 and advertise these routes into BGP, adding a metric to determine which SRX Series Firewall is in the preferred path. Alternatively, you can use route reflectors on the SRX Series Firewalls to advertise the routes learned via BGP and configure the routing policy to match on BGP accordingly.

You can configure the following options on SRG0 and SRG1:

  • SRG1: Active/backup signal route, deployment type, activeness priority, preemption, virtual IP address (for default gateway deployments), activeness probing, and process-packet-on-backup.

  • SRG1: BFD monitoring, IP monitoring, and interface monitoring options.

  • SRG0: shutdown-on-failure and install-on-failure route options.

    When you configure monitoring (BFD, IP, or interface) options under SRG1, we recommend that you do not configure the shutdown-on-failure option under SRG0.

For the interchassis link (ICL), we recommend the following configuration settings:

  • Use a loopback (lo0) interface over an aggregated Ethernet interface (ae0) or any revenue Ethernet interface to establish the ICL. Do not use the dedicated HA ports (control and fabric ports), if they are available on your SRX Series Firewall.
  • Set an MTU of 1514.
  • Allow the following services on the security zone associated with the interfaces used for the ICL:
    • IKE, high-availability, and SSH

    • The protocols required by the routing protocol you use

    • BFD to monitor the neighboring routes

Configuration

Before You Begin

The Junos IKE package is required on your SRX Series Firewalls for Multinode High Availability configuration. This package is available as a default package or as an optional package on SRX Series Firewalls. See Support for Junos IKE Package for details.

If the package is not installed by default on your SRX Series Firewall, use the following command to install it. This step is required for ICL encryption.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

These configurations are captured from a lab environment, and are provided for reference only. Actual configurations may vary based on the specific requirements of your environment.

On SRX-1 Device

On SRX-2 Device

The following sections show the configuration snippets on the router and switch required to set up Multinode High Availability in the network.

On the Router (MX960)

On the Switch (EX9214)

Configuration

Step-by-Step Procedure

We're showing the configuration of SRX-1 in the step-by-step procedure.

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure interfaces.

    Interface ge-0/0/3 connects to the switch, ge-0/0/4 connects to the router, and ge-0/0/2 is used for the ICL.

  2. Configure the loopback interfaces.

    Assign the IP address (10.11.0.1) to the loopback interface. This IP address acts as the floating IP address.

    Using the loopback interface ensures that at any given point, traffic from the adjacent routers will be steered toward the floating IP address (that is, toward the active node).

  3. Configure the security policies.

    Ensure you have configured security policies as per your network requirements. In this example, you'll configure a policy to permit all traffic.

  4. Configure security zones, assign interfaces to the zones, and specify the allowed system services for the security zones.

    Assign the interfaces ge-0/0/3 and ge-0/0/4 to the trust and untrust zones respectively. Assign the lo0.0 interface to the untrust zone to connect over the public IP network. Assign the interface ge-0/0/2 to the halink zone. You use this zone to set up the ICL.

  5. Configure routing options.

  6. Configure both local node and peer node details, such as the node ID, the IP addresses of the local node and peer node, and the interface for the peer node.

    You'll use the ge-0/0/2 interface for communicating with the peer node using the ICL.

  7. Attach the IPsec VPN profile IPSEC_VPN_ICL to the peer node.

    You'll need this configuration to establish a secure ICL link between the nodes.

  8. Configure Bidirectional Forwarding Detection (BFD) protocol options for the peer node.

  9. Associate the peer node ID 2 to the services redundancy group 0 (SRG0).

  10. Configure the services redundancy group 1 (SRG1).

    In this step, you specify the deployment type as hybrid, because you are setting up Multinode High Availability in a Layer 3 and Layer 2 network.

    Assign a virtual IP (VIP) address and an interface for SRG1.

  11. Configure IP and BFD monitoring parameters for SRG1 to check the reachability of an IP address and to detect failures in the network.

    You can configure BFD liveness detection by specifying source and destination IP addresses and the interface connecting to the peer device.

    For IP monitoring, specify the interfaces used for connecting to the neighboring router and switch.

  12. Configure an active signal route required for activeness enforcement.

    In this step, the active SRX Series Firewall creates the route with IP address 10.39.1.1 and the backup SRX Series Firewall creates the route with IP address 10.39.1.2, depending on the configuration. In this example, the policy on SRX-1 matches on 10.39.1.1 (since it is active) and advertises static/direct routes with a metric of 10, making it preferred. The policy on SRX-2 matches on 10.39.1.2 (since it is backup) and advertises static/direct routes with a metric of 20, making it less preferred.

    The active signal route IP address you assign is used for route preference advertisement.

    Note: You must specify the active signal route along with the route-exists policy in the policy-options statement. When you configure the active-signal-route with the if-route-exists condition, the HA module adds this route to the routing table.

  13. Configure policy options.

  14. Configure BFD peering session options and specify liveness detection timers.

  15. Configure CA certificates as per your requirements.

  16. Define the Internet Key Exchange (IKE) configuration for Multinode High Availability. An IKE configuration defines the algorithms and keys used to establish a secure connection.

    For the Multinode High Availability feature, you must configure the IKE version as v2-only.

  17. Specify the IPsec proposal protocol and encryption algorithm. Specify IPsec options to create an IPsec tunnel between the two participant devices to secure VPN communication.

    The same VPN name, IPSEC_VPN_ICL, must be specified as the vpn_profile in the chassis high-availability configuration. Specifying the ha-link-encryption option encrypts the ICL to secure the high availability traffic flow between the nodes.

Configuration Options for Software Upgrades

In Multinode High Availability, during a software upgrade, you can divert traffic away from a node by shutting down its interfaces. Traffic then cannot pass through that node. See Software Upgrade in Multinode High Availability for details.

  1. Configure all traffic interfaces under the shutdown-on-failure option. Example:

    CAUTION:

    Do not use interfaces assigned for the interchassis link (ICL).

Results (SRX-1)

From configuration mode, confirm your configuration by entering the following commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Results (SRX-2)

From configuration mode, confirm your configuration by entering the following commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

On your security devices, you'll get the following message that asks you to reboot the device:

Verification

Confirm that the configuration is working properly.

Check Multinode High Availability Details

Purpose

View and verify the details of the Multinode High Availability setup configured on your security device.

Action

From operational mode, run the following command:

On SRX-1

On SRX-2

Meaning

Verify these details from the command output:

  • Local node and peer node details such as IP address and ID.

  • The field Encrypted: YES indicates that the traffic is protected.

  • The field Deployment Type: HYBRID indicates a hybrid mode configuration—that is, the network has a router on one side and a switch on the other.

  • The field Services Redundancy Group: 1 indicates the status of the SRG1 (ACTIVE or BACKUP) on that node.

Check Multinode High Availability Peer Node Status

Purpose

View and verify the peer node details.

Action

From operational mode, run the following command:

SRX-1

SRX-2

Meaning

Verify these details from the command output:

  • Peer node details such as interface used, IP address, and ID

  • Encryption status, connection status, and cold synchronization status

  • Packet statistics across the node.

Check Multinode High Availability Service Redundancy Groups

Purpose

Verify that the SRGs are configured and working correctly.

Action

From operational mode, run the following command:

For SRG0:

For SRG1:

Meaning

Verify these details from the command output:

  • Peer node details such as deployment type, status, and active and backup signal routes.

  • Virtual IP Information such as IP address and virtual MAC address.

  • IP monitoring and BFD monitoring status.

Verify the Multinode High Availability Status Before and After Failover

Purpose

Check the change in node status before and after failover in a Multinode High Availability setup.

Action

To check the Multinode High Availability status on the backup node (SRX-2), run the following command from operational mode:

Under the Services Redundancy Group: 1 section, you can see the Status: BACKUP field. This field value indicates that the status of SRG1 is backup.

Initiate the failover on the active node (SRX-1 device) and again run the command on the backup node (SRX-2).

Note that under the Services Redundancy Group: 1 section, the status of SRG1 has changed from BACKUP to ACTIVE.

You can also see peer node details under the Peer Information section. The output shows the status of the peer as BACKUP.
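As an added check for the Meaning sections above and the before/after failover verification (example code, not part of the Juniper documentation), this Python helper parses the fields those sections name (Encrypted, Deployment Type, Services Redundancy Group, Status) from each node's output and flags the two failure modes a failover test can expose: SRG1 active on both nodes (split-brain) or on neither. The sample output is constructed here; the real field layout on an SRX may differ, and the parser only keys on the field names the page lists.

```python
import re

# Constructed sample output for SRX-1, modelled only on the field names this page's
# Meaning sections call out. The layout is an assumption, not a real SRX capture.
SRX1_INFO = """\
HA Peer Information:
    Peer Id: 2   IP address: 192.0.2.2   Interface: ge-0/0/2.0
    Encrypted: YES   Conn State: UP   Cold Sync Status: COMPLETED
Services Redundancy Group: 0
    Status: ACTIVE
Services Redundancy Group: 1
    Deployment Type: HYBRID
    Status: ACTIVE
"""
# SRX-2 sees the same picture from the other side, but its SRG1 is BACKUP (SRG0 stays ACTIVE on both).
SRX2_INFO = (SRX1_INFO.replace("Peer Id: 2   IP address: 192.0.2.2", "Peer Id: 1   IP address: 192.0.2.1")
             .replace("HYBRID\n    Status: ACTIVE", "HYBRID\n    Status: BACKUP"))

def parse_ha_info(text):
    """Extract ICL encryption, deployment type and per-SRG status from one node's output."""
    info = {"encrypted": None, "deployment_type": None, "srg_status": {}}
    srg = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Services Redundancy Group:\s*(\d+)", line):
            srg = int(m.group(1))  # Status: lines that follow belong to this SRG
        elif m := re.search(r"Encrypted:\s*(\w+)", line):
            info["encrypted"] = m.group(1).upper()
        elif m := re.search(r"Deployment Type:\s*(\w+)", line):
            info["deployment_type"] = m.group(1).upper()
        elif (m := re.match(r"Status:\s*(\w+)", line)) and srg is not None:
            info["srg_status"][srg] = m.group(1).upper()
    return info

def check_pair(local_text, peer_text):
    """Return findings for a node pair; an empty list means the page's verification checks pass."""
    nodes = {"local": parse_ha_info(local_text), "peer": parse_ha_info(peer_text)}
    findings = []
    for name, info in nodes.items():
        if info["encrypted"] != "YES":
            findings.append(f"{name}: ICL not encrypted (Encrypted: {info['encrypted']})")
        if info["deployment_type"] != "HYBRID":
            findings.append(f"{name}: deployment type {info['deployment_type']}, expected HYBRID")
    active = [n for n, i in nodes.items() if i["srg_status"].get(1) == "ACTIVE"]
    if not active:
        findings.append("SRG1 is not active on either node: floating IP is unhosted")
    elif len(active) == 2:
        findings.append("SRG1 active on both nodes: split-brain, floating IP hosted twice")
    return findings
```

Run `check_pair` once before the failover and once after; a healthy pair returns an empty list in both runs, with the ACTIVE role having moved from one node to the other.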