Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Logical Systems in a Chassis Cluster

A chassis cluster provides high availability on SRX Series Firewalls where two devices operate as a single device. Chassis cluster includes the synchronization of configuration files and the dynamic runtime session states between the SRX Series Firewalls, which are part of chassis cluster setup. For more information, see the following topics:

Understanding Logical Systems in the Context of Chassis Cluster

The behavior of a chassis cluster whose nodes consist of SRX Series Firewalls running logical systems is the same as that of a cluster whose SRX Series nodes in the cluster are not running logical systems. No difference exists between events that cause a node to fail over. In particular, if a link associated with a single logical system fails, then the device fails over to another node in the cluster.

The primary administrator configures the chassis cluster (including both primary and secondary nodes) before he or she creates and configures the logical systems. Each node in the cluster has the same configuration, as is the case for nodes in a cluster not running logical systems. All logical system configurations are synchronized and replicated between both nodes in the cluster.

When you use SRX Series Firewalls running logical systems within a chassis cluster, you must purchase and install the same number of licenses for each node in the chassis cluster. Logical systems licenses pertain to a single chassis, or node, within a chassis cluster and not to the cluster collectively.

Starting with Junos OS Release 12.3X48-D50, when you configure the logical systems within a chassis cluster, if logical systems licenses on backup node are not sufficient when you commit the configuration, a warning message is displayed about the number of licenses required on backup node as well, just as on primary node in all the previous releases.

Example: Configuring Logical Systems in an Active/Passive Chassis Cluster (Primary Administrators Only)

This example shows how to configure logical systems in a basic active/passive chassis cluster.

Note:

The primary administrator configures the chassis cluster and creates logical systems (including an optional interconnect logical system), administrators, and security profiles. Either the primary administrator or the user logical system administrator configures a user logical system. The configuration is synchronized between nodes in the cluster.

Requirements

Before you begin:

Note:

For this example, chassis cluster and logical system configuration is performed on the primary (node 0) device at the root level by the primary administrator. Log in to the device as the primary administrator. See Understanding the Primary Logical Systems and the Primary Administrator Role.

Note:

When you use SRX Series Firewalls running logical systems in a chassis cluster, you must purchase and install the same number of logical system licenses for each node in the chassis cluster. Logical system licenses pertain to a single chassis or node within a chassis cluster and not to the cluster collectively.

Overview

In this example, the basic active/passive chassis cluster consists of two devices:

  • One device actively provides logical systems, along with maintaining control of the chassis cluster.

  • The other device passively maintains its state for cluster failover capabilities should the active device become inactive.

Note:

Logical systems in an active/active chassis cluster are configured in a similar manner as for logical systems in an active/passive chassis cluster. For active/active chassis clusters, there can be multiple redundancy groups that can be primary on different nodes.

The primary administrator configures the following logical systems on the primary device (node 0):

  • Primary logical system—The primary administrator configures a security profile to provision portions of the system’s security resources to the primary logical system and configures the resources of the primary logical system.

  • User logical systems LSYS1 and LSYS2 and their administrators—The primary administrator also configures security profiles to provision portions of the system’s security resources to user logical systems. The user logical system administrator can then configure interfaces, routing, and security resources allocated to his or her logical system.

  • Interconnect logical system LSYS0 that connects logical systems on the device—The primary administrator configures logical tunnel interfaces between the interconnect logical system and each logical system. These peer interfaces effectively allow for the establishment of tunnels.

Note:

This example does not describe configuring features such as NAT, IDP, or VPNs for a logical system. See SRX Series Logical Systems Primary Administrator Configuration Tasks Overview and User Logical Systems Configuration Overview for more information about features that can be configured for logical systems.

If you are performing proxy ARP in a chassis cluster configuration, you must apply the proxy ARP configuration to the reth interfaces rather than the member interfaces because the reth interfaces contain the logical configurations. See Configuring Proxy ARP for NAT (CLI Procedure).

Topology

Figure 1 shows the topology used in this example.

Figure 1: Logical Systems in a Chassis ClusterLogical Systems in a Chassis Cluster

Configuration

Chassis Cluster Configuration (Primary Administrator)

CLI Quick Configuration

To quickly create logical systems and user logical system administrators and configure the primary and interconnect logical systems, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

On {primary:node0}

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a chassis cluster:

Note:

Perform the following steps on the primary device (node 0). They are automatically copied over to the secondary device (node 1) when you execute a commit command.

  1. Configure control ports for the clusters.

  2. Configure the fabric (data) ports of the cluster that are used to pass RTOs in active/passive mode.

  3. Assign some elements of the configuration to a specific member. Configure out-of-band management on the fxp0 interface of the SRX Services Gateway using separate IP addresses for the individual control planes of the cluster.

  4. Configure redundancy groups for chassis clustering.

  5. Configure the data interfaces on the platform so that in the event of a data plane failover, the other chassis cluster member can take over the connection seamlessly.

Results

From operational mode, confirm your configuration by entering the show configuration command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Logical System Configuration (Primary Administrator)

CLI Quick Configuration

To quickly create logical systems and user logical system administrators and configure the primary and interconnect logical systems, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Note:

You are prompted to enter and then reenter plain-text passwords.

On {primary:node0}

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To create logical systems and user logical system administrators and configure the primary and interconnect logical systems:

  1. Create the interconnect and user logical systems.

  2. Configure user logical system administrators.

    Step-by-Step Procedure
    1. Configure the user logical system administrator for LSYS1.

    2. Configure the user logical system administrator for LSYS2.

  3. Configure security profiles and assign them to logical systems.

    Step-by-Step Procedure
    1. Configure a security profile and assign it to the root logical system.

    2. Assign a dummy security profile containing no resources to the interconnect logical system LSYS0.

    3. Configure a security profile and assign it to LSYS1.

    4. Configure a security profile and assign it to LSYS2.

  4. Configure the primary logical system.

    Step-by-Step Procedure
    1. Configure logical tunnel interfaces.

    2. Configure a routing instance.

    3. Configure zones.

    4. Configure security policies.

  5. Configure the interconnect logical system.

    Step-by-Step Procedure
    1. Configure logical tunnel interfaces.

    2. Configure the VPLS routing instance.

  6. Configure logical tunnel interfaces for the user logical systems.

    Step-by-Step Procedure
    1. Configure logical tunnel interfaces for LSYS1.

    2. Configure logical tunnel interfaces for LSYS2.

Results

From configuration mode, confirm the configuration for LSYS0 by entering the show logical-systems LSYS0 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm the configuration for the primary logical system by entering the show interfaces, show routing-instances, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

User Logical System Configuration (User Logical System Administrator)

CLI Quick Configuration

To quickly configure user logical systems, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Enter the following commands while logged in as the user logical system administrator for LSYS1:

Enter the following commands while logged in as the user logical system administrator for LSYS2:

Step-by-Step Procedure
Note:

The user logical system administrator performs the following configuration while logged in to his or her user logical system. The primary administrator can also configure a user logical system at the [edit logical-systems logical-system] hierarchy level.

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure the LSYS1 user logical system:

  1. Configure interfaces.

  2. Configure routing.

  3. Configure zones and security policies.

Step-by-Step Procedure

To configure the LSYS2 user logical system:

  1. Configure interfaces.

  2. Configure routing.

  3. Configure zones and security policies.

Results

From configuration mode, confirm the configuration for LSYS1 by entering the show interfaces, show routing-instances, show routing-options, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm the configuration for LSYS2 by entering the show interfaces, show routing-instances, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Chassis Cluster Status

Purpose

Verify the chassis cluster status, failover status, and redundancy group information.

Action

From operational mode, enter the show chassis cluster status command.

Troubleshooting Chassis Cluster with Logs

Purpose

Identify any chassis cluster issues by looking at the logs on both nodes.

Action

From operational mode, enter these show log commands.

Verifying Logical System Licenses

Purpose

Verify information about logical system licenses.

Action

From operational mode, enter the show system license status logical-system all command.

Verifying Logical System License Usage

Purpose

Verify information about logical system license usage.

Note:

The actual number of licenses used is only displayed on the primary node.

Action

From operational mode, enter the show system license command.

Verifying Intra-Logical System Traffic on a Logical System

Purpose

Verify information about currently active security sessions within a logical system.

Action

From operational mode, enter the show security flow session logical-system LSYS1 command.

Verifying Intra-Logical System Traffic Within All Logical Systems

Purpose

Verify information about currently active security sessions on all logical systems.

Action

From operational mode, enter the show security flow session logical-system all command.

Verifying Traffic Between User Logical Systems

Purpose

Verify information about currently active security sessions between logical systems.

Action

From operational mode, enter the show security flow session logical-system logical-system-name command.

Example: Configuring Logical Systems in an Active/Passive Chassis Cluster (IPv6) (Primary Administrators Only)

This example shows how to configure logical systems in a basic active/passive chassis cluster with IPv6 addresses.

Note:

The primary administrator configures the chassis cluster and creates logical systems (including an optional interconnect logical system), administrators, and security profiles. Either the primary administrator or the user logical system administrator configures a user logical system. The configuration is synchronized between nodes in the cluster.

Requirements

Before you begin:

  • Obtain two SRX Series Firewalls with identical hardware configurations. See Example: Configuring an Active/Passive Chassis Cluster on SRX5800 Devices. This chassis cluster deployment scenario includes the configuration of the SRX Series Firewall for connections to an MX240 edge router and an EX8208 Ethernet Switch.

  • Physically connect the two devices (back-to-back for the fabric and control ports) and ensure that they are the same models. You can configure both the fabric and control ports on the SRX5000 line. For the SRX1400 or SRX1500 devices or the SRX3000 line, you can configure the fabric ports only. (Platform support depends on the Junos OS release in your installation.)

  • Set the chassis cluster ID and node ID on each device and reboot the devices to enable clustering. See Example: Setting the Node ID and Cluster ID for Security Devices in a Chassis Cluster .

Note:

For this example, chassis cluster and logical system configuration is performed on the primary (node 0) device at the root level by the primary administrator. Log in to the device as the primary administrator. See Understanding the Primary Logical Systems and the Primary Administrator Role.

Note:

When you use SRX Series Firewalls running logical systems in a chassis cluster, you must purchase and install the same number of logical system licenses for each node in the chassis cluster. Logical system licenses pertain to a single chassis or node within a chassis cluster and not to the cluster collectively.

Overview

In this example, the basic active/passive chassis cluster consists of two devices:

  • One device actively provides logical systems, along with maintaining control of the chassis cluster.

  • The other device passively maintains its state for cluster failover capabilities should the active device become inactive.

Note:

Logical systems in an active/active chassis cluster are configured in a similar manner as for logical systems in an active/passive chassis cluster. For active/active chassis clusters, there can be multiple redundancy groups that can be primary on different nodes.

The primary administrator configures the following logical systems on the primary device (node 0):

  • Primary logical system—The primary administrator configures a security profile to provision portions of the system’s security resources to the primary logical system and configures the resources of the primary logical system.

  • User logical systems LSYS1 and LSYS2 and their administrators—The primary administrator also configures security profiles to provision portions of the system’s security resources to user logical systems. The user logical system administrator can then configure interfaces, routing, and security resources allocated to his or her logical system.

  • Interconnect logical system LSYS0 that connects logical systems on the device—The primary administrator configures logical tunnel interfaces between the interconnect logical system and each logical system. These peer interfaces effectively allow for the establishment of tunnels.

Note:

This example does not describe configuring features such as NAT, IDP, or VPNs for a logical system. See SRX Series Logical Systems Primary Administrator Configuration Tasks Overview and User Logical Systems Configuration Overview for more information about features that can be configured for logical systems.

If you are performing proxy ARP in a chassis cluster configuration, you must apply the proxy ARP configuration to the reth interfaces rather than the member interfaces because the reth interfaces contain the logical configurations. See Configuring Proxy ARP for NAT (CLI Procedure).

Topology

Figure 2 shows the topology used in this example.

Figure 2: Logical Systems in a Chassis Cluster (IPv6)Logical Systems in a Chassis Cluster (IPv6)

Configuration

Chassis Cluster Configuration with IPv6 Addresses (Primary Administrator)

CLI Quick Configuration

To quickly create logical systems and user logical system administrators and configure the primary and interconnect logical systems, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

On {primary:node0}

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a chassis cluster:

Note:

Perform the following steps on the primary device (node 0). They are automatically copied over to the secondary device (node 1) when you execute a commit command.

  1. Configure control ports for the clusters.

  2. Configure the fabric (data) ports of the cluster that are used to pass RTOs in active/passive mode.

  3. Assign some elements of the configuration to a specific member. Configure out-of-band management on the fxp0 interface of the SRX Services Gateway using separate IP addresses for the individual control planes of the cluster.

  4. Configure redundancy groups for chassis clustering.

  5. Configure the data interfaces on the platform so that in the event of a data plane failover, the other chassis cluster member can take over the connection seamlessly.

Results

From operational mode, confirm your configuration by entering the show configuration command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Logical System Configuration with IPv6 Addresses (Primary Administrator)

CLI Quick Configuration

To quickly create logical systems and user logical system administrators and configure the primary and interconnect logical systems, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Note:

You are prompted to enter and then reenter plain-text passwords.

On {primary:node0}

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To create logical systems and user logical system administrators and configure the primary and interconnect logical systems:

  1. Create the interconnect and user logical systems.

  2. Configure user logical system administrators.

    Step-by-Step Procedure
    1. Configure the user logical system administrator for LSYS1.

    2. Configure the user logical system administrator for LSYS2.

  3. Configure security profiles and assign them to logical systems.

    Step-by-Step Procedure
    1. Configure a security profile and assign it to the root logical system.

    2. Assign a dummy security profile containing no resources to the interconnect logical system LSYS0.

    3. Configure a security profile and assign it to LSYS1.

    4. Configure a security profile and assign it to LSYS2.

  4. Configure the primary logical system.

    Step-by-Step Procedure

    1. Configure logical tunnel interfaces.

    2. Configure a routing instance.

    3. Configure zones.

    4. Configure security policies.

  5. Configure the interconnect logical system.

    Step-by-Step Procedure
    1. Configure logical tunnel interfaces.

    2. Configure the VPLS routing instance.

  6. Configure logical tunnel interfaces for the user logical systems.

    Step-by-Step Procedure
    1. Configure logical tunnel interfaces for LSYS1.

    2. Configure logical tunnel interfaces for LSYS2.

Results

From configuration mode, confirm the configuration for LSYS0 by entering the show logical-systems LSYS0 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm the configuration for the primary logical system by entering the show interfaces, show routing-instances, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

User Logical System Configuration with IPv6 (User Logical System Administrator)

CLI Quick Configuration

To quickly configure user logical systems, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Enter the following commands while logged in as the user logical system administrator for LSYS1:

Enter the following commands while logged in as the user logical system administrator for LSYS2:

Step-by-Step Procedure
Note:

The user logical system administrator performs the following configuration while logged in to his or her user logical system. The primary administrator can also configure a user logical system at the [edit logical-systems logical-system] hierarchy level.

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure the LSYS1 user logical system:

  1. Configure interfaces.

  2. Configure routing.

  3. Configure zones and security policies.

Step-by-Step Procedure

To configure the LSYS2 user logical system:

  1. Configure interfaces.

  2. Configure routing.

  3. Configure zones and security policies.

Results

From configuration mode, confirm the configuration for LSYS1 by entering the show interfaces, show routing-instances, show routing-options, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm the configuration for LSYS2 by entering the show interfaces, show routing-instances, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Chassis Cluster Status (IPv6)

Purpose

Verify the chassis cluster status, failover status, and redundancy group information.

Action

From operational mode, enter the show chassis cluster status command.

Troubleshooting Chassis Cluster with Logs (IPv6)

Purpose

Use these logs to identify any chassis cluster issues. You should run these logs on both nodes.

Action

From operational mode, enter these show log commands.

Verifying Logical System Licenses (IPv6)

Purpose

Verify information about logical system licenses.

Action

From operational mode, enter the show system license status logical-system all command.

Verifying Logical System License Usage (IPv6)

Purpose

Verify information about logical system license usage.

Note:

The actual number of licenses used is only displayed on the primary node.

Action

From operational mode, enter the show system license command.

Verifying Intra-Logical System Traffic on a Logical System (IPv6)

Purpose

Verify information about currently active security sessions within a logical system.

Action

From operational mode, enter the show security flow session logical-system LSYS1 command.

Verifying Intra-Logical System Traffic Within All Logical Systems (IPv6)

Purpose

Verify information about currently active security sessions on all logical systems.

Action

From operational mode, enter the show security flow session logical-system all command.

Verifying Traffic Between User Logical Systems (IPv6)

Purpose

Verify information about currently active security sessions between logical systems.

Action

From operational mode, enter the show security flow session logical-system logical-system-name command.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
12.3X48-D50
Starting with Junos OS Release 12.3X48-D50, when you configure the logical systems within a chassis cluster, if logical systems licenses on backup node are not sufficient when you commit the configuration, a warning message is displayed about the number of licenses required on backup node as well, just as on primary node in all the previous releases.