srx 220 cluster 3 zones + dmz


Not yet finished.

To do:

  • dhcp relay
  • pass dhcp settings
  • nat

Config at the moment:

root@srxC-1# show | display set 
set version 12.1X46-D30.2
set groups node0 system host-name srxC-1
set groups node0 interfaces fxp0 unit 0 family inet address 10.210.14.135/27
set groups node1 system host-name srxC-2
set groups node1 interfaces fxp0 unit 0 family inet address 10.210.14.136/27
set apply-groups "${node}"
set system root-authentication encrypted-password "$1$r/Ym5vue$BfCLpEinDJluTBXP8zGXC."
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services dhcp-local-server group POOL_LAB interface reth0.101
set system services dhcp-local-server group POOL_TEST interface reth0.100
set system services dhcp-local-server group POOL_PROD interface reth0.102
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set chassis cluster reth-count 1        
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 0 node 1 priority 254
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth0
set interfaces fab0 fabric-options member-interfaces ge-0/0/5
set interfaces fab1 fabric-options member-interfaces ge-3/0/5
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp active
set interfaces reth0 unit 100 description "100 TEST Interface"
set interfaces reth0 unit 100 vlan-id 100
set interfaces reth0 unit 100 family inet address 10.128.100.1/24
set interfaces reth0 unit 101 description "101 LAB Interface"
set interfaces reth0 unit 101 vlan-id 101
set interfaces reth0 unit 101 family inet address 10.128.101.1/24
set interfaces reth0 unit 102 description "102 PROD Interface"
set interfaces reth0 unit 102 vlan-id 102
set interfaces reth0 unit 102 family inet address 10.128.102.1/24
set interfaces reth0 unit 103 description "103 DMZ Interface"
set interfaces reth0 unit 103 vlan-id 103
set interfaces reth0 unit 104 description "104 Internet Interface"
set interfaces reth0 unit 104 vlan-id 104
set interfaces reth0 unit 104 family inet dhcp-client retransmission-attempt 6
set interfaces reth0 unit 104 family inet dhcp-client retransmission-interval 5
set interfaces reth0 unit 104 family inet dhcp-client update-server
set routing-options static route 0.0.0.0/0 qualified-next-hop 172.18.1.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 172.18.2.1 preference 10
set protocols stp
set security policies default-policy permit-all
set security zones security-zone UNTRUST description "UNTRUST towards Inet"
set security zones security-zone UNTRUST interfaces reth0.104 host-inbound-traffic system-services dhcp
set security zones security-zone TEST_ZONE description "Zone TEST"
set security zones security-zone TEST_ZONE host-inbound-traffic system-services ping
set security zones security-zone TEST_ZONE host-inbound-traffic system-services traceroute
set security zones security-zone TEST_ZONE interfaces reth0.100 host-inbound-traffic system-services dhcp
set security zones security-zone LAB_ZONE description "Zone LAB"
set security zones security-zone LAB_ZONE interfaces reth0.101 host-inbound-traffic system-services dhcp
set security zones security-zone PROD_ZONE description "Zone PROD"
set security zones security-zone PROD_ZONE interfaces reth0.102 host-inbound-traffic system-services dhcp
set security zones security-zone DMZ_ZONE description "Zone DMZ"
set security zones security-zone DMZ_ZONE interfaces reth0.103
set access address-assignment pool POOL_TEST family inet network 10.128.100.0/24
set access address-assignment pool POOL_TEST family inet range POOL_TEST_RANGE low 10.128.100.100
set access address-assignment pool POOL_TEST family inet range POOL_TEST_RANGE high 10.128.100.250
set access address-assignment pool POOL_TEST family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool POOL_TEST family inet dhcp-attributes router 10.128.100.1
set access address-assignment pool POOL_LAB family inet network 10.128.101.0/24
set access address-assignment pool POOL_LAB family inet range POOL_LAB_RANGE low 10.128.101.100
set access address-assignment pool POOL_LAB family inet range POOL_LAB_RANGE high 10.128.101.250
set access address-assignment pool POOL_LAB family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool POOL_LAB family inet dhcp-attributes router 10.128.101.1
set access address-assignment pool POOL_PROD family inet network 10.128.102.0/24
set access address-assignment pool POOL_PROD family inet range POOL_PROD_RANGE low 10.128.102.100
set access address-assignment pool POOL_PROD family inet range POOL_PROD_RANGE high 10.128.102.250
set access address-assignment pool POOL_PROD family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool POOL_PROD family inet dhcp-attributes router 10.128.102.1

Source NAT for TEST zone

set security nat source rule-set SRC_NAT_TEST_RULESET_1 from zone TEST_ZONE
set security nat source rule-set SRC_NAT_TEST_RULESET_1 to zone UNTRUST
set security nat source rule-set SRC_NAT_TEST_RULESET_1 rule RULE_TEST_1 match source-address 0.0.0.0/0
set security nat source rule-set SRC_NAT_TEST_RULESET_1 rule RULE_TEST_1 match destination-address 0.0.0.0/0
set security nat source rule-set SRC_NAT_TEST_RULESET_1 rule RULE_TEST_1 then source-nat interface
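As an added example (not part of the original notes), a small Python audit of the set-style config above: it parses a subset of those lines into a zone model, works out which management services each interface answers to, flags the cleartext services and the permit-all default policy, and lists the zones that still have no source NAT rule-set towards UNTRUST (the "nat" to-do item). The sample lines are copied from the config above; the parser itself is constructed for this example.

```python
"""Audit a Junos 'show | display set' dump for the zone layout used above.

Constructed example, not part of the original lab notes. The SAMPLE_CONFIG
lines are a subset of the cluster config shown on this page.
"""

# Constructed sample: a subset of the 'set' lines from the cluster config above.
SAMPLE_CONFIG = """\
set system services ssh
set system services telnet
set system services xnm-clear-text
set security policies default-policy permit-all
set security zones security-zone UNTRUST interfaces reth0.104 host-inbound-traffic system-services dhcp
set security zones security-zone TEST_ZONE host-inbound-traffic system-services ping
set security zones security-zone TEST_ZONE host-inbound-traffic system-services traceroute
set security zones security-zone TEST_ZONE interfaces reth0.100 host-inbound-traffic system-services dhcp
set security zones security-zone DMZ_ZONE description "Zone DMZ"
set security zones security-zone DMZ_ZONE interfaces reth0.103
set security nat source rule-set SRC_NAT_TEST_RULESET_1 from zone TEST_ZONE
set security nat source rule-set SRC_NAT_TEST_RULESET_1 to zone UNTRUST
"""

# Management services that carry credentials or configuration unencrypted.
CLEARTEXT_SERVICES = {"telnet", "xnm-clear-text", "ftp"}


def _zone(config, name):
    """Get or create the per-zone record."""
    return config["zones"].setdefault(
        name, {"interfaces": set(), "zone_services": set(), "if_services": {}})


def parse_set_config(text):
    """Build a small model (zones, cleartext services, default policy, NAT) from set lines."""
    config = {"zones": {}, "cleartext": set(), "default_policy": None, "nat": {}}
    for raw in text.splitlines():
        t = raw.strip().split()
        if t[:1] != ["set"]:
            continue
        if t[1:3] == ["system", "services"] and len(t) == 4:
            if t[3] in CLEARTEXT_SERVICES:
                config["cleartext"].add(t[3])
        elif t[1:4] == ["security", "policies", "default-policy"]:
            config["default_policy"] = t[4]
        elif t[1:4] == ["security", "zones", "security-zone"]:
            zone, rest = _zone(config, t[4]), t[5:]
            if rest[:1] == ["interfaces"]:
                ifname = rest[1]
                zone["interfaces"].add(ifname)
                if rest[2:4] == ["host-inbound-traffic", "system-services"]:
                    zone["if_services"].setdefault(ifname, set()).add(rest[4])
            elif rest[:2] == ["host-inbound-traffic", "system-services"]:
                zone["zone_services"].add(rest[2])
        elif t[1:5] == ["security", "nat", "source", "rule-set"] and len(t) > 8 \
                and t[6] in ("from", "to"):
            # 'rule-set NAME from zone X' / 'rule-set NAME to zone Y'
            config["nat"].setdefault(t[5], {})[t[6]] = t[8]
    return config


def effective_inbound(config, zone_name, ifname):
    """Services the SRX itself answers to on one interface.

    In Junos an interface-level host-inbound-traffic statement takes precedence
    over the zone-level one for that interface, so only one of the two applies.
    """
    zone = config["zones"][zone_name]
    return set(zone["if_services"].get(ifname) or zone["zone_services"])


def audit(config):
    """Return human-readable findings for the parsed configuration."""
    findings = []
    if config["default_policy"] == "permit-all":
        findings.append("default-policy permit-all: inter-zone traffic is allowed "
                        "without an explicit policy; use deny-all before going live")
    for svc in sorted(config["cleartext"]):
        findings.append(f"cleartext management service enabled: {svc}")
    nat_from = {r.get("from") for r in config["nat"].values() if r.get("to") == "UNTRUST"}
    for name, zone in sorted(config["zones"].items()):
        if not zone["interfaces"]:
            findings.append(f"zone {name} has no interfaces")
        if name != "UNTRUST" and name not in nat_from:
            findings.append(f"zone {name} has no source NAT rule-set towards UNTRUST")
        for ifname in sorted(zone["interfaces"]):
            svcs = effective_inbound(config, name, ifname)
            findings.append(f"{ifname} ({name}) accepts: {', '.join(sorted(svcs)) or 'nothing'}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_set_config(SAMPLE_CONFIG)):
        print(line)
```

Feed it the full `show | display set` output instead of SAMPLE_CONFIG to audit the whole cluster config.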

References

DHCP

Propagating settings
http://forums.juniper.net/t5/Junos/DHCP-Propagate-Setting-clarification/td-p/274627
http://forums.juniper.net/t5/SRX-Services-Gateway/Problem-with-dhcp-propagate-settings/td-p/37414

Relay
https://www.juniper.net/documentation/en_US/junos12.1x46/topics/topic-map/dhcp-security-relay-agent.html
Relay option 82
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/dhcp-subscriber-access-dhcp-relay-using-option-82-overview.html
Global DHCP relay
https://kb.juniper.net/InfoCenter/index?page=content&id=KB15755&actp=METADATA

DHCP server
https://www.juniper.net/documentation/en_US/junos12.1x44/topics/example/security-device-dhcp-server-configuring.html

Configure DHCP Server in Juniper SRX Device

DHCP in a non-default routing instance
https://kb.juniper.net/InfoCenter/index?page=content&id=KB21169&actp=METADATA

DHCP server in multiple routing instances
https://kb.juniper.net/InfoCenter/index?page=content&id=KB29401

DHCP subsystem not running
https://forums.juniper.net/t5/SRX-Services-Gateway/SRX240-DHCP-Server-Error-the-dhcp-subsystem-is-not-running/td-p/149052

DHCP pool example
http://junosnotes.blogspot.be/2014/09/srx-virtualisation-basics.html

DHCP client not working
https://forums.juniper.net/t5/SRX-Services-Gateway/DHCP-Client-not-working/td-p/291197

Configuring the device as DHCP client
http://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/security-device-dhcp-client-configuring.html

DHCP relay – two ways to configure?

Public IP addressed server behind SRX
https://forums.juniper.net/t5/SRX-Services-Gateway/Public-IP-addressed-Server-behind-SRX/td-p/105564

DHCP relay problem
http://www.juniperforum.com/index.php?topic=7573.0

Configuring Layer 2 Security Zones
http://www.juniper.net/documentation/en_US/junos12.1/topics/example/security-zone-layer2-configuring.html

Configuring Layer 2 Logical Interfaces
http://www.juniper.net/documentation/en_US/junos12.1/topics/example/security-layer2-logical-interface-configuring.html

Configuring Bridge Domains
http://www.juniper.net/documentation/en_US/junos12.1/topics/example/security-bridge-domain-configuring.html

Layer 2 Bridging and Transparent Mode Overview
http://www.juniper.net/documentation/en_US/junos12.1/topics/concept/security-layer2-bridging-transparent-mode-overview.html

Configuration Example – Transparent mode on SRX platforms
https://kb.juniper.net/InfoCenter/index?page=content&id=KB21421&actp=METADATA

Configuring Security Zones and Policies for SRX Series
https://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/security-srx-device-zone-and-policy-configuring.html

Configuring Source NAT for Egress Interface Translation
http://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/nat-security-source-nat-egress-interface-configuring.html

cisco sg300 cli


Advice

.oPYo. .oPYo.  o    o  
8    8 8    8  `b  d'  
8      8    8   `bd'   
8      8    8   .PY.   
8    8 8    8  .P  Y.  
`YooP' `YooP' .P    Y. 
:.....::.....:..::::..:
:::::::::::::::::::::::

screen /dev/ttyUSB0 9600 cs8 -cstopb -parenb
::::::::::::::::::::::::::::::::::::::::::::::::
Pogoplug
screen /dev/ttyUSB1 115200,cs8,-parenb,-cstopb
::::::::::::::::::::::::::::::::::::::::::::::::
Cisco Catalyst 2950
screen /dev/ttyUSB1 9600,cs8,-parenb,-cstopb
:::::::::::::::::::::::::::::::::::::::::::::::::::
NSLU2
screen /dev/ttyUSB0 115200,cs8,-parenb,-cstopb
::::::::::::::::::::::::::::::::::::::::::::::::::
Last login: Sun Apr 23 16:00:41 2017 from 10.128.10.43
root@cox:~# screen /dev/ttyUSB0 115200,cs8,-parenb,-cstopb

switch477671#
switch477671#show running-config 
config-file-header
switch477671
v1.3.0.62 / R750_NIK_1_3_647_260
CLI v1.0
set system mode switch 

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
hostname switch477671                                 
!                                                     
switch477671#                                         
switch477671#
switch477671#in
% Unrecognized command
switch477671#configure in
switch477671#configure in
% Wrong number of parameters or invalid range, size or characters entered
switch477671#configure in
% Wrong number of parameters or invalid range, size or characters entered
switch477671#configure t
switch477671(config)#interface vlan 1
switch477671(config-if)#ip address 10.210.14.138 255.255.255.224
Please ensure that the port through which the device is managed has the proper
settings and is a member of the new management interface.
Would you like to apply this new configuration? (Y/N)[N] Y
switch477671(config-if)#exigt
% Unrecognized command
switch477671(config-if)#exit
switch477671(config)#02-May-2013 15:07:21 %AAA-I-CONNECT: New http connection for user cisco, source 10.210.14.143 destination 10.210.14.138 ACCEPTED


After some simple config:

vlan database
vlan 223,233,999
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
hostname switch477671
!
interface vlan 1
 no ip address dhcp
!
interface vlan 223
 name "VLAN 223"
!
interface vlan 233
 name "VLAN 233"
!
interface vlan 999
 name MGMT
 ip address 10.210.14.138 255.255.255.224
!
interface gigabitethernet1
 switchport trunk native vlan 223
!
interface gigabitethernet2
 switchport trunk native vlan 223
!
interface gigabitethernet3
 switchport trunk native vlan 233
!
interface gigabitethernet4
 switchport trunk native vlan 233
!
interface gigabitethernet10
 switchport trunk native vlan 999
!
exit
switch477671#
switch477671#

References

CLI reference guide

srx100b cluster with Fernando


Failed cabling

Fixed cabling

Loading .data.rel @ 0x8f0456e8 (136 bytes)
Clearing .bss @ 0x8f045770 (11600 bytes)
## Starting application at 0x8f0000a0 ...
Consoles: U-Boot console  
Found compatible API, ver. 2.7

FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.7
(ccheng@svl-junos-d081.juniper.net, Tue Nov 26 19:05:43 PST 2013)
Memory: 512MB
[0]Booting from nand-flash slice 2
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
Loading /boot/defaults/loader.conf 
/kernel data=0xb0efe0+0x134628 syms=[0x4+0x8b320+0x4+0xc9df5]


Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [/kernel]...               
Kernel entry at 0x801000e0 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64
Secondary DCache: Sets 128 Size 128 Asso 8
GDB: debug ports: uart
GDB: current port: uart
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
kld_map_v: 0x8ff80000, kld_map_p: 0x0
Copyright (c) 1996-2013, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
JUNOS 12.1X46-D10.2 #0: 2013-12-18 02:03:20 UTC
    builder@briath.juniper.net:/volume/build/junos/12.1/service/12.1X46-D10.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel
JUNOS 12.1X46-D10.2 #0: 2013-12-18 02:03:20 UTC
    builder@briath.juniper.net:/volume/build/junos/12.1/service/12.1X46-D10.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel
real memory  = 536870912 (512MB)
avail memory = 279027712 (266MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
Security policy loaded: JUNOS MAC/pcap (mac_pcap)
Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
netisr_init: !debug_mpsafenet, forcing maxthreads from 2 to 1
cpu0 on motherboard
: CAVIUM's OCTEON 5020 CPU Rev. 0.1 with no FPU implemented
        L1 Cache: I size 32kb(128 line), D size 8kb(128 line), sixty four way.
        L2 Cache: Size 128kb, 8 way
obio0 on motherboard
uart0:  on obio0
uart0: console (9600,n,8,1)
twsi0 on obio0
dwc0:  on obio0
usb0:  on dwc0
usb0: USB revision 2.0
uhub0: vendor 0x0000 DWC OTG root hub, class 9/0, rev 2.00/1.00, addr 1
uhub0: 1 port with 1 removable, self powered
uhub1: vendor 0x0409 product 0x005a, class 9/0, rev 2.00/1.00, addr 2
uhub1: single transaction translator
uhub1: 2 ports with 1 removable, self powered
umass0: STMicroelectronics ST72682  High Speed Mode, rev 2.00/2.10, addr 3
cpld0 on obio0
pcib0:  on obio0
Disabling Octeon big bar support
PCI Status: PCI 32-bit: 0xc041b
pcib0: Initialized controller
pci0:  on pcib0
pci0:  at device 2.0 (no driver attached)
pci0:  at device 2.1 (no driver attached)
pci0:  at device 2.2 (no driver attached)
gblmem0 on obio0
octpkt0:  on obio0
cfi0: <AMD/Fujitsu - 4MB> on obio0
Timecounter "mips" frequency 500000000 Hz quality 0
###PCB Group initialized for udppcbgroup
###PCB Group initialized for tcppcbgroup
da0 at umass-sim0 bus 0 target 0 lun 0
da0:  Removable Direct Access SCSI-2 device 
da0: 40.000MB/s transfers
da0: 1000MB (2048000 512 byte sectors: 64H 32S/T 1000C)
Trying to mount root from ufs:/dev/da0s2a
WARNING: / was not properly dismounted
MFSINIT: Initialising MFSROOT 
WARNING: / was not properly dismounted
Process-1 beginning MFSROOT initialization...
Creating MFSROOT...
/dev/md0: 20.0MB (40956 sectors) block size 16384, fragment size 2048
        using 4 cylinder groups of 5.00MB, 320 blks, 640 inodes.
super-block backups (for fsck -b #) at:
 32, 10272, 20512, 30752
Populating MFSROOT...
Creating symlinks...
Setting up mounts...
Continuing boot from MFSROOT...
Attaching /cf/packages/junos via /dev/mdctl...
Mounted junos package on /dev/md1...
A
Media check on da0
Automatic reboot in progress...
** /dev/da0s2a (NO WRITE)
** Last Mounted on /
** Root file system
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
159 files, 78524 used, 71514 free (50 frags, 8933 blocks, 0.0% fragmentation)
mount reload of '/' failed: Operation not supported 

Verified junos signed by PackageProduction_12_1_0
Verified jboot signed by PackageProduction_12_1_0
veriexec: cannot update veriexec for /sbin/preinit-main: No such file or directory
veriexec: cannot update veriexec for /sbin/init-mfs-root: No such file or directory
veriexec: cannot update veriexec for /sbin/ls: No such file or directory
veriexec: cannot update veriexec for /sbin/chroot: No such file or directory
veriexec: cannot update veriexec for /sbin/settty: No such file or directory
Verified junos-12.1X46-D10.2-domestic signed by PackageProduction_12_1_0
Checking integrity of BSD labels:
  s1: Passed
  s2: Passed
  s3: Passed
root@% assed
root@% /bo0s3e
root@% STEM CLEAN; SKIPPING CHECKS
root@% 12426 free (26 frags, 1550 blocks, 0.2% fragmentation)
root@% /bo0s3f
root@% STEM CLEAN; SKIPPING CHECKS
root@% 26077 free (173 frags, 3238 blocks, 0.1% fragmentation)
root@% g integrity of licenses:
root@% g integrity of configuration:
root@% e.conf.gz: Passed
root@%  configuration ...
root@% d ticks drifted too much,                        resetting synchronization...
root@% mmit complete
root@%  initial options: .
root@% g optional daemons:  usbd.
root@% nitial network setup:
root@% 
root@%  interface configuration:
root@% nal daemons: eventd.
root@% nal routing options:kern.module_path: /boot//kernel;/boot/modules -> /boot/modules;/modules/ifpfe_drv;/modules;
root@% pfe drv: ifpfed_dialer.
root@% dditional network setup:.
root@% g final network daemons:.
root@%  ldconfig path: /usr/lib /opt/lib
root@% g standard daemons: cron.
root@%  rc.mips initialization:.
root@% ackage initialization:.
root@% g local daemons:set cores for group access
root@% 
root@% curelevel: -1 -> 1
root@% g JAIL MFS partition...
root@% S partition created
root@% grade.uboot="0xBFC00000"
root@% grade.loader="0xBFE00000"
root@% dia /dev/da0 has dual root support
root@% : JUNOS versions running on dual partitions are not same
root@% /da0s1a
root@% STEM CLEAN; SKIPPING CHECKS
root@% 79026 free (34 frags, 9874 blocks, 0.0% fragmentation)
root@%  22 22:41:21 UTC 2017
root@% 
root@% c (ttyu0)
root@% 
root@% root
root@% d:
root@% 
root@% OS 12.1X46-D10.2 built 2013-12-18 02:03:20 UTC
root@% 

root@% clo
clo: Command not found.
root@% cli
{secondary:node1}
root> show chassis cluster status   
Cluster ID: 1 
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 0
    node0                   1           primary        no       no  
    node1                   1           secondary      no       no  

{secondary:node1}
root> 

{secondary:node1}
root> show chassis cluster interfaces 
Control link status: Up

Control interfaces: 
    Index   Interface        Status   Internal-SA
    0       fxp1             Up       Disabled   

Fabric link status: Down

Fabric interfaces: 
    Name    Child-interface    Status
                               (Physical/Monitored)
    fab0   
    fab0   
    fab1   
    fab1   
   
Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0                

{secondary:node1}
root> 

{primary:node0}
root@srxC-1> show chassis cluster interfaces 
Control link status: Up

Control interfaces: 
    Index   Interface        Status   Internal-SA
    0       fxp1             Up       Disabled   

Fabric link status: Down

Fabric interfaces: 
    Name    Child-interface    Status
                               (Physical/Monitored)
    fab0   
    fab0   
    fab1   
    fab1   
   
Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0                

{primary:node0}
root@srxC-1> 

{primary:node0}
root@srxC-1> configure 
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode

{primary:node0}[edit]
root@srxC-1# exit 
Exiting configuration mode

{primary:node0}
root@srxC-1> show interfaces 
Physical interface: fe-0/0/0, Enabled, Physical link is Down
  Interface index: 129, SNMP ifIndex: 501
  Link-level type: Ethernet, MTU: 1514, Link-mode: Half-duplex, Speed: 10m,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 78:fe:3d:ca:3c:c0, Hardware address: 78:fe:3d:ca:3c:c0
  Last flapped   : 2017-03-22 15:05:46 UTC (00:28:09 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : LINK
  Active defects : LINK
  Interface transmit statistics: Disabled

Physical interface: gr-0/0/0, Enabled, Physical link is Up
  Interface index: 143, SNMP ifIndex: 522
  Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps
  Link flags     : Scheduler Keepalives DTE
  Device flags   : Present Running
  Interface flags: Point-To-Point
                                        
{primary:node0}
root@srxC-1> show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
fe-0/0/0                up    down
gr-0/0/0                up    up  
ip-0/0/0                up    up  
fe-0/0/1                up    down
fe-0/0/2                up    down
fe-0/0/3                up    down
fe-0/0/4                up    down
fe-0/0/5                up    up  
fe-0/0/6                up    down
fe-0/0/7                up    up  
fe-1/0/0                up    down
fe-1/0/1                up    down
fe-1/0/2                up    down
fe-1/0/3                up    down
fe-1/0/4                up    down
fe-1/0/5                up    up  
fe-1/0/6                up    down
fe-1/0/7                up    up  
fab0                    up    down
fab0.0                  up    down inet     30.17.0.200/24  
fab1                    up    down
fab1.0                  up    down inet     30.18.0.200/24  
fxp0                    up    up        
fxp0.0                  up    up   inet     10.210.14.135/27
fxp1                    up    up  
fxp1.0                  up    up   inet     129.16.0.1/2    
                                   tnp      0x1100001       
gre                     up    up  
ipip                    up    up  
irb                     up    up  
lo0                     up    up  
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up  
lsi                     up    up  
mtun                    up    up  
pimd                    up    up  
pime                    up    up  
pp0                     up    up  
ppd0                    up    up  
ppe0                    up    up  
{primary:node0}
root@srxC-1> configure 
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode

{primary:node0}[edit]
root@srxC-1# edit interfaces 

{primary:node0}[edit interfaces]
root@srxC-1# set fab 0
                 ^
missing or invalid device number in 'fab'.
{primary:node0}[edit interfaces]
root@srxC-1# set fab0 fabric-options member-interfaces fe  
                                                       ^
missing or invalid fpc number in 'fe' at 'fe'
root@srxC-1# set fab0 fabric-options member-interfaces fe-    
                                                       ^
missing or invalid fpc number in 'fe-' at 'fe-'
root@srxC-1# set fab0 fabric-options member-interfaces fe-0/0/5 

{primary:node0}[edit interfaces]
root@srxC-1# set fab0 fabric-options member-interfaces fe-1/0/5    

{primary:node0}[edit interfaces]
root@srxC-1# delete fab0 fabric-options member-interfaces fe-1/0/5 

{primary:node0}[edit interfaces]
root@srxC-1# set fab1 fabric-options member-interfaces fe-1/0/5      

{primary:node0}[edit interfaces]
root@srxC-1# top 

{primary:node0}[edit]
root@srxC-1# commit and-quit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete
Exiting configuration mode

{primary:node0}
root@srxC-1> show chassis cluster interfaces    
Control link status: Up

Control interfaces: 
    Index   Interface        Status   Internal-SA
    0       fxp1             Up       Disabled   

Fabric link status: Up

Fabric interfaces: 
    Name    Child-interface    Status
                               (Physical/Monitored)
    fab0    fe-0/0/5           Up   / Up  
    fab0   
    fab1    fe-1/0/5           Up   / Up  
    fab1   
   
Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0                

{primary:node0}
root@srxC-1> configure 
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode

{primary:node0}[edit]
root@srxC-1# save jsec/lab8-part3-start.config 
error: save: could not open file 'jsec/lab8-part3-start.config': No such file or directory

{primary:node0}[edit]
root@srxC-1# save lab8-part3-start.config         
Wrote 82 lines of configuration to 'lab8-part3-start.config'
{primary:node0}[edit]
root@srxC-1# show ?                                                  
Possible completions:
  <[Enter]>            Execute this command
> access               Network access configuration
> access-profile       Access profile for this instance
> accounting-options   Accounting data configuration
> applications         Define applications by protocol characteristics
+ apply-groups         Groups from which to inherit configuration data
> bridge-domains       Bridge domain configuration
> chassis              Chassis configuration
> class-of-service     Class-of-service configuration
> ethernet-switching-options  Ethernet-switching configuration options
> event-options        Event processing configuration
> firewall             Define a firewall configuration
> forwarding-options   Configure options to control packet forwarding
> groups               Configuration groups
> interfaces           Interface configuration
> multi-chassis        
> policy-options       Policy option configuration
> protocols            Routing protocol configuration
> routing-instances    Routing instance configuration
> routing-options      Protocol-independent routing option configuration
> schedulers           Security scheduler
> security             Security configuration
{primary:node0}[edit]                   
root@srxC-1# show com
                  ^
syntax error.
root@srxC-1# edit chassis cluster 

{primary:node0}[edit chassis cluster]
root@srxC-1# set redundancy-group 1 node 0 priority 200 

{primary:node0}[edit chassis cluster]
root@srxC-1# set redundancy-group 1 node 1 priority 100    

{primary:node0}[edit chassis cluster]
root@srxC-1# set redundancy-group 2 node 1 priority 200 

{primary:node0}[edit chassis cluster]
root@srxC-1# set redundancy-group 2 node 0 priority 100    

{primary:node0}[edit chassis cluster]
root@srxC-1# set redundancy-group 2 preempt 

{primary:node0}[edit chassis cluster]
root@srxC-1# set redundancy-group 2 interface-monitor fe-0
                                                      ^
missing or invalid pic in 'fe-0' at 'fe-0'
root@srxC-1# set redundancy-group 2 interface-monitor fe-1/0/3 
                                                               ^
missing argument.

{primary:node0}[edit chassis cluster]
root@srxC-1# set redundancy-group 2 interface-monitor fe-1/0/3 weight 255 

{primary:node0}[edit chassis cluster]
root@srxC-1# show 
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 100;
}
redundancy-group 2 {
    node 1 priority 200;
    node 0 priority 100;
    preempt;
    interface-monitor {
        ##
        ## Warning: Interface must be defined before configuring monitoring
        ##
        fe-1/0/3 weight 255;
    }
}

{primary:node0}[edit chassis cluster]
root@srxC-1# top edit interfaces 

{primary:node0}[edit interfaces]
root@srxC-1# set fe-0/0/4 fastether-options redundant-parent reth0 

{primary:node0}[edit interfaces]
root@srxC-1#
{primary:node0}[edit interfaces]
root@srxC-1# set fe-1/0/4 fastether-options redundant-parent reth0    

{primary:node0}[edit interfaces]
root@srxC-1# set reth 0
                 ^
missing or invalid device number in 'reth'.
root@srxC-1# set reth 0   
                 ^
missing or invalid device number in 'reth'.
root@srxC-1#              

{primary:node0}[edit interfaces]
root@srxC-1# set reth0 redundant-ether-options redundancy-group 1 

{primary:node0}[edit interfaces]
root@srxC-1# set reth0 vlan-tagging 

{primary:node0}[edit interfaces]
root@srxC-1# set reth0 unit 223 va                         
                                ^
syntax error.
root@srxC-1# set reth0 unit 223 vlan-id 223                

{primary:node0}[edit interfaces]
root@srxC-1# set reth0 unit 223 family inetaddr          
                                       ^
syntax error.
root@srxC-1# set reth0 unit 223 family inet address 172.20.30.1/24 

{primary:node0}[edit interfaces]
root@srxC-1# set fe-0/0/4 f
                           ^
'f' is ambiguous.
Possible completions:
> fastether-options    Fast Ethernet interface-specific options
  flexible-vlan-tagging  Support for no tagging, or single and double 802.1q VLAN tagging
{primary:node0}[edit interfaces]
root@srxC-1# set fe-0/0/4 fastether-options redundant-parent reth1 

{primary:node0}[edit interfaces]
root@srxC-1# set fe-1/0/4 fastether-options redundant-parent reth1    

{primary:node0}[edit interfaces]
root@srxC-1# set reth1 redundant-ether-options redundancy-group 2 

{primary:node0}[edit interfaces]
root@srxC-1# set reth1 vlan-tagging 

{primary:node0}[edit interfaces]
root@srxC-1# set reth1 unit 233 vlan-id 233  

{primary:node0}[edit interfaces]
root@srxC-1# set reth1 unit 233 family inet address 172.30.30.1/24 

{primary:node0}[edit interfaces]
root@srxC-1# 

{primary:node0}[edit interfaces]
root@srxC-1# set fe-0/0/3 unit 0 family inet address 172.18.2.2/30 

{primary:node0}[edit interfaces]
root@srxC-1# top 

{primary:node0}[edit]
root@srxC-1# commit 
[edit chassis cluster redundancy-group 2 interface-monitor]
  'fe-1/0/3'
    Interface must be defined before configuring monitoring
error: commit failed: (statements constraint check failed)

{primary:node0}[edit]
root@srxC-1# edit 
                  ^
syntax error, expecting  or .

{primary:node0}[edit]
root@srxC-1# chas
             ^
unknown command.
root@srxC-1#        

{primary:node0}[edit]
root@srxC-1# chass
             ^
unknown command.
root@srxC-1# edit chassis cluster 

{primary:node0}[edit chassis cluster]
root@srxC-1# set reth-count 2 

{primary:node0}[edit chassis cluster]
root@srxC-1# top 

{primary:node0}[edit]
root@srxC-1# commit 
[edit chassis cluster redundancy-group 2 interface-monitor]
  'fe-1/0/3'
    Interface must be defined before configuring monitoring
error: commit failed: (statements constraint check failed)

{primary:node0}[edit]
root@srxC-1# show interfaces terse 
                                   ^
invalid interface type in 'terse'.

{primary:node0}[edit]
root@srxC-1# run show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
fe-0/0/0                up    down
gr-0/0/0                up    up  
ip-0/0/0                up    up  
fe-0/0/1                up    down
fe-0/0/2                up    up  
fe-0/0/3                up    up  
fe-0/0/4                up    down
fe-0/0/5                up    up  
fe-0/0/5.0              up    up   aenet    --> fab0.0
fe-0/0/6                up    down
fe-0/0/7                up    up  
fe-1/0/0                up    down
fe-1/0/1                up    down
fe-1/0/2                up    up  
fe-1/0/3                up    up  
fe-1/0/4                up    down
fe-1/0/5                up    up  
fe-1/0/5.0              up    up   aenet    --> fab1.0
fe-1/0/6                up    down
fe-1/0/7                up    up  
fab0                    up    up  
fab0.0                  up    up   inet     30.17.0.200/24  
                                        
{primary:node0}[edit]
root@srxC-1# 

{primary:node0}[edit]
root@srxC-1# 

{primary:node0}[edit]
root@srxC-1# edit interfaces 

{primary:node0}[edit interfaces]
root@srxC-1# delete set fe-0/0/3
                    ^
invalid interface type in 'set'.
root@srxC-1# delete unit 0set fe-0/0/3
                    ^
invalid interface type in 'unit'.
root@srxC-1# delete family inetunit 0set fe-0/0/3                             
                    ^
invalid interface type in 'family'.
root@srxC-1# delete fe-0/0/3 unit 0 family inet address 172.18.2.2/30         

{primary:node0}[edit interfaces]
root@srxC-1# set fe-1/0/3 unit 0 family inet address 172.18.2.2/30      

{primary:node0}[edit interfaces]
root@srxC-1# top commit 
error: can only commit from top of private configuration

{primary:node0}[edit interfaces]
root@srxC-1# top 

{primary:node0}[edit]
root@srxC-1# commit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete

{primary:node0}[edit]
root@srxC-1# show run
                  ^
syntax error.
root@srxC-1# show       
## Last changed: 2017-03-22 16:49:42 UTC
version 12.1X46-D10.2;
groups {
    node0 {
        system {
            host-name srxC-1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.210.14.135/27;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name srxC-2;
        }
        interfaces {
            fxp0 {
                unit 0 {                
                    family inet {
                        address 10.210.14.136/27;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "$1$bm0kzC/V$sdhVilesr.7VVePsGA54./"; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }                               
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    cluster {
        reth-count 2;
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
        }                               
        redundancy-group 2 {
            node 1 priority 200;
            node 0 priority 100;
            preempt;
            interface-monitor {
                fe-1/0/3 weight 255;
            }
        }
    }
}
interfaces {
    fe-0/0/3 {
        unit 0 {
            family inet;
        }
    }
    fe-0/0/4 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    fe-1/0/3 {
        unit 0 {                        
            family inet {
                address 172.18.2.2/30;
            }
        }
    }
    fe-1/0/4 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                fe-0/0/5;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                fe-1/0/5;
            }
        }                               
    }
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 223 {
            vlan-id 223;
            family inet {
                address 172.20.30.1/24;
            }
        }
    }
    reth1 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 2;
        }
        unit 233 {
            vlan-id 233;
            family inet {
                address 172.30.30.1/24;
                                        
{primary:node0}[edit]
root@srxC-1# 


Monitoring 30/04/2017


After I thought the root cause of the last issue was fixed, I continued with the laboratory; in the first ping test there were already some failures that made me go deeper into the analysis.


ping to 172.30.30.99 works
ping to 172.20.30.99 doesn't
------------------------------------------------
root@srxC-2# run ping 172.30.30.99 detail count 2                             
PING 172.30.30.99 (172.30.30.99): 56 data bytes
64 bytes from 172.30.30.99 via reth1.0: icmp_seq=0 ttl=64 time=2.214 ms
64 bytes from 172.30.30.99 via reth1.0: icmp_seq=1 ttl=64 time=2.311 ms

--- 172.30.30.99 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.214/2.263/2.311/0.048 ms

{primary:node1}[edit]
root@srxC-2# run ping 172.20.30.99 detail count 2    
PING 172.20.30.99 (172.20.30.99): 56 data bytes
^C
--- 172.20.30.99 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss



------------------------------------------------
{primary:node1}
root@srxC-2> show route 172.20.30.0 

inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 13:38:07
                    > to 172.18.1.1 via fe-0/0/3.0
                    [Static/10] 13:38:04
                    > to 172.18.2.1 via fe-1/0/3.0

{primary:node1}
root@srxC-2> show route 172.30.30.0    

inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.30.30.0/24     *[Direct/0] 12:38:29
                    > via reth1.0
----------------------------------------------

{primary:node1}[edit]
root@srxC-2# run show interfaces reth* terse  
Interface               Admin Link Proto    Local                 Remote
reth0                   up    down
reth0.0                 up    down inet     172.20.30.1/24  
reth1                   up    up  
reth1.0                 up    up   inet     172.30.30.1/24  

-----------------------------------------

Check the reth configuration


root@srxC-2# show | display set | match reth
set system services dhcp-local-server group POOL_233 interface reth1.233
set system services dhcp-local-server group POOL_223 interface reth0.223
set chassis cluster reth-count 2
set interfaces fe-0/0/4 fastether-options redundant-parent reth1
set interfaces fe-1/0/4 fastether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 172.20.30.1/24
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 0 family inet address 172.30.30.1/24
set security zones security-zone TRUST interfaces reth0.0 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces reth1.0 host-inbound-traffic system-services al

The reth0 member interface assignment is missing.


root@srxC-2# set interfaces fe-0/0/2 fastether-options redundant-parent reth0 
root@srxC-2# set interfaces fe-1/0/2 fastether-options redundant-parent reth0 

----------------
{primary:node1}[edit]
root@srxC-2# run ping 172.20.30.99 detail count 2    
PING 172.20.30.99 (172.20.30.99): 56 data bytes
64 bytes from 172.20.30.99 via reth0.0: icmp_seq=0 ttl=64 time=2.909 ms
64 bytes from 172.20.30.99 via reth0.0: icmp_seq=1 ttl=64 time=2.466 ms

--- 172.20.30.99 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.466/2.688/2.909/0.222 ms

{primary:node1}[edit]
root@srxC-2# run ping 172.30.30.99 detail count 2    
PING 172.30.30.99 (172.30.30.99): 56 data bytes
64 bytes from 172.30.30.99 via reth1.0: icmp_seq=0 ttl=64 time=4.057 ms
64 bytes from 172.30.30.99 via reth1.0: icmp_seq=1 ttl=64 time=2.432 ms

--- 172.30.30.99 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.432/3.245/4.057/0.812 ms
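
Both faults in this session (reth0 without member interfaces, and an interface-monitor entry pointing at an interface never defined under [edit interfaces]) can be caught before commit by linting the `show | display set` output offline. The following Python script is an added example, not part of the original post; it assumes node 1's ports sit on FPC 1 (fe-1/0/x, as on this box) and takes that slot number as a parameter.

```python
"""Offline lint for a Junos SRX chassis-cluster configuration.

Added example, not from the original post. It parses pasted `show | display set`
output and flags the two mistakes hit in this lab: a reth with no
redundant-parent member interfaces (reth0 stayed Link down) and an
interface-monitor entry for an interface never defined under [edit interfaces]
(the commit failed with "Interface must be defined before configuring monitoring").
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the `show | display set | match reth` output
# above plus the redundancy-group lines from the earlier session.
SAMPLE_CONFIG = """\
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 2 node 1 priority 200
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 interface-monitor fe-1/0/3 weight 255
set interfaces fe-0/0/4 fastether-options redundant-parent reth1
set interfaces fe-1/0/4 fastether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 172.20.30.1/24
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 0 family inet address 172.30.30.1/24
"""


def node_of(ifname, node1_fpc=1):
    """Map a physical interface to its cluster node by FPC slot.

    Assumption: node 0 owns FPC 0 and node 1 owns FPC `node1_fpc` (1 on the
    fe-x/0/y box in this session; the ge-3/0/x naming seen elsewhere on this
    page would need node1_fpc=3). Returns None for reth/fab/unknown names.
    """
    m = re.match(r"^[a-z]+-(\d+)/\d+/\d+$", ifname)
    if not m:
        return None
    return {0: 0, node1_fpc: 1}.get(int(m.group(1)))


def parse_set_lines(text):
    """Tokenise every `set ...` line; prompts and other lines are ignored."""
    return [line.split() for line in text.splitlines() if line.startswith("set ")]


def check_cluster_config(text, node1_fpc=1):
    """Return a list of findings (an empty list means the config passes)."""
    findings = []
    members = defaultdict(set)   # reth name -> physical member interfaces
    defined = set()              # every interface with any statement under [edit interfaces]
    monitored = []               # (redundancy-group, monitored interface)
    reth_count = None
    for tok in parse_set_lines(text):
        if tok[1:4] == ["chassis", "cluster", "reth-count"]:
            reth_count = int(tok[4])
        elif tok[1:3] == ["chassis", "cluster"] and "interface-monitor" in tok:
            monitored.append((tok[4], tok[tok.index("interface-monitor") + 1]))
        elif tok[1] == "interfaces":
            defined.add(tok[2])
            if "redundant-parent" in tok:
                members[tok[tok.index("redundant-parent") + 1]].add(tok[2])

    for reth in sorted(n for n in defined if n.startswith("reth")):
        if reth_count is not None and int(reth[4:]) >= reth_count:
            findings.append(f"{reth}: index not covered by reth-count {reth_count}")
        if not members[reth]:
            findings.append(f"{reth}: no member interfaces (redundant-parent) configured")
        elif {node_of(m, node1_fpc) for m in members[reth]} != {0, 1}:
            findings.append(f"{reth}: members {sorted(members[reth])} do not cover both nodes")
    for rg, ifname in monitored:
        if ifname not in defined:
            findings.append(f"redundancy-group {rg}: interface-monitor {ifname} "
                            "is not defined under interfaces")
    return findings


if __name__ == "__main__":
    for finding in check_cluster_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```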

Step 3.18

{primary:node1}[edit]
root@srxC-2# run ping 172.20.30.99 detail count 2    
PING 172.20.30.99 (172.20.30.99): 56 data bytes
64 bytes from 172.20.30.99 via reth0.0: icmp_seq=0 ttl=64 time=2.839 ms
64 bytes from 172.20.30.99 via reth0.0: icmp_seq=1 ttl=64 time=2.510 ms

--- 172.20.30.99 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.510/2.675/2.839/0.164 ms

{primary:node1}[edit]
root@srxC-2# run ping 172.30.30.99 detail count 2    
PING 172.30.30.99 (172.30.30.99): 56 data bytes
64 bytes from 172.30.30.99 via reth1.0: icmp_seq=0 ttl=64 time=2.552 ms
64 bytes from 172.30.30.99 via reth1.0: icmp_seq=1 ttl=64 time=2.503 ms

--- 172.30.30.99 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.503/2.527/2.552/0.025 ms

{primary:node1}[edit]
root@srxC-2# run ping 172.18.2.1 detail count 2      
PING 172.18.2.1 (172.18.2.1): 56 data bytes
64 bytes from 172.18.2.1 via fe-1/0/3.0: icmp_seq=0 ttl=64 time=3.213 ms
64 bytes from 172.18.2.1 via fe-1/0/3.0: icmp_seq=1 ttl=64 time=2.561 ms

--- 172.18.2.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.561/2.887/3.213/0.326 ms

The ping tests were successful.

Part 4: Monitoring Traffic Flows


srxC-2                            Seconds: 34                  Time: 00:18:03

Interface    Link  Input packets        (pps)     Output packets        (pps)
 fab0          Up              0          (0)           126826          (2)
 fab1          Up              0          (0)           140269          (4)
 fxp0          Up              0                             1
 fxp1          Up        1065523                       1688558
 gre           Up              0                             0
 ipip          Up              0                             0
 irb           Up              0                             0
 lo0           Up         107989                        107989
 lsi           Up              0                             0
 mtun          Up              0                             0
 pimd          Up              0                             0
 pime          Up              0                             0
 pp0           Up              0          (0)                0          (0)
 ppd0          Up              0          (0)                0          (0)
 ppe0          Up              0          (0)                0          (0)
 reth0         Up            819          (0)              786          (0)
 reth1         Up           4769          (0)              334          (0)
 st0           Up              0          (0)                0          (0)
 tap           Up              0                             0

Bytes=b, Clear=c, Delta=d, Packets=p, Quit=q or ESC, Rate=r, Up=^U, Down=^D


POGOPLUG Version E02 TO OpenWRT/LEDE


Files needed:

If you intend to replace the existing bootloader: openwrt-kirkwood-pogo_e02-u-boot.kwb
If you intend to install a second-stage bootloader: openwrt-kirkwood-pogo_e02_second_stage-u-boot.img
openwrt-kirkwood-pogoe02-rootfs.ubifs

U-Boot 2011.12 (Feb 20 2012 - 21:21:59)
Pogoplug E02

SoC:   Kirkwood 88F6281_A0
DRAM:  256 MiB
WARNING: Caches not enabled
NAND:  128 MiB
In:    serial
Out:   serial
Err:   serial
Net:   egiga0
88E1116 Initialized on egiga0
Hit any key to stop autoboot:  0 
u-boot>> 

Current environment:

u-boot>> env print
arcNumber=2097
baudrate=115200
bootcmd=usb start; run force_rescue_bootcmd; run ubifs_bootcmd; run usb_bootcmd; usb stop; run rescue_bootcmd; run pogo_bootcmd; reset
bootdelay=3
console=ttyS0,115200
ethact=egiga0
ethaddr=00:25:31:02:29:7E
force_rescue=0
force_rescue_bootcmd=if test $force_rescue -eq 1 || ext2load usb 0:1 0x1700000 /rescueme 1 || fatload usb 0:1 0x1700000 /rescueme.txt 1; then run rescue_bootcmd; fi
led_error=orange blinking
led_exit=green off
led_init=green blinking
mainlineLinux=yes
mtdids=nand0=orion_nand
mtdparts=mtdparts=orion_nand:1M(u-boot),4M(uImage),32M(rootfs),-(data)
partition=nand0,2
pogo_bootcmd=if fsload uboot-original-mtd0.kwb; then go 0x800200; fi
rescue_bootcmd=if test $rescue_installed -eq 1; then run rescue_set_bootargs; nand read.e 0x800000 0x100000 0x400000; bootm 0x800000; else run pogo_bootcmd; fi
rescue_installed=0
rescue_set_bootargs=setenv bootargs console=$console ubi.mtd=2 root=ubi0:rootfs ro rootfstype=ubifs $mtdparts $rescue_custom_params
stderr=serial
stdin=serial
stdout=serial
ubifs_bootcmd=run ubifs_set_bootargs; if ubi part data && ubifsmount rootfs && ubifsload 0x800000 /boot/uImage && ubifsload 0x1100000 /boot/uInitrd; then bootm 0x800000 0x1100000; fi
ubifs_mtd=3
ubifs_set_bootargs=setenv bootargs console=$console ubi.mtd=$ubifs_mtd root=ubi0:rootfs rootfstype=ubifs $mtdparts $ubifs_custom_params
usb_boot=mw 0x800000 0 1; ext2load usb $usb_device 0x800000 /boot/uImage; if ext2load usb $usb_device 0x1100000 /boot/uInitrd; then bootm 0x800000 0x1100000; else bootm 0x800000; fi
usb_bootcmd=run usb_init; run usb_set_bootargs; run usb_boot
usb_device=0:1
usb_init=run usb_scan
usb_root=/dev/sda1
usb_rootdelay=10
usb_rootfstype=ext2
usb_scan=usb_scan_done=0;for scan in $usb_scan_list; do run usb_scan_$scan; if test $usb_scan_done -eq 0 && ext2load usb $usb 0x800000 /boot/uImage 1; then usb_scan_done=1; echo "Found bootable drive on usb $usb"; setenv usb_device $usb; setenv usb_root /dev/$dev; fi; done
usb_scan_1=usb=0:1 dev=sda1
usb_scan_2=usb=1:1 dev=sdb1
usb_scan_3=usb=2:1 dev=sdc1
usb_scan_4=usb=3:1 dev=sdd1
usb_scan_list=1 2 3 4
usb_set_bootargs=setenv bootargs console=$console root=$usb_root rootdelay=$usb_rootdelay rootfstype=$usb_rootfstype $mtdparts $usb_custom_params

Environment size: 2342/131068 bytes
u-boot>> 


Pogo: 10.128.10.138

Kali:     10.128.10.174

setenv ipaddr 10.128.10.138
setenv serverip 10.128.10.174
saveenv


u-boot>> setenv ipaddr 10.128.10.138
u-boot>> setenv serverip 10.128.10.174
u-boot>> saveenv
Saving Environment to NAND...
Erasing Nand...
Erasing at 0xc0000 -- 100% complete.
Writing to Nand... done
u-boot>> 

Download the image to the TFTP server and fetch it from U-Boot via TFTP:

# cp openwrt-kirkwood-pogo_e02_second_stage-u-boot.img /tftpboot/
# service atftpd start

https://downloads.openwrt.org/chaos_calmer/15.05/kirkwood/generic/uboot-kirkwood-pogo_e02_second_stage/openwrt-kirkwood-pogo_e02_second_stage-u-boot.img

u-boot>> tftpboot 0x800000 openwrt-kirkwood-pogo_e02_second_stage-u-boot.img
Using egiga0 device
TFTP from server 10.128.10.174; our IP address is 10.128.10.138
Filename 'openwrt-kirkwood-pogo_e02_second_stage-u-boot.img'.
Load address: 0x800000
Loading: T T T T T T T T T T 
Retry count exceeded; starting again
Using egiga0 device
TFTP from server 10.128.10.174; our IP address is 10.128.10.138
Filename 'openwrt-kirkwood-pogo_e02_second_stage-u-boot.img'.
Load address: 0x800000
Loading: T T T T T T T ###############################
done
Bytes transferred = 454920 (6f108 hex)
u-boot>> 

I ended up following this tutorial and something called LEDE got installed:

http://loetzimmer.de/openwrt/lede-kirkwood-pogo_02-uboot_config.txt

mtdparts del 
mtdparts add nand0 0x00100000@0x0 u-boot
mtdparts add nand0 0x07f00000@0x00100000 data

u-boot>> mtdparts delall
u-boot>> mtdparts add nand0 0x00100000@0x0 u-boot
mtdparts variable not set, see 'help mtdparts'
u-boot>> mtdparts add nand0 0x07f00000@0x00100000 data
u-boot>> mtdparts


PogoE02> mtdparts

device nand0 , # parts = 2
 #: name                size            offset          mask_flags
 0: u-boot              0x00100000      0x00000000      0
 1: data                0x07f00000      0x00100000      0

active partition: nand0,0 - (u-boot) 0x00100000 @ 0x00000000

defaults:
mtdids  : none
mtdparts: none

tftpboot 0x2000000 uboot.2016.05-tld-1.pogo_e02.mtd0.kwb
nand erase 0x0 0x80000
nand write 0x2000000 0x0 0x80000

tftpboot 0x2000000 lede-kirkwood-pogo_e02-root.ubi
nand erase 0x00100000 0x07f00000
nand write 0x2000000 0x00100000 0x6a0000

setenv ubifs_boot 'if ubi part data && ubifsmount ubi:rootfs && ubifsload 0x800000 /boot/uImage && ubifsumount; then bootm 0x800000; fi'
setenv ubifs_bootcmd 'run ubifs_set_bootargs; run ubifs_boot'
setenv ubifs_set_bootargs 'setenv bootargs console=$console $mtdparts'
setenv bootcmd 'run ubifs_bootcmd; usb start; run usb_bootcmd; usb stop; reset'
saveenv
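
Before erasing and writing NAND it is worth checking the arithmetic of the sequence above, since a wrong offset or length here overwrites the bootloader. The following Python script is an added example, not from the post, OpenWrt or LEDE; it assumes 128 KiB erase blocks (ERASE_BLOCK) and the 128 MiB chip reported in the U-Boot banner.

```python
"""Sanity-check a U-Boot NAND flashing sequence against its mtdparts layout.

Added example, not from the original post, OpenWrt or LEDE. It parses the
`mtdparts add`, `nand erase` and `nand write` commands of the procedure above
and verifies that every partition fits the chip, partitions do not overlap,
each erase/write stays inside one partition on an erase-block boundary, and
nothing is written to flash that was not erased first.
"""
import re

NAND_SIZE = 128 * 1024 * 1024   # "NAND: 128 MiB" in the U-Boot banner
ERASE_BLOCK = 0x20000           # assumption: 128 KiB erase blocks on this chip

# Constructed sample: the commands of the procedure above, in order.
COMMANDS = """\
mtdparts delall
mtdparts add nand0 0x00100000@0x0 u-boot
mtdparts add nand0 0x07f00000@0x00100000 data
tftpboot 0x2000000 uboot.2016.05-tld-1.pogo_e02.mtd0.kwb
nand erase 0x0 0x80000
nand write 0x2000000 0x0 0x80000
tftpboot 0x2000000 lede-kirkwood-pogo_e02-root.ubi
nand erase 0x00100000 0x07f00000
nand write 0x2000000 0x00100000 0x6a0000
"""

PART_RE = re.compile(r"mtdparts add nand0 (0x[0-9a-f]+)@(0x[0-9a-f]+) (\S+)", re.I)
# `nand erase OFF LEN` and `nand write RAMADDR OFF LEN`: the RAM address is optional
NAND_RE = re.compile(r"nand (erase|write) (?:0x[0-9a-f]+ )?(0x[0-9a-f]+) (0x[0-9a-f]+)", re.I)


def parse_commands(text):
    """Return ([(name, offset, size)], [(op, offset, length)]) from a pasted session."""
    parts, ops = [], []
    for line in text.splitlines():
        m = PART_RE.match(line.strip())
        if m:
            parts.append((m.group(3), int(m.group(2), 16), int(m.group(1), 16)))
            continue
        m = NAND_RE.match(line.strip())
        if m:
            ops.append((m.group(1).lower(), int(m.group(2), 16), int(m.group(3), 16)))
    return parts, ops


def check_layout(text, nand_size=NAND_SIZE, erase_block=ERASE_BLOCK):
    """Return a list of findings; an empty list means the sequence is consistent."""
    parts, ops = parse_commands(text)
    findings = []
    for name, off, size in parts:
        if off + size > nand_size:
            findings.append(f"partition {name}: 0x{off:x}+0x{size:x} exceeds NAND size")
        if off % erase_block or size % erase_block:
            findings.append(f"partition {name}: not aligned to 0x{erase_block:x} erase block")
    by_offset = sorted(parts, key=lambda p: p[1])
    for (n1, o1, s1), (n2, o2, _) in zip(by_offset, by_offset[1:]):
        if o1 + s1 > o2:
            findings.append(f"partitions {n1} and {n2} overlap")
    erased = []                     # (offset, length) regions erased so far, in order
    for op, off, length in ops:
        inside = [n for n, o, s in parts if o <= off and off + length <= o + s]
        if not inside:
            findings.append(f"nand {op} 0x{off:x} len 0x{length:x} is not inside a single partition")
        if op == "erase":
            if off % erase_block or length % erase_block:
                findings.append(f"nand erase 0x{off:x} len 0x{length:x} not erase-block aligned")
            erased.append((off, length))
        elif not any(o <= off and off + length <= o + l for o, l in erased):
            findings.append(f"nand write 0x{off:x} len 0x{length:x} targets unerased flash")
    return findings


if __name__ == "__main__":
    for finding in check_layout(COMMANDS) or ["layout and flashing sequence look consistent"]:
        print(finding)
```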

Login:

BusyBox v1.25.1 () built-in shell (ash)

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                      lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (17.01.0, r3205-59508e3)
    \________\/    -----------------------------------------------------------

=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------


U-Boot 2016.05-tld-1 (Jun 12 2016 - 13:23:43 -0700)
Pogo E02

SoC:   Kirkwood 88F6281_A0
DRAM:  256 MiB
WARNING: Caches not enabled
NAND:  128 MiB
In:    serial
Out:   serial
Err:   serial
Net:   egiga0
Hit any key to stop autoboot:  0 
PogoE02> 


Deactivate the firewall via LuCI



References


https://wiki.openwrt.org/toh/cloudengines/pogoplug

wrt54g OpenWrt Backfire 10.03.1 optimized for droning.



Targets


  • Install Backfire on a couple of WRT54g routers.
  • Quickly personalize the hostname and banner.
  • Enable remote access.
  • Do as little as possible to get a decent machine capable of running iperf at top speed.
  • Install iperf as a service.

Downloaded version



After uploading the firmware, the default internal IP address is 192.168.1.1.

Change the default password



Change the hostname and sync the time


System > System

  • Set the hostname.
  • Check 'Sync with browser'.


Change Firewall settings


Go to Network > Firewall

  • Disable 'Enable SYN-flood protection'.
  • Disable 'Drop invalid packets'.
  • Change the WAN input policy to accept.

Software: remove packages, update lists and install.


  • Go to System > Software
  • Check the initial free space.


  • firewall
  • kmod-ppp
  • kmod-wlcompact
  • luci-app-firewall
  • ppp-mod-ppoe
  • uhttpd
  • wireless-tools
  • wlc


  • Click 'Update lists'.

Click on 'Available packages'.

Afterwards install iperf and wget.

Change Banner


root@GuyJ:~# vi /etc/banner

Create iperf service


touch /etc/init.d/iperf
chmod +x /etc/init.d/iperf
vi /etc/init.d/iperf
#!/bin/sh /etc/rc.common

START=50

start() {

/usr/bin/iperf -s &
}

/etc/init.d/iperf enable

/etc/init.d/iperf start

Check services status

for F in /etc/init.d/* ; do $F enabled && echo $F on || echo $F **disabled**; done

Using iperf to measure bandwidth


Install iperf on Pogoplug


root@FLUG:~# apt-get install iperf

Install as service on Pogoplug


root@FLUG:~# touch /etc/init.d/iperf
root@FLUG:~# chmod +x /etc/init.d/iperf
vi /etc/init.d/iperf

Add the following:
#!/bin/bash
/usr/bin/iperf -s &

update-rc.d iperf defaults

Check Pogoplug Speeds


root@CAROLA:/var/www# iperf -c 10.128.10.188
------------------------------------------------------------
Client connecting to 10.128.10.188, TCP port 5001
TCP window size: 43.8 KByte (default)
------------------------------------------------------------
[  3] local 10.128.10.13 port 37261 connected with 10.128.10.188 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   69 MBytes   552 Mbits/sec

root@Beyer:~# iperf -c 10.128.10.13
------------------------------------------------------------
Client connecting to 10.128.10.13, TCP port 5001
TCP window size: 43.8 KByte (default)
------------------------------------------------------------
[  3] local 10.128.10.188 port 50211 connected with 10.128.10.13 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   728 MBytes   611 Mbits/sec

root@Beyer:~# iperf -c 10.128.10.206
------------------------------------------------------------
Client connecting to 10.128.10.206, TCP port 5001
TCP window size: 43.8 KByte (default)
------------------------------------------------------------
[  3] local 10.128.10.188 port 49051 connected with 10.128.10.206 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   714 MBytes   598 Mbits/sec
root@Beyer:~# 

Iperf installation on Nslu


root@DUBFIRE:~# wget http://downloads.openwrt.org/kamikaze/8.09/ixp4xx/packages/iperf-mt_2.0.4-1_armeb.ipk
root@DUBFIRE:~# wget http://downloads.openwrt.org/kamikaze/8.09/ixp4xx/packages/uclibcxx_0.2.2-1_armeb.ipk 
root@DUBFIRE:~# wget http://downloads.openwrt.org/kamikaze/8.09/ixp4xx/packages/libpthread_0.9.29-14_armeb.ipk 
root@DUBFIRE:~# opkg install libpthread_0.9.29-14_armeb.ipk 
Installing libpthread (0.9.29-14) to root...
Configuring libpthread
root@DUBFIRE:~# opkg install uclibcxx_0.2.2-1_armeb.ipk 
Installing uclibcxx (0.2.2-1) to root...
Configuring uclibcxx
root@DUBFIRE:~# opkg install iperf-mt_2.0.4-1_armeb.ipk 
Installing iperf-mt (2.0.4-1) to root...
Configuring iperf-mt
root@DUBFIRE:~# 

root@DUBFIRE:~# iperf -v 
iperf version 2.0.4 (7 Apr 2008) pthreads

Install iperf to run at startup

touch /etc/init.d/iperf
chmod +x /etc/init.d/iperf



vi /etc/init.d/iperf 
#!/bin/sh /etc/rc.common

START=50

start() {

/usr/bin/iperf -s & 
}

/etc/init.d/iperf enable

/etc/init.d/iperf start 
root@DUBFIRE:~# for F in /etc/init.d/* ; do $F enabled && echo $F on || echo $F **disabled**; done


root@TEMPLE:~# /etc/init.d/iperf enable
root@TEMPLE:~# 
root@TEMPLE:~# /etc/init.d/iperf start 
root@TEMPLE:~# ------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
for F in /etc/init.d/* ; do $F enabled && echo $F on || echo $F *
*disabled**; done
/etc/init.d/boot on
/etc/init.d/cron on
/etc/init.d/dnsmasq on
/etc/init.d/done on
/etc/init.d/dropbear on
/etc/init.d/firewall on
/etc/init.d/fstab on
/etc/init.d/httpd **disabled**
/etc/init.d/iperf on
/etc/init.d/led on
/etc/init.d/network on
/etc/init.d/rcS on
/etc/init.d/sysctl on
/etc/init.d/telnet on
/etc/init.d/umount **disabled**
/etc/init.d/usb on
/etc/init.d/watchdog on
root@TEMPLE:~# 

Speed test on NSLU


root@DUBFIRE:~# iperf -c 10.128.10.188
------------------------------------------------------------
Client connecting to 10.128.10.188, TCP port 5001
TCP window size: 48.9 KByte (default)
------------------------------------------------------------
[  5] local 10.128.10.193 port 49727 connected with 10.128.10.188 port 5001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec  91.8 MBytes  77.0 Mbits/sec

root@LIEBING:~# iperf -c 10.128.10.188
------------------------------------------------------------
Client connecting to 10.128.10.188, TCP port 5001
TCP window size: 48.9 KByte (default)
------------------------------------------------------------
[  5] local 10.128.10.190 port 44356 connected with 10.128.10.188 port 5001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec  91.3 MBytes  76.6 Mbits/sec

root@TEMPLE:~# iperf -c 10.128.10.188
------------------------------------------------------------
Client connecting to 10.128.10.188, TCP port 5001
TCP window size: 33.8 KByte (default)
------------------------------------------------------------
[  5] local 10.128.10.113 port 50787 connected with 10.128.10.188 port 5001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec  91.8 MBytes  77.0 Mbits/sec

root@Huntemann:~# iperf -c 10.128.10.188
------------------------------------------------------------
Client connecting to 10.128.10.188, TCP port 5001
TCP window size: 37.6 KByte (default)
------------------------------------------------------------
[  5] local 10.128.10.248 port 49789 connected with 10.128.10.188 port 5001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec  91.3 MBytes  76.6 Mbits/sec
root@Huntemann:~# 

One to another system speed test differences:

root@FLUG:~# iperf -c 10.128.10.13 -n10000M -i 2
------------------------------------------------------------
Client connecting to 10.128.10.13, TCP port 5001
TCP window size: 43.8 KByte (default)
------------------------------------------------------------
[  3] local 10.128.10.206 port 45092 connected with 10.128.10.13 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 2.0 sec  96.4 MBytes   404 Mbits/sec
[  3]  2.0- 4.0 sec  97.1 MBytes   407 Mbits/sec
[  3]  4.0- 6.0 sec  97.1 MBytes   407 Mbits/sec
[  3]  6.0- 8.0 sec  97.1 MBytes   407 Mbits/sec
[  3]  8.0-10.0 sec  97.4 MBytes   408 Mbits/sec
[  3] 10.0-12.0 sec  97.1 MBytes   407 Mbits/sec
[  3] 12.0-14.0 sec  97.1 MBytes   407 Mbits/sec
[  3] 14.0-16.0 sec  96.9 MBytes   406 Mbits/sec
[  3] 16.0-18.0 sec  97.0 MBytes   407 Mbits/sec
[  3] 18.0-20.0 sec  96.9 MBytes   406 Mbits/sec
[  3] 20.0-22.0 sec  96.8 MBytes   406 Mbits/sec

root@CAROLA:~# iperf -c 10.128.10.206 -n10000M -i 2
------------------------------------------------------------
Client connecting to 10.128.10.206, TCP port 5001
TCP window size: 43.8 KByte (default)
------------------------------------------------------------
[  3] local 10.128.10.13 port 53888 connected with 10.128.10.206 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 2.0 sec   127 MBytes   533 Mbits/sec
[  3]  2.0- 4.0 sec   126 MBytes   526 Mbits/sec
[  3]  4.0- 6.0 sec   124 MBytes   518 Mbits/sec
[  3]  6.0- 8.0 sec   133 MBytes   559 Mbits/sec
[  3]  8.0-10.0 sec   130 MBytes   544 Mbits/sec
[  3] 10.0-12.0 sec   137 MBytes   575 Mbits/sec
^C[  3]  0.0-12.9 sec   833 MBytes   541 Mbits/sec


Troubleshooting speed tests


root@CAROLA:~# mii-tool 
eth0: negotiated 1000baseT-FD flow-control, link ok


root@CAROLA:~# ethtool eth0
Settings for eth0:
	Supported ports: [ TP MII ]
	Supported link modes:   10baseT/Half 10baseT/Full 
	                        100baseT/Half 100baseT/Full 
	                        1000baseT/Full 
	Supported pause frame use: No
	Supports auto-negotiation: Yes
	Advertised link modes:  10baseT/Half 10baseT/Full 
	                        100baseT/Half 100baseT/Full 
	                        1000baseT/Full 
	Advertised pause frame use: No
	Advertised auto-negotiation: Yes
	Link partner advertised link modes:  10baseT/Half 10baseT/Full 
	                                     100baseT/Half 100baseT/Full 
	                                     1000baseT/Full 
	Link partner advertised pause frame use: Symmetric
	Link partner advertised auto-negotiation: Yes
	Speed: 1000Mb/s
	Duplex: Full
	Port: MII
	PHYAD: 0
	Transceiver: external
	Auto-negotiation: on
	Supports Wake-on: d
	Wake-on: d
	Link detected: yes
root@CAROLA:~# 



root@CAROLA:~# ethtool -i eth0
driver: mv643xx_eth
version: 1.4
firmware-version: N/A
bus-info: platform
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no
root@CAROLA:~# 

[SRX] Configuring & monitoring DHCP


Configuring 2 DHCP groups and assigning them to 2 interfaces.


set system services dhcp-local-server group POOL_233 interface reth1.233
set system services dhcp-local-server group POOL_223 interface reth0.223
set access address-assignment pool POOL_233 family inet network 172.30.30.0/24
set access address-assignment pool POOL_233 family inet range r233 low 172.30.30.100
set access address-assignment pool POOL_233 family inet range r233 high 172.30.30.250
set access address-assignment pool POOL_233 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool POOL_233 family inet dhcp-attributes router 172.30.30.1
set access address-assignment pool POOL_233 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool POOL_223 family inet network 172.20.30.0/24
set access address-assignment pool POOL_223 family inet range r223 low 172.20.30.100
set access address-assignment pool POOL_223 family inet range r223 high 172.20.30.250
set access address-assignment pool POOL_223 family inet dhcp-attributes router 172.20.30.1

Statistics commands

show dhcp server binding
show dhcp server statistics
clear dhcp server binding
clear dhcp server statistics

When checking which node is running the DHCP server, pay attention: it is not both systems at the same time.

{secondary:node0}
root@srxC-1> show dhcp server binding 
error: the dhcp-service subsystem is not running

{secondary:node0}
root@srxC-1> 


{primary:node1}
root@srxC-2> show dhcp server binding 

IP address        Session Id  Hardware address   Expires     State      Interface
172.30.30.100     2           00:26:b9:e9:34:95  2418777     BOUND      reth1.233           

Initial statistics

{primary:node1}
root@srxC-2> show dhcp server statistics 
Packets dropped:
    Total                      0

Messages received:
    BOOTREQUEST                6
    DHCPDECLINE                0
    DHCPDISCOVER               3
    DHCPINFORM                 0
    DHCPRELEASE                1
    DHCPREQUEST                2

Messages sent:
    BOOTREPLY                  5
    DHCPOFFER                  3
    DHCPACK                    2
    DHCPNAK                    0
    DHCPFORCERENEW             0

With more clients connected, more bindings appear. Note the DHCPNAK counter going from 0 to 1 between the two snapshots: a NAK is the server refusing a client's DHCPREQUEST (for example a request for an address the server cannot confirm on that subnet), so a rising NAK count on a production VLAN is worth investigating.

root@srxC-2> show dhcp server statistics    
Packets dropped:
    Total                      0

Messages received:
    BOOTREQUEST                13
    DHCPDECLINE                0
    DHCPDISCOVER               6
    DHCPINFORM                 0
    DHCPRELEASE                1
    DHCPREQUEST                6

Messages sent:
    BOOTREPLY                  12
    DHCPOFFER                  6
    DHCPACK                    5
    DHCPNAK                    1
    DHCPFORCERENEW             0

{primary:node1}
root@srxC-2> show dhcp server binding       

IP address        Session Id  Hardware address   Expires     State      Interface
172.30.30.102     4           00:25:31:01:fe:0f  2418799     BOUND      reth1.233           
172.30.30.103     5           00:25:31:02:29:7e  2418831     BOUND      reth1.233           
172.30.30.101     3           00:25:31:04:9b:f4  2418704     BOUND      reth1.233           
172.30.30.100     2           00:26:b9:e9:34:95  2418199     BOUND      reth1.233           
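Added example, not part of the original notes: a small Python audit that parses the binding table and the two statistics snapshots shown above (embedded here as constructed input copied from that output, with the zero counters abridged) and checks each lease against the POOL_233 definition. It flags addresses outside the configured range, leases on the wrong interface, expiry beyond maximum-lease-time and one MAC holding two leases, reports range utilisation so exhaustion can be alerted on, and diffs the counters so a rising DHCPNAK count shows up. The pool dictionary and the function names are the example's own.

```python
import re
from ipaddress import ip_address

# POOL_233 as configured in the set commands above (the dict itself is the example's own).
POOL_233 = {
    "low": ip_address("172.30.30.100"),
    "high": ip_address("172.30.30.250"),
    "interface": "reth1.233",
    "max_lease": 2419200,  # dhcp-attributes maximum-lease-time, in seconds
}

# Constructed input: the second 'show dhcp server binding' table from above.
BINDINGS = """\
IP address        Session Id  Hardware address   Expires     State      Interface
172.30.30.102     4           00:25:31:01:fe:0f  2418799     BOUND      reth1.233
172.30.30.103     5           00:25:31:02:29:7e  2418831     BOUND      reth1.233
172.30.30.101     3           00:25:31:04:9b:f4  2418704     BOUND      reth1.233
172.30.30.100     2           00:26:b9:e9:34:95  2418199     BOUND      reth1.233
"""

# Constructed input: the two 'show dhcp server statistics' snapshots from above (zero counters left out).
STATS_BEFORE = """\
Messages received:
    BOOTREQUEST                6
    DHCPDISCOVER               3
    DHCPRELEASE                1
    DHCPREQUEST                2
Messages sent:
    BOOTREPLY                  5
    DHCPOFFER                  3
    DHCPACK                    2
    DHCPNAK                    0
"""
STATS_AFTER = """\
Messages received:
    BOOTREQUEST                13
    DHCPDISCOVER               6
    DHCPRELEASE                1
    DHCPREQUEST                6
Messages sent:
    BOOTREPLY                  12
    DHCPOFFER                  6
    DHCPACK                    5
    DHCPNAK                    1
"""

BINDING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<sid>\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<expires>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<ifl>\S+)$", re.IGNORECASE)
COUNTER_RE = re.compile(r"^\s+([A-Za-z]+)\s+(\d+)\s*$")

def parse_bindings(text):
    """One dict per binding row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["sid"], row["expires"] = int(row["sid"]), int(row["expires"])
            row["mac"] = row["mac"].lower()
            rows.append(row)
    return rows

def audit_bindings(rows, pool):
    """Findings as strings; an empty list means every lease is consistent with the pool."""
    findings, seen = [], {}
    for r in rows:
        ip = ip_address(r["ip"])
        if not pool["low"] <= ip <= pool["high"]:
            findings.append(f"{r['ip']}: outside range {pool['low']}-{pool['high']}")
        if r["ifl"] != pool["interface"]:
            findings.append(f"{r['ip']}: bound on {r['ifl']}, expected {pool['interface']}")
        if r["expires"] > pool["max_lease"]:
            findings.append(f"{r['ip']}: expires in {r['expires']}s, above maximum-lease-time")
        if r["mac"] in seen:  # one client holding two leases eats the pool
            findings.append(f"{r['mac']}: holds both {seen[r['mac']]} and {r['ip']}")
        seen.setdefault(r["mac"], r["ip"])
    return findings

def utilisation(rows, pool):
    """(BOUND leases, addresses in the range) so exhaustion can be alerted on."""
    size = int(pool["high"]) - int(pool["low"]) + 1
    return sum(1 for r in rows if r["state"] == "BOUND"), size

def parse_stats(text):
    """Counter name -> value for every indented 'NAME   N' line."""
    return {m[1]: int(m[2]) for m in map(COUNTER_RE.match, text.splitlines()) if m}

def stats_delta(before, after):
    """Per-counter increase between two snapshots (rising DHCPNAK is the one to watch)."""
    return {k: v - before.get(k, 0) for k, v in after.items()}
```

Feed it the raw text of the two commands (for example via an SSH session or a saved log) from the node that is currently primary; on the secondary the binding command only returns the "subsystem is not running" error shown above.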

[SRX] Disabling interfaces with: rpm probe & ip-monitoring

set services rpm probe PROBE-IPSEC-TUNNEL_1 test 00-icmp-gre-interface probe-count 3
set services rpm probe PROBE-IPSEC-TUNNEL_1 test 00-icmp-gre-interface probe-interval 15
set services rpm probe PROBE-IPSEC-TUNNEL_1 test 00-icmp-gre-interface test-interval 10
set services rpm probe PROBE-IPSEC-TUNNEL_1 test 00-icmp-gre-interface thresholds successive-loss 3
set services rpm probe PROBE-IPSEC-TUNNEL_1 test 00-icmp-gre-interface thresholds total-loss 3
set services rpm probe PROBE-IPSEC-TUNNEL_1 test 00-icmp-gre-interface  target address 172.16.222.77
set services rpm probe PROBE-IPSEC-TUNNEL_1 test 00-icmp-gre-interface  destination-interface gr-0/0/0.0
set services ip-monitoring policy POLICY-IPSEC-TUNNEL_1 match rpm-probe PROBE-IPSEC-TUNNEL_1
set services ip-monitoring policy POLICY-IPSEC-TUNNEL_1 then interface gr-0/0/0.0 disable
set services rpm probe PROBE-IPSEC-TUNNEL_1_GR-1 test 01-icmp-gre-interface1 probe-count 3
set services rpm probe PROBE-IPSEC-TUNNEL_1_GR-1 test 01-icmp-gre-interface1 probe-interval 15
set services rpm probe PROBE-IPSEC-TUNNEL_1_GR-1 test 01-icmp-gre-interface1 test-interval 
set services rpm probe PROBE-IPSEC-TUNNEL_1_GR-1 test 01-icmp-gre-interface1 thresholds successive-loss 3
set services rpm probe PROBE-IPSEC-TUNNEL_1_GR-1 test 01-icmp-gre-interface1 thresholds total-loss 3
set services rpm probe PROBE-IPSEC-TUNNEL_1_GR-1 test 01-icmp-gre-interface1  target address 172.16.219.77
set services rpm probe PROBE-IPSEC-TUNNEL_1_GR-1 test 01-icmp-gre-interface1  destination-interface gr-0/0/0.1
set services ip-monitoring policy POLICY-IPSEC-TUNNEL_1_GR-1 match rpm-probe PROBE-IPSEC-TUNNEL_1_GR-1
set services ip-monitoring policy POLICY-IPSEC-TUNNEL_1_GR-1 then interface gr-0/0/0.1 disable

Check the ip-monitoring status. A policy goes to FAIL when its rpm probe crosses the configured loss thresholds; the "then interface ... disable" action then administratively disables that gr- interface (admin state DOWN, action status FAILOVER) so the routes pointing at the dead tunnel disappear and traffic falls over to the other one. Tunnel 1 below is in that state while tunnel 2 still passes.

> show services ip-monitoring status

Policy - POLICY-IPSEC-TUNNEL_1 (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    PROBE-IPSEC-TUNNEL_1   00-icmp-gre-interface 172.16.222.77 FAIL
  Interface-Action:
    interface         policy action   admin state action status
    ----------------- --------------- ----------- -----------------
    gr-0/0/0.0        Disable         DOWN        FAILOVER

Policy - POLICY-IPSEC-TUNNEL_1_GR-1 (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    PROBE-IPSEC-TUNNEL_1_GR-1 01-icmp-gre-interface1 172.16.219.77 PASS
  Interface-Action:
    interface         policy action   admin state action status
    ----------------- --------------- ----------- -----------------
    gr-0/0/0.1        Disable         UP          NO-ACTION

{primary:node0}

Check the probe history. Tunnel 1 has not answered a single probe since 09:38, while tunnel 2 shows one lost probe at 09:44:46 that never reached a threshold; this is the evidence behind the FAIL and PASS verdicts above.

> show services rpm history-results
    Owner, Test                 Probe received              Round trip time
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:38:12 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:38:27 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:38:52 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:39:07 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:39:22 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:39:47 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:40:02 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:40:17 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:40:42 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:40:57 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:41:12 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:41:37 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:41:52 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:42:07 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:42:32 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:42:47 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:43:02 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:43:27 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:43:42 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:43:57 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:44:22 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:44:37 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:44:52 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:45:17 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:45:32 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:45:47 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:46:12 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:46:27 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:46:42 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:47:07 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:47:22 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:47:37 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:48:02 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:48:17 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:48:32 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:48:57 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:49:12 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:49:27 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:49:52 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:50:07 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:50:22 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:50:47 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:51:02 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:51:17 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:51:42 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:51:57 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:52:12 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:52:37 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:52:52 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:53:07 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:42:16 2017            12859 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:42:31 2017            12702 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:42:46 2017            12733 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:42:56 2017            12809 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:43:11 2017            12843 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:43:26 2017            12697 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:43:36 2017            13159 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:43:51 2017            13007 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:44:06 2017            12875 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:44:16 2017            12970 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:44:46 2017 Request timed out
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:44:46 2017            12595 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:44:56 2017            13110 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:45:11 2017            12768 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:45:26 2017            12832 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:45:36 2017            12779 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:45:51 2017            12738 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:46:06 2017            12646 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:46:16 2017            13435 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:46:31 2017            16055 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:46:46 2017            16007 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:46:56 2017            17703 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:47:11 2017            25385 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:47:26 2017            12766 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:47:36 2017            12862 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:47:51 2017            12777 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:48:06 2017            12722 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:48:16 2017            13091 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:48:31 2017            13572 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:48:46 2017            12649 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:48:56 2017            12970 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:49:11 2017            13074 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:49:26 2017            12757 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:49:36 2017            13249 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:49:51 2017            12856 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:50:06 2017            19809 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:50:16 2017            32523 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:50:31 2017            12650 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:50:46 2017            13210 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:50:56 2017            24201 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:51:11 2017            13179 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:51:26 2017            13287 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:51:36 2017            13397 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:51:51 2017            12869 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:52:06 2017            13462 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:52:16 2017            12635 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:52:31 2017            12717 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:52:46 2017            12868 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:52:56 2017            12889 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:53:11 2017            12625 usec

{primary:node0}
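Added example, not from the original notes: a Python reimplementation of the decision the ip-monitoring policies make from this history. It parses the rpm history-results lines (tolerating the run-together "2017Request timed out" column as captured), groups the samples per probe and test, and applies the probe-count 3 / successive-loss 3 / total-loss 3 values from the configuration above to the most recent test. Treating "the last probe-count samples" as one test is an assumption that approximates how Junos evaluates its thresholds, not the device's code; the excerpt embedded below is constructed from the output above, and the interface mapping passed to policy_actions is the example's own.

```python
import re
from collections import defaultdict

# Probe parameters from the rpm configuration above.
PROBE_COUNT = 3        # probes per test
SUCCESSIVE_LOSS = 3    # thresholds successive-loss
TOTAL_LOSS = 3         # thresholds total-loss

# Constructed excerpt of the 'show services rpm history-results' output above (raw column layout kept).
HISTORY = """\
    Owner, Test                 Probe received              Round trip time
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:52:37 2017Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:52:52 2017Request timed out
    PROBE-IPSEC-TUNNEL_1, 00-icmp-gre-interface Thu Apr  6 09:53:07 2017Request timed out
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:44:16 2017            12970 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:44:46 2017Request timed out
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:44:46 2017            12595 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:52:56 2017            12889 usec
    PROBE-IPSEC-TUNNEL_1_GR-1, 01-icmp-gre-interface1 Thu Apr  6 09:53:11 2017            12625 usec
"""

LINE_RE = re.compile(
    r"^\s*(?P<owner>[^,\s]+),\s+(?P<test>\S+)\s+"
    r"(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s*"
    r"(?:(?P<rtt>\d+)\s*usec|(?P<timeout>Request timed out))\s*$")

def parse_history(text):
    """Map (owner, test) -> samples in output order; None marks a lost probe."""
    samples = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            samples[(m["owner"], m["test"])].append(None if m["timeout"] else int(m["rtt"]))
    return dict(samples)

def longest_loss_run(samples):
    """Length of the longest run of consecutive lost probes."""
    longest = run = 0
    for s in samples:
        run = run + 1 if s is None else 0
        longest = max(longest, run)
    return longest

def evaluate_test(samples, probe_count=PROBE_COUNT,
                  successive_loss=SUCCESSIVE_LOSS, total_loss=TOTAL_LOSS):
    """Assumed approximation of the ip-monitoring verdict: judge the most recent test
    (the last probe_count samples). FAIL when the probes lost in that test reach
    total-loss or the longest run of consecutive losses reaches successive-loss."""
    if len(samples) < probe_count:
        return "UNKNOWN"          # not enough samples for one complete test yet
    last = samples[-probe_count:]
    lost = sum(1 for s in last if s is None)
    if lost >= total_loss or longest_loss_run(last) >= successive_loss:
        return "FAIL"
    return "PASS"

def rtt_summary(samples):
    """(min, max, mean) RTT in usec over answered probes, or None if none were answered."""
    good = [s for s in samples if s is not None]
    if not good:
        return None
    return min(good), max(good), sum(good) // len(good)

def policy_actions(history_text, interfaces):
    """interfaces: {(owner, test): ifl the policy would disable}.
    Returns {ifl: 'disable' | 'no-action' | 'unknown'}, mirroring the status table."""
    parsed = parse_history(history_text)
    actions = {}
    for key, ifl in interfaces.items():
        verdict = evaluate_test(parsed.get(key, []))
        actions[ifl] = {"FAIL": "disable", "PASS": "no-action"}.get(verdict, "unknown")
    return actions
```

The RTT summary is there because a tunnel that still answers but whose round trip doubles (see the 25385 and 32523 usec spikes on tunnel 2 above) is the usual precursor to the loss that finally trips the policy; alerting on it gives time to act before the failover.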

EDU-JUN-JSEC-12.A: LAB 8: IMPLEMENTING HIGH AVAILABILITY TECHNIQUES


 

Overview


In this lab you will implement high availability chassis clustering.

  • Create a baseline configuration.
  • Build the chassis cluster.
  • Configure an active/active chassis cluster.
  • Monitor traffic flows through the chassis cluster.
  • Disable the chassis cluster.

 

Network Diagram


 

 

Management interfaces

  • srxC-1: 10.210.14.135
  • srxC-2: 10.210.14.136

 

Table of contents


 

Part 1: Loading Baseline configuration

 

Part 2: Preparing and forming a Chassis cluster

 

  • Step 2.5
  • Step 2.6
  • Step 2.7 Configure the fxp0 interface with the management IP
  • Step 2.8
  • Step 2.10 Configure the fxp0 interface with the management IP
  • Step 2.12 (These steps need to be performed on both devices)
  • Step 2.13 Initiate the chassis cluster
  • Step 2.14 Log into the device once it has rebooted
  • Step 2.15 Issue the command show interfaces terse fxp0
  • Step 2.16 (This step only needs to be performed on the SRX1 device)
  • Check cluster status
  • Step 2.17 Check cluster interfaces
  • Step 2.18 Configure fab0 and fab1 interfaces. (For the SRX220H fab0 is ge-0/0/5 and fab1 ge-3/0/5)
  • Step 2.19 show cluster interfaces.

Part 3: configuring an Active/Active Cluster

  • Step 3.1 load config.
  • Step 3.2 Configure redundancy groups.
  • Step 3.3 create another redundancy group.
  • Step 3.4 Perform interface monitoring.
  • Step 3.5 create redundant link.
  • Step 3.6 create another redundant link.
  • Step 3.7 configure interface with an IP address.
  • Step 3.8 Increase the reth count.
  • Step 3.9 Show chassis cluster interfaces.
  • Step 3.10 show chassis cluster status.
  • Step 3.11 Configure Node1 to have a higher priority than Node 0.
  • Step 3.12 Show chassis cluster status.
  • Step 3.13 go to security and configure the policy to allow all traffic.
  • Step 3.14 Configure the Untrust zone to contain interfaces ge-0/0/3 and ge-5/0/3.
  • Step 3.15 Configure the Trust zone to contain interfaces reth0 and reth1. All system services should be allowed.
  • Step 3.16 Delete the current default static route and configure two default floating static routes.
  • Step 3.17 show route 0/0 exact.
  • Step 3.18 Check connectivity by issuing pings.

Part 4: Monitoring Traffic Flows

 

  • Step 4.1 load.
  • Step 4.2 telnet.
  • Step 4.3 log in to virtual routers.
  • Step 4.4 Generate traffic.
  • Step 4.5 run monitor interface traffic.
  • step 4.6 cancel the ping.
  • Step 4.7 generate traffic.
  • Step 4.8 return to SRX device and perform a monitor interface traffic.
  • Step 4.9 disable interface ge-5/0/3.
  • Step 4.10 run show chassis cluster interface.
  • Step 4.11 run show chassis cluster status.
  • Step 4.12 Go to the virtual router.
  • Step 4.13 run monitor interface traffic.
  • Step 4.14 remove the disable on ge-5/0/3.
  • Step 4.15 show chassis cluster status.
  • Step 4.16 return to the virtual router.

Part 5: Disabling the Chassis Cluster

  • Step 5.1 return to SRX and disable cluster.
  • Step 5.2 log in on the SRX.
  • Step 5.3 load config.
  • Step 5.4 disable cluster on second device.
  • Step 5.5 after reboot log in on second device.
  • Step 5.6 load config on second device.

 

Part 1: Loading Baseline configuration


  • Check both devices have same Hardware and same software version
> show chassis hardware detail 
> show version
  • Destroy cluster and load the factory default settings.

On srxC-1

root@srxC-1> set chassis cluster disable reboot 

For cluster-ids greater than 15 and when deploying more than one
cluster in a single Layer 2 BROADCAST domain, it is mandatory that
fabric and control links are either connected back-to-back or
are connected on separate private VLANS.

{primary:node0}
root@srxC-1>                                                                                
*** FINAL System shutdown message from root@srxC-1 ***                       

System going down IMMEDIATELY                   

On srxC-2

root@srxC-2> set chassis cluster disable reboot 

For cluster-ids greater than 15 and when deploying more than one
cluster in a single Layer 2 BROADCAST domain, it is mandatory that
fabric and control links are either connected back-to-back or
are connected on separate private VLANS.

{primary:node1}
root@srxC-2>                                                                                
*** FINAL System shutdown message from root@srxC-2 ***                      

System going down IMMEDIATELY          

On srxC-2

Amnesiac (ttyu0)

login: root
Password:

--- JUNOS 12.1X46-D30.2 built 2015-01-08 08:49:56 UTC

root@% cli
root> configure 
Entering configuration mode

[edit]
root# load factory-default 
warning: activating factory configuration

[edit]
root# set system root-authentication plain-text-password 
New password:
Retype new password:

[edit]
root# commit 
commit complete

On srxC-1

root> configure 
Entering configuration mode

[edit]
root# load factory-default 
warning: activating factory configuration

[edit]
root# set system root-authentication plain-text-password 
New password:
Retype new password:

[edit]
root# commit 
commit complete
  • Delete unnecessary config sections.

On srxc-1
see the interfaces default config

root@srx-CL# run show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
ge-0/0/0.0              up    down
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    down
ge-0/0/1.0              up    down eth-switch
ge-0/0/2                up    up
ge-0/0/2.0              up    up   eth-switch
ge-0/0/3                up    up
ge-0/0/3.0              up    up   eth-switch
ge-0/0/4                up    up
ge-0/0/4.0              up    up   eth-switch
ge-0/0/5                up    up
ge-0/0/5.0              up    up   eth-switch
ge-0/0/6                up    up
ge-0/0/6.0              up    up   eth-switch
ge-0/0/7                up    up
ge-0/0/7.0              up    up   eth-switch
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up
vlan.0                  up    up   inet     192.168.1.1/24



delete system services web-management 
delete system services dhcp
delete system name-server 
delete security zones
delete security nat    
delete security screen
delete security policies 
delete interfaces ge-0/0/0  
delete interfaces ge-0/0/1    
delete interfaces ge-0/0/2    
delete interfaces ge-0/0/3    
delete interfaces ge-0/0/4    
delete interfaces ge-0/0/5    
delete interfaces ge-0/0/6    
delete interfaces ge-0/0/7    
delete vlans 
delete interfaces vlan 
commit check
commit 





RESULT
root@srx-CL# show | display set 
set version 12.1X46-D30.2
set system root-authentication encrypted-password "$1$yEkMRQhq$A50BTFmv.67.kb7Bc9ysW/"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set protocols stp

[edit]
root@srx-CL# 

On srxC-2

root# run show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
ge-0/0/0.0              up    down
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    down
ge-0/0/1.0              up    down eth-switch
ge-0/0/2                up    down
ge-0/0/2.0              up    down eth-switch
ge-0/0/3                up    down
ge-0/0/3.0              up    down eth-switch
ge-0/0/4                up    down
ge-0/0/4.0              up    down eth-switch
ge-0/0/5                up    up
ge-0/0/5.0              up    up   eth-switch
ge-0/0/6                up    down
ge-0/0/6.0              up    down eth-switch
ge-0/0/7                up    up
ge-0/0/7.0              up    up   eth-switch
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up
vlan.0                  up    up   inet     192.168.1.1/24

[edit]
root# 
delete system services web-management 
delete system services dhcp
delete system name-server 
delete security zones
delete security nat    
delete security screen
delete security policies 
delete interfaces ge-0/0/0  
delete interfaces ge-0/0/1    
delete interfaces ge-0/0/2    
delete interfaces ge-0/0/3    
delete interfaces ge-0/0/4    
delete interfaces ge-0/0/5    
delete interfaces ge-0/0/6    
delete interfaces ge-0/0/7    
delete vlans 
delete interfaces vlan 
commit check
commit 

On srxC-2

root# show | display set 
set version 12.1X46-D30.2
set system root-authentication encrypted-password "$1$R1DmnEJN$HAZv4Okk7xkylcTy0Qapm/"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set protocols stp

[edit]
root# 

Part 2: Preparing and forming a Chassis cluster


  • step 2.0

root# run show chassis hardware 
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AQ2812AA0002      SRX220H
Routing Engine   REV 21   750-031175   AAEX6001          RE-SRX220H
FPC 0                                                    FPC
  PIC 0                                                  8x GE Base PIC
Power Supply 0  

[edit]
root# run show chassis firmware    
Part                     Type       Version
FPC 0                    O/S        Version 12.1X46-D30.2 by builder on 2015-01
FWDD                     O/S        Version 12.1X46-D30.2 by builder on 2015-01

[edit]
root# 

  • step 2.1 Edit interfaces

 

[edit]
root# edit interfaces 
  • step 2.2 show

 

[edit interfaces]
root# show 

[edit interfaces]
  • step 2.3 delete interfaces

 

[edit interfaces]
root# delete ge-0/0/0 
warning: statement not found

[edit interfaces]
root# delete ge-0/0/4 
warning: statement not found
  • step 2.4 delete hostname

 

[edit interfaces]
root# up 1 edit system 

[edit system]
root# delete host-name 
warning: statement not found

Step 2.5 up to 2.12 will be performed only on SRX1 device.

  • step 2.5 Go to edit groups node0
[edit system]
root@srxC-1# top edit groups node0 

[edit groups node0]
root@srxC-1# 
  • Step 2.6 Configure hostname for node0
[edit groups node0]
root@srxC-1# set system host-name srxC-1 
  • Step 2.7 Configure the fxp0 interface with the management IP.
[edit groups node0]
root@srxC-1# set interfaces fxp0 unit  0 family inet address 10.210.14.135/27
  • Step 2.8 Navigate to [edit groups node1]
[edit groups node0]
root@srxC-1# up 1 edit node1 

[edit groups node1]
root@srxC-1# 
    • Step 2.9 Configure hostname for node1
[edit groups node1]
root@srxC-1# set system host-name srxC-2 
  • Step 2.10 Configure the fxp0 interface with the management IP for SRX2.
[edit groups node1]
root@srxC-1# set interfaces fxp0 unit 0 family inet address 10.210.14.136/27 
  • Step 2.11 Apply the recently created groups by issuing the command top set apply-groups ${node}
[edit groups node1]
root@srxC-1# top set apply-groups ${node}

[edit groups node1]
root@srxC-1# top show groups 
node0 {
    system {
        host-name srxC-1;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 10.210.14.135/27;
                }
            }
        }
    }
}
node1 {
    system {
        host-name srxC-2;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 10.210.14.136/27;
                }
            }
        }
    }
}

[edit groups node1]
root@srxC-1#

 

  • Step 2.12 (These steps need to be performed on both devices).

on srxC-1

[edit groups node1]
root# commit and-quit 
commit complete
Exiting configuration mode

root>
  • Step 2.13 Initiate the chassis cluster.

on srxC-1

root> set chassis cluster cluster-id 1 node 0 reboot 
Successfully enabled chassis cluster. Going to reboot now.

root>                                                                                
*** FINAL System shutdown message from root@ ***                             

System going down IMMEDIATELY

On srxC-2

root> set chassis cluster cluster-id 1 node 1 reboot 
Successfully enabled chassis cluster. Going to reboot now.

root>                                                                                
*** FINAL System shutdown message from root@ ***                             

System going down IMMEDIATELY     

 

  • Step 2.14 Log into the device once it has rebooted.

 

on srxC-1

Fri Apr  7 22:58:19 UTC 2017

srxC-1 (ttyu0)

login: root
Password:

--- JUNOS 12.1X46-D30.2 built 2015-01-08 08:49:56 UTC 
root@srxC-1% cli
{primary:node0}
root@srxC-1> 

Question: what is the hostname?

on srxC-2

Amnesiac (ttyu0)

login: root
Password:

--- JUNOS 12.1X46-D30.2 built 2015-01-08 08:49:56 UTC

  • Step 2.15 Issue the command show interfaces terse fxp0.

 

On srxC-2

root@srxC-2> show interfaces terse fxp0 
Interface               Admin Link Proto    Local                 Remote
fxp0                    up    up

On srxC-1

root@srxC-1> show interfaces terse fxp0 
Interface               Admin Link Proto    Local                 Remote
fxp0                    up    up
fxp0.0                  up    up   inet     10.210.14.135/27

{primary:node0}
root@srxC-1> 
  • Step 2.16 (This step only needs to be performed on the SRX1 device).

On srxC-2

root@srxC-2> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring

Cluster ID: 1
Node   Priority   Status           Preempt   Manual   Monitor-failures

Redundancy group: 0 , Failover count: 2
node0  1          primary          no        no       None
node1  1          secondary-hold   no        no       None

{secondary-hold:node1}
root@srxC-2> show interfaces terse fxp0
Interface               Admin Link Proto    Local                 Remote
fxp0                    up    up

{secondary-hold:node1}
root@srxC-2> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring

Cluster ID: 1
Node   Priority   Status           Preempt   Manual   Monitor-failures

Redundancy group: 0 , Failover count: 2
node0  1          primary          no        no       None
node1  1          secondary        no        no       None

{secondary:node1}
root@srxC-2>

On srxC-1

{primary:node0}
root@srxC-1> show chassis cluster status 
Monitor Failure codes:
 CS Cold Sync monitoring FL Fabric Connection monitoring
 GR GRES monitoring HW Hardware monitoring
 IF Interface monitoring IP IP monitoring
 LB Loopback monitoring MB Mbuf monitoring
 NH Nexthop monitoring NP NPC monitoring 
 SP SPU monitoring SM Schedule monitoring
 
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 1 primary no no None 
node1 1 secondary no no None 

{primary:node0}
root@srxC-1> 
  • Step 2.17 Check cluster interfaces.

 

{primary:node0}
root@srxC-1> show chassis cluster interfaces 
Control link status: Up

Control interfaces: 
 Index Interface Status Internal-SA
 0 fxp1 Up Disabled 

Fabric link status: Down

Fabric interfaces: 
 Name Child-interface Status
 (Physical/Monitored)
 fab0 
 fab0 
 fab1 
 fab1 
 
Redundant-pseudo-interface Information:
 Name Status Redundancy-group
 lo0 Up 0 

{primary:node0}
root@srxC-1> 

What is the status of the control link fxp1?
What is the status of the fabric link (fab0 and fab1)?
Which steps are needed to bring the fabric link to operational mode?

  • Step 2.18 Configure the fab0 and fab1 interfaces. (On the SRX220H, fab0 is ge-0/0/5 and fab1 is ge-3/0/5.)

 

edit interfaces
set fab0 fabric-options member-interfaces ge-0/0/5
set fab1 fabric-options member-interfaces ge-3/0/5
{primary:node0}[edit interfaces]
root@srxC-1# 

{primary:node0}[edit interfaces]
root@srxC-1# top 

{primary:node0}[edit]
root@srxC-1# commit and-quit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete
Exiting configuration mode

{primary:node0}
root@srxC-1> 

 

  • Step 2.19 show chassis cluster interfaces.
root@srxC-1> show chassis cluster interfaces 
Control link status: Up

Control interfaces: 
 Index Interface Status Internal-SA
 0 fxp1 Up Disabled 

Fabric link status: Up

Fabric interfaces: 
 Name Child-interface Status
 (Physical/Monitored)
 fab0 ge-0/0/5 Up / Up 
 fab0 
 fab1 ge-3/0/5 Up / Up 
 fab1 
 
Redundant-pseudo-interface Information:
 Name Status Redundancy-group
 lo0 Up 0 

{primary:node0}
root@srxC-1> 

What is the fabric link status now?

  • Step 2.20 Save config
{primary:node0}[edit]
root@srxC-1# save jsec/lab8-part3-start.config 
Wrote 82 lines of configuration to 'jsec/lab8-part3-start.config'

{primary:node0}[edit]
root@srxC-1#

Part 3: configuring an Active/Active Cluster


In this lab part you configure redundancy group 1 and redundancy group 2 in an active/active cluster configuration.

 

 

  • Step 3.1 load config
root@srxC-1> configure 
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode

{primary:node0}[edit]
root@srxC-1# load override lab8-part3-start.config 
  • Step 3.2 Configure redundancy groups

Configure redundancy group 1 with node 0 having the higher priority:
node 0 priority 200
node 1 priority 100

A higher priority number is better: the node with the higher priority wins the election for the group.

{primary:node0}[edit]
root@srxC-1# edit chassis cluster 

{primary:node0}[edit chassis cluster]
root@srxC-1# set redundancy-group 1 node 0 priority 200 

{primary:node0}[edit chassis cluster]
root@srxC-1# set redundancy-group 1 node 1 priority 100 

{primary:node0}[edit chassis cluster]
root@srxC-1# 
  • Step 3.3 create another redundancy group

Configure redundancy group 2 with node 1 having the higher priority:

node 0 priority 100
node 1 priority 200

Preempt makes node 1 reacquire primacy for the group once the condition that caused the failover is cleared. Without preempt the group stays on the node it failed over to until the next failover.

{primary:node0}[edit chassis cluster]
root@srxC-1# set redundancy-group 2 node 1 priority 200
root@srxC-1# set redundancy-group 2 node 0 priority 100 
root@srxC-1# set redundancy-group 2 preempt 

    • Step 3.4 Perform interface monitoring

Monitor the status of interface ge-3/0/3 for redundancy group 2 with a weight of 255.
If ge-3/0/3 fails, node 1 loses the full 255 points of the monitoring threshold, its priority for the group drops to 0 and redundancy group 2 fails over to node 0.

 

root@srxC-1# set redundancy-group 2 interface-monitor ge-3/0/3 weight 255 

{primary:node0}[edit chassis cluster]
root@srxC-1# show 
redundancy-group 1 {
 node 0 priority 200;
 node 1 priority 100;
}
redundancy-group 2 {
 node 1 priority 200;
 node 0 priority 100;
 preempt;
 interface-monitor {
 ##
 ## Warning: Interface must be defined before configuring monitoring
 ##
 ge-3/0/3 weight 255;
 }
}

{primary:node0}[edit chassis cluster]
root@srxC-1# 
  • Step 3.5 create redundant link.

Create reth0 from ge-0/0/4 and ge-3/0/4.
Associate reth0 with redundancy group 1.
Assign VLAN tag 223 to reth0.
Assign IP address 172.20.30.1/24 to reth0.

{primary:node0}[edit chassis cluster]
root@srxC-1# top edit interfaces 

{primary:node0}[edit interfaces]
root@srxC-1# set ge-0/0/4 gigether-options redundant-parent reth0 

{primary:node0}[edit interfaces]
root@srxC-1# set ge-3/0/4 gigether-options redundant-parent reth0 

{primary:node0}[edit interfaces]
root@srxC-1# set reth0 redundant-ether-options redundancy-group 1 

{primary:node0}[edit interfaces]
root@srxC-1# set reth0 vlan-tagging 

{primary:node0}[edit interfaces]
root@srxC-1# set reth0 unit 223 vlan-id 223 

{primary:node0}[edit interfaces]
root@srxC-1# set reth0 unit 223 family inet address 172.20.30.1/24 

{primary:node0}[edit interfaces]
  • Step 3.6 create another redundant link.

Create reth1 from ge-0/0/2 and ge-3/0/2.
Associate reth1 with redundancy group 2.
Assign VLAN tag 233 to reth1.
Assign IP address 172.30.30.1/24 to reth1.

 

{primary:node0}[edit interfaces]
root@srxC-1# set ge-0/0/2 gigether-options redundant-parent reth1 

{primary:node0}[edit interfaces]
root@srxC-1# set ge-3/0/2 gigether-options redundant-parent reth1 

{primary:node0}[edit interfaces]
root@srxC-1# set reth1 redundant-ether-options redundancy-group 2 

{primary:node0}[edit interfaces]
root@srxC-1# set reth1 vlan-tagging 

{primary:node0}[edit interfaces]
root@srxC-1# set reth1 unit 233 vlan-id 233 

{primary:node0}[edit interfaces]
root@srxC-1# set reth1 unit 233 family inet address 172.30.30.1/24 

{primary:node0}[edit interfaces]
root@srxC-1# 
  • Step 3.7 Configure the ge-3/0/3 interface with a family inet address.

Assign IP address 172.18.2.2/30 to ge-3/0/3. This is the interface monitored for redundancy group 2, and it is a plain per-node interface, not a reth.

 

{primary:node0}[edit interfaces]
root@srxC-1# set ge-3/0/3 unit 0 family inet address 172.18.2.2/30 

{primary:node0}[edit interfaces]
root@srxC-1# show 
ge-0/0/2 {
 gigether-options {
 redundant-parent reth1;
 }
}
ge-0/0/4 {
 gigether-options {
 redundant-parent reth0;
 }
}
ge-3/0/2 {
 gigether-options {
 redundant-parent reth1;
 }
}
ge-3/0/3 {
 unit 0 {
 family inet {
 address 172.18.2.2/30;
 }
 }
}
ge-3/0/4 {
 gigether-options { 
 redundant-parent reth0;
 }
}
fab0 {
 fabric-options {
 member-interfaces {
 ge-0/0/5;
 }
 }
}
fab1 {
 fabric-options {
 member-interfaces {
 ge-3/0/5;
 }
 }
}
reth0 {
 vlan-tagging;
 redundant-ether-options {
 redundancy-group 1;  }
 unit 223 { 
 vlan-id 223;
 family inet {
 address 172.20.30.1/24;
 }
 }
}
reth1 {
 vlan-tagging;
 redundant-ether-options {
 redundancy-group 2;
 }
 unit 233 {
 vlan-id 233;
 family inet {
 address 172.30.30.1/24;
 }
 }
}

{primary:node0}[edit interfaces]
root@srxC-1# 
{primary:node0}[edit interfaces]
root@srxC-1# top 

{primary:node0}[edit]
root@srxC-1# commit 
[edit chassis cluster]
 'redundancy-group 1'
 redundancy-group-id (1) cannot exceed reth-count (0)
error: configuration check-out failed

{primary:node0}[edit]
root@srxC-1#

Were you able to commit the configuration?
Where can you increase the reth count?

  • Step 3.8 Increase the reth count.

 

{primary:node0}[edit]
root@srxC-1# edit chassis cluster 
{primary:node0}[edit chassis cluster]
root@srxC-1# set reth-count 2 

{primary:node0}[edit chassis cluster]
root@srxC-1# top 

{primary:node0}[edit]
root@srxC-1# commit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete

{primary:node0}[edit]
root@srxC-1# 

Why would you not want to set the reth count to its maximum possible number?

  • Step 3.9 Show chassis cluster interfaces.
root@srxC-1# run show chassis cluster interfaces 
Control link status: Up

Control interfaces: 
 Index Interface Status Internal-SA
 0 fxp1 Up Disabled 

Fabric link status: Up

Fabric interfaces: 
 Name Child-interface Status
 (Physical/Monitored)
 fab0 ge-0/0/5 Up / Up 
 fab0 
 fab1 ge-3/0/5 Up / Up 
 fab1 

Redundant-ethernet Information: 
 Name Status Redundancy-group
 reth0 Up 1 
 reth1 Up 2 
 
Redundant-pseudo-interface Information:
 Name Status Redundancy-group
 lo0 Up 0 

Interface Monitoring:
 Interface Weight Status Redundancy-group
 ge-3/0/3 255 Up 2 

{primary:node0}[edit]
root@srxC-1# 

Within which redundancy groups are reth0 and reth1 contained?

  • Step 3.10 show chassis cluster status.

 

{primary:node0}[edit]
root@srxC-1# run show chassis cluster status 
Monitor Failure codes:
 CS Cold Sync monitoring FL Fabric Connection monitoring
 GR GRES monitoring HW Hardware monitoring
 IF Interface monitoring IP IP monitoring
 LB Loopback monitoring MB Mbuf monitoring
 NH Nexthop monitoring NP NPC monitoring 
 SP SPU monitoring SM Schedule monitoring
 
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 1 primary no no None 
node1 1 secondary no no None 

Redundancy group: 1 , Failover count: 1
node0 200 primary no no None 
node1 100 secondary no no None 

Redundancy group: 2 , Failover count: 0
node0 100 secondary yes no None 
node1 200 primary yes no None 

{primary:node0}[edit]
root@srxC-1# 

Redundancy group 0 (RG0) is reserved for the Routing Engines, i.e. the control plane: the node that is primary for RG0 runs the active RE.

Which node is primary for redundancy group 2?

Why is Node 0 primary for redundancy group 0?

How would you ensure Node 0 acquires primacy for redundancy group 0 if both nodes reboot around the same time?

  • Step 3.11 Configure node 1 to have a higher priority than node 0 for redundancy group 0.

 

{primary:node0}[edit]
root@srxC-1# set chassis cluster redundancy-group 0 node 1 priority 254 

{primary:node0}[edit]
root@srxC-1# commit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete

{primary:node0}[edit]
root@srxC-1# 
  • Step 3.12 Show chassis cluster status.

 

root@srxC-1# run show chassis cluster status 
Monitor Failure codes:
 CS Cold Sync monitoring FL Fabric Connection monitoring
 GR GRES monitoring HW Hardware monitoring
 IF Interface monitoring IP IP monitoring
 LB Loopback monitoring MB Mbuf monitoring
 NH Nexthop monitoring NP NPC monitoring 
 SP SPU monitoring SM Schedule monitoring
 
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 1 primary no no None 
node1 254 secondary no no None 

Redundancy group: 1 , Failover count: 1
node0 200 primary no no None 
node1 100 secondary no no None 

Redundancy group: 2 , Failover count: 0
node0 100 secondary yes no None 
node1 200 primary yes no None 

{primary:node0}[edit]
root@srxC-1# 

Which node will acquire primacy for redundancy group 0 if both nodes reboot at the same time?

Why is node 0 still the primary node for redundancy group 0?
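As an added example (not part of the original lab notes and not a Junos tool), the Python script below parses the show chassis cluster status output above and answers those questions mechanically: for each redundancy group it reports the current primary, the node that would win a fresh election, and flags groups where the two differ. The sample text is the step 3.12 output from this page. The election rules it encodes (highest priority wins, priority 0 means ineligible, node0 wins a tie) are assumed Junos behaviour, not something the page itself states.

```python
import re

# Sample input: the step 3.12 "show chassis cluster status" output from this page.
SAMPLE_STATUS = """\
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 1 primary no no None
node1 254 secondary no no None

Redundancy group: 1 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None

Redundancy group: 2 , Failover count: 0
node0 100 secondary yes no None
node1 200 primary yes no None
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^(node[01])\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)\s+(\S+)")


def parse_cluster_status(text):
    """Return {rg_id: {"failovers": int, "nodes": {node_name: fields}}}."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RG_RE.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = {"failovers": int(m.group(2)), "nodes": {}}
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            name, prio, status, preempt, manual, failures = m.groups()
            groups[current]["nodes"][name] = {
                "priority": int(prio),
                "status": status,            # primary, secondary, secondary-hold, ...
                "preempt": preempt == "yes",
                "manual": manual == "yes",   # a manual failover is in effect
                "failures": [] if failures == "None" else failures.split(","),
            }
    return groups


def current_primary(group):
    for name, node in group["nodes"].items():
        if node["status"] == "primary":
            return name
    return None


def election_winner(group):
    """Node that wins a fresh election for this group.

    Assumed Junos rules: highest priority wins, priority 0 makes a node
    ineligible (what a failed interface-monitor with weight 255 produces),
    and node0 wins a tie.
    """
    eligible = [(node["priority"], name) for name, node in group["nodes"].items()
                if node["priority"] > 0]
    if not eligible:
        return None
    eligible.sort(key=lambda item: (-item[0], item[1]))  # priority desc, node0 before node1
    return eligible[0][1]


def audit(text):
    """Findings: monitor failures, and primaries that would not win an election."""
    findings = []
    for rg, group in sorted(parse_cluster_status(text).items()):
        for name, node in group["nodes"].items():
            if node["failures"]:
                findings.append("RG%d: %s has monitor failures %s"
                                % (rg, name, ",".join(node["failures"])))
        primary, winner = current_primary(group), election_winner(group)
        if primary != winner:
            preempt = any(node["preempt"] for node in group["nodes"].values())
            findings.append("RG%d: %s is primary but %s has the highest priority; %s" % (
                rg, primary, winner,
                "preempt is set, so it will move" if preempt
                else "no preempt, so it stays until a failover or reboot"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_STATUS):
        print(finding)
```

Run against the sample it reports exactly one finding, for RG0: node 0 is primary with priority 1 while node 1 has 254. Priority is only consulted when an election happens (reboot, failover, or a manual request chassis cluster failover), and preempt cannot be configured on redundancy group 0, so node 0 keeps RG0 until one of those events.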

  • Step 3.13 Go to security and configure the default policy to permit all traffic. (permit-all is a lab shortcut so the cluster tests are not blocked by policy; on a production cluster keep the default deny-all and write explicit zone-pair policies.)

 

{primary:node0}[edit]
root@srxC-1# edit security 

{primary:node0}[edit security]
root@srxC-1# set policies default-policy permit-all 
  • Step 3.14 Configure the untrust zone to contain interfaces ge-0/0/3 and ge-3/0/3.
{primary:node0}[edit security]
root@srxC-1# edit zones 

{primary:node0}[edit security zones]
root@srxC-1# set security-zone untrust interfaces ge-0/0/3 

{primary:node0}[edit security zones]
root@srxC-1# set security-zone untrust interfaces ge-3/0/3 
  • Step 3.15 Configure the trust zone to contain reth0.223 and reth1.233 (the logical units, not the physical reth), with all system services allowed. (system-services all exposes every management and control service on those interfaces; outside the lab, list only the services you need, such as ping and ssh.)

 

root@srxC-1# set security-zone trust interfaces reth0.223 host-inbound-traffic system-services all

{primary:node0}[edit security zones]
root@srxC-1# set security-zone trust interfaces reth1.233 host-inbound-traffic system-services all

{primary:node0}[edit security zones]
root@srxC-1# show
security-zone untrust {
 interfaces {
 ge-0/0/3.0;
 ge-3/0/3.0;
 }
}
security-zone trust {
 interfaces {
 reth0.223 {
 host-inbound-traffic {
 system-services {
 all;
 }
 }
 }
 reth1.233 {
 host-inbound-traffic {
 system-services {
 all;
 }
 }
 }
 }
} 

{primary:node0}[edit security zones]
root@srxC-1# 
  • Step 3.16 Delete the current default static route and configure two default floating static routes. The next hop 172.18.1.1 keeps the default static preference of 5; the next hop 172.18.2.1 gets preference 10, so it is only used when the first one disappears.

{primary:node0}[edit security]
root@srxC-1# top edit routing-options 

{primary:node0}[edit routing-options]
root@srxC-1# show 

{primary:node0}[edit routing-options]
root@srxC-1# delete static route 0/0 
warning: statement not found

{primary:node0}[edit routing-options]
root@srxC-1# set static route 0/0 qualified-next-hop 172.18.1.1 

{primary:node0}[edit routing-options]
root@srxC-1# set static route 0/0 qualified-next-hop 172.18.2.1 preference 10 

{primary:node0}[edit routing-options]
root@srxC-1# top 

{primary:node0}[edit]
root@srxC-1# commit and-quit 
[edit security zones security-zone untrust]
 'interfaces ge-0/0/3.0'
 Interface ge-0/0/3.0 must be configured under interfaces
error: configuration check-out failed

{primary:node0}[edit]
root@srxC-1# 


# configure ge-0/0/3.0, which the untrust zone references
{primary:node0}[edit]
root@srxC-1# set interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30 
{primary:node0}[edit]
root@srxC-1# commit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete
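The two commit failures in this part (redundancy-group-id cannot exceed reth-count in step 3.7, and the zone interface that was not configured under interfaces in step 3.16) are both checks that can be run on the set-style configuration before committing. As an added example, not part of the original notes and not a Junos feature, the Python linter below reproduces those two checks plus the "interface must be defined before configuring monitoring" warning from step 3.4, and flags the two lab-only settings (default-policy permit-all and host-inbound-traffic system-services all). The two sample configurations are constructed from the set commands on this page: one as the config stood when the step 3.7 commit failed, one after steps 3.8 and 3.16 fixed it.

```python
import re

# Constructed input: the set commands from steps 3.2-3.15 of this page, as they
# stood when the commit in step 3.7 failed (no reth-count yet, ge-0/0/3 undefined).
BROKEN_CONFIG = """\
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 2 node 1 priority 200
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 preempt
set chassis cluster redundancy-group 2 interface-monitor ge-3/0/3 weight 255
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-3/0/4 gigether-options redundant-parent reth0
set interfaces ge-0/0/2 gigether-options redundant-parent reth1
set interfaces ge-3/0/2 gigether-options redundant-parent reth1
set interfaces ge-3/0/3 unit 0 family inet address 172.18.2.2/30
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 223 vlan-id 223
set interfaces reth0 unit 223 family inet address 172.20.30.1/24
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 233 vlan-id 233
set interfaces reth1 unit 233 family inet address 172.30.30.1/24
set security policies default-policy permit-all
set security zones security-zone untrust interfaces ge-0/0/3
set security zones security-zone untrust interfaces ge-3/0/3
set security zones security-zone trust interfaces reth0.223 host-inbound-traffic system-services all
set security zones security-zone trust interfaces reth1.233 host-inbound-traffic system-services all
"""

# The same config after steps 3.8 and 3.16 added the two missing statements.
FIXED_CONFIG = BROKEN_CONFIG + """\
set chassis cluster reth-count 2
set interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30
"""

RETH_COUNT_RE = re.compile(r"^set chassis cluster reth-count (\d+)")
RG_RE = re.compile(r"^set chassis cluster redundancy-group (\d+)")
MONITOR_RE = re.compile(r"interface-monitor (\S+) weight")
IFACE_RE = re.compile(r"^set interfaces (\S+)(?: unit (\d+))?")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")


def logical_name(ifname):
    """'ge-0/0/3' -> ('ge-0/0/3', '0'); 'reth0.223' -> ('reth0', '223')."""
    phys, _, unit = ifname.partition(".")
    return phys, unit or "0"


def lint(config):
    """Return (errors, warnings) for a set-style Junos chassis-cluster config."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    errors, warnings = [], []
    reth_count, rg_ids, monitored, zone_ifs = 0, set(), [], []
    defined_phys, defined_units = set(), set()

    for line in lines:
        m = RETH_COUNT_RE.match(line)
        if m:
            reth_count = int(m.group(1))
            continue
        m = RG_RE.match(line)
        if m:
            rg_ids.add(int(m.group(1)))
            mon = MONITOR_RE.search(line)
            if mon:
                monitored.append((int(m.group(1)), mon.group(1)))
            continue
        m = IFACE_RE.match(line)
        if m:
            defined_phys.add(m.group(1))
            if m.group(2) is not None:
                defined_units.add((m.group(1), m.group(2)))
            continue
        m = ZONE_IF_RE.match(line)
        if m:
            zone_ifs.append((m.group(1), m.group(2), line))
            continue
        if line == "set security policies default-policy permit-all":
            warnings.append("default-policy permit-all: every zone pair is open; "
                            "lab-only, keep deny-all and write explicit policies")

    # The commit-time checks this lab part ran into, reproduced from the messages shown.
    for rg in sorted(rg_ids):
        if rg > reth_count:
            errors.append("redundancy-group-id (%d) cannot exceed reth-count (%d)" % (rg, reth_count))
    for rg, ifname in monitored:
        if ifname not in defined_phys:
            errors.append("RG%d interface-monitor %s: interface must be defined before "
                          "configuring monitoring" % (rg, ifname))
    for zone, ifname, line in zone_ifs:
        phys, unit = logical_name(ifname)
        if (phys, unit) not in defined_units:
            errors.append("zone %s: interface %s.%s must be configured under interfaces"
                          % (zone, phys, unit))
        if "host-inbound-traffic system-services all" in line:
            warnings.append("zone %s: %s accepts all host-inbound system-services; "
                            "lab-only, list only what you need (e.g. ping, ssh)" % (zone, ifname))
    return errors, warnings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        errs, warns = lint(cfg)
        print(label, "errors:", errs)
        print(label, "warnings:", warns)
```

Unlike the Junos commit check, which stops at the first error, the linter reports every problem at once, so the broken config yields the two reth-count errors and the undefined ge-0/0/3.0 together. The fixed config has no errors but still carries the permit-all and system-services all warnings, which is exactly the point: the cluster commits and works, and those two settings are the ones to revisit before anything untrusted is plugged into it.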
  • Step 3.17 show route 0/0 exact.

At this point, interfaces ge-0/0/3 and ge-3/0/3 should be connected.

 

root@srxC-1> show route 0/0 exact 

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:00:57
 > to 172.18.1.1 via ge-0/0/3.0
 [Static/10] 00:00:58
 > to 172.18.2.1 via ge-3/0/3.0

{primary:node0}
root@srxC-1> 

If we disconnect the monitored interface ge-3/0/3, it shows an orange (failed) status in the cluster output: node 1 loses its 255 monitoring weight for redundancy group 2, its priority drops to 0 and the group fails over to node 0.

 

  • Step 3.18 Check connectivity by issuing pings.

The video below shows pings to the firewall interface on VLAN 233 while the cluster members are disconnected and powered off.


https://www.youtube.com/watch?v=YDxc66ybrMQ

The behaviour is the following:

  • One interface of each cluster member is connected to VLAN 233.
  • Pings run from a computer on that VLAN towards the interface 172.30.30.1.
  • srxC-1 is connected to switch port 3.
  • srxC-2 is connected to switch port 1.
  • srxC-2 is unplugged from the switch: no more ping.
  • At 60 seconds the cable is reconnected and the ping is back.
  • At 120 seconds srxC-2 is powered off; no ping is lost.

The ping is lost in the unplug case because the reth1 child on node 1 (ge-3/0/2) is not in the interface-monitor list; only ge-3/0/3 is monitored, so unplugging the reth member does not fail redundancy group 2 over. Powering off srxC-2 does trigger the failover, hence no loss in that case.
root@srxC-1> ping 172.18.2.1 detail
PING 172.18.2.1 (172.18.2.1): 56 data bytes
64 bytes from 172.18.2.1 via ge-3/0/3.0: icmp_seq=0 ttl=64 time=12.182 ms
64 bytes from 172.18.2.1 via ge-3/0/3.0: icmp_seq=1 ttl=64 time=11.207 ms
64 bytes from 172.18.2.1 via ge-3/0/3.0: icmp_seq=2 ttl=64 time=10.176 ms
64 bytes from 172.18.2.1 via ge-3/0/3.0: icmp_seq=3 ttl=64 time=9.221 ms
^C
--- 172.18.2.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 9.221/10.697/12.182/1.109 ms


{primary:node0}
root@srxC-1> ping 172.18.1.1 detail
PING 172.18.1.1 (172.18.1.1): 56 data bytes
64 bytes from 172.18.1.1 via ge-0/0/3.0: icmp_seq=0 ttl=64 time=3.713 ms
64 bytes from 172.18.1.1 via ge-0/0/3.0: icmp_seq=1 ttl=64 time=2.315 ms
64 bytes from 172.18.1.1 via ge-0/0/3.0: icmp_seq=2 ttl=64 time=2.470 ms
^C
--- 172.18.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.315/2.833/3.713/0.626 ms

{primary:node0}
root@srxC-1> ping 172.18.2.1 detail
PING 172.18.2.1 (172.18.2.1): 56 data bytes
64 bytes from 172.18.2.1 via ge-3/0/3.0: icmp_seq=0 ttl=64 time=11.863 ms
64 bytes from 172.18.2.1 via ge-3/0/3.0: icmp_seq=1 ttl=64 time=11.291 ms
^C
--- 172.18.2.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 11.291/11.577/11.863/0.286 ms

{primary:node0}
root@srxC-1> 

{primary:node0}
root@srxC-1> ping 172.20.30.2 detail 
PING 172.20.30.2 (172.20.30.2): 56 data bytes
64 bytes from 172.20.30.2 via reth0.223: icmp_seq=0 ttl=64 time=2.621 ms
64 bytes from 172.20.30.2 via reth0.223: icmp_seq=1 ttl=64 time=2.566 ms
64 bytes from 172.20.30.2 via reth0.223: icmp_seq=2 ttl=64 time=2.589 ms
^C
--- 172.20.30.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.566/2.592/2.621/0.023 ms

{primary:node0}
root@srxC-1>

root@srxC-1> ping 172.30.30.2 detail 
PING 172.30.30.2 (172.30.30.2): 56 data bytes
64 bytes from 172.30.30.2 via reth1.233: icmp_seq=0 ttl=64 time=4.101 ms
64 bytes from 172.30.30.2 via reth1.233: icmp_seq=1 ttl=64 time=13.249 ms
64 bytes from 172.30.30.2 via reth1.233: icmp_seq=2 ttl=64 time=12.204 ms
64 bytes from 172.30.30.2 via reth1.233: icmp_seq=3 ttl=64 time=11.241 ms
64 bytes from 172.30.30.2 via reth1.233: icmp_seq=4 ttl=64 time=10.149 ms
64 bytes from 172.30.30.2 via reth1.233: icmp_seq=5 ttl=64 time=9.239 ms
^C
--- 172.30.30.2 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.101/10.031/13.249/2.954 ms

{primary:node0}
root@srxC-1> 

 

  • Step 3.19 Save config
{primary:node0}[edit]
root@srxC-1# save jsec/lab8-part4-start.config 
Wrote 203 lines of configuration to 'jsec/lab8-part4-start.config'

{primary:node0}[edit]
root@srxC-1# 

Part 4: Monitoring Traffic Flows


  • Step 4.1 load.

 

root@srxC-1# load override jsec/lab8-part4-start.config 
  • Step 4.2 telnet to bottom routers.

 

codehere
  • Step 4.3 log in to bottom routers.

 

codehere
  • Step 4.4 Generate traffic to 172.18.3.1 from vr223.

codehere
  • Step 4.5 run monitor interface traffic.

 

{primary:node0}[edit]
root@srxC-1# run monitor interface traffic
  • Step 4.6 Cancel the ping.

 

codehere
  • Step 4.7 generate traffic to 172.18.3.1 from vr233.

 

codehere
  • Step 4.8 return to SRX device and perform a run monitor interface traffic.

 

run monitor interface traffic
  • Step 4.9 disable interface ge-5/0/3.

 

codehere
  • Step 4.10 run show chassis cluster interface.

 

root@srxC-1# run show chassis cluster interfaces
  • Step 4.11 run show chassis cluster status.

 

root@srxC-1# run show chassis cluster status 
Monitor Failure codes:
 CS Cold Sync monitoring FL Fabric Connection monitoring
 GR GRES monitoring HW Hardware monitoring
 IF Interface monitoring IP IP monitoring
 LB Loopback monitoring MB Mbuf monitoring
 NH Nexthop monitoring NP NPC monitoring 
 SP SPU monitoring SM Schedule monitoring
 
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 1 primary no no None 
node1 254 secondary no no None 

Redundancy group: 1 , Failover count: 1
node0 200 primary no no None 
node1 100 secondary no no None 

Redundancy group: 2 , Failover count: 6
node0 100 secondary yes no None 
node1 200 primary yes no None 

{primary:node0}[edit]
root@srxC-1# 
  • Step 4.12 Go to bottom router vr233 and ping 172.18.3.1.

 

codehere
  • Step 4.13 run monitor interface traffic.

 

run monitor interface traffic
  • Step 4.14 remove the disable on ge-5/0/3.

 

codehere
  • Step 4.15 show chassis cluster status.

 

run show chassis cluster status 
  • Step 4.16 return to bottom router vr233 and stop the ping.
codehere

Part 5: Disabling the Chassis Cluster


 

  • Step 5.1 return to SRX and disable cluster.

 

{primary:node1}
root@srx-CL> set chassis cluster disable reboot 

For cluster-ids greater than 15 and when deploying more than one
cluster in a single Layer 2 BROADCAST domain, it is mandatory that
fabric and control links are either connected back-to-back or
are connected on separate private VLANS.

{primary:node1}
root@srx-CL> 
*** FINAL System shutdown message from root@srx-CL *** 

System going down IMMEDIATELY 
  • Step 5.2 log in on the SRX.

 

codehere
  • Step 5.3 load config.

 

root@srx-CL# load factory-default 
warning: activating factory configuration

[edit]
root@srx-CL# set system root-authentication plain-text-password 
New password:
Retype new password:

[edit]
root@srx-CL# commit 
commit complete

[edit]
root@srx-CL# 
  • Step 5.4 disable cluster on second device.

 

{primary:node0}
root@srx-C2> show interfaces terse 
ge-0/0/0 up down
gr-0/0/0 up up 
ip-0/0/0 up up 
ge-0/0/1 up down
ge-0/0/2 up up 
ge-0/0/2.0 up up aenet --> reth0.0
ge-0/0/3 up up 
ge-0/0/3.0 up up aenet --> reth1.0
ge-0/0/4 up up 
ge-0/0/5 up up 
ge-0/0/5.0 up up aenet --> fab0.0
ge-0/0/6 up up 
ge-0/0/7 up up 
fab0 up up 
fab0.0 up up inet 30.17.0.200/24 
fxp0 up up 
fxp0.0 up up inet 10.210.14.135/27
 10.210.14.137/27
fxp1 up up 
fxp1.0 up up inet 129.16.0.1/2 
 tnp 0x1100001 
fxp2 up up 
fxp2.0 up up tnp 0x1100001 
gre up up 
ipip up up 
irb up up 
lo0 up up 
lo0.16384 up up inet 127.0.0.1 --> 0/0
lo0.16385 up up inet 10.0.0.1 --> 0/0


root@srx-C2> set chassis cluster disable reboot 

For cluster-ids greater than 15 and when deploying more than one
cluster in a single Layer 2 BROADCAST domain, it is mandatory that
fabric and control links are either connected back-to-back or
are connected on separate private VLANS.

{primary:node0}
root@srx-C2> 
*** FINAL System shutdown message from root@srx-CL *** 

System going down IMMEDIATELY 
  • Step 5.5 after reboot log in on second device.

 

  • Step 5.6 load config on second device.

 

Same as step 5.3.

 

Appendix 1: CISCO SWITCH CONFIG


 

On this switch some LAG links are already configured; initially we use only part of those links.

To use them, connect the reth0 interfaces to ports 5 and 7 on the Cisco switch.

Create VLAN 223 and assign it untagged to port 9.

Then assign that VLAN to LAG1 and LAG2.

Go to VLAN Management > Create VLAN.

Click Add and add VLAN 223.

Go to Port VLAN Membership and edit port 9.

Add VLAN 223 untagged to port ge9.

On LAG1 add VLAN 223 tagged.

On LAG2 do the same: add VLAN 223 tagged.

 

Appendix 2 Avaya Switch config


 

 

Appendix 3: Hardware and Software mismatch while creating the cluster


References


Juniper SRX220 How to Cluster Firewall – JSRP

Documents needed

SRX Stencils

SORTING REDUNDANT AND AGGREGATED LINKS AT SWITCH AND FIREWALL LEVEL.

Creating HA Juniper SRX Chassis Cluster (cool design)

VCSA: Change from Windows Appliance to Virtual Appliance.


 

Current Install

Versioning

 

Download Page Digiboy

 

Mount it on a windows Machine

 

microserver.lab.youaresecure.be

 

  • This is the third attempt: no NTP, no DNS record.

 

  • Set its DNS record and IP address (doesn't work).

  • Otherwise, with DHCP it will fail (doesn't work).

 

 

 

References


Digiboy

VCSA Failed to start services (with screenshot and recommendations)

The Nightmare of vCenter Server (with the blue background colour)
