View OND on GitHub

Open Network Design

OND → Accelerating Interconnectednes

Designs | Readme | About | Training Download this project as a .zip fileDownload this project as a tar.gz file

Requirements

Tools: straight through ethernet cable and straight through serial cable with A end RJ45 (B end to usb or DB9 depending on user computer).

If this is not a factory shipped device then please backup or create a rescue configuration before you begin i.e. don’t blow away the current configuration fully in case you need it later. Please perform the steps up until Step 5. on both devices and always commit check and show | compare before a commit or commit confirmed X.

Step 1.

Please note that both devices will have to start from factory defaults or alternatively

request system zeroize

and have ge-0/0/7 connected back-to-backon each device, and have switching disabled before being brought in to cluster mode (which we will address further down anyway ref: https://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-43896.html).

Take a moment to review the SRX cluster node default port allocations: https://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/chassis-cluster-srx-series-node-interface-understanding.html

Step 2.

Power on.
Connect computer ethernet to any port other than ge-0/0/0 (i.e. ge-0/0/1-6 for an SRX220). If this is an already configured device then go to EDIT mode and load factory-default and commit. Also, you may need to run request system storage clean-up to make space for a new image if upgrading/downgrading. From the serial cable:

set system root-authentication plain-text-password <CR>

Step 3.

Grab the serial numbers for asset management run show chassis hardware and enable ge-0/0/0:

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1

Then from your local host or elsewhere (optional) upload your preferred and JTAC recommended image as per https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&smlogin=true.

scp junos-srxsme-11.4R7.5-domestic.tgz [email protected]:/var/tmp

Check the MD5 signature on all software before installing on any device. DO NOT SKIP THIS STEP. On the destination SRX:

file checksum md5 /var/tmp/junos-srxsme-11.4R7.5-domestic.tgz

The checksums must match otherwise you will brick the device… good luck with that…

root> file checksum md5 /var/tmp/junos-srxsme-11.4R7.5-domestic.tgz
MD5 (/var/tmp/junos-srxsme-11.4R7.5-domestic.tgz) = fe4a909941d5d899d6997f9b75c4e0f0

Then install to the system:

run request system software add /var/tmp/junos-srxsme-11.4R7.5-domestic.tgz

And optionally allow it to do the validate option (no harm) and in fact safer to:

run request system software add /var/tmp/junos-srxsme-11.4R7.5-domestic.tgz no-copy no-validate

Then run request system reboot.

Step 4.

Remove all the spurious stuff which must be removed for clustering anyway:

delete vlans
delete interfaces vlan
delete security zones security-zone trust interfaces
delete security zones security-zone untrust interfaces
delete security policies from-zone trust to-zone untrust policy trust-to-untrust
delete interfaces
delete protocols stp
set interfaces ge-0/0/0 unit 0 family inet
delete system services telnet
delete system services xnm-clear-text
delete system services web-management https interface vlan.0
delete system name-server
commit check
commit

You can now go pure console to get the new config up or you can temporarily re-add the SSH and ge-0/0/0 config to facilitate faster ‘in-band’ config upload as per:

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1

Step 5.

Set clustering on node ‘0’ from operational mode (and verify).

set chassis cluster cluster-id 1 node 0 reboot

then set clustering on node ‘1’ from operational mode (and verify).

set chassis cluster cluster-id 1 node 1 reboot

Step 6.

Dump up your actual clustered configuration however make sure you remove the last pieces of the old config:

delete interfaces ge-0/0/0 unit 0
delete interfaces ge-0/0/6
delete interfaces ge-0/0/7
delete system services dhcp propagate-settings ge-0/0/0.0

Step 7.

Test your cluster (and the cluster/HA LED lights should be green!)

show chassis cluster status

Check the config on the second node from the first:

request routing-engine login node 1

Remove alarms and ensure a ‘rescue’ config:

set chassis alarm management-ethernet link-down ignore
commit check
commit
run request system configuration rescue save
run show configuration | display set

Bonus

Loading a locally prepared config in ‘set’ mode. Create or update the config on a unix text editor and ensure there are no hidden and extra CR+LF characters, then use the load set command as per https://www.juniper.net/techpubs/en_US/src4.0/topics/concept/src-configuration-commands-load.html. Some of us are old school Cisco peeps…

Ctrl+D ends the input when you have successfully typed it all in, and perhaps re-do the hostname and root password again just in case you forgot to change them previously.

set system host-name cc-cty-cst-fw02a0
set system root-authentication plain-text-password <CR>
New password:
Retype new password:

If the config is very long, do it in 250 line stages to save the buffer filling up on your terminal emulation program.