This document describes how to enable the IPv6 protocol on a pair of SRX3600 firewalls in a cluster.
Step 1: verify the chassis cluster
{primary:node0}
root@SRX> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring
Cluster ID: 1
Node   Priority  Status          Preempt  Manual  Monitor-failures
Redundancy group: 0 , Failover count: 1
node0  200       primary         no       no      None
node1  100       secondary       no       no      None
Redundancy group: 1 , Failover count: 3
node0  200       primary         no       no      None
node1  100       secondary       no       no      None
{primary:node0}
root@SRX>
Step 2: enable IPv6
{primary:node0}
root@SRX> edit
{primary:node0}
root@SRX# set security forwarding-options family inet6 mode flow-based
{primary:node0}
root@SRX# commit check
At this point the node reports that it needs a complete reload of the cluster.
{primary:node0}
root@SRX> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop [ flow based ]
…. output omitted
Step 3: log in to the secondary node (node 1) and enable the IPv6 feature
{secondary:node1}
root@SRX> edit
{secondary:node1}
root@SRX# set security forwarding-options family inet6 mode flow-based
{primary:node0}
root@SRX# commit check
Again the node asks for a reload of the cluster.
Step 4: reload the secondary node
{secondary:node1}
root@SRX> request system reboot
YES
Wait for the node to reload.
Once the secondary node is back UP, the same has to be done for the primary node 0, so we divert traffic to the secondary node 1 with a cluster failover.
Step 5: divert traffic to the secondary node 1
{primary:node0}
root@SRX> request chassis cluster failover redundancy-group 0 node 1
-----------------------------------------------------------------------------
Initiated manual failover for redundancy group 0
{primary:node0}
root@SRX> request chassis cluster failover redundancy-group 1 node 1
-----------------------------------------------------------------------------
Initiated manual failover for redundancy group 1
Wait for the failover to complete (it takes a while).
VERIFY
root@SRX> show chassis cluster status
Cluster ID: 1
Node   Priority  Status          Preempt  Manual  Monitor-failures
Redundancy group: 0 , Failover count: 1
node0  200       secondary-hold  no       no      None
node1  255       primary         no       no      None
Redundancy group: 1 , Failover count: 3
node0  200       secondary       no       no      None
node1  255       primary         no       no      None
After a few minutes:
root@SRX> show chassis cluster status
Cluster ID: 1
Node   Priority  Status          Preempt  Manual  Monitor-failures
Redundancy group: 0 , Failover count: 1
node0  200       secondary       no       no      None
node1  255       primary         no       no      None
Redundancy group: 1 , Failover count: 3
node0  200       secondary       no       no      None
node1  255       primary         no       no      None
Step 6: reload node 0:
{secondary:node0}
root@SRX> request system reboot
YES
Wait for the node to reload.
Once node 0 is back UP, we proceed with enabling the IPv6 protocol.
Step 7: enable IPv6 on node 0
{secondary:node0}
root@SRX> edit
{primary:node0}
root@SRX# set security forwarding-options family inet6 mode flow-based
{secondary:node0}
root@SRX# commit and-quit
VERIFY
root@SRX> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based
…. output omitted
Step 8: return the cluster to its original state
{secondary:node1}
root@SRX> request chassis cluster failover redundancy-group 0 node 0
-----------------------------------------------------------------------------
Initiated manual failover for redundancy group 0
{secondary:node1}
root@SRX> request chassis cluster failover redundancy-group 1 node 0
-----------------------------------------------------------------------------
Initiated manual failover for redundancy group 1
VERIFY:
{primary:node0}
root@SRX> show chassis cluster status
Cluster ID: 1
Node   Priority  Status          Preempt  Manual  Monitor-failures
Redundancy group: 0 , Failover count: 1
node0  255       primary         no       no      None
node1  100       secondary       no       no      None
Redundancy group: 1 , Failover count: 3
node0  255       primary         no       no      None
node1  100       secondary       no       no      None
To return to the original priority values (200 and 100), run the failover reset.
Step 9: reset failover
{primary:node0}
root@SRX> request chassis cluster failover reset redundancy-group 0
-----------------------------------------------------------------------------
No reset required for redundancy group 0
node1:
-----------------------------------------------------------------------------
Successfully reset manual failover for redundancy group 0
{primary:node0}
root@SRX> request chassis cluster failover reset redundancy-group 1
-----------------------------------------------------------------------------
No reset required for redundancy group 1
node1:
-----------------------------------------------------------------------------
Successfully reset manual failover for redundancy group 0
VERIFY:
{primary:node0}
root@SRX> show chassis cluster status
Cluster ID: 1
Node   Priority  Status          Preempt  Manual  Monitor-failures
Redundancy group: 0 , Failover count: 1
node0  200       primary         no       no      None
node1  100       secondary       no       no      None
Redundancy group: 1 , Failover count: 3
node0  200       primary         no       no      None
node1  100       secondary       no       no      None
At this point the SRX cluster is IPv6 compliant.
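The verification points of this procedure can be checked by script before each reboot. The Python below is an added example, not part of the original procedure: it parses the "show chassis cluster status" and "show security flow status" output as printed on this page and lists the reasons a node should not be rebooted yet. The function names and sample text are constructed for illustration, and the bracketed value on the Inet6 line is read, as in step 2, as the mode that is configured but not active until the reload.

```python
import re

# Constructed sample in the single-space layout of captured CLI output.
SAMPLE_STATUS = """\
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures
Redundancy group: 0 , Failover count: 1
node0 200 secondary-hold no no None
node1 255 primary no no None
Redundancy group: 1 , Failover count: 3
node0 200 secondary no no None
node1 255 primary no no None
"""
SAMPLE_FLOW = "Flow forwarding mode:\n Inet forwarding mode: flow based\n Inet6 forwarding mode: drop [ flow based ]\n"

RG_RE = re.compile(r"Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"(node\d+)\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)\s+(.+)")

def parse_cluster_status(text):
    """Return {rg: {node: {"priority", "status", "failures"}}}."""
    groups, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := RG_RE.fullmatch(line):
            current = groups.setdefault(int(m.group(1)), {})
        elif (m := NODE_RE.fullmatch(line)) and current is not None:
            current[m.group(1)] = {"priority": int(m.group(2)),
                                   "status": m.group(3),
                                   "failures": m.group(6).strip()}
    return groups

def reboot_blockers(groups, primary):
    """Reasons not to reboot the other node while `primary` carries traffic."""
    problems = []
    for rg, nodes in sorted(groups.items()):
        for node, info in sorted(nodes.items()):
            want = "primary" if node == primary else "secondary"
            if info["status"] != want:
                problems.append(f"RG{rg} {node}: {info['status']}, expected {want}")
            if info["failures"] != "None":
                problems.append(f"RG{rg} {node}: monitor failure {info['failures']}")
    return problems

def inet6_mode(flow_status):
    """Return (active, pending) from the 'Inet6 forwarding mode' line."""
    for line in flow_status.splitlines():
        if line.strip().startswith("Inet6 forwarding mode:"):
            active, _, pending = line.split(":", 1)[1].partition("[")
            return active.strip(), pending.rstrip("] ").strip() or None
    return None, None
```

An empty list from reboot_blockers(groups, "node1") corresponds to the "after a few minutes" output of step 5, the state in which node 0 is rebooted in step 6.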