
Configuring Global Cluster Data with Configuration Groups (JUNOS Clusters Only)

You can apply configuration groups to a JUNOS cluster object just as you can to a standalone JUNOS
device. See Using Configuration Groups. You can cluster J Series routers or SRX Series gateways. You
cannot cluster EX Series devices, M Series devices, or MX Series devices.

You can include configuration groups within templates when configuring cluster objects. Exactly the
same rules apply as when configuring a standalone device. See Using Configuration Groups with Templates.

Configuring Member-Level Data in a JUNOS Cluster


To provide configuration data for a specific cluster member, such as the node name, NSM implements a
special form of the wildcard mechanism to designate a configuration group to a specific cluster member.
For ease of management, we recommend placing all your member-specific configuration data in one
configuration group for each member.
You can apply multiple configuration groups to each member.
NOTE: Imported configurations already have the member-specific configuration groups created and
applied. Use the procedure described here only for modeled configurations.
We recommend using node0 and node1 as the names of the configuration groups that correspond to
member 0 and member 1 of the cluster, although you can use any name containing the strings node0
and node1. We recommend you do not use node0 or node1 as the names of configuration groups that
contain cluster-level data.
To configure member-level data in a J Series cluster, follow these steps:
1. In the Device Manager, select Devices.
2. From the list of devices, select the cluster whose member you want to configure, and then click the Edit icon.
3. In the Configuration tab, select Config Groups.
4. Click the Add icon and select Config Group for HA Node (node0|node1 etc) from the list.
5. Configure the group as desired and click OK.
A configuration group called node appears in the Config Group List.
6. Right-click Configuration in the cluster member tree and select Apply/Exclude Config Group from the list.
The Apply/Exclude Config Groups dialog appears with the configuration group named node already
highlighted in the Available Config Groups list.
7. Click the Add icon above the Applied Config Groups list (and not the Add button).
A dialog box appears and requests you to enter a string.
8. Type apply ${node} in the box, and then click OK.
The ${node} is automatically expanded by NSM to create and apply configuration groups node0 and
node1 to each member node.
9. Click OK to apply the configuration group.

If you later need to edit the local data for a cluster member, you do so by editing the configuration group
for that member.

Configuring JUNOS Devices with Redundant Routing Engines


Configuring a device with dual Routing Engines differs from configuring a device with a single Routing
Engine in that you can configure features for a specific Routing Engine. Two special configuration groups
are used for this purpose:
Configuration group re0 for the Routing Engine in slot 0
Configuration group re1 for the Routing Engine in slot 1

Features configured in these special Routing Engine configuration groups appear only in the Routing
Engine configuration to which they were applied. They do not appear in the global configuration,
regardless of which Routing Engine is the master. All other configuration groups applied to the device
apply to the global configuration and
not to individual Routing Engines.

Configuring a Routing Engine


The following example configures a separate hostname for the Routing Engine in slot 0.
To configure a separate hostname for a Routing Engine in slot 0, follow these steps:
1. In the navigation tree, select Device Manager > Devices.
2. In the Device Tree, double-click the JUNOS router with redundant Routing Engines.
3. In the Configuration tab of the device editor, select Config Groups List.
4. If the config group re0 exists, open it by double-clicking its icon. If it does not already exist, click the Add icon, name the new configuration group re0, and then save it.
5. In the navigation tree for re0, select System.
6. In the Host Name field, assign a name to the Routing Engine, for example, Dual-RE-re0.
7. Click OK twice.

Figure: Configuring Routing Engine Specific Parameters

Viewing a Routing Engine Configuration


The following example shows how to display the hostname assigned to a specific Routing Engine. See
the following figure and follow these steps:
1. In the navigation tree, select Device Manager > Devices.
2. In the Device Tree, double-click the JUNOS router with redundant Routing Engines.
3. In the Info tab of the device editor, select Routing Engine Configuration.
4. Double-click the configuration group name to show the configuration for the corresponding Routing Engine.
5. In the navigation tree, select System. The configured Routing Engine name appears in the Host Name field.

Figure: Viewing the Routing Engine Configuration

Adding the IDP 250 Devices to NSM


This procedure assumes the IDP 250 devices are reachable through their respective management ports as
mentioned in the previous section.
The following steps are required to add the IDP-250 devices as standalone devices to NSM according to the
Network Architecture shown in Figure 34:

To import an IDP Series device with a known IP address:

1- In the NSM navigation tree, select Device Manager > Devices.

Figure 1 : NSM Add IDP Device Wizard: Add Device

2- Click the + icon and select Device to display the Add Device wizard.

3- Select Device Is Reachable (default) and click Next to display the page where you configure connection
settings.

Figure 2 : NSM Add Device Wizard: Connection Settings

4- In the Specify Connection Settings dialog box, enter the following connection information:

- Enter the IP address of the IDP Series device: 192.168.0.10
- Enter admin for the username of the device admin user: admin
- Enter the password for the device admin user. You set the password for admin when you ran the ACM Wizard: $admin_pwd$
- Enter the password for the device root user. You set the password for root when you ran the ACM Wizard: $root_pwd$
- Select SSH Version 2 and port 22.
- Click Next.
The Wizard displays a page where you can verify the integrity of the connection between the IDP Series appliance and
NSM as shown in the figure below. Please wait a moment as the NSM retrieves SSH key fingerprint information from
the IDP Series appliance.
Figure 3 : NSM Add Device Wizard: SSH Key Fingerprint Information

5- Log into the IDP OS command-line interface and verify the SSH key fingerprint. Comparing the
SSH key fingerprint information enables you to detect man-in-the-middle attacks:

a. Connect to the IDP OS command-line interface:
- Use SSH to connect to the IP address or hostname for the management interface. Log in as admin and enter su to switch to root.
- If you prefer, make a connection through the serial port and log in as root.
b. Enter cd /etc/ssh.
c. Enter ssh-keygen -l -f ssh_host_dsa_key.

The command generates output similar to the following:

1024 f4:91:d0:04:b7:61:00:77:45:c3:cc:bd:af:b3:5b:a2 ssh_host_dsa_key.pub


After you have verified the SSH key fingerprint matches, click Next.
The Wizard displays a page where NSM retrieves and displays inventory information.
Please wait a moment as the NSM retrieves inventory information from the IDP Series Appliance.

Figure 4 : NSM Add Device Wizard: Inventory Information

6- Verify that the device type, OS version, device serial number, and device mode are correct.

7- Click Next to add the device to NSM. Upon success, NSM displays the following message:
Figure 5 : NSM Add Device Wizard: Add Device Confirmation

8- Click Next to import the configuration from the IDP Series device. Upon success, NSM displays the following
message:
Figure 6 : NSM Add Device Wizard: Configuration Import Confirmation

9- Click Finish.

10- After the job is complete, double-click the device in Device Manager to view the imported
configuration.
To check the device configuration status, mouse over the device and verify that the device status displays
Managed.

Figure 7 : NSM Device Manager: Viewing Device Status
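
The fingerprint comparison in step 5 can also be done programmatically from the device's public key file instead of by eye. The following is an added example, not part of the original guide or of NSM: it derives the colon-separated MD5 fingerprint (the format in the sample ssh-keygen output) and the SHA256 form, then compares either with the value the wizard shows. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def parse_pubkey_line(line: str) -> tuple:
    """Return (key type, raw key blob) from '<type> <base64> [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public-key line")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob starts with its own length-prefixed key type; it must agree.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type inside the blob differs from the line prefix")
    return fields[0], blob


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 form, as in the ssh-keygen output of step 5."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 form that newer OpenSSH releases print by default."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def fingerprints_match(shown: str, blob: bytes) -> bool:
    """Compare a displayed fingerprint with the one computed from the key."""
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        expected = sha256_fingerprint(blob)
    else:
        shown = shown.lower()  # hex is case-insensitive, base64 is not
        shown = shown[4:] if shown.startswith("md5:") else shown
        expected = md5_fingerprint(blob)
    return hmac.compare_digest(shown.encode(), expected.encode())


# Constructed sample (made-up numbers, not a real or usable host key), built
# in SSH wire format: each field is a uint32 length followed by its bytes.
SAMPLE_BLOB = b"".join(struct.pack(">I", len(p)) + p for p in (
    b"ssh-dss", b"\x00\xc1" * 8, b"\x00\xa3" * 4, b"\x2f" * 8, b"\x5d" * 8))
SAMPLE_LINE = "ssh-dss " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed"
```

On a current OpenSSH, `ssh-keygen -l -E md5 -f <file>` prints the colon-separated form. Reading the key over the serial console keeps the reference value off the network path being verified.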

VPN SSL SA NSM Integration


To add the VPN SSL Secure Access Appliances cluster in NSM, we should add the cluster first, and
then add each member. Adding a member is similar to adding a standalone device.
Secure Access clusters can be configured by the device administrator to operate in active/passive mode
or in active/active mode.
Clusters in active/passive mode are made up of a primary member and a secondary member. All
traffic flows through the primary member. If the primary member fails, then the secondary member
takes over.

Adding and Importing the Secure Access Cluster to NSM

If the cluster is already installed and configured on the network, then you can add and import that
cluster into NSM.
1. On each cluster member device, configure NSM administrator logon credentials.
2. In NSM, add the cluster object using the Add Cluster wizard.
In the Device Manager, select Devices, click the Add icon and select Cluster from the list. Provide
the cluster name, color of the icon, OS name, platform, and managed OS version. The OS name,
platform, and OS version must match those on the physical devices.
3. In NSM, add each cluster member.
Right-click the cluster icon in the Device Manager, select New > Cluster Member, and follow the
instructions in the Add Cluster Member wizard. When prompted, select Device Is Not Reachable
to add an existing device with a dynamic IP address.
The last step in adding the cluster member prompts you to continue adding cluster members.
Select this option if you have more members to add; unselect it if you are done adding members.
4. On each cluster member device, configure and activate the NSM agent and establish an SSH
session with NSM.
5. Import the cluster.
In the Device Manager, open the cluster icon, right-click on one cluster member and select Import
Device from the list. You do this only once and for the entire cluster because the configuration is
identical for all cluster members.
After importing, the configuration appears at the cluster level in NSM. To edit the configuration,
open the cluster icon, not the individual cluster members.

Step by Step SA-4500 Cluster NSM Integration

This step-by-step configuration guide shows how to add the KAPSARC Secure Access SA-4500
cluster that already exists on the network and import the configuration into NSM. The cluster in
this example has two members:
ROC-0ITC-CTR0IA-01-SSV and ROC-0ITC-CTR0IB-01-SSV.

Adding and importing a cluster consists of three major steps:

Adding the Cluster
Adding the Cluster Members
Importing the Cluster configuration

Adding the Cluster

Add a new cluster to NSM as follows:


1. Select Device Manager > Devices, and then click the Add icon and select Cluster from the list.
The Add Cluster wizard starts.
2. Enter the cluster-level information into the New Cluster dialog box as shown in Figure 161
below:

Figure 8 Adding the Secure Access Cluster

3. Click OK.
The new cluster appears in the Device Manager.

Adding the Cluster Members

1. On the device itself, configure the cluster member device with logon credentials for the NSM
administrator.
2. Add the cluster member in NSM:
a. In the Device Manager, right-click on the SA-Cluster icon and select New > Cluster Member
from the list.
b. In the New Cluster Member dialog box, enter a name and color for the cluster member and select
Device Is Not Reachable.
c. Click Next. The Specify OS Name, Version, and Platform screen appears.
d. Specify an IP address for the NSM Device Manager server, or accept the default, and then click
Next.
e. Make a note of the Unique External ID automatically displayed by NSM. The device administrator
will need it later to connect the device to NSM.
f. Enter the NSM username and password configured on the device.
g. Enter a first-connection one-time password, and make a note of it. The device administrator will
need it to connect the device to NSM.
h. Check the Keep Adding Cluster Members box to add another cluster member.
The Finish button changes to the Next button.
i. Click Next and repeat the process for the second cluster member. When you have finished adding
cluster members, leave the Keep Adding Cluster Members box empty and click Finish.
3. Configure and activate connectivity on each cluster member by performing the following steps
on each cluster member:
a. Open the System > Configuration > NSM Agent screen to add the NSM management
application.
b. In the Primary Server field, enter the IP address of the Device Server.
c. In the Primary Port field, enter 7804.
d. Fill out the Backup Server and Backup Port fields if a high availability Device Server is configured.
e. In the Device ID field, enter the unique external ID provided by the NSM administrator.
f. In the HMAC field, enter the one-time password, also provided by the NSM administrator.
g. Click the Enable button to enable the NSM agent.
h. Click Save Changes.
The device software initiates the TCP connection to NSM and identifies itself
using the specified device ID and HMAC. The two sides then engage in SSH transport layer
interactions to set up an encrypted tunnel, and NSM authenticates itself to the device based on
user name and password.
4. Confirm Connectivity in NSM.
Verify that the connection status of the cluster member in the Device List is Up.

Importing the Cluster configuration

To import the cluster configuration, follow these steps:


1. From the NSM navigation tree, select Device Manager > Devices.
2. Right-click SA-Cluster (the cluster name) and select Import Device from the list.
NSM starts a job to import the configuration. A job window reports the progress of the job. When the
job finishes, the configuration status for each cluster member changes from Import Needed to
Managed.
