
[SRX] IP monitoring with FBF (filter-based forwarding in a dual ISP scenario)

  [KB22052]


Summary:

The IP monitoring with a route failover feature is available with the 11.2 release. This article provides information about the specific configuration of this feature that is used to perform a route-failover in a typical dual ISP scenario.

Symptoms:

  • Two ISPs are present; one terminates on ge-0/0/0 and the other on ge-0/0/1.

  • The primary default gateway for the traffic is via ge-0/0/0.

  • Additionally, filter-based forwarding (FBF) has to be performed for the 10.10.10.0/24 subnet. For this subnet, the default primary gateway should be via ge-0/0/1.

  • Also, a failover has to be performed in each of the instances (inet.0 and the routing-instance), depending on the reach via the respective interfaces.
Solution:

RPM probe tests and the corresponding action for each instance will be configured.

Routing-Instance Configuration:

set routing-instances FBF-1 instance-type forwarding >> First routing-instance
set routing-instances FBF-1 routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

set routing-instances FBF-2 instance-type forwarding >> Second routing-instance
set routing-instances FBF-2 routing-options static route 0.0.0.0/0 next-hop 2.2.2.2
Interfaces and RIB Configuration:
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24 >> First ISP network
set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.1/24 >> Second ISP network

set interfaces ge-0/0/2 unit 0 family inet filter input F1
set interfaces ge-0/0/2 unit 0 family inet address 10.10.10.1/24 >> LAN network

As the two ISPs are part of inet.0, the rib-group configuration is required to import the directly connected routes of the ISP into the routing-instance.

set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib FBF-1.inet.0
set routing-options rib-groups IMPORT-PHY import-rib FBF-2.inet.0

Firewall Filter Configuration:
set firewall filter F1 term 1 from source-address 10.10.10.2/32
set firewall filter F1 term 1 then routing-instance FBF-2

set firewall filter F1 term 2 from source-address 0.0.0.0/0
set firewall filter F1 term 2 then routing-instance FBF-1

RPM Configuration:
set services rpm probe Probe-Server test testsvr target address 1.1.1.1 >> RPM Probes test for the target in first ISP.
set services rpm probe Probe-Server test testsvr probe-count 10
set services rpm probe Probe-Server test testsvr probe-interval 5
set services rpm probe Probe-Server test testsvr test-interval 10
set services rpm probe Probe-Server test testsvr thresholds successive-loss 10
set services rpm probe Probe-Server test testsvr thresholds total-loss 5
set services rpm probe Probe-Server test testsvr destination-interface ge-0/0/0.0
set services rpm probe Probe-Server test testsvr next-hop 1.1.1.1

set services rpm probe Probe-Server1 test testsvr target address 2.2.2.2 >> RPM Probes test for the target in second ISP.
set services rpm probe Probe-Server1 test testsvr probe-count 10
set services rpm probe Probe-Server1 test testsvr probe-interval 5
set services rpm probe Probe-Server1 test testsvr test-interval 10
set services rpm probe Probe-Server1 test testsvr thresholds successive-loss 10
set services rpm probe Probe-Server1 test testsvr thresholds total-loss 5
set services rpm probe Probe-Server1 test testsvr destination-interface ge-0/0/1.0
set services rpm probe Probe-Server1 test testsvr next-hop 2.2.2.2

IP-Monitoring Configuration:
set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
set services ip-monitoring policy Server-Tracking then preferred-route routing-instances FBF-1 route 0.0.0.0/0 next-hop 2.2.2.2 >> Installs route in the first routing-instance

set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
set services ip-monitoring policy Server-Tracking1 then preferred-route routing-instances FBF-2 route 0.0.0.0/0 next-hop 1.1.1.1 >> Installs route in the second routing-instance

Security Zone:
set security zones security-zone <zone-name> interfaces <interface-name> host-inbound-traffic system-services rpm
set security zones security-zone <zone-name> interfaces <interface-name> host-inbound-traffic system-services ping

The rpm and ping system services must be enabled under the zone hierarchy so that RPM statistics can be collected by sending probes to a specified probe target, which is identified by an IP address or URL.

Notes:
  • To change only the route in inet.0 (and not in the customized routing-instance), remove routing-instances <instance-name> from the IP monitoring configuration.

  • In the above solution, two RPM probes are created, one for each forwarding-type routing-instance, namely FBF-1 and FBF-2. When the RPM probe to 1.1.1.1 (which is the next-hop of the ge-0/0/0.0 interface) fails, the 0.0.0.0/0 next-hop 2.2.2.2 route is installed in the FBF-1 routing-instance.

    Similarly, the 0.0.0.0/0 next-hop 1.1.1.1 route is installed in the FBF-2 routing-instance if the probes to 2.2.2.2 fail.

  • This solution works for reth interfaces as well.

  • The target IP can be any IP that is reachable from the particular link that needs to be monitored. It is preferable to keep it as the ISP's network.

  • It is assumed that the rest of the configuration that is required for a stateful firewall to work (for example, Security Zones, Policies, and so on) is already done. To configure the rest of the SRX features, refer to KB15694 - SRX Getting Started - Configuration Examples & Troubleshooting (JumpStation).

  • The timings and intervals that are mentioned in the above example are indicative only. You can set these according to the network requirements.

  • For additional information on how IP monitoring route failover works, refer to the Junos® OS 11.2 Release Notes.
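
The probe-to-route pairing described in the notes is easy to cross-wire, so the following added example (not part of the original article) lints a set-style configuration for it. It assumes the single default route per routing-instance used here; `lint` and its finding messages are hypothetical names.

```python
import re

# Constructed sample: the routing-instance, RPM and IP-monitoring lines from this article.
CONFIG = """\
set routing-instances FBF-1 routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-instances FBF-2 routing-options static route 0.0.0.0/0 next-hop 2.2.2.2
set services rpm probe Probe-Server test testsvr next-hop 1.1.1.1
set services rpm probe Probe-Server1 test testsvr next-hop 2.2.2.2
set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
set services ip-monitoring policy Server-Tracking then preferred-route routing-instances FBF-1 route 0.0.0.0/0 next-hop 2.2.2.2
set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
set services ip-monitoring policy Server-Tracking1 then preferred-route routing-instances FBF-2 route 0.0.0.0/0 next-hop 1.1.1.1
"""

def lint(config):
    """Return findings for cross-wired probe / route-action pairs."""
    primary, probe_nh, watched, backup = {}, {}, {}, {}
    for line in config.splitlines():
        line = line.split(">>")[0].strip()      # drop the article's ">>" annotations
        if m := re.match(r"set routing-instances (\S+) routing-options static route "
                         r"0\.0\.0\.0/0 next-hop (\S+)", line):
            primary[m[1]] = m[2]                # instance -> normal gateway
        elif m := re.match(r"set services rpm probe (\S+) test \S+ next-hop (\S+)", line):
            probe_nh[m[1]] = m[2]               # probe -> gateway it watches
        elif m := re.match(r"set services ip-monitoring policy (\S+) match rpm-probe (\S+)", line):
            watched[m[1]] = m[2]                # policy -> probe
        elif m := re.match(r"set services ip-monitoring policy (\S+) then preferred-route "
                           r"routing-instances (\S+) route 0\.0\.0\.0/0 next-hop (\S+)", line):
            backup[m[1]] = (m[2], m[3])         # policy -> (instance, failover gateway)
    findings = []
    for policy, (instance, next_hop) in backup.items():
        probe = watched.get(policy)
        if probe not in probe_nh or instance not in primary:
            findings.append(f"{policy}: undefined rpm-probe or routing-instance")
        elif probe_nh[probe] != primary[instance]:
            findings.append(f"{policy}: probe watches {probe_nh[probe]}, "
                            f"{instance} forwards via {primary[instance]}")
        elif next_hop == primary[instance]:
            findings.append(f"{policy}: failover next-hop {next_hop} is the monitored gateway")
    return findings
```

An empty list means every policy watches the gateway its routing-instance normally uses and fails over to a different one.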

Verification:

To verify, run the following command:
user@SRX> show services ip-monitoring status all >>(when probe for ISP-2 has failed)

Policy - Payment-Server-Tracking
RPM Probes:
Probe name                    Address    Status
---------------------- ---------------- ---------
Probe-Server                 1.1.1.1      PASS >> Result of the RPM
Route-Action:
route-instance      route               next-hop      State
----------------- ----------------- ---------------- -------------
FBF-1            0.0.0.0/0         2.2.2.2           NOT-APPLIED  >> Action taken

Policy - Payment-Server-Tracking1
RPM Probes:
Probe name                  Address     Status
---------------------- ---------------- ---------
Probe-Server1           192.168.1.109  Failed >> RESULT of the RPM
Route-Action:
route-instance          route          next-hop        State
----------------- ----------------- ----------------   -------------
FBF-2                 0.0.0.0/0         1.1.1.1         APPLIED >> Action taken
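
For monitoring or alerting on failover events, the status output above can be parsed by a script. This is an added example, not part of the original article; `parse_status` and `failed_over` are hypothetical helper names, and the sample input is the output shown above.

```python
import re
# Sample input: the status output shown in this article, ">>" notes included.
STATUS = """\
Policy - Payment-Server-Tracking
RPM Probes:
Probe name                    Address    Status
---------------------- ---------------- ---------
Probe-Server                 1.1.1.1      PASS >> Result of the RPM
Route-Action:
route-instance      route               next-hop      State
----------------- ----------------- ---------------- -------------
FBF-1            0.0.0.0/0         2.2.2.2           NOT-APPLIED  >> Action taken

Policy - Payment-Server-Tracking1
RPM Probes:
Probe name                  Address     Status
---------------------- ---------------- ---------
Probe-Server1           192.168.1.109  Failed >> RESULT of the RPM
Route-Action:
route-instance          route          next-hop        State
----------------- ----------------- ----------------   -------------
FBF-2                 0.0.0.0/0         1.1.1.1         APPLIED >> Action taken
"""

def parse_status(text):
    """Return one dict per policy with its probe rows and route-action rows."""
    policies, section = [], None
    for raw in text.splitlines():
        line = raw.split(">>")[0].strip()           # drop the article's annotations
        if not line or line.startswith(("-", "Probe name", "route-instance")):
            continue                                 # blank, rule, or column header
        if m := re.match(r"Policy - (\S+)", line):
            policies.append({"policy": m[1], "probes": [], "routes": []})
            section = None
        elif line in ("RPM Probes:", "Route-Action:"):
            section = "probes" if line.startswith("RPM") else "routes"
        elif policies and section and len(line.split()) == {"probes": 3, "routes": 4}[section]:
            policies[-1][section].append(tuple(line.split()))
    return policies

def failed_over(policies):
    """(policy, instance, backup next-hop, failing probes) for every APPLIED route."""
    hits = []
    for p in policies:
        down = [name for name, _, status in p["probes"] if status.upper().startswith("FAIL")]
        for instance, _, next_hop, state in p["routes"]:
            if state.upper() == "APPLIED":
                hits.append((p["policy"], instance, next_hop, down))
    return hits
```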

The output of the route table will be:

> show route |no-more

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.10.0/24 *[Direct/0] 00:24:56
> via ge-0/0/2.0
10.10.10.1/32 *[Local/0] 00:25:04
Local via ge-0/0/2.0
1.1.1.0/24 *[Direct/0] 00:00:09
> via ge-0/0/0.0
1.1.1.2/32 *[Local/0] 00:25:04
Local via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:05:17
> via ge-0/0/1.0
2.2.2.1/32 *[Local/0] 00:25:04
Local via ge-0/0/1.0

FBF-1.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:00:09
> to 1.1.1.1 via ge-0/0/0.0 >> No change in the route
10.10.10.0/24 *[Direct/0] 00:24:56
> via ge-0/0/2.0
10.10.10.1/32 *[Local/0] 00:25:04
Local via ge-0/0/2.0
1.1.1.0/24 *[Direct/0] 00:00:09
> via ge-0/0/0.0
1.1.1.2/32 *[Local/0] 00:25:04
Local via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:05:17
> via ge-0/0/1.0
2.2.2.1/32 *[Local/0] 00:25:04
Local via ge-0/0/1.0

FBF-2.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/1] 00:00:10  >> Note that this route has a preference value of 1; instead of 5 (default for static).
> to 1.1.1.1 via ge-0/0/0.0 >> Change in installed route
10.10.10.0/24 *[Direct/0] 00:24:56
> via ge-0/0/2.0
10.10.10.1/32 *[Local/0] 00:25:04
Local via ge-0/0/2.0
1.1.1.0/24 *[Direct/0] 00:00:09
> via ge-0/0/0.0
1.1.1.2/32 *[Local/0] 00:25:04
Local via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:05:17
> via ge-0/0/1.0
2.2.2.1/32 *[Local/0] 00:25:04
Local via ge-0/0/1.0

> show route forwarding-table table FBF-1.inet

Routing table: FBF-1.inet

Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 36 2
default user 0 indr 262143 2
0:26:88:e6:d2:0 ucst 539 3 ge-0/0/0.0
1.1.1.0/24 intf 0 rslv 582 1 ge-0/0/0.0
1.1.1.0/32 dest 0 1.1.1.0 recv 580 1 ge-0/0/0.0
1.1.1.1/32 dest 0 0:26:88:e6:d2:0 ucst 539 3 ge-0/0/0.0
1.1.1.2/32 intf 0 1.1.1.2 locl 581 3
1.1.1.2/32 dest 0 1.1.1.2 locl 581 3
1.1.1.255/32 dest 0 1.1.1.255 bcst 579 1 ge-0/0/0.0
2.2.2.0/24 intf 0 rslv 586 1 ge-0/0/1.0
2.2.2.0/32 dest 0 2.2.2.0 recv 584 1 ge-0/0/1.0
2.2.2.1/32 intf 0 2.2.2.1 locl 585 3
2.2.2.1/32 dest 0 2.2.2.1 locl 585 3
2.2.2.2/32 dest 0 2.2.2.2 hold 540 1 ge-0/0/1.0
2.2.2.255/32 dest 0 2.2.2.255 bcst 583 1 ge-0/0/1.0
10.10.10.0/24 intf 0 rslv 590 1 ge-0/0/2.0
10.10.10.0/32 dest 0 10.10.10.0 recv 588 1 ge-0/0/2.0
10.10.10.1/32 dest 0 00:24:dc:24:f9:f0 ucst 36 2
10.10.10.2/32 intf 0 10.10.10.2 locl 589 2
10.10.10.2/32 dest 0 10.10.10.2 locl 589 2
10.10.10.255/32 dest 0 10.10.10.255 bcst 587 1 ge-0/0/2.0
224.0.0.0/4 perm 0 mdsc 35 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 31 1
255.255.255.255/32 perm 0 bcst 32 1

> show route forwarding-table table FBF-2.inet
Routing table: FBF-2.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default user 0 indr 262143 2
0:26:88:e6:d2:0 ucst 539 3 ge-0/0/0.0
default perm 0 rjct 545 2
0.0.0.0/32 perm 0 dscd 543 1
1.1.1.0/24 user 0 rtbl 1 3
1.1.1.2/32 user 0 1.1.1.2 locl 581 3
2.2.2.0/24 user 0 rtbl 1 3
2.2.2.1/32 user 0 2.2.2.1 locl 585 3
10.10.10.1/32 user 0 rjct 545 2
224.0.0.0/4 perm 0 mdsc 544 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 517 1
255.255.255.255/32 perm 0 bcst 541 1
