
[SRX] IP monitoring with FBF (filter-based forwarding in a dual ISP scenario)


Article ID: KB22052 | KB Last Updated: 26 May 2015 | Version: 8.0

Summary:

The IP monitoring with route failover feature is available from Junos OS release 11.2. This article describes the configuration of this feature that is used to perform a route failover in a typical dual-ISP scenario.

Symptoms:

  • Two ISPs are present; one terminates on ge-0/0/0 and the other on ge-0/0/1.

  • The primary default gateway for the traffic is via ge-0/0/0.

  • Additionally, filter-based forwarding (FBF) has to be performed for the 10.10.10.0/24 subnet. For this subnet, the primary default gateway should be via ge-0/0/1.

  • Also, a failover has to be performed in each instance (inet.0 and the routing instance), depending on reachability via the respective interface.

Solution:

An RPM probe test and the corresponding IP-monitoring action are configured for each routing instance.

Routing-Instance Configuration:

set routing-instances FBF-1 instance-type forwarding >> First routing-instance
set routing-instances FBF-1 routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

set routing-instances FBF-2 instance-type forwarding >> Second routing-instance
set routing-instances FBF-2 routing-options static route 0.0.0.0/0 next-hop 2.2.2.2

Interfaces and RIB Configuration:
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24 >> First ISP network
set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.1/24 >> Second ISP network

set interfaces ge-0/0/2 unit 0 family inet filter input F1
set interfaces ge-0/0/2 unit 0 family inet address 10.10.10.1/24 >> LAN network

Because the two ISP-facing interfaces belong to inet.0, a rib-group is required to import their directly connected routes into each routing instance.

set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib FBF-1.inet.0
set routing-options rib-groups IMPORT-PHY import-rib FBF-2.inet.0

Firewall Filter Configuration:
set firewall filter F1 term 1 from source-address 10.10.10.2/32
set firewall filter F1 term 1 then routing-instance FBF-2

set firewall filter F1 term 2 from source-address 0.0.0.0/0
set firewall filter F1 term 2 then routing-instance FBF-1

RPM Configuration:
set services rpm probe Probe-Server test testsvr target address 1.1.1.1 >> RPM probe test for the target in the first ISP
set services rpm probe Probe-Server test testsvr probe-count 10
set services rpm probe Probe-Server test testsvr probe-interval 5
set services rpm probe Probe-Server test testsvr test-interval 10
set services rpm probe Probe-Server test testsvr thresholds successive-loss 10
set services rpm probe Probe-Server test testsvr thresholds total-loss 5
set services rpm probe Probe-Server test testsvr destination-interface ge-0/0/0.0
set services rpm probe Probe-Server test testsvr next-hop 1.1.1.1

set services rpm probe Probe-Server1 test testsvr target address 2.2.2.2 >> RPM probe test for the target in the second ISP
set services rpm probe Probe-Server1 test testsvr probe-count 10
set services rpm probe Probe-Server1 test testsvr probe-interval 5
set services rpm probe Probe-Server1 test testsvr test-interval 10
set services rpm probe Probe-Server1 test testsvr thresholds successive-loss 10
set services rpm probe Probe-Server1 test testsvr thresholds total-loss 5
set services rpm probe Probe-Server1 test testsvr destination-interface ge-0/0/1.0
set services rpm probe Probe-Server1 test testsvr next-hop 2.2.2.2

IP-Monitoring Configuration:
set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
set services ip-monitoring policy Server-Tracking then preferred-route routing-instances FBF-1 route 0.0.0.0/0 next-hop 2.2.2.2 >> Installs the route in the first routing-instance

set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
set services ip-monitoring policy Server-Tracking1 then preferred-route routing-instances FBF-2 route 0.0.0.0/0 next-hop 1.1.1.1 >> Installs the route in the second routing-instance

Security Zone:
set security zones security-zone <zone-name> interfaces <interface-name> host-inbound-traffic system-services rpm
set security zones security-zone <zone-name> interfaces <interface-name> host-inbound-traffic system-services ping

The rpm and ping system services must be enabled under the zone hierarchy of the interfaces that send the probes, so that the device can send probes to the specified target (identified by an IP address or URL), accept the replies, and collect RPM statistics.

Notes:
  • To change only the route in inet.0 (and not in the customized routing instance), remove routing-instances <instance-name> from the IP monitoring configuration.

  • In the above solution, two RPM probes are created, one for each forwarding-type routing instance, namely FBF-1 and FBF-2. When the RPM probe to 1.1.1.1 (the next hop of the ge-0/0/0.0 interface) fails, the route 0.0.0.0/0 next-hop 2.2.2.2 is installed in the FBF-1 routing instance.

    Similarly, the route 0.0.0.0/0 next-hop 1.1.1.1 is installed in the FBF-2 routing instance if the probes to 2.2.2.2 fail.

  • This solution works for reth interfaces as well.

  • The target IP can be any IP that is reachable from the particular link that needs to be monitored. It is preferable to keep it within the ISP's network.

  • It is assumed that the rest of the configuration required for a stateful firewall to work (for example, security zones, policies, and so on) is already done. To configure the rest of the SRX features, refer to KB15694 - SRX Getting Started - Configuration Examples & Troubleshooting (JumpStation).

  • The timings and intervals that are mentioned in the above example are indicative only. You can set these according to the network requirements.

  • For additional information on how IP monitoring route failover works, refer to the Junos® OS 11.2 Release Notes.

Verification:

To verify, run the following command:
user@SRX> show services ip-monitoring status all >> (when the probe for ISP-2 has failed)

Policy - Payment-Server-Tracking
RPM Probes:
Probe name                    Address    Status
---------------------- ---------------- ---------
Probe-Server                 1.1.1.1      PASS >> Result of the RPM
Route-Action:
route-instance      route               next-hop      State
----------------- ----------------- ---------------- -------------
FBF-1            0.0.0.0/0         2.2.2.2           NOT-APPLIED  >> Action taken

Policy - Payment-Server-Tracking1
RPM Probes:
Probe name                  Address     Status
---------------------- ---------------- ---------
Probe-Server1           192.168.1.109  Failed >> RESULT of the RPM
Route-Action:
route-instance          route          next-hop        State
----------------- ----------------- ----------------   -------------
FBF-2                 0.0.0.0/0         1.1.1.1         APPLIED >> Action taken
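As an added example (not part of the KB article), the following Python script parses the output of show services ip-monitoring status all, reports which routing instance currently has its IP-monitoring backup route APPLIED, and flags any policy whose route-action state disagrees with its probe result (for example, probe PASS but route APPLIED), which is the condition an operator would want to alert on. The sample output is constructed from this article's configuration; the policy and probe names are the ones configured above, and the Failed status of the ISP-2 probe is constructed.

```python
# Added example (not from KB22052): parse "show services ip-monitoring status all"
# output and report which routing instance has its backup route APPLIED.
# Constructed sample output modelled on this article's configuration (policy and
# probe names as configured; the Failed status of the ISP-2 probe is constructed).
SAMPLE_OUTPUT = """\
Policy - Server-Tracking
RPM Probes:
Probe name                    Address    Status
---------------------- ---------------- ---------
Probe-Server                 1.1.1.1      PASS
Route-Action:
route-instance      route               next-hop      State
----------------- ----------------- ---------------- -------------
FBF-1            0.0.0.0/0         2.2.2.2           NOT-APPLIED
Policy - Server-Tracking1
RPM Probes:
Probe name                    Address    Status
---------------------- ---------------- ---------
Probe-Server1                2.2.2.2      Failed
Route-Action:
route-instance      route               next-hop      State
----------------- ----------------- ---------------- -------------
FBF-2            0.0.0.0/0         1.1.1.1           APPLIED
"""

def parse_ip_monitoring(text):
    """Return {policy: {"probes": [(name, addr, status)], "routes": [(inst, route, nh, state)]}}."""
    policies, current, section = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("-", "Probe name", "route-instance")):
            continue  # blank line, separator row or column-header row
        if line.startswith("Policy - "):
            current = line[len("Policy - "):]
            policies[current] = {"probes": [], "routes": []}
        elif line in ("RPM Probes:", "Route-Action:"):
            section = "probes" if line == "RPM Probes:" else "routes"
        elif current and section:
            policies[current][section].append(tuple(line.split()))
    return policies

def failover_report(policies):
    """Return (applied, inconsistent): installed backup routes, and policies whose route-action state disagrees with the probe result."""
    applied, inconsistent = [], []
    for name, pol in policies.items():
        probe_failed = any(s.upper().startswith("FAIL") for _, _, s in pol["probes"])
        for inst, route, nh, state in pol["routes"]:
            if state == "APPLIED":
                applied.append((inst, route, nh))
            if (state == "APPLIED") != probe_failed:  # e.g. probe PASS but route APPLIED
                inconsistent.append(name)
    return applied, inconsistent
```

Feed it the real command output captured from the device in place of SAMPLE_OUTPUT; a non-empty inconsistent list means the preferred-route action and the probe state have diverged and the policy needs a closer look.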

The output of the route table will be:

> show route |no-more

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.10.0/24 *[Direct/0] 00:24:56
> via ge-0/0/2.0
10.10.10.1/32 *[Local/0] 00:25:04
Local via ge-0/0/2.0
1.1.1.0/24 *[Direct/0] 00:00:09
> via ge-0/0/0.0
1.1.1.2/32 *[Local/0] 00:25:04
Local via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:05:17
> via ge-0/0/1.0
2.2.2.1/32 *[Local/0] 00:25:04
Local via ge-0/0/1.0

FBF-1.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:00:09
> to 1.1.1.1 via ge-0/0/0.0 >> No change in the route
10.10.10.0/24 *[Direct/0] 00:24:56
> via ge-0/0/2.0
10.10.10.1/32 *[Local/0] 00:25:04
Local via ge-0/0/2.0
1.1.1.0/24 *[Direct/0] 00:00:09
> via ge-0/0/0.0
1.1.1.2/32 *[Local/0] 00:25:04
Local via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:05:17
> via ge-0/0/1.0
2.2.2.1/32 *[Local/0] 00:25:04
Local via ge-0/0/1.0

FBF-2.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/1] 00:00:10 >> Note that this route has a preference value of 1 instead of 5 (the default for static routes)
> to 1.1.1.1 via ge-0/0/0.0 >> Change in the installed route
10.10.10.0/24 *[Direct/0] 00:24:56
> via ge-0/0/2.0
10.10.10.1/32 *[Local/0] 00:25:04
Local via ge-0/0/2.0
1.1.1.0/24 *[Direct/0] 00:00:09
> via ge-0/0/0.0
1.1.1.2/32 *[Local/0] 00:25:04
Local via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:05:17
> via ge-0/0/1.0
2.2.2.1/32 *[Local/0] 00:25:04
Local via ge-0/0/1.0

> show route forwarding-table table FBF-1.inet

Routing table: FBF-1.inet
Internet:
Destination        Type RtRef Next hop           Type  Index NhRef Netif
default            perm     0                    rjct     36     2
default            user     0                    indr 262143     2
                              0:26:88:e6:d2:0    ucst    539     3 ge-0/0/0.0
1.1.1.0/24         intf     0                    rslv    582     1 ge-0/0/0.0
1.1.1.0/32         dest     0 1.1.1.0            recv    580     1 ge-0/0/0.0
1.1.1.1/32         dest     0 0:26:88:e6:d2:0    ucst    539     3 ge-0/0/0.0
1.1.1.2/32         intf     0 1.1.1.2            locl    581     3
1.1.1.2/32         dest     0 1.1.1.2            locl    581     3
1.1.1.255/32       dest     0 1.1.1.255          bcst    579     1 ge-0/0/0.0
2.2.2.0/24         intf     0                    rslv    586     1 ge-0/0/1.0
2.2.2.0/32         dest     0 2.2.2.0            recv    584     1 ge-0/0/1.0
2.2.2.1/32         intf     0 2.2.2.1            locl    585     3
2.2.2.1/32         dest     0 2.2.2.1            locl    585     3
2.2.2.2/32         dest     0 2.2.2.2            hold    540     1 ge-0/0/1.0
2.2.2.255/32       dest     0 2.2.2.255          bcst    583     1 ge-0/0/1.0
10.10.10.0/24      intf     0                    rslv    590     1 ge-0/0/2.0
10.10.10.0/32      dest     0 10.10.10.0         recv    588     1 ge-0/0/2.0
10.10.10.1/32      dest     0 00:24:dc:24:f9:f0  ucst     36     2
10.10.10.2/32      intf     0 10.10.10.2         locl    589     2
10.10.10.2/32      dest     0 10.10.10.2         locl    589     2
10.10.10.255/32    dest     0 10.10.10.255       bcst    587     1 ge-0/0/2.0
224.0.0.0/4        perm     0                    mdsc     35     1
224.0.0.1/32       perm     0 224.0.0.1          mcst     31     1
255.255.255.255/32 perm     0                    bcst     32     1

> show route forwarding-table table FBF-2.inet

Routing table: FBF-2.inet
Internet:
Destination        Type RtRef Next hop           Type  Index NhRef Netif
default            user     0                    indr 262143     2
                              0:26:88:e6:d2:0    ucst    539     3 ge-0/0/0.0
default            perm     0                    rjct    545     2
0.0.0.0/32         perm     0                    dscd    543     1
1.1.1.0/24         user     0                    rtbl      1     3
1.1.1.2/32         user     0 1.1.1.2            locl    581     3
2.2.2.0/24         user     0                    rtbl      1     3
2.2.2.1/32         user     0 2.2.2.1            locl    585     3
10.10.10.1/32      user     0                    rjct    545     2
224.0.0.0/4        perm     0                    mdsc    544     1
224.0.0.1/32       perm     0 224.0.0.1          mcst    517     1
255.255.255.255/32 perm     0                    bcst    541     1
