Lab post: SLA tracking on Cisco and IP monitoring on Juniper SRX
Requirements:
– Address the R1-R4 link as planned: R1 uses 10.1.4.1 and R4 uses 10.1.4.4
– Configure the VRRP priorities on the Cisco side as shown in the figure; the VRRP virtual address is 192.168.1.10
– Use SLA tracking to detect an outage of the main WAN branch and move traffic over the upper branch
– Configure the Juniper SRX to prefer the lower branch; if the lower branch fails, use IP monitoring to switch to the upper branch (the Junos equivalent of SLA tracking)
Configuration:
Left side (Cisco):
R1:
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 vrrp 1 ip 192.168.1.10
 vrrp 1 priority 110
 vrrp 1 track 1    ##Track 1 is configured below; the default decrement of 10 takes R1 to 100 (below R2's 105) when the track fails
!
interface Ethernet0/1
 ip address 10.1.4.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.1.4.4    ##Default route towards the partner router R4
ip sla 1
 icmp-echo 10.1.4.4 source-interface Ethernet0/1    ##Probe R4's address on the R1-R4 link
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
R2:
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 vrrp 1 ip 192.168.1.10
 vrrp 1 priority 105    ##105 is lower than R1's 110, so R2 is backup until R1's track fails
!
interface Ethernet0/1
 ip address 10.2.3.2 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.2.3.3    ##Default route towards the partner router R3
Verify:
show vrrp
Once the partner side has finished its configuration, ping the two partner-side routers
Ping the VPC at 192.168.1.100
Right side (Juniper):
This side cannot run VRRP because there are no switches, only the SRX firewall
R3:
interface Ethernet0/0
 ip address 10.2.3.3 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 ip address 10.3.5.3 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.2.3.2
ip route 192.168.5.0 255.255.255.0 10.3.5.5    ##SRX LAN via the SRX
R4:
interface Ethernet0/0
 ip address 10.1.4.4 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 ip address 10.4.5.4 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.1.4.1
ip route 192.168.5.0 255.255.255.0 10.4.5.5    ##SRX LAN via the SRX
Juniper SRX:
############ Set IP addresses ##############
set interfaces ge-0/0/0 unit 0 family inet address 10.3.5.5/24
set interfaces ge-0/0/1 unit 0 family inet address 10.4.5.5/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.5.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.4.5.4    ##Primary default route via R4
############ Set zones ################
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
############ Policy allowing ping from the CISCO LAN to the local LAN ##############
set security address-book global address CISCO_LAN 192.168.1.0/24
set security address-book global address LOCAL_LAN 192.168.5.0/24
!
set security policies from-zone untrust to-zone trust policy allow_ping_from_CISCO match source-address CISCO_LAN
set security policies from-zone untrust to-zone trust policy allow_ping_from_CISCO match destination-address LOCAL_LAN
set security policies from-zone untrust to-zone trust policy allow_ping_from_CISCO match application junos-ping
set security policies from-zone untrust to-zone trust policy allow_ping_from_CISCO then permit
set security policies from-zone untrust to-zone trust policy allow_ping_from_CISCO then log session-init
############ SLA equivalent: RPM probe plus IP monitoring ##############
set services rpm probe haiprobe test ping-to-R2 target address 10.1.4.1    ##Probe R1's address on the R1-R4 link
set services rpm probe haiprobe test ping-to-R2 probe-count 5
set services rpm probe haiprobe test ping-to-R2 probe-interval 3
set services rpm probe haiprobe test ping-to-R2 thresholds successive-loss 3
!
set services ip-monitoring policy hai match rpm-probe haiprobe
set services ip-monitoring policy hai then preferred-route route 0.0.0.0/0 next-hop 10.3.5.3    ##Backup path via R3, installed when the probe fails
set routing-options static route 10.1.4.1/32 next-hop 10.4.5.4    ##Pin the probe target through R4 so the probe tests the primary path
Verify:
Ping from VPC_1 to VPC_2
Shut down the R1-R4 link and, after a few seconds, check whether the ping fails over to the upper branch.
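To check that the two sides fail over consistently, here is an added Python model of the lab's decision logic (it is not part of the original post). It assumes the four WAN links named in the code and that a LAN-to-LAN ping needs a working path in both directions; it also walks failures beyond the tracked next hop, which the verify step above does not exercise.

```python
# Added model of the lab's failover decisions (not part of the original post).
# Assumptions: the four WAN links below, and a successful LAN-to-LAN ping
# needs a working path in both directions.
from itertools import combinations

LINKS = ("R1-R4", "R2-R3", "R3-SRX", "R4-SRX")


def vrrp_master(down):
    """R1: priority 110, track 1 = reachability of 10.1.4.4 on the R1-R4 link.
    The default track decrement of 10 takes R1 to 100 when that link is down;
    R2 stays at 105 and has no tracking."""
    r1 = 110 - (10 if "R1-R4" in down else 0)
    return "R1" if r1 > 105 else "R2"


def cisco_to_srx(down):
    """Cisco LAN -> VRRP master -> its default route -> partner router -> SRX.
    Returns the links used, or None if one of them is down."""
    hops = {"R1": ["R1-R4", "R4-SRX"], "R2": ["R2-R3", "R3-SRX"]}[vrrp_master(down)]
    return None if set(hops) & set(down) else hops


def srx_to_cisco(down):
    """The RPM probe to 10.1.4.1 is pinned through 10.4.5.4 by the /32 static
    route, so it needs both R4-SRX and R1-R4 up. After successive-loss 3 the
    ip-monitoring policy installs 0/0 via 10.3.5.3 (R3) instead."""
    probe_ok = not ({"R4-SRX", "R1-R4"} & set(down))
    hops = ["R4-SRX", "R1-R4"] if probe_ok else ["R3-SRX", "R2-R3"]
    return None if set(hops) & set(down) else hops


def evaluate(down):
    """Summarise both sides' choices for a set of failed links."""
    down = set(down)
    out, back = cisco_to_srx(down), srx_to_cisco(down)
    return {"vrrp_master": vrrp_master(down), "cisco_to_srx": out,
            "srx_to_cisco": back, "ping_ok": out is not None and back is not None}


if __name__ == "__main__":
    # Walk every zero-, one- and two-link failure and flag the asymmetric cases.
    for n in range(3):
        for down in combinations(LINKS, n):
            result = evaluate(down)
            flag = "" if result["ping_ok"] else "  <-- ping fails"
            print(f"down={list(down) or 'none'}: {result}{flag}")
```

The R4-SRX case shows why the lab's verify step only covers the R1-R4 link: track 1 tests the directly connected 10.1.4.4, so a failure behind R4 leaves R1 as VRRP master while the SRX has already moved to R3.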