How to Juniper SRX static route failover
February 22, 2020
Under normal circumstances, routing failover should be handled by the dynamic routing protocols in the network, not on the endpoints. Sometimes, however, that cannot be avoided, and that is where the RPM feature on SRX boxes comes in handy.
In our environment it is useful for failover of static routing between the BA and KE sites. When the connection drops somewhere along the path while the endpoints' interfaces stay up, we cannot use the qualified-next-hop functionality: the original route stays in the routing table and the device knows nothing about the outage along the path. With RPM we set up link monitoring (ICMP) between the boxes, and when they can no longer communicate over the primary link, the static routes are switched to the backup link.
First we configure the required static routes via the primary link.
# run show configuration routing-options static
route 192.168.0.0/24 next-hop 192.168.254.9;
route 192.168.201.0/24 next-hop 192.168.254.9;
Next we create an RPM probe that monitors the other end of the IPsec tunnel; when 3 pings fail within the configured intervals, the test is evaluated as FAILED. In our case that is 35s.
# run show configuration services rpm probe BA-KE-LINK
test PRIMARY {
    target address 192.168.254.9;
    probe-count 3;
    probe-interval 5;
    test-interval 10;
    source-address 192.168.254.10;
    thresholds {
        successive-loss 3;
        total-loss 3;
    }
}
This state is watched by the ip-monitoring service, which adds the static routes via the backup link when the test is in the FAILED state.
# run show configuration services ip-monitoring
policy BA-KE-PRIMARY {
    match {
        rpm-probe BA-KE-LINK;
    }
    then {
        preferred-route {
            route 192.168.0.0/24 {
                next-hop 192.168.254.1;
            }
            route 192.168.201.0/24 {
                next-hop 192.168.254.1;
            }
        }
    }
}
And we can verify the result:
# run show services ip-monitoring status
Policy - BA-KE-PRIMARY (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    BA-KE-LINK             PRIMARY         192.168.254.9    PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            192.168.0.0/24    192.168.254.1    NOT-APPLIED
    inet.0            192.168.201.0/24  192.168.254.1    NOT-APPLIED
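As an added example (not from the original post), a small Python parser for the `show services ip-monitoring status` output above: it turns the text into a structure and lists every preferred route the box has currently injected, which is the condition a scripted poll (over SSH or NETCONF) would alert on instead of someone reading the CLI. The sample output is constructed from the page's policy with the probe in the failed state; the FAIL/APPLIED keywords are assumed, not captured from a device.

```python
import re

# Constructed sample (not captured from a real device): the page's policy
# after the primary link has failed, so the backup routes are APPLIED.
SAMPLE_FAILED = """\
Policy - BA-KE-PRIMARY (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    BA-KE-LINK             PRIMARY         192.168.254.9    FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            192.168.0.0/24    192.168.254.1    APPLIED
    inet.0            192.168.201.0/24  192.168.254.1    APPLIED
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
POLICY_RE = re.compile(r"^Policy - (\S+) \(Status: (\w+)\)")
# Data rows only: the header and dashed separator lines carry no IPv4 address.
PROBE_RE = re.compile(rf"^\s+(\S+)\s+(\S+)\s+({IPV4})\s+(\w+)\s*$")
ROUTE_RE = re.compile(rf"^\s+(\S+)\s+({IPV4}/\d+)\s+({IPV4})\s+([A-Z-]+)\s*$")


def parse_ip_monitoring_status(text):
    """Parse 'show services ip-monitoring status' into {policy: {...}}."""
    policies, current, section = {}, None, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = {"status": m.group(2), "probes": [], "routes": []}
            policies[m.group(1)] = current
            section = None
        elif current is None:
            continue
        elif line.strip() in ("RPM Probes:", "Route-Action:"):
            section = line.strip()
        elif section == "RPM Probes:" and (m := PROBE_RE.match(line)):
            current["probes"].append(
                {"probe": m[1], "test": m[2], "address": m[3], "status": m[4]})
        elif section == "Route-Action:" and (m := ROUTE_RE.match(line)):
            current["routes"].append(
                {"instance": m[1], "route": m[2], "next_hop": m[3], "state": m[4]})
    return policies


def applied_backup_routes(policies):
    """(policy, route, next-hop) for every preferred route currently injected."""
    return [(name, r["route"], r["next_hop"])
            for name, p in policies.items()
            for r in p["routes"] if r["state"] == "APPLIED"]
```

An empty list from `applied_backup_routes` corresponds to the NOT-APPLIED output shown above; a non-empty one means the failover has kicked in and the primary link should be investigated.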