Juniper SRX – Route-failover in a typical DUAL ISP scenario

http://www.juniperlab.info/p/route-failover-in-typical-dual-isp.html

Interface Configuration on Edge Router 

set interfaces em0 unit 0 family inet address 192.168.0.1/24
set interfaces em1 unit 0 family inet address 192.168.1.2/24
set interfaces em2 unit 0 family inet address 192.168.2.1/24

Interface Configuration on ISP1 Router 

set interfaces em0 unit 0 family inet address 192.168.0.4/24
set interfaces em1 unit 0 family inet address 192.168.1.3/24
set interfaces em2 unit 0 family inet address 192.168.20.1/24


Interface Configuration on ISP2 Router 

set interfaces em0 unit 0 family inet address 192.168.0.5/24
set interfaces em1 unit 0 family inet address 192.168.2.2/24
set interfaces em2 unit 0 family inet address 172.16.1.1/24

Interface Configuration on Destination Router 

set interfaces em0 unit 0 family inet address 192.168.0.6/24
set interfaces em1 unit 0 family inet address 192.168.20.2/24
set interfaces em2 unit 0 family inet address 172.16.1.2/24
set interfaces lo0 unit 0 family inet address 192.168.163.1/24  ->loopback interface we are going to ping

Static Routes Configuration on Edge Router

set routing-options static route 192.168.20.0/24 next-hop 192.168.1.3 ->Main Route to 192.168.20.0 subnet
set routing-options static route 172.16.1.0/24 next-hop 192.168.2.2  ->Route to 172.16.1.0 subnet
set routing-options static route 192.168.163.0/24 qualified-next-hop 192.168.1.3 preference 8 -> Backup Route to destination router
*The preference number here indicates which route should be the backup.
set routing-options static route 192.168.163.0/24 qualified-next-hop 192.168.2.2 bfd-liveness-detection version automatic
set routing-options static route 192.168.163.0/24 qualified-next-hop 192.168.2.2 bfd-liveness-detection minimum-interval 200
set routing-options static route 192.168.163.0/24 qualified-next-hop 192.168.2.2 bfd-liveness-detection transmit-interval minimum-interval 200

*As you can see, we have configured Bidirectional Forwarding Detection (BFD), the protocol that was created to detect link failures very quickly. In a routed environment, this is especially useful when two Layer 3 devices are connected to a Layer 2 device in the middle. The problem is that the ISP2 Router link could go down on Edge Router, but ISP1 would not detect the failure until the protocol timed out as a result of its local link remaining up. See more about BFD configuration in the Juniper docs.

Static Routes Configuration on ISP1 Router

set routing-options static route 192.168.163.0/24 next-hop 192.168.20.2 ->or
set routing-options static route 0.0.0.0/0 next-hop 192.168.20.2

Static Routes Configuration on ISP2 Router

set routing-options static route 192.168.163.0/24 next-hop 172.16.1.2
set routing-options static route 192.168.2.0/24 next-hop 192.168.2.1 ->Route to 192.168.2.0 subnet on Edge Router
set routing-options static route 192.168.2.0/24 bfd-liveness-detection version automatic
set routing-options static route 192.168.2.0/24 bfd-liveness-detection minimum-interval 200
set routing-options static route 192.168.2.0/24 bfd-liveness-detection transmit-interval minimum-interval 200

*Note: If BFD is configured on only one end of a static route (Edge Router), the route is removed from the routing table. BFD establishes a session only when it is configured on both ends of the static route. Therefore we have added the route to the Edge Router and applied BFD on ISP2.
Get more information about Configuring Bidirectional Forwarding Detection at http://www.getgreennetworking.com/techpubs/en_US/junos11.1/information-products/topic-collections/config-guide-routing/index.html?topic-36024.html.
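
The selection logic described in the two BFD notes above, as an added example (a simplified Python model written for this page, not Junos code or the author's own). It assumes the Junos defaults of static preference 5 and BFD multiplier 3, ignores interface state, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

DEFAULT_STATIC_PREFERENCE = 5   # Junos default preference for static routes
DEFAULT_BFD_MULTIPLIER = 3      # Junos default detection multiplier (assumed unchanged)

@dataclass
class NextHop:
    address: str
    preference: int = DEFAULT_STATIC_PREFERENCE
    bfd_configured: bool = False  # bfd-liveness-detection set on this end
    bfd_session_up: bool = False  # true only if the peer runs BFD too

    def usable(self) -> bool:
        # Simplification: interface state is ignored. A BFD-protected next
        # hop counts only while its session is up; others always count.
        return self.bfd_session_up if self.bfd_configured else True

def select_next_hop(hops):
    """Return the usable next hop with the lowest preference, or None."""
    usable = [h for h in hops if h.usable()]
    return min(usable, key=lambda h: h.preference, default=None)

def detection_time_ms(minimum_interval_ms, multiplier=DEFAULT_BFD_MULTIPLIER):
    """Approximate time without BFD packets before the session goes down."""
    return minimum_interval_ms * multiplier

def edge_next_hop(isp2_bfd_up):
    """Next hop the Edge Router uses for 192.168.163.0/24."""
    hops = [
        NextHop("192.168.1.3", preference=8),  # backup, via ISP1
        NextHop("192.168.2.2", bfd_configured=True,
                bfd_session_up=isp2_bfd_up),   # main, via ISP2
    ]
    chosen = select_next_hop(hops)
    return chosen.address if chosen else None
```

With BFD configured on one end only, the session never comes up, so the ISP2 next hop behaves exactly like the failed case and traffic stays on the preference 8 route.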

Static Routes Configuration on Destination Router

set routing-options static route 192.168.20.0/24 next-hop 192.168.20.1 ->test route
set routing-options static route 192.168.1.0/24 qualified-next-hop 192.168.20.1 preference 8 ->Backup Route to 192.168.1.0 subnet
set routing-options static route 172.16.1.0/24 next-hop 172.16.1.1 ->test route
set routing-options static route 192.168.2.0/24 qualified-next-hop 172.16.1.1 preference 7 ->Main Route to 192.168.2.0 subnet

IP MONITORING WITH FBF (FILTER BASED FORWARDING IN A DUAL ISP SCENARIO)

The IP monitoring with route failover feature is available from the 11.2 release. This article deals with the specific configuration of this feature to perform a route failover in a typical dual ISP scenario.

    • We have two ISPs, one terminating on ge-0/0/0 and the other on ge-0/0/1.
    • The primary default gateway for the traffic is via ge-0/0/0.

We will configure RPM probe tests and a corresponding action for each instance.

Routing-Instance Configuration

set routing-instances FBF-1 instance-type forwarding —————> First Routing Instance
set routing-instances FBF-1 routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

set routing-instances FBF-2 instance-type forwarding —————> Second Routing Instance
set routing-instances FBF-2 routing-options static route 0.0.0.0/0 next-hop 2.2.2.2

Interfaces

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24 ------------> First ISP Network
set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.1/24 ------------> Second ISP Network

set interfaces ge-0/0/2 unit 0 family inet filter input F1
set interfaces ge-0/0/2 unit 0 family inet address 10.10.10.1/24 ——–> LAN Network

Firewall Filter Configuration

set firewall filter F1 term 1 from source-address 10.10.10.2/32
set firewall filter F1 term 1 then routing-instance FBF-2

set firewall filter F1 term 2 from source-address 0.0.0.0/0
set firewall filter F1 term 2 then routing-instance FBF-1

RPM Configuration

set services rpm probe Probe-Server test testsvr target address 1.1.1.1 ---------> RPM Probes test for the target in First ISP.
set services rpm probe Probe-Server test testsvr probe-count 10
set services rpm probe Probe-Server test testsvr probe-interval 5
set services rpm probe Probe-Server test testsvr test-interval 10
set services rpm probe Probe-Server test testsvr thresholds successive-loss 10
set services rpm probe Probe-Server test testsvr thresholds total-loss 5
set services rpm probe Probe-Server test testsvr destination-interface ge-0/0/0.0
set services rpm probe Probe-Server test testsvr next-hop 1.1.1.1

set services rpm probe Probe-Server1 test testsvr target address 2.2.2.2 ———> RPM Probes test for the target in Second ISP.
set services rpm probe Probe-Server1 test testsvr probe-count 10
set services rpm probe Probe-Server1 test testsvr probe-interval 5
set services rpm probe Probe-Server1 test testsvr test-interval 0
set services rpm probe Probe-Server1 test testsvr thresholds successive-loss 10
set services rpm probe Probe-Server1 test testsvr thresholds total-loss 5
set services rpm probe Probe-Server1 test testsvr destination-interface ge-0/0/1.0
set services rpm probe Probe-Server1 test testsvr next-hop 2.2.2.2

IP-Monitoring Configuration

set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
set services ip-monitoring policy Server-Tracking then preferred-route routing-instances FBF-1 route 0.0.0.0/0 next-hop 2.2.2.2 ------> Installs route in the First Routing Instance

set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
set services ip-monitoring policy Server-Tracking1 then preferred-route routing-instances FBF-2 route 0.0.0.0/0 next-hop 1.1.1.1 ------> Installs route in Second Routing Instance

To verify, run the following command: 

user@SRX> show services ip-monitoring status all   [  WHEN Probe for ISP-2 has failed  ]

Policy - Payment-Server-Tracking
RPM Probes:
Probe name                    Address    Status
---------------------- ---------------- ---------
Probe-Server           1.1.1.1   PASS        ----------------------------------> Result of the RPM
Route-Action:
route-instance      route               next-hop      State
----------------- ----------------- ---------------- -------------
FBF-1            0.0.0.0/0         2.2.2.2           NOT-APPLIED    -----------------------------------> Action Taken

Policy - Payment-Server-Tracking1
RPM Probes:
Probe name                  Address     Status
---------------------- ---------------- ---------
Probe-Server1    192.168.1.109  Failed      -----------------------------------> RESULT of the RPM 
Route-Action:
route-instance          route          next-hop        State
----------------- ----------------- ----------------   -------------
FBF-2                 0.0.0.0/0         1.1.1.1         APPLIED    -----------------------------------> Action Taken
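
A way to check this output automatically, as an added example (Python written for this page, not part of the original article or of Junos). It parses the status text into policies and reports every route action that is in effect; the sample text is constructed in the format shown above, and the function names are hypothetical.

```python
import re

# Constructed sample in the format shown above (not captured from a device).
SAMPLE = """\
Policy - Server-Tracking
RPM Probes:
Probe name             Address          Status
---------------------- ---------------- ---------
Probe-Server           1.1.1.1          PASS
Route-Action:
route-instance    route             next-hop         State
----------------- ----------------- ---------------- -------------
FBF-1             0.0.0.0/0         2.2.2.2          NOT-APPLIED

Policy - Server-Tracking1
RPM Probes:
Probe name             Address          Status
---------------------- ---------------- ---------
Probe-Server1          2.2.2.2          FAIL
Route-Action:
route-instance    route             next-hop         State
----------------- ----------------- ---------------- -------------
FBF-2             0.0.0.0/0         1.1.1.1          APPLIED
"""

POLICY = re.compile(r"^Policy - (\S+)")
PROBE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3})\s+(\S+)")
ROUTE = re.compile(r"^(\S+)\s+(\S+/\d+)\s+(\S+)\s+(NOT-APPLIED|APPLIED)")

def parse_status(text):
    """Return one dict per policy with its probe results and route actions."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY.match(line):
            policies.append({"policy": m.group(1), "probes": [], "routes": []})
        elif not policies:
            continue  # ignore anything before the first policy header
        elif m := ROUTE.match(line):
            policies[-1]["routes"].append(m.groups())
        elif m := PROBE.match(line):
            policies[-1]["probes"].append(m.groups())
    return policies

def failed_over(policies):
    """List (policy, instance, next_hop) for every route action in effect."""
    return [(p["policy"], inst, nh)
            for p in policies
            for inst, _route, nh, state in p["routes"] if state == "APPLIED"]
```

Header and separator rows fail both row patterns, and trailing annotations after the State column are ignored, so text copied from the device can be fed in unchanged.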

The Output of the route table will be as under:

> show route |no-more

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.10.0/24 *[Direct/0] 00:24:56
> via ge-0/0/2.0
10.10.10.1/32 *[Local/0] 00:25:04
Local via ge-0/0/2.0
1.1.1.0/24 *[Direct/0] 00:00:09
> via ge-0/0/0.0
1.1.1.2/32 *[Local/0] 00:25:04
Local via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:05:17
> via ge-0/0/1.0
2.2.2.1/32 *[Local/0] 00:25:04
Local via ge-0/0/1.0

FBF-1.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:00:09
> to 1.1.1.1 via ge-0/0/0.0 -----------------> NO Change in ROUTE
10.10.10.0/24 *[Direct/0] 00:24:56
> via ge-0/0/2.0
10.10.10.1/32 *[Local/0] 00:25:04
Local via ge-0/0/2.0
1.1.1.0/24 *[Direct/0] 00:00:09
> via ge-0/0/0.0
1.1.1.2/32 *[Local/0] 00:25:04
Local via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:05:17
> via ge-0/0/1.0
2.2.2.1/32 *[Local/0] 00:25:04
Local via ge-0/0/1.0

FBF-2.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/1] 00:00:10 ------------> Note that this route has a preference value of 1 instead of 5 [default for static].
> to 1.1.1.1 via ge-0/0/0.0 --------------> CHANGE in INSTALLED ROUTE
10.10.10.0/24 *[Direct/0] 00:24:56
> via ge-0/0/2.0
10.10.10.1/32 *[Local/0] 00:25:04
Local via ge-0/0/2.0
1.1.1.0/24 *[Direct/0] 00:00:09
> via ge-0/0/0.0
1.1.1.2/32 *[Local/0] 00:25:04
Local via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:05:17
> via ge-0/0/1.0
2.2.2.1/32 *[Local/0] 00:25:04
Local via ge-0/0/1.0

> show route forwarding-table table FBF-1.inet

Routing table: FBF-1.inet

Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 36 2
default user 0 indr 262143 2
0:26:88:e6:d2:0 ucst 539 3 ge-0/0/0.0
1.1.1.0/24 intf 0 rslv 582 1 ge-0/0/0.0
1.1.1.0/32 dest 0 1.1.1.0 recv 580 1 ge-0/0/0.0
1.1.1.1/32 dest 0 0:26:88:e6:d2:0 ucst 539 3 ge-0/0/0.0
1.1.1.2/32 intf 0 1.1.1.2 locl 581 3
1.1.1.2/32 dest 0 1.1.1.2 locl 581 3
1.1.1.255/32 dest 0 1.1.1.255 bcst 579 1 ge-0/0/0.0
2.2.2.0/24 intf 0 rslv 586 1 ge-0/0/1.0
2.2.2.0/32 dest 0 2.2.2.0 recv 584 1 ge-0/0/1.0
2.2.2.1/32 intf 0 2.2.2.1 locl 585 3
2.2.2.1/32 dest 0 2.2.2.1 locl 585 3
2.2.2.2/32 dest 0 2.2.2.2 hold 540 1 ge-0/0/1.0
2.2.2.255/32 dest 0 2.2.2.255 bcst 583 1 ge-0/0/1.0
10.10.10.0/24 intf 0 rslv 590 1 ge-0/0/2.0
10.10.10.0/32 dest 0 10.10.10.0 recv 588 1 ge-0/0/2.0
10.10.10.1/32 dest 0 00:24:dc:24:f9:f0 ucst 36 2
10.10.10.2/32 intf 0 10.10.10.2 locl 589 2
10.10.10.2/32 dest 0 10.10.10.2 locl 589 2
10.10.10.255/32 dest 0 10.10.10.255 bcst 587 1 ge-0/0/2.0
224.0.0.0/4 perm 0 mdsc 35 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 31 1
255.255.255.255/32 perm 0 bcst 32 1

>show route forwarding-table table FBF-2.inet
Routing table: FBF-2.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default user 0 indr 262143 2
0:26:88:e6:d2:0 ucst 539 3 ge-0/0/0.0
default perm 0 rjct 545 2
0.0.0.0/32 perm 0 dscd 543 1
1.1.1.0/24 user 0 rtbl 1 3
1.1.1.2/32 user 0 1.1.1.2 locl 581 3
2.2.2.0/24 user 0 rtbl 1 3
2.2.2.1/32 user 0 2.2.2.1 locl 585 3
10.10.10.1/32 user 0 rjct 545 2
224.0.0.0/4 perm 0 mdsc 544 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 517 1
255.255.255.255/32 perm 0 bcst 541 1

 

http://kb.juniper.net/InfoCenter/

 

 
