Overview
Automatically switch between the primary and alternate next hop based on the ping result returned from a remote host. This applies to SLAX version 1.0 and higher.
Description
Use real-time performance monitoring (RPM) to automatically use an alternate next-hop path to reach a remote host when it becomes unreachable, and re-establish the original path when the remote host becomes reachable again.
When a device has been pingable for the last few tries and then the ping test fails, a script is triggered that enables an alternate next hop for the device, temporarily disabling the interface associated with the primary next hop to the non-pingable device. When the ping test is again successful, the temporary next hop is disabled and the original route is re-established.
System Requirements
All platforms; JUNOS Software 9.3 and above.
Set Up
- Copy the scripts enable-primary-nexthop-metric.slax and enable-alternate-nexthop-metric.slax to the /var/db/scripts/event directory on the router.
- Use a text editor to create two configuration sections: one for the real-time monitoring of the target address, and one for the event-related configuration to enable the next hop.
- For the RPM-related configuration, create and save the configuration shown below. In the area marked EDIT HERE, enter a valid, pingable IP address as the target address. This is the address for which the system will enable the primary or alternate next-hop route as needed.
services {
    rpm {
        probe icmp-ping-probe {
            test ping-probe-test {
                probe-type icmp-ping;
                target address 10.63.0.50; /* EDIT HERE */
                test-interval 60;
            }
        }
    }
}
- For the event-related configuration, create and save the configuration shown below. In the areas marked EDIT HERE, enter the name of the primary next-hop interface that will be enabled or disabled based on the ping test event.
event-options {
    policy enable-primary-nexthop {
        events ping_test_completed;
        within 60 {
            trigger on 1;
        }
        within 120 events ping_test_failed;
        then {
            event-script enable-primary-nexthop.slax {
                arguments {
                    next-hop-interface <interface-name>; /* EDIT HERE */
                }
                output-filename foo;
                destination foo;
            }
        }
    }
    policy enable-alternate-nexthop {
        events ping_test_failed;
        within 60 {
            trigger on 1;
        }
        within 120 events ping_test_completed;
        then {
            event-script enable-alternate-nexthop.slax {
                arguments {
                    next-hop-interface <interface-name>; /* EDIT HERE */
                }
                output-filename zoo;
                destination foo;
            }
        }
    }
    destinations {
        foo {
            archive-sites {
                /var/tmp;
            }
        }
    }
}
- Enable the scripts by adding the file statement and script filenames to the [edit event-options event-script] hierarchy level as shown below. Only superusers can enable event scripts in the configuration.
[edit event-options event-script]
user@host# set file enable-primary-nexthop.slax
[edit event-options event-script]
user@host# set file enable-alternate-nexthop.slax
- Load the configuration information:
- Use the text editor to open the configuration file that was created previously, and copy its contents to the clipboard. Make sure you have copied both configuration sections, the RPM-related and the event-related.
- On the device, enter configuration mode:
user@host% cli
user@host> configure
Entering configuration mode

[edit]
user@host#
- Use the load merge terminal command to load the configuration information and merge it with the current configuration:
[edit]
user@host# load merge terminal
[Type ^D at a new line to end input]
> Paste the contents of the clipboard here <
- At the prompt, paste the contents of the clipboard.
- Press Enter.
- Press Ctrl+D.
- Commit the configuration:
[edit]
user@host# commit and-quit
How to Run
Once the scripts and configurations have been loaded, the script enable-alternate-nexthop.slax is launched upon event ping_test_failed—when the remote destination was pingable in the last few tries and is not pingable in the latest try. The next hop for the default route is added as dl2.0 and the interface passed to this script as an argument is disabled.
The script enable-primary-nexthop.slax is launched upon event ping_test_completed—when the remote destination was not pingable in the last few tries and is pingable in the latest try. The primary next hop for the default route is added back, and the interface passed to the script as an argument is enabled.
version 11.1R1.10;
system {
    scripts {
        op {
            file enable-alternate-nexthop-metric.slax;
            file enable-primary-nexthop-metric.slax;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.254.1.1/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 172.16.1.1/30;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.10.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
event-options {
    policy enable-primary-nexthop-metric {
        events ping_test_completed;
        within 10 {
            trigger on 1;
        }
        then {
            execute-commands {
                commands {
                    "clear security ipsec security-associations";
                    "clear security ike security-associations";
                }
            }
            event-script enable-primary-nexthop-metric.slax;
        }
    }
    policy enable-alternate-nexthop-metric {
        events ping_test_failed;
        within 10 {
            trigger on 1;
        }
        then {
            execute-commands {
                commands {
                    "clear security ipsec security-associations";
                    "clear security ike security-associations";
                }
            }
            event-script enable-alternate-nexthop-metric.slax;
        }
    }
}
routing-options {
    static {
        route 192.168.0.0/24 next-hop st0.0;
        route 0.0.0.0/0 {
            qualified-next-hop 10.254.1.2 {
                metric 100;
            }
            qualified-next-hop 172.16.1.2 {
                metric 150;
            }
        }
    }
}
security {
    ike {
        proposal phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy phase1-policy {
            mode aggressive;
            proposals phase1-proposal;
            pre-shared-key ascii-text "$9$km5FCtOcyKn/yKM8dVqmf"; ## SECRET-DATA
        }
        gateway gw1 {
            ike-policy phase1-policy;
            address 172.31.1.1;
            local-identity hostname srx210;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals phase2-proposal;
        }
        vpn pix525-1 {
            bind-interface st0.0;
            ike {
                gateway gw1;
                proxy-identity {
                    local 192.168.10.0/24;
                    remote 192.168.0.0/24;
                }
                ipsec-policy phase2-policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                    ssh;
                    http;
                }
            }
            interfaces {
                ge-0/0/0.0;
                ge-0/0/1.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/2.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}
services {
    rpm {
        probe icmp-ping-probe {
            test ping-probe-test {
                probe-type icmp-ping;
                target address 10.254.1.2;
                test-interval 1;
                source-address 10.254.1.1;
            }
        }
    }
}
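The two event policies above fire on a transition (a failure after a success, or a success after a failure) rather than on every probe result. The following is an added example, not code from the Juniper script library or the author: a small Python simulator of that correlation logic run over constructed probe timelines. It assumes a simplified model of eventd (a trailing trigger window in which "trigger on 1" fires only for the first occurrence, and a correlated event that must precede the trigger within its window); the policy names, windows and event names are those of the Set Up configuration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    trigger: str           # 'events <trigger>;'
    trigger_window: int    # 'within <trigger_window> { trigger on 1; }'
    correlate: str         # 'within <correlate_window> events <correlate>;'
    correlate_window: int

# The two policies from the event-related configuration in the Set Up section.
POLICIES = (
    Policy("enable-primary-nexthop", "ping_test_completed", 60, "ping_test_failed", 120),
    Policy("enable-alternate-nexthop", "ping_test_failed", 60, "ping_test_completed", 120),
)

def run_policies(timeline, policies=POLICIES):
    """timeline: (seconds, event_name) pairs in time order; returns [(seconds, policy_name), ...].
    Assumed model: 'trigger on 1' fires only when no earlier trigger event lies in the trailing
    trigger_window; the correlated event must have arrived less than correlate_window seconds
    before the trigger (the real eventd semantics may differ in detail)."""
    seen = []      # history of (seconds, event_name) already processed
    firings = []
    for ts, ev in timeline:
        for p in policies:
            if ev != p.trigger:
                continue
            damped = any(e == p.trigger and ts - t < p.trigger_window for t, e in seen)
            correlated = any(e == p.correlate and ts - t < p.correlate_window for t, e in seen)
            if not damped and correlated:
                firings.append((ts, p.name))
        seen.append((ts, ev))
    return firings

def firing_count(timeline):
    """Number of script runs; in the example configuration each run also clears the IKE/IPsec SAs."""
    return len(run_policies(timeline))

# Constructed timeline, 60 s test-interval as in the Set Up RPM configuration:
# target unreachable from t=180 s, reachable again from t=360 s.
STEADY_FAIL_RECOVER = [
    (0, "ping_test_completed"), (60, "ping_test_completed"), (120, "ping_test_completed"),
    (180, "ping_test_failed"), (240, "ping_test_failed"), (300, "ping_test_failed"),
    (360, "ping_test_completed"), (420, "ping_test_completed"),
]

# Constructed flapping timeline, 1 s test-interval as in the example configuration:
# the probe result alternates every second for ten seconds.
FLAPPING = [(t, "ping_test_completed" if t % 2 == 0 else "ping_test_failed") for t in range(10)]
```

Under this model the steady timeline yields exactly one alternate firing (t=180) and one primary firing (t=360), while the flapping probe is damped to a single firing by the 60 s trigger window; confirm the window semantics on the platform in use before relying on that damping, since each firing in the example configuration tears down the VPN SAs.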
Enable Primary SLAX Script Contents
/*
 * Author : Robert Lemm
 * Version : 1.0
 * Last Modified :
 * Release : 9.3 and above
 * Platform : all
 *
 * Description : enable-primary-nexthop.slax
 * This script changes the metric on an existing route entry for a remote host.
 * This script will get executed on the occurrence of event 'ping_test_completed'.
 */

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match / {
    <event-script-results> {
        /*
         * Open connection with mgd. Without a connection there is nothing
         * to load into, so the change is only attempted in the else branch.
         */
        var $con = jcs:open();
        if (not($con)) {
            <xnm:error> {
                <message> "Not able to connect with local mgd";
            }
        } else {
            /*
             * Change Metric for primary-path to 100 and secondary-path to 150,
             * and point the IKE gateway back at the primary external interface.
             */
            var $change-route = {
                <configuration> {
                    <routing-options> {
                        <static> {
                            <route> {
                                <name> "0.0.0.0/0";
                                <qualified-next-hop> {
                                    <name> "10.254.1.2";
                                    <metric> "100";
                                }
                                <qualified-next-hop> {
                                    <name> "172.16.1.2";
                                    <metric> "150";
                                }
                            }
                        }
                    }
                    <security> {
                        <ike> {
                            <gateway> {
                                <name> "gw1";
                                <ike-policy> "phase1-policy";
                                <address> "172.31.1.1";
                                <local-identity> {
                                    <hostname> {
                                        <identity-hostname> "srx210";
                                    }
                                }
                                <external-interface> "ge-0/0/0.0";
                            }
                        }
                    }
                }
            }
            /*
             * Load and commit the change (jcs:load-configuration comes from junos.xsl).
             */
            var $change-route-results = {
                call jcs:load-configuration($connection = $con, $configuration = $change-route);
            }
            /*
             * Surface any load or commit error in the event-script results instead
             * of silently leaving the route and gateway unchanged, then close mgd.
             */
            copy-of $change-route-results//xnm:error;
            expr jcs:close($con);
        }
    }
}
Enable Alternate SLAX Script Contents
/*
 * Author : Robert Lemm
 * Version : 1.0
 * Last Modified :
 * Release : 9.3 and above
 * Platform : all
 *
 * Description : enable-alternate-nexthop.slax
 * This script changes the metric on an existing route entry for a remote host.
 * This script will get executed on the occurrence of event 'ping_test_failed'.
 */

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match / {
    <event-script-results> {
        /*
         * Open connection with mgd. Without a connection there is nothing
         * to load into, so the change is only attempted in the else branch.
         */
        var $con = jcs:open();
        if (not($con)) {
            <xnm:error> {
                <message> "Not able to connect with local mgd";
            }
        } else {
            /*
             * Change Metric for primary-path to 150 and secondary-path to 100,
             * and move the IKE gateway onto the alternate external interface.
             */
            var $change-route = {
                <configuration> {
                    <routing-options> {
                        <static> {
                            <route> {
                                <name> "0.0.0.0/0";
                                <qualified-next-hop> {
                                    <name> "10.254.1.2";
                                    <metric> "150";
                                }
                                <qualified-next-hop> {
                                    <name> "172.16.1.2";
                                    <metric> "100";
                                }
                            }
                        }
                    }
                    <security> {
                        <ike> {
                            <gateway> {
                                <name> "gw1";
                                <ike-policy> "phase1-policy";
                                <address> "172.31.1.1";
                                <local-identity> {
                                    <hostname> {
                                        <identity-hostname> "srx210";
                                    }
                                }
                                <external-interface> "ge-0/0/1.0";
                            }
                        }
                    }
                }
            }
            /*
             * Load and commit the change (jcs:load-configuration comes from junos.xsl).
             */
            var $change-route-results = {
                call jcs:load-configuration($connection = $con, $configuration = $change-route);
            }
            /*
             * Surface any load or commit error in the event-script results instead
             * of silently leaving the route and gateway unchanged, then close mgd.
             */
            copy-of $change-route-results//xnm:error;
            expr jcs:close($con);
        }
    }
}
Enable Primary XML Script Contents
<?xml version="1.0"?>
<script>
  <title>enable-primary-nexthop-metric.slax</title>
  <alternate>enable-alternate-nexthop-metric.slax</alternate>
  <author>rlemm</author>
  <synopsis>
    An event script that disables an IPsec tunnel based on a timeout from an RPM probe
  </synopsis>
  <coe>op</coe>
  <type>display</type>

  <description>
    This script changes the metric on an existing route entry for a remote host.
    This script will get executed on the occurrence of event 'ping_test_completed'.
  </description>

  <example>
    <config>example-1.conf</config>
  </example>

  <xhtml:script xmlns:xhtml="http://www.w3.org/1999/xhtml"
                src="../../../../../web/leaf.js"
                type="text/javascript"/>
</script>