Hi, I've been at this for a few days now and I can't get to the bottom of it. I'm trying to configure filter-based forwarding (FBF) and WAN redundancy on an SRX210H chassis cluster.
reth0 Lan
reth2 WAN Dedicated BW
reth3 WAN Shared BW
reth4 WAN Backup
What I'm trying to do is route traffic with destination ports 5060 8200 1853 49104-65534 3478 22 80 through reth2 and everything else through reth3. I managed to do this, but the problem is that if reth2 is down, traffic is not redirected to reth3, which is configured as the qualified next hop. I tried setting it up with an RPM probe and IP monitoring, but it didn't work.
reth4 needs to be the backup in case both reth2 and reth3 are down. Does anyone have any ideas?
Any info would be much appreciated. Please see my config below:
{primary:node0}
root@JN-FW-01> show configuration
## Last commit: 2016-03-11 17:59:43 GMT by root
version 12.1X46-D35.1;
/* Per-node settings: each cluster member gets its own hostname and its own fxp0 address out of 10.10.11.0/24. */
groups {
node0 {
system {
host-name JN-FW-01;
}
interfaces {
/* fxp0 is the cluster management port; it is not a member of any security zone below, so it is policed by the node's own host-inbound defaults rather than by the zone config. */
fxp0 {
unit 0 {
family inet {
address 10.10.11.1/24;
}
}
}
}
}
node1 {
system {
host-name JN-FW-02;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.10.11.2/24;
}
}
}
}
}
}
/* "${node}" expands to node0 or node1 at commit time, so each member applies only its own group. */
apply-groups "${node}";
system {
time-zone Europe/London;
/* Shown empty: no root password or SSH key is visible. Junos normally refuses to commit without root-authentication, so this was presumably redacted for the post - confirm a strong root credential (or ssh key) is actually set. */
root-authentication {
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
/* SSH with defaults only; consider adding root-login deny and protocol-version v2 (neither is set here). */
ssh;
/* xnm-clear-text is the unencrypted JUNOScript/XML management channel. No zone below lists it in host-inbound system-services, so it is enabled but unreachable; removing it (or using xnm-ssl) drops unused attack surface. */
xnm-clear-text;
web-management {
https {
/* Self-signed certificate: clients cannot authenticate the device, so J-Web sessions are exposed to MITM unless the cert is pinned by the admin browser. */
system-generated-certificate;
/* J-Web listens on the two WAN-facing reths as well as the LAN; together with the untrust zone permitting https inbound (see security zones), J-Web is reachable from the Internet. Limit this to reth0.0 unless WAN-side admin access is deliberate. */
interface [ reth0.0 reth2.0 reth3.0 ];
}
}
dhcp {
/* Global DHCP defaults (Google DNS); the 10.20.0.0/24 pool below overrides the name-servers with OpenDNS. */
maximum-lease-time 345600;
default-lease-time 259200;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
10.20.0.254;
}
/* LAN pool; 10.20.0.254 (reth0.0) is kept out of the range and handed out as the gateway. */
pool 10.20.0.0/24 {
address-range low 10.20.0.1 high 10.20.0.253;
maximum-lease-time 345600;
default-lease-time 259200;
name-server {
208.67.222.222;
208.67.220.220;
}
router {
10.20.0.254;
}
}
}
}
syslog {
archive size 100k files 3;
inactive: user * {
any emergency;
}
/* Only critical-and-above events are kept in messages, and interactive-commands only at error severity: operator commands and commit/change events are effectively not recorded, and there is no remote syslog host. Consider any notice (or info), interactive-commands any, and a remote host so an audit trail survives the box. */
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
/* Single, unauthenticated NTP source. Log correlation and certificate validity both depend on time; a second server is advisable. */
ntp {
server 94.228.40.3;
}
}
chassis {
cluster {
control-link-recovery;
/* reth-count 6 instantiates reth0 through reth5. reth6 is also configured under interfaces below - verify it is actually created on this release, or remove it. */
reth-count 6;
/* RG0 is the routing engine; node0 is the preferred primary. */
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
/* RG1 carries every reth. Each monitored link has weight 255, which equals the failover threshold, so loss of any single monitored port on the primary node (including the fe-x/0/4 backup-WAN ports) fails the whole RG over to the other node. No preempt is configured, so it stays there until a manual failover. Note this only reacts to physical link loss: if a WAN link stays up but the ISP behind it is dead, nothing here triggers, and the static routes below presumably keep resolving - that case needs RPM + ip-monitoring. */
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
interface-monitor {
ge-0/0/0 weight 255;
ge-2/0/0 weight 255;
ge-0/0/1 weight 255;
ge-2/0/1 weight 255;
fe-0/0/2 weight 255;
fe-2/0/2 weight 255;
fe-0/0/3 weight 255;
fe-2/0/3 weight 255;
fe-0/0/4 weight 255;
fe-2/0/4 weight 255;
}
}
}
}
interfaces {
/* Physical members: node0 ports are ge-0/0/x and fe-0/0/x, node1 ports are ge-2/0/x and fe-2/0/x. Port 0 -> reth0 (LAN), 1 -> reth1 (unused), 2 -> reth2 (Dedicated WAN), 3 -> reth3 (Shared WAN), 4 -> reth4 (Backup WAN), 5 -> fabric. */
ge-0/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/1 {
gigether-options {
redundant-parent reth1;
}
}
fe-0/0/2 {
fastether-options {
redundant-parent reth2;
}
}
fe-0/0/3 {
fastether-options {
redundant-parent reth3;
}
}
fe-0/0/4 {
fastether-options {
redundant-parent reth4;
}
}
ge-2/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-2/0/1 {
gigether-options {
redundant-parent reth1;
}
}
fe-2/0/2 {
fastether-options {
redundant-parent reth2;
}
}
fe-2/0/3 {
fastether-options {
redundant-parent reth3;
}
}
fe-2/0/4 {
fastether-options {
redundant-parent reth4;
}
}
/* Fabric (data) link between the nodes, one port per node. */
fab0 {
fabric-options {
member-interfaces {
fe-0/0/5;
}
}
}
fab1 {
fabric-options {
member-interfaces {
fe-2/0/5;
}
}
}
/* LAN side. The Load-Balence filter is applied on ingress here, so FBF only classifies traffic arriving from the LAN; traffic originated by the SRX itself and anything arriving on the WAN reths is not steered by it. */
reth0 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description Lan;
family inet {
filter {
input Load-Balence;
}
address 10.20.0.254/24;
}
}
}
/* reth1 has a unit but no address and is not in any zone - unused. */
reth1 {
redundant-ether-options {
redundancy-group 1;
}
unit 0;
}
/* WAN uplinks. All three carry RFC1918 addresses, so each presumably sits behind an ISP CPE that does its own NAT - confirm, as the Screen/NAT design assumes the SRX is the Internet edge. */
reth2 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description Dedicated-BW;
family inet {
address 192.168.2.100/24;
}
}
}
reth3 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description Shared-BW;
family inet {
address 172.16.0.100/16;
}
}
}
reth4 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description Backup-WAN;
family inet {
address 192.168.1.100/24;
}
}
}
/* reth5 and reth6 have no units and no member ports. reth6 is outside reth-count 6 (which yields reth0-reth5); both look like leftovers. */
reth5 {
redundant-ether-options {
redundancy-group 1;
}
}
reth6 {
redundant-ether-options {
redundancy-group 1;
}
}
}
routing-options {
/* Copy the direct/interface routes into the three forwarding instances so their static next hops (the WAN gateways) can resolve. */
interface-routes {
rib-group inet import;
}
/* inet.0 default route, used for anything the Load-Balence filter does not classify (e.g. traffic the SRX originates itself). Three equal-preference next hops with no load-balancing policy: Junos installs one of them at a time, so confirm which WAN self-originated traffic (NTP, license autoupdate, DNS) actually uses. */
static {
route 0.0.0.0/0 next-hop [ 172.16.0.253 192.168.2.254 192.168.1.254 ];
}
rib-groups {
import {
import-rib [ inet.0 Dedicated.inet.0 Shared.inet.0 Backup.inet.0 ];
}
}
}
/* Spanning tree is enabled with no interface scope shown. A firewall normally does not need to participate in STP; confirm this is intentional, in particular on the WAN-facing ports. */
protocols {
stp;
}
security {
/* SIP ALG: unknown SIP messages are let through for both routed and NAT-applied sessions. This keeps non-standard SIP stacks working at the cost of passing traffic the ALG cannot parse; tighten once the SIP deployment is stable. */
alg {
sip {
retain-hold-resource;
application-screen {
unknown-message {
permit-nat-applied;
permit-routed;
}
}
}
}
/* Basic DoS screens, bound only to the untrust zone below; nothing is bound to trust. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
/* Interface source NAT for all trust->untrust traffic; the egress reth is picked by the Load-Balence filter and routing instances, so the translated address follows whichever WAN is chosen. No destination or static NAT is configured anywhere. */
nat {
source {
rule-set Outgoing {
from zone trust;
to zone untrust;
rule rule1 {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
/* Unrestricted outbound. None of the policies below has session logging, so there is no flow record to fall back on during incident response. */
from-zone trust to-zone untrust {
policy Allow-Outbound-Traffic {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone trust {
policy Allow-Internal-Mgnt {
match {
source-address any;
destination-address any;
application junos-ssh;
}
then {
permit;
}
}
}
/* SSH, HTTPS and ping to the firewall itself from ANY Internet source. Combined with the untrust zone's host-inbound-traffic this exposes device management to the whole Internet; restrict source-address to a management prefix, or drop junos-ssh/junos-https here and manage via fxp0 or the LAN. */
from-zone untrust to-zone junos-host {
policy management-3 {
match {
source-address any;
destination-address any;
application [ junos-https junos-ssh junos-ping junos-icmp-ping ];
}
then {
permit;
}
}
}
/* Permits unsolicited ping/ssh/https from any Internet host to any LAN address. With no destination NAT configured this is unlikely to match today, but it becomes a hole the moment a NAT rule is added; narrow or remove it. */
from-zone untrust to-zone trust {
policy management-4 {
match {
source-address any;
destination-address any;
application [ junos-ping junos-ssh junos-https ];
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
https;
ping;
ssh;
}
protocols {
all;
}
}
interfaces {
/* dhcp is needed here for the DHCP server on the LAN. */
reth0.0 {
host-inbound-traffic {
system-services {
dhcp;
https;
ssh;
ping;
}
}
}
}
}
/* WAN zone. Zone-level and per-interface system-services accept https/ssh/ping from the Internet on all three WAN reths, and protocols all accepts routing-protocol traffic (ospf, bgp, ...) although no routing protocol is configured. Remove protocols all and limit system-services to what is actually needed (ping at most); this is what makes policy management-3 reachable. */
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
https;
ssh;
ping;
}
protocols {
all;
}
}
interfaces {
reth2.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
reth3.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
reth4.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
}
}
/* Built-in self zone; traffic addressed to the firewall itself is policed by the untrust->junos-host policy above. */
security-zone junos-host;
}
}
firewall {
/* Stateless classifier applied on reth0.0 ingress: decides which forwarding instance (and so which WAN) a LAN flow leaves through. On the SRX the decision is made when the session is created, so sessions already pinned to Dedicated are not necessarily moved when that WAN fails - verify session behaviour on route change for this release. */
filter Load-Balence {
/* Traffic to the firewall's own LAN address and to the Shared-BW address stays in inet.0. The reth2.0 (192.168.2.100) and reth4.0 (192.168.1.100) addresses are not listed, so LAN packets to them are pushed into a forwarding instance; they presumably still reach the box via the imported interface routes, but list them here for consistency. */
term mgmt {
from {
destination-address {
10.20.0.254/32;
172.16.0.100/32;
}
}
then accept;
}
/* destination-port without a protocol qualifier matches both TCP and UDP. 22 and 80 here are destination ports of outbound flows (ssh/http servers on the Internet), not management of this box. */
term Dedicated-BW {
from {
destination-port [ 5060 8200 1853 49104-65534 3478 22 80 ];
}
then {
routing-instance Dedicated;
}
}
/* Catch-all: everything else, including ICMP and other port-less traffic, goes via Shared. No term ever references the Backup instance, so reth4 is never selected as a last resort by this filter. */
term Shared-BW {
then {
routing-instance Shared;
}
}
}
}
routing-instances {
/* Only forwarding instance with no fallback. Nothing in the Load-Balence filter points here, so for LAN traffic this route is never used; the "reth4 as backup" requirement is not expressed in this config. */
Backup {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.254;
}
}
}
/* Primary path via reth2 (default static preference 5). The qualified-next-hop via reth3 at preference 100 only takes over once 192.168.2.254 stops resolving, i.e. when reth2.0 itself goes down. If the link stays up but the ISP behind it is unreachable, the primary route remains active - that case needs RPM probes plus ip-monitoring (or a tracked static) to withdraw it. There is no third fallback to 192.168.1.254, so reth4 does not back up this instance. */
Dedicated {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 192.168.2.254;
qualified-next-hop 172.16.0.253 {
preference 100;
}
}
}
}
}
/* Mirror of Dedicated: reth3 preferred, reth2 as fallback, again with no path to reth4 and the same link-up-but-ISP-down gap. */
Shared {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 172.16.0.253;
qualified-next-hop 192.168.2.254 {
preference 100;
}
}
}
}
}
}
Kind regards,
Adrian