Routing

Hi, I've been at this for a few days now and I can't get to the bottom of it. I'm trying to configure filter based forwarding and redundancy on a srx210H cluster.

reth0 Lan

reth2 WAN Dedicated BW

reth3 WAN Shared BW

reth4 WAN Backup

What I'm trying to do is route trafic with destination ports 5060 8200 1853 49104-65534 3478 22 80 through reth2 and the rest through reth3 I managed to do this but the problem is that if reth2 is down, traffic won't get redirected to reth3, being the next qualified hop. I tried setining it up with an rpm probe and ip monitoring but it didn't work.

reth4 needs to be backup in case reth2 and reth3 are down. Anyone have any ideeas?

Any info would be much appreciated. Please see my config below:

{primary:node0}
root@JN-FW-01> show configuration
## Last commit: 2016-03-11 17:59:43 GMT by root
version 12.1X46-D35.1;
groups {
node0 {
system {
host-name JN-FW-01;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.10.11.1/24;
}
}
}
}
}
node1 {
system {
host-name JN-FW-02;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.10.11.2/24;
}
}
}
}
}
}
apply-groups "${node}";
system {
time-zone Europe/London;
root-authentication {
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
xnm-clear-text;
web-management {
https {
system-generated-certificate;
interface [ reth0.0 reth2.0 reth3.0 ];
}
}
dhcp {
maximum-lease-time 345600;
default-lease-time 259200;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
10.20.0.254;
}
pool 10.20.0.0/24 {
address-range low 10.20.0.1 high 10.20.0.253;
maximum-lease-time 345600;
default-lease-time 259200;
name-server {
208.67.222.222;
208.67.220.220;
}
router {
10.20.0.254;
}
}
}
}
syslog {
archive size 100k files 3;
inactive: user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 94.228.40.3;
}
}
chassis {
cluster {
control-link-recovery;
reth-count 6;
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
interface-monitor {
ge-0/0/0 weight 255;
ge-2/0/0 weight 255;
ge-0/0/1 weight 255;
ge-2/0/1 weight 255;
fe-0/0/2 weight 255;
fe-2/0/2 weight 255;
fe-0/0/3 weight 255;
fe-2/0/3 weight 255;
fe-0/0/4 weight 255;
fe-2/0/4 weight 255;
}
}
}
}
interfaces {
ge-0/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/1 {
gigether-options {
redundant-parent reth1;
}
}
fe-0/0/2 {
fastether-options {
redundant-parent reth2;
}
}
fe-0/0/3 {
fastether-options {
redundant-parent reth3;
}
}
fe-0/0/4 {
fastether-options {
redundant-parent reth4;
}
}
ge-2/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-2/0/1 {
gigether-options {
redundant-parent reth1;
}
}
fe-2/0/2 {
fastether-options {
redundant-parent reth2;
}
}
fe-2/0/3 {
fastether-options {
redundant-parent reth3;
}
}
fe-2/0/4 {
fastether-options {
redundant-parent reth4;
}
}
fab0 {
fabric-options {
member-interfaces {
fe-0/0/5;
}
}
}
fab1 {
fabric-options {
member-interfaces {
fe-2/0/5;
}
}
}
reth0 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description Lan;
family inet {
filter {
input Load-Balence;
}
address 10.20.0.254/24;
}
}
}
reth1 {
redundant-ether-options {
redundancy-group 1;
}
unit 0;
}
reth2 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description Dedicated-BW;
family inet {
address 192.168.2.100/24;
}
}
}
reth3 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description Shared-BW;
family inet {
address 172.16.0.100/16;
}
}
}
reth4 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description Backup-WAN;
family inet {
address 192.168.1.100/24;
}
}
}
reth5 {
redundant-ether-options {
redundancy-group 1;
}
}
reth6 {
redundant-ether-options {
redundancy-group 1;
}
}
}
routing-options {
interface-routes {
rib-group inet import;
}
static {
route 0.0.0.0/0 next-hop [ 172.16.0.253 192.168.2.254 192.168.1.254 ];
}
rib-groups {
import {
import-rib [ inet.0 Dedicated.inet.0 Shared.inet.0 Backup.inet.0 ];
}
}
}
protocols {
stp;
}
security {
alg {
sip {
retain-hold-resource;
application-screen {
unknown-message {
permit-nat-applied;
permit-routed;
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set Outgoing {
from zone trust;
to zone untrust;
rule rule1 {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy Allow-Outbound-Traffic {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone trust {
policy Allow-Internal-Mgnt {
match {
source-address any;
destination-address any;
application junos-ssh;
}
then {
permit;
}
}
}
from-zone untrust to-zone junos-host {
policy management-3 {
match {
source-address any;
destination-address any;
application [ junos-https junos-ssh junos-ping junos-icmp-ping ];
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy management-4 {
match {
source-address any;
destination-address any;
application [ junos-ping junos-ssh junos-https ];
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
https;
ping;
ssh;
}
protocols {
all;
}
}
interfaces {
reth0.0 {
host-inbound-traffic {
system-services {
dhcp;
https;
ssh;
ping;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
https;
ssh;
ping;
}
protocols {
all;
}
}
interfaces {
reth2.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
reth3.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
reth4.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
}
}
security-zone junos-host;
}
}
firewall {
filter Load-Balence {
term mgmt {
from {
destination-address {
10.20.0.254/32;
172.16.0.100/32;
}
}
then accept;
}
term Dedicated-BW {
from {
destination-port [ 5060 8200 1853 49104-65534 3478 22 80 ];
}
then {
routing-instance Dedicated;
}
}
term Shared-BW {
then {
routing-instance Shared;
}
}
}
}
routing-instances {
Backup {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.254;
}
}
}
Dedicated {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 192.168.2.254;
qualified-next-hop 172.16.0.253 {
preference 100;
}
}
}
}
}
Shared {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 172.16.0.253;
qualified-next-hop 192.168.2.254 {
preference 100;
}
}
}
}
}
}

Kind regards,

Adrian

I'm not sure I follow your configuration.  But it looks like your filter is such that all LAN traffic is going to use the dedicated for the selected ports and the shared for everything else.  So there does not seem to be any way any traffic will every leave the filter.  

typically I see these filters steer the specific traffic then end with a term just accept which then allows the rest of the traffic to fall out of the filter and follow the normal forwarding rules from there.

Hi Steve,

Thank you for your reply. I ended the filter with the Shared term and seems that traffic gets forwarded the normal route. The only problem that I have now is that if the Dedicated WAN is down, traffic with destination port 5060 8200 1853 49104-65534 3478 22 80 gets dropped. Anthing else works fine. Is there a way arround this?

Please find below the firewall filter config:

firewall {
filter Load-Balence {
term mgmt {
from {
destination-address {
10.20.0.254/32;
172.16.0.100/32;
}
}
then accept;
}
term Dedicated-BW {
from {
destination-port [ 5060 8200 1853 49104-65534 3478 22 80 ];
}
then {
routing-instance Dedicated;
}
}
term Shared-BW {
then accept;
}
}
}
routing-instances {
Backup {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.254;
}
}
}
Dedicated {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 192.168.2.254;
qualified-next-hop 172.16.0.253 {
preference 100;
}
}
}
}
}
Shared {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 172.16.0.253;
qualified-next-hop 192.168.2.254 {
preference 100;
}
}
}
}
}
}
services {
rpm {
probe INTERNET-SHARED {
test INTERNET-GATEWAY-SHARED {
probe-type icmp-ping;
target address 172.16.0.253;
probe-count 3;
probe-interval 3;
test-interval 1;
source-address 172.16.0.100;
thresholds {
successive-loss 3;
total-loss 3;
}
}
}
probe INTERNET-DEDICATED {
test INTERNET-GATEWAY-DEDICATED {
probe-type icmp-ping;
target address 192.168.2.254;
probe-count 3;
probe-interval 3;
test-interval 1;
source-address 192.168.2.100;
thresholds {
successive-loss 3;
total-loss 3;
}
}
}
}
ip-monitoring {
policy WAN-FAILOVER-SHARED {
match {
rpm-probe INTERNET-SHARED;
}
then {
preferred-route {
route 0.0.0.0/0 {
next-hop 192.168.1.254;
}
}
}
}
policy WAN-FAILOVER-DEDICATED {
match {
rpm-probe INTERNET-DEDICATED;
}
then {
preferred-route {
route 0.0.0.0/0 {
next-hop 192.168.1.254;
}
}
}
}
}
}

{primary:node0}[edit]
root@JN-FW-01#

Kind regards,

Adrian

You can use the RPM feature for failure detection on your upstream links.  This is an example configuration.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB22052

Hi Steve,

Thank you for your help. I configuread RPM and IP-Monitoring as in the link and it's all now working. 

Thank you again for your help. Much appreciated

Adrian