The post Configure IP Monitoring in SRX Cluster appeared first on MustBeGeek.
There may be cases in a network where we want to fail over to the secondary node when the Internet connection or an upstream link breaks. In a Juniper SRX cluster, you can configure failover of redundancy groups when a specific IP address becomes unreachable. The interface monitor feature configured in a redundancy group cannot accomplish this kind of failover, because it only tracks the state of the local interfaces, so there is another feature called IP monitoring. IP monitoring lets you monitor a specific IP address, and when that address is unreachable, failover is initiated. IP monitoring is easy to configure in an SRX cluster. Generally, the IP to be monitored is the gateway IP address.
Configure IP Monitoring in SRX Cluster
In our scenario, an active/passive SRX cluster is already configured. As seen in the diagram below, SRX node 0 is primary and node 1 is secondary. The public IP address configured on Reth0 is 2.2.2.2/29, and the gateway used to reach the Internet is 2.2.2.1. As shown below, if one of the Internet links between the switch and the ISP fails, the Internet connection will not be available. So the IP monitoring feature must be configured in order to switch the SRX cluster node if one of the links between the switch and the Internet fails.
The SRX redundancy groups configuration looks like this:
{primary:node0}[edit chassis cluster]
root@SRX_NODE01# show
control-link-recovery;
reth-count 3;
redundancy-group 0 {
    node 0 priority 254;
    node 1 priority 1;
}
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 150;
    gratuitous-arp-count 15;
    interface-monitor {
        ge-0/0/3 weight 255;
        ge-5/0/3 weight 255;
        ge-0/0/4 weight 255;
        ge-5/0/4 weight 255;
    }
}
Now, let's configure IP monitoring. Our goal is to configure SRX node failover such that if the primary Internet link between the switch and the ISP fails, node 1 becomes the primary node for redundancy group 1 and Internet traffic passes over the secondary link.
{primary:node0}[edit chassis cluster]
root@SRXNODE01# set redundancy-group 1 ip-monitoring global-weight 255
[This command sets the global weight to 255.]
{primary:node0}[edit chassis cluster]
root@SRXNODE01# set redundancy-group 1 ip-monitoring global-threshold 80
[This command sets the global threshold to 80.]
{primary:node0}[edit chassis cluster]
root@SRXNODE01# set redundancy-group 1 ip-monitoring retry-interval 3
[This command sets the retry interval to 3 seconds. This means the device will ping the monitored IP once every 3 seconds.]
{primary:node0}[edit chassis cluster]
root@SRXNODE01# set redundancy-group 1 ip-monitoring retry-count 6
[This command sets the retry count to 6. If the gateway is unreachable, the device will ping 6 times, once every 3 seconds, before it declares the monitored IP address unreachable. So the total wait is 18 seconds.]
{primary:node0}[edit chassis cluster]
root@SRXNODE01# set redundancy-group 1 ip-monitoring family inet 2.2.2.1 weight 80
[This is the monitored IP address. This IP is generally the gateway IP address. If the gateway address is declared unreachable, this weight is deducted from the global-threshold value. If the result is 0, failover is initiated, otherwise not. In our case 80 - 80 = 0, so failover is initiated.]
To view the configuration, type show under the same hierarchy.
{primary:node0}[edit chassis cluster]
root@SRX_NODE01# show
control-link-recovery;
reth-count 3;
redundancy-group 0 {
    node 0 priority 254;
    node 1 priority 1;
}
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 150;
    gratuitous-arp-count 15;
    interface-monitor {
        ge-0/0/3 weight 255;
        ge-5/0/3 weight 255;
        ge-0/0/4 weight 255;
        ge-5/0/4 weight 255;
    }
    ip-monitoring {
        global-weight 255;
        global-threshold 80;
        retry-interval 3;
        retry-count 6;
        family {
            inet {
                2.2.2.1 {
                    weight 80;
                }
            }
        }
    }
}
Now commit the configuration.
To view the IP monitoring status, type the following command.
{primary:node0}
root@SRXNODE01> show chassis cluster ip-monitoring status redundancy-group 1
node0:
--------------------------------------------------------------------------
Redundancy group: 1

IP address        Status        Failure count   Reason
2.2.2.1           reachable     0               n/a

node1:
--------------------------------------------------------------------------
Redundancy group: 1

IP address        Status        Failure count   Reason
2.2.2.1           unreachable   0               unknown
As you can see, the monitored IP is reported as reachable on node 0 but unreachable on node 1. This is because node 1 is not sending any pings to the default gateway address. You can also configure node 1 to send ping requests to the gateway, which I haven't shown here. Now, in our scenario, if the primary Internet link between the switch and the ISP fails, node 1 will become primary for the chassis cluster and Internet traffic will be sent by node 1 via the secondary Internet link. In this way you can configure IP monitoring in an SRX cluster depending upon your scenario.
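The weight and threshold arithmetic described in the configuration steps can be checked before committing. The following is an added example, not part of the original post or Juniper's code: a small Python model whose class and function names are hypothetical, and which assumes a redundancy group starts with a threshold of 255 from which global-weight is deducted once global-threshold reaches 0.

```python
from dataclasses import dataclass, field

RG_THRESHOLD = 255  # assumption: starting threshold of a Junos redundancy group


@dataclass
class IpMonitoring:
    global_weight: int
    global_threshold: int
    retry_interval: int   # seconds between pings
    retry_count: int      # missed pings before the target is "unreachable"
    targets: dict = field(default_factory=dict)  # monitored IP -> weight

    def detection_seconds(self) -> int:
        """Time before a dead target is declared unreachable."""
        return self.retry_interval * self.retry_count

    def remaining_threshold(self, unreachable: set) -> int:
        """global-threshold minus the weights of unreachable targets."""
        lost = sum(w for ip, w in self.targets.items() if ip in unreachable)
        return self.global_threshold - lost

    def triggers_failover(self, unreachable: set) -> bool:
        """True when ip-monitoring alone drives the group threshold to 0."""
        if self.remaining_threshold(unreachable) > 0:
            return False  # global-threshold not exhausted, nothing deducted
        return RG_THRESHOLD - self.global_weight <= 0

    def never_fails_over(self) -> bool:
        """Config check: no failover even with every target down."""
        return not self.triggers_failover(set(self.targets))


# Values taken from the configuration on this page.
page_cfg = IpMonitoring(255, 80, 3, 6, {"2.2.2.1": 80})
# Constructed misconfiguration: target weight lower than global-threshold.
weak_cfg = IpMonitoring(255, 80, 3, 6, {"2.2.2.1": 40})

if __name__ == "__main__":
    for name, cfg in (("page", page_cfg), ("weak", weak_cfg)):
        print(name, cfg.detection_seconds(), "s to detect;",
              "failover on gateway loss:", cfg.triggers_failover({"2.2.2.1"}),
              "| ineffective config:", cfg.never_fails_over())
```

With the page's values the gateway loss is detected after 18 seconds and triggers failover; the constructed variant with weight 40 leaves 40 of the global-threshold, so the cluster would stay on node 0 with a dead upstream link.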
For more information, visit Juniper.net.