Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: Configure IP Monitoring on SRX5000 line

This example shows how to monitor SRX Series Firewalls with chassis cluster enabled.

Requirements

  • You need two SRX5800 Services Gateways with identical hardware configurations, one SRX Series Firewall and one EX8208 Ethernet Switch.

  • Physically connect the two SRX5800 devices (back-to-back for the fabric and control ports) and ensure that they are the same models. Configure/add these two devices in a cluster.

Overview

IP address monitoring checks end-to-end reachability of configured IP address and allows a redundancy group to automatically fail over when not reachable through the child link of redundant Ethernet interface (known as a reth) interface. Redundancy groups on both devices in a cluster can be configured to monitor specific IP addresses to determine whether an upstream device in the network is reachable.

When you configure multiple IP addresses on the reth Interface in a chassis cluster setup, IP monitoring uses the first IP address from the list of IP addresses configured for that reth interface on the primary node, and the first IP address from the list of secondary IP addresses configured for that reth interface on the backup node. The first IP address is the one with smallest prefix (netmask).

This example shows how to set up IP monitoring on an SRX Series Firewall.

Note:

IP monitoring is not supported on an NP-IOC card.

Note:

IP monitoring does not support MIC online/offline status on SRX Series Firewalls.

Topology

Figure 1 shows the topology used in this example.

Figure 1: IP Monitoring on an SRX Series Firewall Topology ExampleIP Monitoring on an SRX Series Firewall Topology Example

In this example, two SRX5800 devices in a chassis cluster are connected to an SRX1500 device through an EX8208 Ethernet Switch. The example shows how the redundancy groups can be configured to monitor key upstream resources reachable through redundant Ethernet interfaces on either node in a cluster.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring IP Monitoring on SRX Series Firewall

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide .

To configure IP monitoring on an SRX Series Firewall:

  1. Specify the number of redundant Ethernet interfaces.

  2. Specify a redundancy group's priority for primacy on each node of the cluster. The higher number takes precedence.

  3. Configure the redundant Ethernet interfaces to redundancy-group 1.

  4. Assign child interfaces for the redundant Ethernet interfaces from node 0 and node 1.

  5. Configure the static route to the IP address that is to be monitored.

  6. Configure IP monitoring under redundancy-group 1 with global weight and global threshold.

  7. Specify the retry interval.

  8. Specify the retry count.

  9. Assign a weight to the IP address to be monitored, and configure a secondary IP address that will be used to send ICMP packets from the secondary node to track the IP being monitored.

    Note:
    • The redundant Ethernet (reth0) IP address, 192.0.2.1/24, is used to send ICMP packets from node 0 to check the reachability of the monitored IP.

    • The secondary IP address, 192.0.2.2, should belong to the same network as the reth0 IP address.

    • The secondary IP address is used to send ICMP packets from node 1 to check the reachability of the monitored IP.

Verification

Confirm the configuration is working properly.

Verifying Chassis Cluster Status— Before Failover

Purpose

Verify the chassis cluster status, failover status, and redundancy group information before failover.

Action

From operational mode, enter the show chassis cluster status command.

Verifying Chassis Cluster IP Monitoring Status— Before Failover

Purpose

Verify the IP status being monitored from both nodes and the failover count for both nodes before failover.

Action

From operational mode, enter the show chassis cluster ip-monitoring status redundancy-group 1 command.

Verifying Chassis Cluster Status— After Failover

Purpose

Verify the chassis cluster status, failover status, and redundancy group information after failover.

Note:

If the IP address is not reachable, the following output will be displayed.

Action

From operational mode, enter the show chassis cluster status command.

Verifying Chassis Cluster IP Monitoring Status— After Failover

Purpose

Verify the IP status being monitored from both nodes and the failover count for both nodes after failover.

Action

From operational mode, enter the show chassis cluster ip-monitoring status redundancy-group 1 command.