Hello!
Currently running an SRX240 with multiple GRE over IPsec tunnels to some small industrial routers.
Topology is as follows:
SRX LAN --- SRX --- (ISP cloud #1) --- IndRouter --- IR LAN
SRX LAN --- SRX --- (ISP cloud #2) --- IndRouter --- IR LAN
(SRX and IR in both lines are the same devices, just connected via different ISPs. So both the SRX and the IR host 2 GRE over IPsec tunnels.)
Traffic to the IR LAN is routed via static routes with qualified-next-hops and different preferences, a smaller one for the main tunnel and a bigger one for the backup. The tricky part is that the IR can't do OSPF or BFD, only static routing. So I need a mechanism to fail over from the main tunnel to the backup. And statics over GRE are always up, since the tunnel is always up as well, so failover never happens, even when the IPsec / GRE pair is down.
The solution I came up with is a services RPM probe directed at the ISP interface of the IR that manually injects a more preferred static route to the IR LAN via the backup gateway.
Config below:
set services rpm probe gre-failover test gre-failover probe-type icmp-ping
set services rpm probe gre-failover test gre-failover target address <IR_ISP_ADDRESS>
set services rpm probe gre-failover test gre-failover probe-count 5
set services rpm probe gre-failover test gre-failover probe-interval 5
set services rpm probe gre-failover test gre-failover test-interval 3
set services rpm probe gre-failover test gre-failover source-address <SRX_ISP_ADDRESS>
set services rpm probe gre-failover test gre-failover thresholds successive-loss 3
set services rpm probe gre-failover test gre-failover thresholds total-loss 3
set services rpm probe gre-failover test gre-failover destination-interface reth0.251
set services rpm probe gre-failover test gre-failover hardware-timestamp

set services ip-monitoring policy gre-failover match rpm-probe gre-failover
set services ip-monitoring policy gre-failover then preferred-route route <IR_LAN> next-hop <BACKUP_GRE_PEER_ADDRESS>
My question: what solution would you suggest for this routing scenario? I'm just curious and want to expand my knowledge and share experience with fellow network engineers.
Cheers!
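To make the mechanism in the post easier to reason about, here is a small Python model of it. This is an added example, not the author's configuration or any Junos code: it simulates one RPM test with the post's thresholds (probe-count 5, successive-loss 3, total-loss 3), the two qualified-next-hop statics, and the ip-monitoring preferred-route action. The peer names and the preferences (5 and 10 for the statics, 1 for the injected route) are constructed placeholders; that the injected route wins with preference 1 is an assumption about the ip-monitoring default, not something the post states. The model also reproduces the failure mode the post describes: with no ip-monitoring, the GRE interface stays up, so the main static never stops being the active route.

```python
"""Simulation of the RPM probe + ip-monitoring failover from the post.
Added example, not the author's configuration or any Junos code; the peer
names and preferences below are constructed placeholders."""
from dataclasses import dataclass
from typing import List, Optional

IR_LAN = "10.10.0.0/24"              # constructed stand-in for <IR_LAN>
MAIN_GRE_PEER = "MAIN_GRE_PEER"      # next hop inside the primary GRE tunnel
BACKUP_GRE_PEER = "BACKUP_GRE_PEER"  # <BACKUP_GRE_PEER_ADDRESS> in the post


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    preference: int            # Junos route preference: lower wins
    interface_up: bool = True  # a GRE ifl stays up even when the IPsec SA is dead


def rpm_test_failed(results: List[bool], successive_loss: int = 3,
                    total_loss: int = 3) -> bool:
    """Evaluate one RPM test (one result per probe, True = reply received)
    against the thresholds in the post: the test fails when `successive_loss`
    consecutive probes are lost or `total_loss` probes are lost in total."""
    lost = run = 0
    for ok in results:
        if ok:
            run = 0
            continue
        lost += 1
        run += 1
        if run >= successive_loss or lost >= total_loss:
            return True
    return False


def best_route(routes: List[StaticRoute], prefix: str) -> Optional[StaticRoute]:
    """Active route for `prefix`: lowest preference among routes whose outgoing
    interface is up. This is why plain statics over GRE never fail over:
    interface_up never becomes False for the tunnel interface."""
    up = [r for r in routes if r.prefix == prefix and r.interface_up]
    return min(up, key=lambda r: r.preference) if up else None


def static_table() -> List[StaticRoute]:
    # The post's two qualified-next-hop statics: main preferred over backup.
    return [StaticRoute(IR_LAN, MAIN_GRE_PEER, preference=5),
            StaticRoute(IR_LAN, BACKUP_GRE_PEER, preference=10)]


def apply_ip_monitoring(routes: List[StaticRoute], probe_results: List[bool],
                        injected_preference: int = 1) -> List[StaticRoute]:
    """ip-monitoring action: if the RPM test failed, install the preferred-route
    via the backup peer. Assumption: the injected route gets preference 1,
    which beats both statics."""
    if rpm_test_failed(probe_results):
        return routes + [StaticRoute(IR_LAN, BACKUP_GRE_PEER, injected_preference)]
    return list(routes)


def active_next_hop(probe_results: List[bool]) -> str:
    """Next hop the SRX uses for IR_LAN after one RPM test with ip-monitoring."""
    return best_route(apply_ip_monitoring(static_table(), probe_results), IR_LAN).next_hop


def next_hop_without_monitoring() -> str:
    """Same table, primary IPsec path broken, but no ip-monitoring: the GRE
    interface is still up, so the main static keeps winning."""
    return best_route(static_table(), IR_LAN).next_hop


if __name__ == "__main__":
    print("all probes answered:", active_next_hop([True] * 5))
    print("all probes lost:    ", active_next_hop([False] * 5))
    print("no ip-monitoring:   ", next_hop_without_monitoring())
```

One thing the model makes visible: with probe-count 5 and probe-interval 5 a single test takes roughly 25 seconds before ip-monitoring can react, so the failover time is governed by those two values plus the test-interval, not by the thresholds alone.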