
@Jamesits
Last active June 22, 2023 02:51
Example: monitor the availability of the same Internet IP address through different upstream ISPs, and select the default route for access users based on the IP monitoring result. (Junos OS, Juniper SRX)
# Reusable configuration groups. A group only takes effect where a stanza
# references it with apply-groups; <*> matches any name at that level.
groups {
    # Defaults for every routing instance that applies this group.
    ri_vr_defaults {
        routing-instances {
            <*> {
                instance-type virtual-router;
                routing-options {
                    static {
                        defaults {
                            install;
                            resolve;
                        }
                    }
                    auto-export;
                    forwarding-table {
                        # Selects which paths a unicast RPF check treats as valid.
                        # NOTE(review): no interface in this listing sets rpf-check, so
                        # confirm where (if anywhere) uRPF is actually enforced.
                        unicast-reverse-path feasible-paths;
                    }
                }
            }
        }
    }
    # Defaults for inside (access) zones: services the device itself answers.
    zones_access_default {
        security {
            zones {
                security-zone <*> {
                    # Answer non-SYN TCP segments that match no session with a RST.
                    tcp-rst;
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            dhcpv6;
                            ping;
                            traceroute;
                            ntp;
                        }
                        protocols {
                            router-discovery;
                        }
                    }
                }
            }
        }
    }
    # Defaults for ISP-facing zones. Management services (e.g. ssh) are not
    # listed here, so this group does not open them on the uplinks.
    zones_uplink_default {
        security {
            zones {
                security-zone <*> {
                    # NOTE(review): the screen profile "untrust-screen" is referenced
                    # but not defined in this listing; it has to exist under
                    # "security screen ids-option" for this to take effect.
                    screen untrust-screen;
                    host-inbound-traffic {
                        # These services are reachable from the ISP side on the device
                        # itself. NOTE(review): the uplinks are PPPoE clients, so confirm
                        # dhcp/dhcpv6 and ping/traceroute are really needed here.
                        system-services {
                            dhcp;
                            dhcpv6;
                            ping;
                            traceroute;
                        }
                        protocols {
                            router-discovery;
                        }
                    }
                }
            }
        }
    }
}
# RPM probes measure reachability through each uplink; ip-monitoring policies
# act on the default route of the matching routing instance.
services {
    rpm {
        # One probe per uplink. Both send to the same target, each from its own
        # routing instance, so the result reflects that uplink's path only.
        # No probe-type is set, so the Junos default applies.
        # NOTE(review): both uplinks depend on one third-party target answering
        # unauthenticated probes; if that address is unreachable or filtered,
        # both probes fail together. Consider more than one target.
        probe UPLINK_CT_1 {
            test 223 {
                target address 223.5.5.5;
                probe-count 3;
                probe-interval 5;
                test-interval 15;
                routing-instance UPLINK_CT_1;
                thresholds {
                    successive-loss 3;
                    # NOTE(review): Junos documents the rtt threshold in
                    # microseconds; confirm that 20 is the intended value.
                    rtt 20;
                }
            }
        }
        probe UPLINK_CU_1 {
            test 223 {
                target address 223.5.5.5;
                probe-count 3;
                probe-interval 5;
                test-interval 15;
                routing-instance UPLINK_CU_1;
                thresholds {
                    successive-loss 3;
                    # NOTE(review): same unit question as the UPLINK_CT_1 probe.
                    rtt 20;
                }
            }
        }
    }
    ip-monitoring {
        # Each policy is tied to the RPM probe of the same name and names a
        # 0.0.0.0/0 route via the uplink's PPPoE unit inside that uplink's
        # routing instance.
        policy UPLINK_CT_1 {
            match {
                rpm-probe UPLINK_CT_1;
            }
            then {
                preferred-route {
                    # Presumably makes the route disappear while the probe is
                    # failing; verify the exact semantics of "withdraw"
                    # against the Junos release in use.
                    withdraw;
                    routing-instances UPLINK_CT_1 {
                        route 0.0.0.0/0 {
                            next-hop pp0.0;
                            preferred-metric 5;
                        }
                    }
                }
            }
        }
        policy UPLINK_CU_1 {
            match {
                rpm-probe UPLINK_CU_1;
            }
            then {
                preferred-route {
                    withdraw;
                    routing-instances UPLINK_CU_1 {
                        route 0.0.0.0/0 {
                            next-hop pp0.1;
                            preferred-metric 5;
                        }
                    }
                }
            }
        }
    }
}
# Flow options, source NAT towards both uplinks, the default security policy
# and the zone-to-interface bindings.
security {
    flow {
        tcp-mss {
            all-tcp {
                # Clamp the TCP MSS for all sessions. 1452 corresponds to the
                # usual 1492-byte PPPoE MTU minus 40 bytes of IPv4+TCP headers.
                mss 1452;
            }
        }
    }
    nat {
        source {
            pool-default-port-range 4096 to 63487;
            interface {
                port-overloading off;
            }
            # Masquerade traffic that enters from ACCESS (or the instance named
            # "default") and leaves through either uplink instance behind the
            # egress interface address.
            rule-set default-masquerade {
                from routing-instance [ ACCESS default ];
                to routing-instance [ UPLINK_CT_1 UPLINK_CU_1 ];
                rule masquerade {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface {
                                # target-host: an external host that the inside
                                # host has already contacted may open new
                                # sessions to the mapped address/port.
                                # NOTE(review): together with the permit-all
                                # default policy below, nothing else filters
                                # that inbound traffic. Keep persistent NAT
                                # only if the use case needs it.
                                persistent-nat {
                                    permit target-host;
                                    inactivity-timeout 60;
                                    max-session-number 65536;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        # NOTE(review): permit-all allows any zone-to-zone traffic for which no
        # explicit policy exists, including uplink -> ACCESS, and no explicit
        # policies appear in this listing. For production use prefer
        # "default-policy deny-all" plus explicit from-zone/to-zone policies
        # for the flows that are required.
        default-policy {
            permit-all;
        }
    }
    zones {
        # Inside zone: lists ssh locally, alongside the apply-groups reference
        # (assuming normal apply-groups inheritance merges the two lists).
        security-zone ACCESS {
            apply-groups zones_access_default;
            host-inbound-traffic {
                system-services {
                    ssh;
                }
            }
            interfaces {
                reth0.100;
            }
        }
        # ISP-facing zones: each holds the VLAN sub-interface and the PPPoE
        # unit that runs on top of it. No ssh is listed here.
        security-zone UPLINK_CT_1 {
            apply-groups zones_uplink_default;
            interfaces {
                reth0.2102;
                pp0.0;
            }
        }
        security-zone UPLINK_CU_1 {
            apply-groups zones_uplink_default;
            interfaces {
                reth0.2101;
                pp0.1;
            }
        }
    }
}
# Physical members of the redundant Ethernet trunk, the two PPPoE client
# units (one per ISP) and the VLAN sub-interfaces they ride on.
interfaces {
    # Both physical ports become members of reth0.
    interface-range trunk {
        member ge-0/0/1;
        member ge-7/0/1;
        ether-options {
            redundant-parent reth0;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    pp0 {
        # PPPoE client towards the first ISP, carried over reth0.2102.
        unit 0 {
            description UPLINK_CT_1;
            ppp-options {
                # PAP transmits the name and password to the peer without
                # cryptographic protection. The password is blanked in this
                # published copy; when sharing a real configuration, redact
                # SECRET-DATA values as well, since Junos "$9$" strings are
                # obfuscated rather than encrypted.
                pap {
                    local-name 114514;
                    local-password ""; ## SECRET-DATA
                    passive;
                }
                on-demand-ip-address;
                initiate-ncp {
                    ip;
                }
            }
            pppoe-options {
                underlying-interface reth0.2102;
                idle-timeout 0;
                auto-reconnect 1;
                client;
            }
            family inet {
                negotiate-address;
            }
        }
        # PPPoE client towards the second ISP, carried over reth0.2101.
        unit 1 {
            description UPLINK_CU_1;
            ppp-options {
                # Same PAP caveats as unit 0: cleartext authentication,
                # password blanked for publication.
                pap {
                    local-name "114514";
                    local-password ""; ## SECRET-DATA
                    passive;
                }
                on-demand-ip-address;
                # NOTE(review): ipv6 NCP is initiated here, but this unit only
                # configures family inet in this listing; confirm whether
                # family inet6 was intended.
                initiate-ncp {
                    ip;
                    ipv6;
                }
            }
            pppoe-options {
                underlying-interface reth0.2101;
                idle-timeout 0;
                auto-reconnect 1;
                client;
            }
            family inet {
                negotiate-address;
            }
        }
    }
    reth0 {
        flexible-vlan-tagging;
        native-vlan-id 1;
        redundant-ether-options {
            redundancy-group 1;
        }
        # Access-side gateway address for inside users.
        unit 100 {
            description ACCESS;
            vlan-id 2200;
            family inet {
                address 192.168.1.1/24;
            }
        }
        # The uplink VLANs carry only PPPoE frames; no IP family is
        # configured on them.
        unit 2101 {
            description uplink-cu-1;
            encapsulation ppp-over-ether;
            vlan-id 2101;
        }
        unit 2102 {
            description uplink-ct-1;
            encapsulation ppp-over-ether;
            vlan-id 2102;
        }
    }
}
# Routing policies used by the ACCESS instance to import default routes from
# the uplink instances.
policy-options {
    # Catch-all: reject every route that reaches this policy.
    policy-statement VR:REJECT {
        term final {
            then reject;
        }
    }
    # Accept static routes with preference 5 from each uplink instance and
    # stamp a different metric on them: 10 for UPLINK_CU_1, 20 for
    # UPLINK_CT_1. With both routes present the lower metric (UPLINK_CU_1)
    # should be selected, assuming the routes tie on preference.
    policy-statement VR:TEMPLATE:IMPORT_ALL_UPLINK {
        term 1 {
            from {
                instance UPLINK_CU_1;
                protocol static;
                preference 5;
            }
            then {
                metric 10;
                accept;
            }
        }
        term 2 {
            from {
                instance UPLINK_CT_1;
                protocol static;
                preference 5;
            }
            then {
                metric 20;
                accept;
            }
        }
    }
}
# One virtual router per uplink plus one for the access side. Each applies
# ri_vr_defaults from the groups stanza.
routing-instances {
    # First ISP: static default route via its PPPoE unit.
    UPLINK_CT_1 {
        apply-groups ri_vr_defaults;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop pp0.0;
            }
        }
        interface pp0.0;
        interface reth0.2102;
    }
    # Second ISP: static default route via its PPPoE unit.
    UPLINK_CU_1 {
        apply-groups ri_vr_defaults;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop pp0.1;
            }
        }
        interface pp0.1;
        interface reth0.2101;
    }
    # Access side: has no static routes of its own. It imports routes through
    # the policy chain below; VR:REJECT comes last, so anything the first
    # policy does not accept is not imported.
    ACCESS {
        apply-groups ri_vr_defaults;
        routing-options {
            instance-import [ VR:TEMPLATE:IMPORT_ALL_UPLINK VR:REJECT ];
        }
        interface reth0.100;
    }
}
# Global (main instance) routing options.
routing-options {
    nonstop-routing;
    forwarding-table {
        # Same uRPF path-selection mode as in the ri_vr_defaults group.
        # NOTE(review): this only chooses the mode; no interface in this listing
        # enables rpf-check.
        unicast-reverse-path feasible-paths;
    }
}