
SRX300 dual ISP with fail over, both ISP interfaces DHCP

  • 1.  SRX300 dual ISP with fail over, both ISP interfaces DHCP

    Posted 03-11-2023 07:41
    Edited by spuluka 03-12-2023 06:52

    I have two SRX300s in a chassis cluster (working fine) with two ISP feeds and I want to have fail over between the ISPs.  Both ISP interfaces are DHCP with DHCP assigned gateways.  I have the ISP connections working and I have assigned them to routing instances.  I also have RPM probes working for each ISP connection.  

    I am stuck on how to do failover between the ISPs, since the ISP interface IP addresses (and their gateways) are dynamically assigned by DHCP.  I would also like to do filter-based forwarding: most hosts on the network will use the first ISP, but some hosts will use the second ISP unless the second ISP is down.

    Any help on getting this working is appreciated.

    Here is my current configuration:

    version 22.4R1.10;
    groups {
        node0 {
            system {
                host-name srx300-1;
            }
        }
        node1 {
            system {
                host-name srx300-2;
            }
        }
    }
    apply-groups "${node}";
    chassis {
        cluster {
            reth-count 4;
            redundancy-group 0 {
                node 0 priority 200;
                node 1 priority 100;
            }
            redundancy-group 1 {
                node 0 priority 200;
                node 1 priority 100;
                preempt;
                interface-monitor {
                    reth0 weight 255;
                }
            }
        }
    }
    /* Reachability probes (rpm) and the ip-monitoring policies that reference them. */
    services {
        rpm {
            /* Probes 1.1.1.1 out of reth0.296, the unit described as ISP1 under interfaces. */
            /* NOTE(review): one public target per ISP; loss of that single address is */
            /* indistinguishable from loss of the ISP link. Consider a second target */
            /* before tying a routing change to this probe. */
            /* NOTE(review): no routing-instance is set on the test although reth0.296 */
            /* is bound to routing instance ISP1; confirm the probe really leaves via it. */
            probe ISP1-probe {
                test ISP1-test {
                    target address 1.1.1.1;
                    probe-count 3;
                    probe-interval 2;
                    test-interval 2;
                    thresholds {
                        /* Both thresholds equal probe-count, so a test fails only when all three probes are lost. */
                        successive-loss 3;
                        total-loss 3;
                    }
                    destination-interface reth0.296;
                }
            }
            /* Same settings as ISP1-probe, but targeting 8.8.8.8 out of reth0.297 (described as ISP2). */
            probe ISP2-probe {
                test ISP2-test {
                    target address 8.8.8.8;
                    probe-count 3;
                    probe-interval 2;
                    test-interval 2;
                    thresholds {
                        successive-loss 3;
                        total-loss 3;
                    }
                    destination-interface reth0.297;
                }
            }
        }
        /* Each policy below only matches its probe. No "then" action is configured, */
        /* so as posted these policies change nothing when a probe fails. */
        ip-monitoring {
            policy Test-ISP1 {
                match {
                    rpm-probe ISP1-probe;
                }
            }
            policy Test-ISP2 {
                match {
                    rpm-probe ISP2-probe;
                }
            }
        }
    }
    security {
    security zones, policies, etc. deleted for brevity
    }
    interfaces {
        ge-0/0/2 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/3 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/4 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/5 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-1/0/2 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-1/0/3 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-1/0/4 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-1/0/5 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/7;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-1/0/7;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
        reth0 {
            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
                no-flow-control;
                minimum-links 2;
                lacp {
                    active;
                    periodic fast;
                }
            }
            unit 66 {
                vlan-id 66;
                family inet {
                    address 10.200.66.3/24;
                }
            }
            unit 67 {
                vlan-id 67;
                family inet {
                    address 10.200.67.3/24;
                }
            }
            unit 68 {
                vlan-id 68;
                family inet {
                    address 10.200.68.3/24;
                }
            }
            unit 296 {
                description ISP1;
                vlan-id 296;
                family inet {
                    dhcp;
                }
            }
            unit 297 {
                vlan-id 297;
                description ISP2;
                family inet {
                    dhcp;
                }
            }
        }
    }
    /* One virtual-router per ISP, each holding one DHCP-addressed reth0 unit. */
    /* NOTE(review): the "show route" output posted with this configuration lists the */
    /* reth0.297 routes under ISP1.inet.0 and the reth0.296 routes under ISP2.inet.0, */
    /* the reverse of the bindings below. Confirm which of the two is current. */
    /* NOTE(review): the security stanza was removed from the post. Verify that both */
    /* ISP units are in a zone with their own policy and source NAT, so that a */
    /* failover does not change what traffic is permitted. */
    routing-instances {
        ISP1 {
            interface reth0.296;
            instance-type virtual-router;
            routing-options {
                /* Interface routes of this instance are shared through rib-group from-ISP1. */
                interface-routes {
                    rib-group inet from-ISP1;
                }
            }
        }
        ISP2 {
            interface reth0.297;
            instance-type virtual-router;
            routing-options {
                /* Interface routes of this instance are shared through rib-group from-ISP2. */
                interface-routes {
                    rib-group inet from-ISP2;
                }
            }
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
    }
    /* Main-instance routing options: rib-groups that share interface routes between */
    /* inet.0 and the two ISP instances. No static or default route is defined here. */
    routing-options {
        interface-routes {
            rib-group inet to-ISPs;
        }
        rib-groups {
            /* inet.0 is listed first (primary); its interface routes are copied into both ISP tables. */
            to-ISPs {
                import-rib [ inet.0 ISP1.inet.0 ISP2.inet.0 ];
            }
            /* ISP1.inet.0 is primary; its interface routes are copied into inet.0. */
            from-ISP1 {
                import-rib [ ISP1.inet.0 inet.0 ];
            }
            /* ISP2.inet.0 is primary; its interface routes are copied into inet.0. */
            from-ISP2 {
                import-rib [ ISP2.inet.0 inet.0 ];
            }
        }
        /* NOTE(review): these rib-groups are applied to interface-routes only. In the */
        /* posted "show route" output the DHCP-learned 0.0.0.0/0 (Access-internal) */
        /* appears only in the instance tables and not among the active inet.0 routes, */
        /* so inet.0 shows no default route to fail over. */
    }
    

    Here are the routing tables:

    srx300-1> show route 
    
    inet.0: 11 destinations, 11 routes (10 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.200.66.0/24     *[Direct/0] 5d 00:38:14
                        >  via reth0.66
    10.200.66.3/32     *[Local/0] 5d 00:38:14
                           Local via reth0.66
    10.200.67.0/24     *[Direct/0] 5d 00:38:14
                        >  via reth0.67
    10.200.67.3/32     *[Local/0] 5d 00:38:14
                           Local via reth0.67
    10.200.68.0/24     *[Direct/0] 5d 00:38:14
                        >  via reth0.68
    10.200.68.3/32     *[Local/0] 5d 00:38:14
                           Local via reth0.68
    75.231.238.248/29  *[Direct/0] 2d 05:49:18
                        >  via reth0.297
    75.231.238.251/32  *[Local/0] 2d 05:49:18
                           Local via reth0.297
    192.168.200.0/24   *[Direct/0] 3d 00:22:37
                        >  via reth0.296
    192.168.200.101/32 *[Local/0] 3d 00:22:37
                           Local via reth0.296
    
    ISP1.inet.0: 10 destinations, 10 routes (9 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Access-internal/12] 2d 05:49:18, metric 0
                        >  to 75.231.238.252 via reth0.297
    10.200.66.0/24     *[Direct/0] 00:28:19
                        >  via reth0.66
    10.200.66.3/32     *[Local/0] 00:28:19
                           Local via reth0.66
    10.200.67.0/24     *[Direct/0] 00:28:19
                        >  via reth0.67
    10.200.67.3/32     *[Local/0] 00:28:19
                           Local via reth0.67
    10.200.68.0/24     *[Direct/0] 00:28:19
                        >  via reth0.68
    10.200.68.3/32     *[Local/0] 00:28:19
                           Local via reth0.68
    75.231.238.248/29  *[Direct/0] 2d 05:49:18
                        >  via reth0.297
    75.231.238.251/32  *[Local/0] 2d 05:49:18
                           Local via reth0.297
    
    ISP2.inet.0: 10 destinations, 10 routes (9 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Access-internal/12] 3d 00:22:37, metric 0
                        >  to 192.168.200.1 via reth0.296
    10.200.66.0/24     *[Direct/0] 00:28:19
                        >  via reth0.66
    10.200.66.3/32     *[Local/0] 00:28:19
                           Local via reth0.66
    10.200.67.0/24     *[Direct/0] 00:28:19
                        >  via reth0.67     
    10.200.67.3/32     *[Local/0] 00:28:19
                           Local via reth0.67
    10.200.68.0/24     *[Direct/0] 00:28:19
                        >  via reth0.68
    10.200.68.3/32     *[Local/0] 00:28:19
                           Local via reth0.68
    192.168.200.0/24   *[Direct/0] 3d 00:22:37
                        >  via reth0.296
    192.168.200.101/32 *[Local/0] 3d 00:22:37
                           Local via reth0.296

    And here is a simple network diagram: