반응형
SMALL
NSRP Monitor Track IP Configuration Examples
Summary:
NSRP IP Tracking proves to be absolutely vital to achieving a successful failover event in scenarios when the primary Juniper firewall stops passing traffic, but the monitored interfaces remain up.
Problem or Goal:
Why configure NSRP Monitor track-ip and how does it work?
Solution:
The NSRP Monitor Track-IP option can be utilized to monitor IP address reachability in an NSRP environment. When used in conjunction with NSRP interface monitoring, one can obtain much more reliable and robust NSRP failover. Essentially, track-IP functions by sending ICMP (or ARP) heartbeats to one or more configurable hosts. If a (configurable) threshold of consecutive heartbeats is lost, the host is deemed down and the NSRP failover event is triggered
One must allot a certain amount of time for planning and testing to create a Track-IP configuration that minimizes both false-positives (failover events when the network is not down) and false-negatives (absence of failover events when the network is down). One needs to determine one or more hosts that can reliably respond to ICMP/ARP traffic (an example would be the firewall’s next-hop gateway IP). For situations requiring multiple Track-IP hosts, one may need to adjust the weight values to ensure failover occurs when intended.
See below for five IP tracking configuration examples for monitoring one and two hosts.
---------------------------------------
Configuration example 1
NSRP track-ip config commands for monitoring one Reliable Host:
Configuration Example 2
NSRP track-ip config commands for monitoring two Reliable Hosts:
Note: In this example, when both hosts (Host1 and Host2) are unreachable, a firewall failover will be triggered.
2a. When the firewall is receiving ICMP Echo responses from both track IP addresses note the output of “
----------------------------------------
Configuration Example 3
NSRP track-ip config commands for monitoring two Reliable Hosts:
Note: In this example, when only one Host is unreachable (Host1 or Host2), a firewall failover will be triggered.
----------------------------------------
Configuration example 4
NSRP track-ip configuration commands for monitoring one host/gateway that doesn’t respond to ICMP ECHO packets. Therefore this example is using the ARP IP tracking method and requires configuring a manage-ip address on the firewall.
Important Note: The ARP method only works if the other device belongs to same L2 broadcast domain.
4a. When a manage-ip is configured and the firewall is receiving the ARP response, note the output of “
Configuration Example 5
NSRP track-ip configuration per VSD commands for monitoring two Reliable Hosts. This example is similar to Example 3, except the monitoring is done from VSD 1.
Note: In this example, when only one Host is unreachable (Host1 or Host2), a firewall failover will be triggered.
5a. When the firewall is receiving ICMP Echo responses from both track IP addresses, note the output of “
One must allot a certain amount of time for planning and testing to create a Track-IP configuration that minimizes both false-positives (failover events when the network is not down) and false-negatives (absence of failover events when the network is down). One needs to determine one or more hosts that can reliably respond to ICMP/ARP traffic (an example would be the firewall’s next-hop gateway IP). For situations requiring multiple Track-IP hosts, one may need to adjust the weight values to ensure failover occurs when intended.
See below for five IP tracking configuration examples for monitoring one and two hosts.
---------------------------------------
Configuration example 1
NSRP track-ip config commands for monitoring one Reliable Host:
# Send ICMP packet every 3 seconds
set nsrp monitor track-ip ip 192.168.1.100 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp monitor track-ip ip 192.168.1.100 threshold 5
# The interface these packets will be sourced from
set nsrp monitor track-ip ip 192.168.1.100 interface ethernet1
# The weight of this particular track-ip failure (only this IP must be unreachable to trigger the failover event)
set nsrp monitor track-ip ip 192.168.1.100 weight 255
---------------------------------------Configuration Example 2
NSRP track-ip config commands for monitoring two Reliable Hosts:
Note: In this example, when both hosts (Host1 and Host2) are unreachable, a firewall failover will be triggered.
# Configure IP addresses of VSI interfaces
set interface ethernet1/2 ip 2.2.9.2/24
set interface ethernet1/3 ip 1.1.9.2/24
# Configure manage-ip for VSI interfaces
set interface ethernet1/2 manage-ip 2.2.9.4
set interface ethernet1/3 manage-ip 1.1.9.4
# Enable IP tracking
set nsrp monitor track-ip
Commands to monitor Host1:# Use PING as IP tracking method
set nsrp monitor track-ip ip 2.2.9.3 method ping
# Send ICMP echo request packet every 3 seconds
set nsrp monitor track-ip ip 2.2.9.3 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp monitor track-ip ip 2.2.9.3 threshold 5
# The weight of this particular track-ip failure (both IPs must be unreachable to trigger the failover event)
set nsrp monitor track-ip ip 2.2.9.3 weight 128
Commands to monitor Host2:# Use ping as IP tracking method
set nsrp monitor track-ip ip 1.1.9.1 method ping
# Send ICMP echo request packet every 3 seconds
set nsrp monitor track-ip ip 1.1.9.1 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp monitor track-ip ip 1.1.9.1 threshold 5
# The weight of this particular track-ip failure (both IPs must be unreachable to trigger the failover event)
set nsrp monitor track-ip ip 1.1.9.1 weight 128
To verify configuration:get nsrp monitor
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, enabled, not failed)
get nsrp monitor track-ip
ip address interval threshold wei interface meth fail-count success-rate
2.2.9.3 3 5 128 auto ping 0 100%
1.1.9.1 3 5 128 auto ping 0 100%
failure weight: 255, threshold: 255, not failed: 0 ip(s) failed, weighted sum = 0
Debug analysis:2a. When the firewall is receiving ICMP Echo responses from both track IP addresses note the output of “
debug icmp all
” and “debug trackip basic
” commands:## 2001-01-24 13:58:09 : track ip: track 1.1.9.1
## 2001-01-24 13:58:09 : trackip set SELF_APP_CLT_TRACK and out
## 2001-01-24 13:58:09 : build icmp: 8/0,1c999cc8/32
## 2001-01-24 13:58:09 : insert 1.1.9.1 (1024/34284)
## 2001-01-24 13:58:09 : ping to 1.1.9.1, 8/1024/34284, 32 bytes from src 0.0.0.0, if N/A, tnl ffffffff
## 2001-01-24 13:58:09 : icmp: handing over icmp(type 0) pak to raw socket
## 2001-01-24 13:58:09 : received raw icmp pak from 1.1.9.1 thro ethernet1/3
## 2001-01-24 13:58:09 : Rcv ICMP Echo Rsp: src=1.1.9.1, dst=1.1.9.4, data=40
## 2001-01-24 13:58:09 : search 1.1.9.1 (1024/34284)
## 2001-01-24 13:58:09 : age/delete 1.1.9.1 (1024/34284) time 0
## 2001-01-24 13:58:11 : track ip: track 2.2.9.3
## 2001-01-24 13:58:11 : trackip set SELF_APP_CLT_TRACK and out
## 2001-01-24 13:58:11 : build icmp: 8/0,1c999cc8/32
## 2001-01-24 13:58:11 : insert 2.2.9.3 (1024/34384)
## 2001-01-24 13:58:11 : ping to 2.2.9.3, 8/1024/34384, 32 bytes from src 0.0.0.0, if N/A, tnl ffffffff
## 2001-01-24 13:58:11 : icmp: handing over icmp(type 0) pak to raw socket
## 2001-01-24 13:58:11 : received raw icmp pak from 2.2.9.3 thro ethernet1/2
## 2001-01-24 13:58:11 : Rcv ICMP Echo Rsp: src=2.2.9.3, dst=2.2.9.4, data=40
## 2001-01-24 13:58:11 : search 2.2.9.3 (1024/34384)
## 2001-01-24 13:58:11 : age/delete 2.2.9.3 (1024/34384) time 0
----------------------------------------
Configuration Example 3
NSRP track-ip config commands for monitoring two Reliable Hosts:
Note: In this example, when only one Host is unreachable (Host1 or Host2), a firewall failover will be triggered.
Commands to monitor Host1:
# Send ICMP packet every 3 seconds
set nsrp monitor track-ip ip 192.168.1.100 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp monitor track-ip ip 192.168.1.100 threshold 5
# The interface these packets will be sourced from
set nsrp monitor track-ip ip 192.168.1.100 interface ethernet1
# The weight of this particular track-ip failure (only one IP must be unreachable to trigger the failover event)
set nsrp monitor track-ip ip 192.168.1.100 weight 255
Commands to monitor Host2:
# Send ICMP packet every 3 seconds
set nsrp monitor track-ip ip 10.10.1.100 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp monitor track-ip ip 10.10.1.100 threshold 5
# The interface these packets will be sourced from
set nsrp monitor track-ip ip 10.10.1.100 interface ethernet2
# The weight of this particular track-ip failure (only one IP must be unreachable to trigger the failover event)
set nsrp monitor track-ip ip 10.10.1.100 weight 255
----------------------------------------
Configuration example 4
NSRP track-ip configuration commands for monitoring one host/gateway that doesn’t respond to ICMP ECHO packets. Therefore this example is using the ARP IP tracking method and requires configuring a manage-ip address on the firewall.
Important Note: The ARP method only works if the other device belongs to same L2 broadcast domain.
# Configure IP address of VSI interface
set interface ethernet1/1 ip 172.19.51.20/23
# Configure manage-ip for VSI interface. If firewall is in inoperable state, it will fail to build ARP packet because link of interface is inactive.
set interface ethernet1/1 manage-ip 172.19.51.65
# Enable IP tracking
set nsrp monitor track-ip
# Use ARP as IP tracking method
set nsrp monitor track-ip ip 172.19.50.1 method arp
# Send ARP request packet every 3 seconds
set nsrp monitor track-ip ip 172.19.50.1 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp monitor track-ip ip 172.19.50.1 threshold 5
# The weight of this particular track-ip failure (only this IP must be unreachable to trigger the failover event)
set nsrp monitor track-ip ip 172.19.50.1 weight 255
To verify configuration:get nsrp monitor
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, enabled, not failed)
get nsrp monitor track-ip
ip address interval threshold wei interface meth fail-count success-rate
172.19.50.1 3 5 255 auto arp 0 64%
failure weight: 255, threshold: 255, not failed: 0 ip(s) failed, weighted sum = 0
Debug analysis:4a. When a manage-ip is configured and the firewall is receiving the ARP response, note the output of “
debug arp task
” and “debug trackip basic
” commands:## 2008-03-23 05:30:48 : track ip: track 172.19.50.1
## 2008-03-23 05:30:48 : Build ARP Req: src=172.19.51.65, dest=172.19.50.1, etype 0x0806(0x806), intf=ethernet1/1, flag=0x10020000
## 2008-03-23 05:30:48 : Send ARP Req: src=0.0.0.0, dest=172.19.50.1, interface=7, flag=0x10020000
## 2008-03-23 05:30:48 : Sending packet to ffffffffffff from 0010db865f87 thro raw socket 2305 bound to interface=ethernet1/1
## 2008-03-23 05:30:48 : received raw arp pak from 0010dbff2090 thro ethernet1/1
## 2008-03-23 05:30:48 : Receive ARP Rsp: src=172.19.50.1, dst=172.19.51.65, interface=ethernet1/1
## 2008-03-23 05:30:48 : update ethernet1/1: 172.19.50.1/0010dbff2090 to arp
## 2008-03-23 05:30:48 : find arp: for 172.19.50.1 vsys Root
## 2008-03-23 05:30:48 : found arp: 172.19.50.1/0010dbff2090 in vsys Root
4b. If the manage-ip is not configured, note the output of the “debug arp task
” and “debug trackip basic
” commands:## 2008-03-23 12:59:47 : track ip: track 172.19.50.1
## 2008-03-23 12:59:47 : arp_pak_build: cannot decide src ip to send arp
## 2008-03-23 12:59:47 : failed to build arp pak for src 0.0.0.0, dst 172.19.50.1, opcode 1, ifp ethernet1/1
4c. When no ARP response is received, note the output of “debug arp task
” and “debug trackip basic
” commands:----------------------------------------## 2008-03-23 14:22:26 : track ip: track 172.19.50.1
## 2008-03-23 14:22:26 : Build ARP Req: src=172.19.51.65, dest=172.19.50.1, etype 0x0806(0x806), intf=ethernet1/1, flag=0x10020000
## 2008-03-23 14:22:26 : Send ARP Req: src=0.0.0.0, dest=172.19.50.1, interface=7, flag=0x10020000
## 2008-03-23 14:22:26 : Sending packet to ffffffffffff from 0010db865f87 thro raw socket 2305 bound to interface=ethernet1/1
## 2008-03-23 14:22:26 : Add new arp entry at 16 for 172.19.50.1
## 2008-03-23 14:22:28 : Give up retry
## 2008-03-23 14:22:28 : arp free entry
Configuration Example 5
NSRP track-ip configuration per VSD commands for monitoring two Reliable Hosts. This example is similar to Example 3, except the monitoring is done from VSD 1.
Note: In this example, when only one Host is unreachable (Host1 or Host2), a firewall failover will be triggered.
To verify configuration:# Configure IP addresses of VSI interfaces
set interface ethernet1/2:1 ip 2.2.9.2/24
set interface ethernet1/3:1 ip 1.1.9.2/24
# Configure IP address of physical interfaces
set interface ethernet1/2 ip 2.2.9.4/24
set interface ethernet1/3 ip 1.1.9.4/24
# Enable IP tracking
set nsrp vsd-group id 1 monitor track-ip ip
Commands to monitor Host1:# Send ICMP packet every 3 seconds
set nsrp vsd id 1 monitor track-ip ip 2.2.9.3 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp vsd id 1 monitor track-ip ip 2.2.9.3 threshold 5
# The weight of this particular track-ip failure (only one IP must be unreachable to trigger the failover event)
set nsrp vsd-group id 1 monitor track-ip ip 2.2.9.3 weight 255
Commands to monitor Host2:# Send ICMP packet every 3 seconds
set nsrp vsd id 1 monitor track-ip ip 1.1.9.1 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp vsd id 1 monitor track-ip ip 1.1.9.1 threshold 5
# The weight of this particular track-ip failure (only one IP must be unreachable to trigger the failover event)
set nsrp vsd-group id 1 monitor track-ip ip 1.1.9.1 weight 255
get nsrp vsd-group id 1 monitor
VSD group 1 based nsrp monitoring threshold: 255, weighted sum: 0, not failed
VSD group 1 monitor interface:
VSD group 1 monitor zone:
VSD group 1 based nsrp track ip: (weight: 255, enabled, not failed)
get nsrp vsd-group id 1 monitor track-ip
ip address interval threshold wei interface meth fail-count success-rate
2.2.9.3 3 5 255 auto ping 0 100% (no manage-ip address)
1.1.9.1 3 5 255 auto ping 0 100% (no manage-ip address)
failure weight: 255, threshold: 255, not failed: 0 ip(s) failed, weighted sum = 0
Debug Analysis:5a. When the firewall is receiving ICMP Echo responses from both track IP addresses, note the output of “
debug icmp all
” and “debug trackip basic”
commands:## 2001-01-24 14:36:55 : track ip: track 2.2.9.3
## 2001-01-24 14:36:55 : trackip set SELF_APP_CLT_TRACK and out
## 2001-01-24 14:36:55 : build icmp: 8/0,1c999cc8/32
## 2001-01-24 14:36:55 : insert 2.2.9.3 (1024/32712)
## 2001-01-24 14:36:55 : ping to 2.2.9.3, 8/1024/32712, 32 bytes from src 0.0.0.0, if N/A, tnl ffffffff
## 2001-01-24 14:36:55 : icmp: handing over icmp(type 0) pak to raw socket
## 2001-01-24 14:36:55 : received raw icmp pak from 2.2.9.3 thro ethernet1/2
## 2001-01-24 14:36:55 : Rcv ICMP Echo Rsp: src=2.2.9.3, dst=2.2.9.4, data=40
## 2001-01-24 14:36:55 : search 2.2.9.3 (1024/32712)
## 2001-01-24 14:36:55 : age/delete 2.2.9.3 (1024/32712) time 0
## 2001-01-24 14:36:56 : track ip: track 1.1.9.1
## 2001-01-24 14:36:56 : trackip set SELF_APP_CLT_TRACK and out
## 2001-01-24 14:36:56 : build icmp: 8/0,1c999cc8/32
## 2001-01-24 14:36:56 : insert 1.1.9.1 (1024/32812)
## 2001-01-24 14:36:56 : ping to 1.1.9.1, 8/1024/32812, 32 bytes from src 0.0.0.0, if N/A, tnl ffffffff
## 2001-01-24 14:36:56 : icmp: handing over icmp(type 0) pak to raw socket
## 2001-01-24 14:36:56 : received raw icmp pak from 1.1.9.1 thro ethernet1/3
## 2001-01-24 14:36:56 : Rcv ICMP Echo Rsp: src=1.1.9.1, dst=1.1.9.4, data=40
## 2001-01-24 14:36:56 : search 1.1.9.1 (1024/32812)
## 2001-01-24 14:36:56 : age/delete 1.1.9.1 (1024/32812) time 0
반응형
LIST
'업무이야기 > Security' 카테고리의 다른 글
FutureSystem GateAdmin Pro Manual (0) | 2012.01.12 |
---|---|
Safezone IPS 뚜껑따다 (0) | 2011.11.21 |
Juniper Firewall Transparent mode config (Example) (0) | 2011.11.04 |
Juniper Firewall TroubleShooting Command (0) | 2011.11.04 |
Juniper ISG Series Integrated Security Gateways (0) | 2011.09.27 |