Juniper RPM and Event Policy

This document describes a lab exercise to configure RPM and event policies on a Juniper vSRX device. The objective is to monitor connectivity to a primary ISP using RPM probes, and trigger a route change through an event policy if connectivity fails. Specifically: - RPM probes monitor connectivity from the vSRX to the primary ISP router. - An event policy is configured to change the default route to the backup ISP if 3 probe failures occur within 1 minute. - Another policy changes the route back if connectivity is restored within the next 5 minutes. - The document verifies the configuration works as intended when the primary link is shut down.

Uploaded by

Alex Machado
Copyright © All Rights Reserved

Download PNETLab Platform

PNETLAB Store
PNETLab.com

Juniper RPM and Event Policy


Lab Topology:
The lab network topology is illustrated below:

https://user.pnetlab.com/store/labs/detail?id=16036296249670
Lab Objective:
The objective of this lab exercise is for you to learn and understand RPM and Event Policy on
Junos.
Task:
We have 4 devices: R1 and vSRX are our DC, R3 is ISP1 and R4 is ISP2. We will set up ISP1 as the primary path to reach prefix 8.8.8.8/32; the path to ISP2 will be disabled. When ISP1 goes down, vSRX will automatically enable ISP2.

Solution

Basic Configuration:

Router R1 configuration:

interface Ethernet0/0
 no shutdown
 ip address 10.1.12.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.12.2

Router R3 configuration:

interface Loopback0
 no shutdown
 ip address 8.8.8.8 255.255.255.255
!
interface Ethernet0/0
 no shutdown
 ip address 10.1.23.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.23.2

Router R4 configuration:

interface Loopback0
 no shutdown
 ip address 8.8.8.8 255.255.255.255
!
interface Ethernet0/0
 no shutdown
 ip address 10.1.24.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.24.2

Router vSRX configuration:

set system host-name vSRX
set system root-authentication encrypted-password "$1$xUFvoveE$x5BHW/vKO/pJy18MH4BRv0"
set system login user baolhq uid 2004
set system login user baolhq class super-user
set system login user baolhq authentication encrypted-password "$1$i2JCd1Oc$/7oTkR0uzS6zppbfJnvZ60"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.12.2/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.23.2/24
set interfaces ge-0/0/2 unit 0 family inet address 10.1.24.2/24
set routing-options static route 8.8.8.8/32 next-hop 10.1.23.3
set security policies from-zone TRUST to-zone TRUST policy 1 match source-address any
set security policies from-zone TRUST to-zone TRUST policy 1 match destination-address any
set security policies from-zone TRUST to-zone TRUST policy 1 match application any
set security policies from-zone TRUST to-zone TRUST policy 1 then permit
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces ge-0/0/0.0
set security zones security-zone TRUST interfaces ge-0/0/1.0
set security zones security-zone TRUST interfaces ge-0/0/2.0

Username/ Password of SRX: baolhq/123456a@ and root/123456a@

The real-time performance monitoring (RPM) feature allows network operators to accurately measure the performance between two network endpoints. RPM is configured on vSRX, which sends ICMP echoes to R3:

set services rpm probe icmp-ping-probe test ping-probe-test probe-type icmp-ping
set services rpm probe icmp-ping-probe test ping-probe-test target address 10.1.23.3
set services rpm probe icmp-ping-probe test ping-probe-test test-interval 5
set services rpm probe icmp-ping-probe test ping-probe-test thresholds successive-loss 3
set system syslog file syslog-event-daemon-info daemon info

We have an RPM with probe name icmp-ping-probe and test name ping-probe-test. It's a simple configuration where vSRX keeps sending ICMP echoes to R3 indefinitely, and all logs from this RPM are sent to syslog-event-daemon-info. To combine RPM with Event Policy, we need to configure an Event Policy that matches the RPM events:

set event-options policy enable-on-ping-failure events PING_TEST_FAILED
set event-options policy enable-on-ping-failure within 60 trigger on
set event-options policy enable-on-ping-failure within 60 trigger 3
set event-options policy enable-on-ping-failure within 65 trigger until
set event-options policy enable-on-ping-failure within 65 trigger 4
set event-options policy enable-on-ping-failure attributes-match PING_TEST_FAILED.test-owner matches icmp-ping-probe
set event-options policy enable-on-ping-failure attributes-match PING_TEST_FAILED.test-name matches ping-probe-test
set event-options policy enable-on-ping-failure then change-configuration commands "delete routing-options static route 8.8.8.8/32 next-hop 10.1.23.3"
set event-options policy enable-on-ping-failure then change-configuration commands "set routing-options static route 8.8.8.8/32 next-hop 10.1.24.4"
set event-options policy enable-on-ping-failure then change-configuration user-name baolhq
set event-options policy enable-on-ping-failure then change-configuration commit-options log "updating configuration from event policy enable-on-ping-failure"

Above we created an Event Policy for when our ping fails:

- First, if the system has more than 3 failure logs in 1 minute, the event policy for PING_TEST_FAILED becomes active and the commands are configured by the system via the baolhq account.

- The PING_TEST_FAILED log must match test-owner icmp-ping-probe and test-name ping-probe-test.

- After the event policy becomes active, the system pushes a log: updating configuration from event policy enable-on-ping-failure

Now we will also configure an action for when our ping is OK.

set event-options policy disable-on-ping-ok events PING_TEST_COMPLETED
set event-options policy disable-on-ping-ok within 60 trigger on
set event-options policy disable-on-ping-ok within 60 trigger 3
set event-options policy disable-on-ping-ok within 65 trigger until
set event-options policy disable-on-ping-ok within 65 trigger 4
set event-options policy disable-on-ping-ok attributes-match PING_TEST_COMPLETED.test-owner matches icmp-ping-probe
set event-options policy disable-on-ping-ok attributes-match PING_TEST_COMPLETED.test-name matches ping-probe-test
set event-options policy disable-on-ping-ok then change-configuration commands "set routing-options static route 8.8.8.8/32 next-hop 10.1.23.3"
set event-options policy disable-on-ping-ok then change-configuration commands "delete routing-options static route 8.8.8.8/32 next-hop 10.1.24.4"
set event-options policy disable-on-ping-ok then change-configuration user-name baolhq
set event-options policy disable-on-ping-ok then change-configuration commit-options log "updating configuration from event policy disable-on-ping-ok"

Let’s verify on vSRX:

baolhq@vSRX> show log syslog-event-daemon-info | last 10

Oct 25 12:05:29 last message repeated 5 times
Oct 25 12:06:44 last message repeated 15 times
Oct 25 12:06:45 rpd[1159]: RPD_TASK_REINIT: Reinitializing
Oct 25 12:06:45 rpd[1159]: Read ddl top handle 0x0 for logical-router default
Oct 25 12:06:45 rpd[1159]: task state: <ReConfig Foreground ParseConfig>
Oct 25 12:06:45 rpd[1159]: task_reconfigure reinitializing done
Oct 25 12:06:46 rpd[1159]: Decode ifd sp-0/0/0 index 138: ifdm_flags 0xc010
Oct 25 12:06:46 rpd[1159]: krt_inherit_ifd_aps_flags sp-0/0/0 index 138: <> from self
Oct 25 12:06:49 vSRX rmopd[2267]: PING_TEST_COMPLETED: pingCtlOwnerIndex = icmp-ping-probe, pingCtlTestName = ping-probe-test

We need to check route from R1 to the prefix 8.8.8.8/32:

R1#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)

  1 10.1.12.2 2 msec 1 msec 0 msec
  2 10.1.23.3 1 msec 3 msec *

So, traffic is going via R3. To simulate a failure, we will shut down interface e0/0 on R3:

R3(config)#interface ethernet 0/0
R3(config-if)#shutdown

Here’s what happens on vSRX:

baolhq@vSRX> show log messages | last 60

Oct 25 12:09:54 vSRX file[3090]: UI_JUNOSCRIPT_CMD: User 'baolhq' used JUNOScript client to run command 'commit-configuration log=updating configuration from event policy enable-on-ping-failure'
Oct 25 12:09:54 vSRX file[3090]: UI_COMMIT: User 'baolhq' requested 'commit' operation (comment: updating configuration from event policy enable-on-ping-failure)
Oct 25 12:09:57 vSRX file[3090]: UI_COMMIT_PROGRESS: Commit operation in progress: ssync ends
Oct 25 12:09:57 vSRX file[3090]: UI_COMMIT_PROGRESS: Commit operation in progress: commit complete
Oct 25 12:09:57 vSRX file[3090]: UI_COMMIT_PROGRESS: Commit operation in progress: signaling 'Alarm control process', pid 1155, signal 30, status 0 with notification errors enabled
Oct 25 12:09:57 vSRX file[3090]: UI_JUNOSCRIPT_CMD: User 'baolhq' used JUNOScript client to run command 'unlock-configuration'
Oct 25 12:09:57 vSRX eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy enable-on-ping-failure with user baolhq privileges
Oct 25 12:09:57 vSRX file[3090]: UI_LOGOUT_EVENT: User 'baolhq' logout
Oct 25 12:10:00 vSRX cron[3371]: (root) CMD ( /usr/libexec/atrun)

baolhq@vSRX> show log syslog-event-daemon-info | last 30

Oct 25 12:09:37 vSRX rmopd[2267]: PING_TEST_FAILED: pingCtlOwnerIndex = icmp-ping-probe, pingCtlTestName = ping-probe-test
Oct 25 12:09:54 vSRX last message repeated 2 times
Oct 25 12:09:57 vSRX rpd[1159]: RPD_TASK_REINIT: Reinitializing
Oct 25 12:09:57 vSRX rpd[1159]: Read ddl top handle 0x0 for logical-router default
Oct 25 12:09:57 vSRX rpd[1159]: task state: <ReConfig Foreground ParseConfig>
Oct 25 12:09:57 vSRX rpd[1159]: task_reconfigure reinitializing done
Oct 25 12:10:02 vSRX rmopd[2267]: PING_TEST_FAILED: pingCtlOwnerIndex = icmp-ping-probe, pingCtlTestName = ping-probe-test
Oct 25 12:10:26 vSRX last message repeated 3 times

You can see that after we shut down interface e0/0 of R3, the event policy for PING_TEST_FAILED became active and the system logged in via the baolhq account in order to configure the new route. Let's check the route on vSRX:

baolhq@vSRX> show route 8.8.8.8

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

8.8.8.8/32         *[Static/5] 00:06:57
                    > to 10.1.24.4 via ge-0/0/2.0

Now vSRX learns 8.8.8.8/32 via R4. I will enable R3 again and see what happens:

R3(config)#interface ethernet 0/0
R3(config-if)#no shutdown

baolhq@vSRX> show log messages | last 60

Oct 25 12:18:10 vSRX file[3400]: UI_JUNOSCRIPT_CMD: User 'baolhq' used JUNOScript client to run command 'commit-configuration log=updating configuration from event policy disable-on-ping-ok'
Oct 25 12:18:10 vSRX file[3400]: UI_COMMIT: User 'baolhq' requested 'commit' operation (comment: updating configuration from event policy disable-on-ping-ok)
Oct 25 12:18:14 vSRX file[3400]: UI_COMMIT_PROGRESS: Commit operation in progress: ssync begins
Oct 25 12:18:14 vSRX file[3400]: UI_COMMIT_PROGRESS: Commit operation in progress: ssync ends
Oct 25 12:18:14 vSRX file[3400]: UI_COMMIT_PROGRESS: Commit operation in progress: commit complete
Oct 25 12:18:14 vSRX file[3400]: UI_COMMIT_PROGRESS: Commit operation in progress: signaling 'Alarm control process', pid 1155, signal 30, status 0 with notification errors enabled
Oct 25 12:18:14 vSRX file[3400]: UI_JUNOSCRIPT_CMD: User 'baolhq' used JUNOScript client to run command 'unlock-configuration'
Oct 25 12:18:14 vSRX eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy disable-on-ping-ok with user baolhq privileges
Oct 25 12:18:14 vSRX file[3400]: UI_LOGOUT_EVENT: User 'baolhq' logout

Event Policy is working again. Let’s verify:

R1#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.12.2 0 msec 1 msec 1 msec
  2 10.1.23.3 1 msec 2 msec *

baolhq@vSRX> show route 8.8.8.8

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

8.8.8.8/32         *[Static/5] 00:03:55
                    > to 10.1.23.3 via ge-0/0/1.0

Now it goes via R3. That’s great!
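
An added example, not part of the original lab: both event policies commit as baolhq, a super-user account, so anyone reviewing these logs will want to separate commits made by eventd from other commits under the same name. The Python below does that over the log format shown above and also reports how long traffic stayed on the backup path; the sample lines (including one constructed manual commit), the 10-second correlation window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: four lines from the lab's 'show log messages' output,
# rejoined onto single lines, plus one manual commit (12:14:02) added for contrast.
SAMPLE = """\
Oct 25 12:09:54 vSRX file[3090]: UI_COMMIT: User 'baolhq' requested 'commit' operation (comment: updating configuration from event policy enable-on-ping-failure)
Oct 25 12:09:57 vSRX eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy enable-on-ping-failure with user baolhq privileges
Oct 25 12:14:02 vSRX mgd[3390]: UI_COMMIT: User 'baolhq' requested 'commit' operation (comment: none)
Oct 25 12:18:10 vSRX file[3400]: UI_COMMIT: User 'baolhq' requested 'commit' operation (comment: updating configuration from event policy disable-on-ping-ok)
Oct 25 12:18:14 vSRX eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy disable-on-ping-ok with user baolhq privileges
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
COMMIT = re.compile(TS + r"\S+: UI_COMMIT: User '(?P<user>[^']+)' requested 'commit'")
POLICY = re.compile(TS + r"eventd: EVENTD_CONFIG_CHANGE_SUCCESS: .* executing policy "
                         r"(?P<policy>\S+) with user (?P<user>\S+) privileges")

def _when(m, year):
    # Syslog lines carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")

def audit(log_text, year=2020, window=timedelta(seconds=10)):
    """Return (policy_changes, unattributed_commits) as lists of tuples."""
    changes, commits = [], []
    for line in log_text.splitlines():
        if m := POLICY.match(line):
            changes.append((_when(m, year), m["policy"], m["user"]))
        elif m := COMMIT.match(line):
            commits.append((_when(m, year), m["user"]))
    # A commit is attributed to eventd only if a policy success for the same
    # user follows within `window`; the commit comment alone is user-settable.
    unattributed = [c for c in commits if not any(
        u == c[1] and timedelta(0) <= t - c[0] <= window for t, _, u in changes)]
    return changes, unattributed

def backup_path_seconds(changes, down="enable-on-ping-failure", up="disable-on-ping-ok"):
    """Total seconds between each failover commit and the next failback commit."""
    total, started = 0, None
    for t, policy, _ in changes:
        if policy == down and started is None:
            started = t
        elif policy == up and started is not None:
            total, started = total + int((t - started).total_seconds()), None
    return total

if __name__ == "__main__":
    changes, unattributed = audit(SAMPLE)
    print(changes, unattributed, backup_path_seconds(changes))
```

On the sample, the two policy-driven commits are attributed to eventd, the 12:14:02 commit is returned for review, and the backup path was active for 497 seconds.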
