Lab SLA Cisco kết hợp IP Monitoring trên Juniper SRX

R1:

interface Ethernet0/0

 ip address 192.168.1.1 255.255.255.0

 duplex auto

 vrrp 1 ip 192.168.1.10

 vrrp 1 priority 110

 vrrp 1 track 1 ##track 1 cấu hình ở dưới

!

interface Ethernet0/1

 ip address 10.1.4.1 255.255.255.0

 no shutdown

!

ip route 0.0.0.0 0.0.0.0 10.1.4.4 ##set route đi sang đối tác

ip sla 1 

 icmp-echo 10.1.4.4 source-interface Ethernet0/1

 frequency 5

ip sla schedule 1 life forever start-time now

!

track 1 ip sla 1 reachability

R2:

interface Ethernet0/0

 ip address 192.168.1.2 255.255.255.0

vrrp 1 ip 192.168.1.10

 vrrp 1 priority 105 ##Độ ưu tiên 105 nhỏ hơn nhánh R1

!

interface Ethernet0/1

 ip address 10.2.3.2 255.255.255.0

no shutdown

!

ip route 0.0.0.0 0.0.0.0 10.2.3.3 ##set route đi qua đối tác

show vrrp

ping sang 2 nhánh đối tác sau khi đối tác cấu hình xong

ping về VPC 192.168.1.100

R3:

interface Ethernet0/0

 ip address 10.2.3.3 255.255.255.0

no shutdown

!

interface Ethernet0/1

 ip address 10.3.5.3 255.255.255.0

no shutdown

!

ip route 0.0.0.0 0.0.0.0 10.2.3.2

ip route 192.168.5.0 255.255.255.0 10.3.5.5

R4:

interface Ethernet0/0

 ip address 10.1.4.4 255.255.255.0

 no shutdown

!

interface Ethernet0/1

 ip address 10.4.5.4 255.255.255.0

no shutdown

!

ip route 0.0.0.0 0.0.0.0 10.1.4.1

ip route 192.168.5.0 255.255.255.0 10.4.5.5

Juniper SRX:

#############Đặt IP##############

set interfaces ge-0/0/0 unit 0 family inet address 10.3.5.5/24

set interfaces ge-0/0/1 unit 0 family inet address 10.4.5.5/24

set interfaces ge-0/0/2 unit 0 family inet address 192.168.5.1/24

set routing-options static route 0.0.0.0/0 next-hop 10.4.5.4

#############Đặt Zone##############

set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services all

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all

#############Mở rule cho ping từ LAN CISCO sang##############

set security address-book global address CISCO_LAN 192.168.1.0/24

set security address-book global address LOCAL_LAN 192.168.5.0/24

!

set security policies from-zone untrust to-zone trust policy allow_ping_from_CISCO match source-address CISCO_LAN

set security policies from-zone untrust to-zone trust policy allow_ping_from_CISCO match destination-address LOCAL_LAN

set security policies from-zone untrust to-zone trust policy allow_ping_from_CISCO match application junos-ping

set security policies from-zone untrust to-zone trust policy allow_ping_from_CISCO then permit

set security policies from-zone untrust to-zone trust policy allow_ping_from_CISCO then log session-init

#############Khai SLA##############

set services rpm probe haiprobe test ping-to-R2 target address 10.1.4.1

set services rpm probe haiprobe test ping-to-R2 probe-count 5

set services rpm probe haiprobe test ping-to-R2 probe-interval 3

set services rpm probe haiprobe test ping-to-R2 thresholds successive-loss 3

!

set services ip-monitoring policy hai-policy match rpm-probe haiprobe

set services ip-monitoring policy hai-policy then preferred-route route 0.0.0.0/0 next-hop 10.3.5.3 ##đường phụ

set routing-options static route 10.1.4.1/32 next-hop 10.4.5.4