JIR Lab Guide
In this activity, you will complete the following objectives.
Part 1: Configure and test VRRP.
Lab 7-1: VRRP Configuration and Monitoring
Part 1: Configure and test VRRP.
Step 1.1
Load JIR.BASIC.3R as basic topology.
[edit]
admin@SRXP# load override JIR.BASIC.3R
load complete
[edit]
admin@SRXP# commit
commit complete
Step 1.2 Configure IP address for interfaces connected to routing instances.
[edit]
admin@SRXP# delete interfaces
[edit]
admin@SRXP# edit interfaces
[edit interfaces]
admin@SRXP# set ge-0/0/8 unit 0 family inet address 10.0.P.254/24
[edit interfaces]
admin@SRXP# set ge-0/0/10 unit 0 family inet address 10.0.P.253/24
[edit interfaces]
admin@SRXP# set ge-0/0/12 unit 0 family inet address 192.168.P.254/24
[edit interfaces]
admin@SRXP# set ge-0/0/14 unit 0 family inet address 192.168.P.253/24
Step 1.3 Modify logical topology and default route for routing instance RA.
[edit interfaces]
admin@SRXP# top
[edit]
admin@SRXP# edit routing-instances RA
[edit routing-instances RA]
admin@SRXP# delete
Delete everything under this level? [yes,no] (no) yes
[edit routing-instances RA]
admin@SRXP# set instance-type virtual-router
[edit routing-instances RA]
admin@SRXP# set interface ge-0/0/8.0
[edit routing-instances RA]
admin@SRXP# set interface ge-0/0/12.0
[edit routing-instances RA]
admin@SRXP# set routing-options static route 0.0.0.0/0 next-hop 192.168.P.1
[edit routing-instances RA]
admin@SRXP# show
instance-type virtual-router;
interface ge-0/0/8.0;
interface ge-0/0/12.0;
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.P.1;
}
}
Step 1.4 Modify logical topology and default route for routing instance RB.
[edit routing-instances RA]
admin@SRXP# top
[edit]
admin@SRXP# edit routing-instances RB
[edit routing-instances RB]
admin@SRXP# delete
Delete everything under this level? [yes,no] (no) yes
[edit routing-instances RB]
admin@SRXP# set instance-type virtual-router
[edit routing-instances RB]
admin@SRXP# set interface ge-0/0/10.0
[edit routing-instances RB]
admin@SRXP# set interface ge-0/0/14.0
[edit routing-instances RB]
admin@SRXP# set routing-options static route 0.0.0.0/0 next-hop 192.168.P.1
[edit routing-instances RB]
admin@SRXP# show
instance-type virtual-router;
interface ge-0/0/10.0;
interface ge-0/0/14.0;
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.P.1;
}
}
Step 1.5
Configure VLAN for both inside (10.0.P.0/24) and outside (192.168.P.0/24) subnets.
[edit routing-instances RB]
admin@SRXP# top
[edit]
admin@SRXP# set vlans INSIDE vlan-id 10
[edit]
admin@SRXP# set vlans OUTSIDE vlan-id 192
[edit]
admin@SRXP# edit interfaces
[edit interfaces]
admin@SRXP# set ge-0/0/9 unit 0 family ethernet-switching vlan members INSIDE
[edit interfaces]
admin@SRXP# set ge-0/0/5 unit 0 family ethernet-switching vlan members INSIDE
[edit interfaces]
admin@SRXP# set ge-0/0/11 unit 0 family ethernet-switching vlan members INSIDE
[edit interfaces]
admin@SRXP# set ge-0/0/13 unit 0 family ethernet-switching vlan members OUTSIDE
[edit interfaces]
admin@SRXP# set ge-0/0/2 unit 0 family ethernet-switching vlan members OUTSIDE
[edit interfaces]
admin@SRXP# set ge-0/0/15 unit 0 family ethernet-switching vlan members OUTSIDE
[edit interfaces]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode
Step 1.6 Verify network connectivity for both INSIDE and OUTSIDE subnets.
admin@SRXP> ping 10.0.P.10 count 3 routing-instance RA
PING 10.0.P.10 (10.0.P.10): 56 data bytes
64 bytes from 10.0.P.10: icmp_seq=0 ttl=128 time=2.380 ms
64 bytes from 10.0.P.10: icmp_seq=1 ttl=128 time=7.254 ms
64 bytes from 10.0.P.10: icmp_seq=2 ttl=128 time=1.297 ms
--- 10.0.P.10 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.297/3.644/7.254/2.591 ms
admin@SRXP> ping 10.0.P.11 count 3 routing-instance RA
PING 10.0.P.11 (10.0.P.11): 56 data bytes
64 bytes from 10.0.P.11: icmp_seq=0 ttl=128 time=1.426 ms
64 bytes from 10.0.P.11: icmp_seq=1 ttl=128 time=1.168 ms
64 bytes from 10.0.P.11: icmp_seq=2 ttl=128 time=1.217 ms
--- 10.0.P.11 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.168/1.270/1.426/0.112 ms
admin@SRXP> ping 10.0.P.253 count 3 routing-instance RA
PING 10.0.P.253 (10.0.P.253): 56 data bytes
64 bytes from 10.0.P.253: icmp_seq=0 ttl=64 time=31.143 ms
64 bytes from 10.0.P.253: icmp_seq=1 ttl=64 time=0.966 ms
64 bytes from 10.0.P.253: icmp_seq=2 ttl=64 time=0.927 ms
--- 10.0.P.253 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.927/11.012/31.143/14.235 ms
admin@SRXP> ping 192.168.P.1 count 3 routing-instance RA
PING 192.168.P.1 (192.168.P.1): 56 data bytes
64 bytes from 192.168.P.1: icmp_seq=0 ttl=255 time=1.884 ms
64 bytes from 192.168.P.1: icmp_seq=1 ttl=255 time=1.638 ms
64 bytes from 192.168.P.1: icmp_seq=2 ttl=255 time=1.760 ms
--- 192.168.P.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.638/1.761/1.884/0.100 ms
admin@SRXP> ping 192.168.P.253 count 3 routing-instance RA
PING 192.168.P.253 (192.168.P.253): 56 data bytes
64 bytes from 192.168.P.253: icmp_seq=0 ttl=64 time=4.353 ms
64 bytes from 192.168.P.253: icmp_seq=1 ttl=64 time=0.960 ms
64 bytes from 192.168.P.253: icmp_seq=2 ttl=64 time=1.021 ms
--- 192.168.P.253 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.960/2.111/4.353/1.585 ms
admin@SRXP> ping 172.26.26.P count 3 routing-instance RA
PING 172.26.26.P (172.26.26.P): 56 data bytes
64 bytes from 172.26.26.P: icmp_seq=0 ttl=127 time=2.176 ms
64 bytes from 172.26.26.P: icmp_seq=1 ttl=127 time=1.845 ms
64 bytes from 172.26.26.P: icmp_seq=2 ttl=127 time=2.198 ms
--- 172.26.26.P ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.845/2.073/2.198/0.161 ms
admin@SRXP> ping 172.26.26.P count 3 routing-instance RB
PING 172.26.26.P (172.26.26.P): 56 data bytes
64 bytes from 172.26.26.P: icmp_seq=0 ttl=127 time=1.721 ms
64 bytes from 172.26.26.P: icmp_seq=1 ttl=127 time=1.620 ms
64 bytes from 172.26.26.P: icmp_seq=2 ttl=127 time=1.658 ms
--- 172.26.26.P ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.620/1.666/1.721/0.042 ms
Step 1.7 Configure VRRP Group 10:
RA: Priority 110
Virtual IP address 10.0.P.1
Track interface ge-0/0/12 priority cost 20
Auth. key juniper123
RB: Priority 100 (default)
Virtual IP address 10.0.P.1
Auth. key juniper123
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# edit interfaces ge-0/0/8 unit 0 family inet address 10.0.P.254/24
[edit interfaces ge-0/0/8 unit 0 family inet address 10.0.P.254/24]
admin@SRXP# set vrrp-group 10 virtual-address 10.0.P.1
[edit interfaces ge-0/0/8 unit 0 family inet address 10.0.P.254/24]
admin@SRXP# set vrrp-group 10 priority 110
[edit interfaces ge-0/0/8 unit 0 family inet address 10.0.P.254/24]
admin@SRXP# set vrrp-group 10 track interface ge-0/0/12 priority-cost 20
[edit interfaces ge-0/0/8 unit 0 family inet address 10.0.P.254/24]
admin@SRXP# set vrrp-group 10 authentication-type md5 authentication-key juniper123
[edit interfaces ge-0/0/8 unit 0 family inet address 10.0.P.254/24]
admin@SRXP# top
[edit]
admin@SRXP# edit interfaces ge-0/0/10 unit 0 family inet address 10.0.P.253/24
[edit interfaces ge-0/0/10 unit 0 family inet address 10.0.P.253/24]
admin@SRXP# set vrrp-group 10 virtual-address 10.0.P.1
[edit interfaces ge-0/0/10 unit 0 family inet address 10.0.P.253/24]
admin@SRXP# set vrrp-group 10 authentication-type md5 authentication-key juniper123
[edit interfaces ge-0/0/10 unit 0 family inet address 10.0.P.253/24]
admin@SRXP# top
Step 1.8
Configure VRRP Group 192:
RA: Priority 110
Virtual IP address 192.168.P.2
Track interface ge-0/0/8 priority cost 20
Auth. key juniper123
RB: Priority 100 (default)
Virtual IP address 192.168.P.2
Auth. key juniper123
[edit]
admin@SRXP# edit interfaces ge-0/0/12 unit 0 family inet address 192.168.P.254/24
[edit interfaces ge-0/0/12 unit 0 family inet address 192.168.P.254/24]
admin@SRXP# set vrrp-group 192 virtual-address 192.168.P.2
[edit interfaces ge-0/0/12 unit 0 family inet address 192.168.P.254/24]
admin@SRXP# set vrrp-group 192 priority 110
[edit interfaces ge-0/0/12 unit 0 family inet address 192.168.P.254/24]
admin@SRXP# set vrrp-group 192 track interface ge-0/0/8 priority-cost 20
[edit interfaces ge-0/0/12 unit 0 family inet address 192.168.P.254/24]
admin@SRXP# set vrrp-group 192 authentication-type md5 authentication-key juniper123
[edit interfaces ge-0/0/12 unit 0 family inet address 192.168.P.254/24]
admin@SRXP# top
[edit]
admin@SRXP# edit interfaces ge-0/0/14 unit 0 family inet address 192.168.P.253/24
[edit interfaces ge-0/0/14 unit 0 family inet address 192.168.P.253/24]
admin@SRXP# set vrrp-group 192 virtual-address 192.168.P.2
[edit interfaces ge-0/0/14 unit 0 family inet address 192.168.P.253/24]
admin@SRXP# set vrrp-group 192 authentication-type md5 authentication-key juniper123
[edit interfaces ge-0/0/14 unit 0 family inet address 192.168.P.253/24]
admin@SRXP# commit and-quit
commit complete
Exiting configuration mode
Step 1.7
Verify VRRP Status.
admin@SRXP> show vrrp summary
Interface     State   Group   VR state   VR Mode   Type   Address
ge-0/0/10.0   up      10      backup     Active    lcl    10.0.P.253
                                                   vip    10.0.P.1
ge-0/0/12.0   up      192     master     Active    lcl    192.168.P.254
                                                   vip    192.168.P.2
ge-0/0/14.0   up      192     backup     Active    lcl    192.168.P.253
                                                   vip    192.168.P.2
ge-0/0/8.0    up      10      master     Active    lcl    10.0.P.254
                                                   vip    10.0.P.1
admin@SRXP> show vrrp track
Track Int     State   Speed   VRRP Int      Group   VR State   Current prio
ge-0/0/12.0   up      1g      ge-0/0/8.0    10      master     110
ge-0/0/8.0    up      1g      ge-0/0/12.0   192     master     110
admin@SRXP> show vrrp interface ge-0/0/8 | match "Auth|VIP|Mode"
Invalid VRRP authentication type received:0
Interface state: up, Group: 10, State: master, VRRP Mode: Active
Priority: 110, Advertisement interval: 1, Authentication type: md5
Preempt: yes, Accept-data mode: no, VIP count: 1, VIP: 10.0.P.1
Group VRRP PDU error statistics
Bad authentication Type received :0
Bad VIP count received :0
Bad VIPADDR received :0
admin@SRXP> show vrrp interface ge-0/0/10 | match "Auth|VIP|Mode"
Invalid VRRP authentication type received:0
Interface state: up, Group: 10, State: backup, VRRP Mode: Active
Priority: 100, Advertisement interval: 1, Authentication type: md5
Preempt: yes, Accept-data mode: no, VIP count: 1, VIP: 10.0.P.1
Group VRRP PDU error statistics
Bad authentication Type received :0
Bad VIP count received :0
Bad VIPADDR received :0
admin@SRXP> show vrrp interface ge-0/0/12 | match "Auth|VIP|Mode"
Invalid VRRP authentication type received:0
Interface state: up, Group: 192, State: master, VRRP Mode: Active
Priority: 110, Advertisement interval: 1, Authentication type: md5
Preempt: yes, Accept-data mode: no, VIP count: 1, VIP: 192.168.P.2
Group VRRP PDU error statistics
Bad authentication Type received :0
Bad VIP count received :0
Bad VIPADDR received :0
admin@SRXP> show vrrp interface ge-0/0/14 | match "Auth|VIP|Mode"
Invalid VRRP authentication type received:0
Interface state: up, Group: 192, State: backup, VRRP Mode: Active
Priority: 100, Advertisement interval: 1, Authentication type: md5
Preempt: yes, Accept-data mode: no, VIP count: 1, VIP: 192.168.P.2
Group VRRP PDU error statistics
Bad authentication Type received :0
Bad VIP count received :0
Bad VIPADDR received :0
Step 1.8
Verify and test VRRP Redundancy using sub-steps as below:
a. Go to your INSIDE-PA, open a command line window and execute the command below:
ping 172.26.26.P -t
The ping session should be able to reach the destination.
b. Disable interface ge-0/0/12 with the command below and verify that the ping session is still reachable, with a few packets dropped.
admin@SRXP> configure
Entering configuration mode
[edit]
admin@SRXP# set interfaces ge-0/0/12 disable
[edit]
admin@SRXP# commit
commit complete
c. Verify the VRRP status again. You should see that the Master role has switched to RB.
[edit]
admin@SRXP# run show vrrp summary
Interface     State   Group   VR state   VR Mode   Type   Address
ge-0/0/12.0   down    192     init       Active    lcl    192.168.P.254
                                                   vip    192.168.P.2
ge-0/0/10.0   up      10      master     Active    lcl    10.0.P.253
                                                   vip    10.0.P.1
ge-0/0/14.0   up      192     master     Active    lcl    192.168.P.253
                                                   vip    192.168.P.2
ge-0/0/8.0    up      10      backup     Active    lcl    10.0.P.254
                                                   vip    10.0.P.1
d. Enable interface ge-0/0/12 by rolling back to the previous configuration as below:
[edit]
admin@SRXP# rollback 1
load complete
[edit]
admin@SRXP# commit
commit complete
e. Verify the VRRP status again. The Master role should now be switched back to RA.
admin@SRXP# run show vrrp summary
Interface     State   Group   VR state   VR Mode   Type   Address
ge-0/0/10.0   up      10      backup     Active    lcl    10.0.P.253
                                                   vip    10.0.P.1
ge-0/0/12.0   up      192     master     Active    lcl    192.168.P.254
                                                   vip    192.168.P.2
ge-0/0/14.0   up      192     backup     Active    lcl    192.168.P.253
                                                   vip    192.168.P.2
ge-0/0/8.0    up      10      master     Active    lcl    10.0.P.254
                                                   vip    10.0.P.1
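The role changes seen in sub-steps b to e follow from the priorities and tracking costs configured for VRRP groups 10 and 192. The Python sketch below is an added example, not part of the original lab guide; it uses a simplified election rule (highest effective priority among routers whose VRRP interface is up, preempt enabled), and its class and function names are illustrative.

```python
from dataclasses import dataclass, field

@dataclass
class VrrpRouter:
    name: str            # routing instance in the lab (RA or RB)
    interface: str       # interface that carries the VRRP group
    priority: int = 100  # default priority when none is configured
    track: dict = field(default_factory=dict)  # tracked interface -> priority-cost

    def effective_priority(self, down):
        # Every tracked interface that is down subtracts its priority-cost.
        cost = sum(c for ifname, c in self.track.items() if ifname in down)
        return self.priority - cost

def elect(routers, down=frozenset()):
    """Return {router name: VR state} for one VRRP group.

    Simplified model (assumption): a router whose own VRRP interface is down
    sits in 'init'; among the rest the highest effective priority becomes
    master. Equal priorities do not occur in this lab, so the tie-break used
    by real VRRP is not modelled.
    """
    states = {r.name: "init" for r in routers if r.interface in down}
    alive = [r for r in routers if r.interface not in down]
    if alive:
        master = max(alive, key=lambda r: r.effective_priority(down))
        for r in alive:
            states[r.name] = "master" if r is master else "backup"
    return states

# Values taken from the VRRP group 10 and group 192 configuration steps.
GROUP_10 = [VrrpRouter("RA", "ge-0/0/8", 110, {"ge-0/0/12": 20}),
            VrrpRouter("RB", "ge-0/0/10")]
GROUP_192 = [VrrpRouter("RA", "ge-0/0/12", 110, {"ge-0/0/8": 20}),
             VrrpRouter("RB", "ge-0/0/14")]

if __name__ == "__main__":
    for down in (frozenset(), frozenset({"ge-0/0/12"})):
        print("interfaces down:", sorted(down) or "none")
        print("  group 10 :", elect(GROUP_10, down))
        print("  group 192:", elect(GROUP_192, down))
```

With ge-0/0/12 down, RA's group 10 priority falls from 110 to 90, below RB's default of 100, which is why both groups move to RB together and the inside and outside paths stay on the same router.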
Step 1.9
Configure VRRP Parameters.
Question: You should be unable to ping the VIP address (10.0.P.1) from INSIDE-PA. Why? How can you fix this problem?
Answer: ____________________________________________________________________________
[edit]
admin@SRXP# edit interfaces
[edit interfaces]
admin@SRXP# set ge-0/0/8 unit 0 family inet address 10.0.P.254/24 vrrp-group 10 accept-data
[edit interfaces]
admin@SRXP# set ge-0/0/10 unit 0 family inet address 10.0.P.253/24 vrrp-group 10 accept-data
[edit interfaces]
admin@SRXP# commit
commit complete
You should now be able to ping the VIP address (10.0.P.1) from INSIDE-PA.
Step 1.10
Save the current configuration to admin’s home directory.
[edit interfaces]
admin@SRXP# up
[edit]
admin@SRXP# save JIR.LAB71
Wrote 185 lines of configuration to 'JIR.LAB71'
[edit]
admin@SRXP# run file list
/cf/var/home/admin/:
.ssh/
JIR.BASIC.3R
JIR.LAB21
JIR.LAB22
JIR.LAB23
JIR.LAB31
JIR.LAB41
JIR.LAB51
JIR.LAB61
JIR.LAB71
By saving your current configuration, you are able to roll back to it at any time.
For example:
[edit]
admin@SRXP# load override JIR.LAB71
load complete
[edit]
admin@SRXP# commit
commit complete
Tell your instructor that you have completed this lab.