Configuring ScreenOS Devices Guide
Configuring Track IPs
NOTE: Each vsys cluster device can see all VSDs in the cluster, even VSDs
that the vsys cluster device does not use. This means that you could configure
a vsys cluster device to monitor a VSD group that the device does not use. If
this monitored VSD group failed, the vsys cluster device that does use that
VSD group would fail over, not the vsys cluster device that was configured
to monitor the VSD group.
For each device or VSD group, you can monitor:
- Specific target IP addresses—The device sends ping or ARP requests to up to 16 specified IP addresses at specified intervals and then monitors responses from the targets. All the IP addresses configured on the device or for a specified VSD group constitute a single monitored object.
- Physical interfaces—The device uses NSRP to check that the physical ports are active and connected to other devices.
- Zones—The device uses NSRP to check that all physical ports in a zone are active.
For each monitored object, you must configure a threshold, which is the total weight of
failed monitored objects required to cause the device or VSD group to step down as
master. If the cumulative weight of the failures of all monitored objects exceeds the
monitored object failure threshold and the monitor threshold, then the device or VSD
group fails over to the backup device or VSD group. You can set the monitored object
failover threshold to a value from 1 to 255. The default threshold is 255.
You must also configure a failure weight, which is the weight that the failure of the
monitored object contributes towards the device or VSD group failover threshold, which
is known as the monitor threshold. You can set the object failure weight at a value from
1 to 255. The default failure weight for monitored objects is 255. If you want to monitor
an object but do not want the failure of the object to affect failover of the device or VSD
group, set the failure weight of the object to 0 (all failures are logged, even if the failure
weight of the object is 0).
For tracked IP addresses, you specify individual IP addresses, how they are to be
monitored, what constitutes the failure of each tracked IP address (the threshold), and
the weight that each failed address carries. When IP tracking is enabled, the device sends
a request on the selected interface to target IP addresses at specified intervals, and then
monitors the targets for responses. If the device does not receive a response from a target
for a specified number of times, the device considers that IP address to be unreachable.
You configure the threshold (the number of acceptable consecutive response failures)
for each IP address within the IP Option dialog box. The default threshold for each IP
address is 3; acceptable values are from 1 to 200.
If the device does not receive a response from a specified number of targets, the device
can deactivate routes associated with the selected interface. This threshold, known as
the failure threshold, is the sum of the weights of all failed tracked IP addresses required
for the tracked IP object to be considered failed. You configure the interface threshold
Copyright © 2010, Juniper Networks, Inc.
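The following Python model is an added example, not code or configuration from the Juniper guide. It replays a constructed probe log through the two levels described above: per-address consecutive-miss thresholds and weights, then the tracked-IP object's failure weight against the monitor threshold. Assumptions: "reaching" a threshold counts as meeting it, a reply resets an address's miss count, and the addresses and weights are made-up sample values.

```python
from dataclasses import dataclass

@dataclass
class TrackedIP:
    address: str
    weight: int            # added to the tracked-IP object when this address fails
    threshold: int = 3     # page default; acceptable values are 1 to 200
    misses: int = 0        # current run of consecutive missed responses

    def record(self, replied):
        # Assumption: any reply resets the run of consecutive misses.
        self.misses = 0 if replied else self.misses + 1

    @property
    def failed(self):
        # Assumption: unreachable once the run of misses reaches the threshold.
        return self.misses >= self.threshold

def track_ip_failed(targets, failure_threshold):
    # The object fails when the weights of failed addresses sum to the failure threshold.
    if len(targets) > 16:
        raise ValueError("at most 16 tracked IP addresses per monitored object")
    return sum(t.weight for t in targets if t.failed) >= failure_threshold

def should_fail_over(objects, monitor_threshold=255):
    # objects: (failed, failure_weight) pairs; weight 0 is observed but never contributes.
    return sum(w for failed, w in objects if failed) >= monitor_threshold

def simulate(rounds, targets, failure_threshold, track_ip_weight, monitor_threshold=255):
    # Replay probe results; return the 1-based round that triggers failover, or None.
    for n, replies in enumerate(rounds, start=1):
        for t in targets:
            t.record(replies[t.address])
        objects = [(track_ip_failed(targets, failure_threshold), track_ip_weight)]
        if should_fail_over(objects, monitor_threshold):
            return n
    return None

def sample_targets():
    # Constructed sample: documentation-range addresses, hypothetical weights.
    return [TrackedIP("192.0.2.1", 10), TrackedIP("192.0.2.2", 10),
            TrackedIP("192.0.2.3", 5, threshold=2)]

# Constructed probe log: True means the target replied in that interval.
ROUNDS = [
    {"192.0.2.1": False, "192.0.2.2": True,  "192.0.2.3": False},
    {"192.0.2.1": False, "192.0.2.2": False, "192.0.2.3": False},
    {"192.0.2.1": False, "192.0.2.2": False, "192.0.2.3": True},
    {"192.0.2.1": False, "192.0.2.2": False, "192.0.2.3": False},
]
```

With a failure threshold of 20 and an object weight of 255, `simulate(ROUNDS, sample_targets(), 20, 255)` steps down in round 4, when two 10-weight addresses are both past their thresholds; with an object weight of 0 the same failures never cause failover.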