[j-nsp] SSG Loadbalancing

GIULIANO (UOL) giulianocm at uol.com.br
Mon Jan 7 13:24:49 EST 2008


Look:

Juniper Networks security devices support equal cost multipath (ECMP)
routing on a per-session basis. Routes of equal cost have the same
preference and metric values. Once a security device associates a
session with a route, the security device uses that route until a
better route is learned or the current route becomes unusable. The
eligible routes must have outgoing interfaces that belong to the same
zone.

If the outgoing interfaces do not belong to the same zone and the
return packet goes to a zone other than the intended one, a session
match cannot occur and the traffic may not go through.

When ECMP is enabled and the outgoing interfaces are different and in
NAT mode, applications, such as HTTP, that create multiple sessions
will not work correctly. Applications, such as telnet or SSH, that
create one session should work correctly.

ECMP assists with load-balancing among two to four routes to the same
destination or increases the effective bandwidth usage among two or
more destinations. When ECMP is enabled, security devices use the
statically defined routes or dynamically learn multiple routes to the
same destination through a routing protocol.

The security device assigns routes of equal cost in rotating
(round-robin) fashion. <-----

Without ECMP, the security device only uses the first learned or
defined route. Other routes that are of equal cost remain unused until
the currently active route is no longer active.

When using ECMP, if you have two security devices in a neighbor
relationship and you notice packet loss and improper load-balancing,
check the Address Resolution Protocol (ARP) configuration of the
neighbor device to make sure the arp always-on-dest feature is
disabled (default).

... from:

http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v7.pdf

Regards,

Giuliano

-----Original Message-----
From: Sven Juergensen (KielNET)
[mailto:s.juergensen at kielnet.de] 
Sent: Monday, January 07, 2008 1:35 PM
To: giulianocm at uol.com.br
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] SSG Loadbalancing

Hi Giuliano,

this actually works, thank you.

What kind of algorithm is
happening behind the scenes,
do you have any idea?

Starting a download from one
machine followed by another
one sometimes uses the same
uplink, which is somewhat
suboptimal but I reckon that
this is by design.

Thanks and regards,

sven03

Kind regards

p.p. Sven Juergensen

-- 
Information Technology Department

KielNET GmbH
Gesellschaft fuer Kommunikation
Preusserstr. 1-9, 24105 Kiel

Phone   : 0431 / 2219-053
Fax     : 0431 / 2219-005
E-Mail  : s.juergensen at kielnet.de
Internet: http://www.kielnet.de

AS# 25295
Key fingerprint:
65B6 90FC 010A 39CE DCA5  336D 9C45 3B7A B02D E132

"221 2.7.0 Error: I can break rules, too. Goodbye."

Managing Director Eberhard Schmidt
HRB 4499 (Kiel District Court)


GIULIANO (UOL) wrote:
> Sven,
> 
> It is possible.
> 
> You have to configure the related VROUTER to support it:
> 
> FW_PAVAN_SJP-> 
> FW_PAVAN_SJP-> 
> FW_PAVAN_SJP-> 
> FW_PAVAN_SJP-> set vrouter trust-vr
> FW_PAVAN_SJP(trust-vr)-> set max-em
> FW_PAVAN_SJP(trust-vr)-> set max-ec
> max-ecmp-routes      maximum ecmp routes searched during ECMP route lookup in this vrouter
> FW_PAVAN_SJP(trust-vr)-> set max-ecmp-routes ?
> <number>             route number (range: 1 - 4)
> FW_PAVAN_SJP(trust-vr)-> set max-ecmp-routes 2 [ENTER]
> 
> 
> Regards,
> 
> 
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> Sven Juergensen (KielNET)
> Sent: Monday, January 07, 2008 8:57 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] SSG Loadbalancing
> 
> Hi list,
> 
> is it possible to have an SSG5
> connected to two xDSL modems
> loadbalance traffic across both
> of them? Redundancy works but
> it appears that a loadbalancing
> mechanism does not exist.
> 
> Thanks in advance.
> 
> Regards,
> 
> sven03
> 
> Kind regards
> 
> p.p. Sven Juergensen
> 
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

__________ NOD32 2769 (20080107) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com
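
Added example, not part of the original thread and not ScreenOS code: a simplified Python model of the per-session round-robin assignment the quoted documentation describes, showing why two downloads can end up on the same uplink and why a multi-session application behind per-interface NAT presents different source addresses. The class name, interface names and IP addresses are constructed assumptions.

```python
from itertools import count

# Constructed uplinks: (egress interface, NAT source IP), equal cost, same zone.
UPLINKS = [("ethernet0/0", "198.51.100.10"), ("ethernet0/1", "203.0.113.20")]

class EcmpVrouter:
    """Simplified model of per-session round-robin ECMP (not ScreenOS code)."""

    def __init__(self, routes, max_ecmp_routes=1):
        self.routes = list(routes)
        self.max_ecmp_routes = max_ecmp_routes   # 1 models "ECMP not enabled"
        self.down = set()                        # interfaces currently unusable
        self.sessions = {}                       # session key -> pinned route
        self._rr = count()                       # rotating assignment counter

    def _pick(self):
        live = [r for r in self.routes if r[0] not in self.down]
        live = live[:self.max_ecmp_routes]
        if not live:
            raise RuntimeError("no usable route")
        return live[next(self._rr) % len(live)]

    def forward(self, src, sport, dst, dport):
        """Return the route for a packet; new sessions get the next route."""
        key = (src, sport, dst, dport)
        route = self.sessions.get(key)
        if route is None or route[0] in self.down:   # new session or dead route
            route = self.sessions[key] = self._pick()
        return route

    def fail(self, interface):
        self.down.add(interface)

def same_uplink_demo():
    """Two downloads with one unrelated session in between share an uplink."""
    vr = EcmpVrouter(UPLINKS, max_ecmp_routes=2)
    a = vr.forward("192.168.1.10", 40000, "192.0.2.80", 80)   # host A download
    vr.forward("192.168.1.11", 53000, "192.0.2.53", 53)       # host B DNS lookup
    b = vr.forward("192.168.1.11", 40001, "192.0.2.80", 80)   # host B download
    return a[0], b[0]

def nat_sources_demo():
    """One client, three HTTP sessions: the server sees alternating source IPs."""
    vr = EcmpVrouter(UPLINKS, max_ecmp_routes=2)
    return [vr.forward("192.168.1.10", 41000 + i, "192.0.2.80", 80)[1]
            for i in range(3)]
```

In this model the rotation counts sessions, not hosts or bytes, so any session created in between shifts which uplink the next download gets.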


