[j-nsp] Loadbalancing traffic
Alex
alex.arseniev at gmail.com
Mon May 10 14:26:38 EDT 2010
Hello,
If you have ECMP _AND_ configure load-balancing via forwarding-table export
_AND_ if you don't explicitly configure hash-key _AND_ if your IPSec VPN
uses only 1 IP address for tunnel termination on both M7i then
-- your IPSec VPN traffic will be sent over 2 links _only_ if there is
enough diversity in src.IPs and dst.IPs since the default inet hash-key is
layer-3+ifIndex.
-- the choice of link will look random to the human eye
-- if one link goes down the remaining link will pick up all traffic.
HTH
Regards
Alex
----- Original Message -----
From: "Muhammad Rehan" <rehanrehman45 at gmail.com>
To: <juniper-nsp at puck.nether.net>
Sent: Monday, May 10, 2010 2:44 PM
Subject: [j-nsp] Loadbalancing traffic
> Dear all,
>
> Currently I have M7i router on the edge of the network and SSG 550 firewall
> behind the M7i. I have one internet link terminated on M7i router and couple
> of VPN configured on SSG550 firewall,
>
> If I terminated another internet link on M7i and configured M7i to load
> balance the traffic by using the following configuration.
>
> routing-options {
>     forwarding-table {
>         export load-balancing;
>     }
> }
>
> policy-options {
>     policy-statement load-balancing {
>         term 1 {
>             from {
>                 route-filter 0.0.0.0/0 exact;
>             }
>             then {
>                 load-balance per-packet;
>             }
>         }
>     }
> }
>
> So my VPN traffic is redundant on both the links or not?
>
> As my M7i and SSG550 firewall is connected through /29 public IP subnet
> and both the internet links is of /30 subnet.
>
> Regards
>
> M.Rehan
>
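The link selection described in the reply at the top of this thread, as an added illustration that is not part of the original messages: a hash over source IP, destination IP and incoming ifIndex picks one of the live links, so a VPN with a single pair of tunnel endpoints stays on one link until that link fails. The hash function (truncated SHA-256) is a stand-in assumption, since the real Junos hash is not given here; the addresses, ifIndex value and link names are constructed.

```python
import hashlib
import ipaddress
from collections import Counter


def pick_link(src, dst, if_index, live_links):
    """Pick a next hop from a hash over layer-3 fields plus incoming ifIndex.

    Stand-in hash (assumption): the first 4 bytes of SHA-256 over the key.
    """
    if not live_links:
        raise ValueError("no live next hops")
    key = (ipaddress.ip_address(src).packed
           + ipaddress.ip_address(dst).packed
           + if_index.to_bytes(4, "big"))
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return live_links[bucket % len(live_links)]


def distribution(flows, live_links):
    """Count how many packets of the given flows land on each link."""
    return Counter(pick_link(s, d, i, live_links) for s, d, i in flows)


# Constructed sample data (documentation address ranges, made-up ifIndex 70).
LINKS = ["isp-a", "isp-b"]
# One IPsec tunnel: every packet carries the same outer src/dst pair.
TUNNEL = [("192.0.2.10", "198.51.100.20", 70)] * 1000
# Many distinct src/dst pairs arriving on the same interface.
DIVERSE = [(f"192.0.2.{h}", f"203.0.113.{h}", 70) for h in range(1, 65)]

if __name__ == "__main__":
    print("single tunnel, both links up:", dict(distribution(TUNNEL, LINKS)))
    print("diverse flows, both links up:", dict(distribution(DIVERSE, LINKS)))
    # One link withdrawn from the forwarding table: the survivor takes it all.
    print("single tunnel, isp-a down:   ", dict(distribution(TUNNEL, ["isp-b"])))
    print("diverse flows, isp-a down:   ", dict(distribution(DIVERSE, ["isp-b"])))
```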