[j-nsp] Policy based routing on SRX 210

Pavel Lunin plunin at senetsy.ru
Fri Oct 1 03:47:47 EDT 2010


Hi Bikash,

In addition to everything, you also have to keep in mind that SRX is a
stateful device and performs a reverse route lookup when establishing a new
session. Unfortunately you can't enable something like "use the iface and
mac address from where the packet came" for traffic in the backward direction.

Be aware of this, because in some cases of FBF the reverse route will point
to a different interface than the first packet came through, and such an
asymmetric scheme is something to be very carefully planned when you use
stateful devices.

If this happens you first must have both of the interfaces in the same
security zone; second, if you use NAT, it's not bad to think of which IPs
the packets will have and which ISPs they go to. I did not look deeply into
your config, maybe it's not your case, but just keep in mind that if you
send packets to ISP1 with a src-ip dedicated by ISP2, you have a quite good
chance to be blocked by the uRPF check of ISP1.

--
Regards,
Pavel
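The following Junos configuration is an added illustration of the two points made in the message above (both ISP-facing interfaces in one security zone, and source NAT chosen per egress interface so packets never leave ISP1's link carrying ISP2's address); it is not part of the original post or of the poster's config. Interface names, the LAN prefix, and the ISP addresses (RFC 5737 documentation ranges) are assumptions.

```junos
/* Added illustration, not from the original message.
   Assumed layout: ISP1 on ge-0/0/0.0 (198.51.100.2/30, gateway 198.51.100.1),
   ISP2 on ge-0/0/1.0 (203.0.113.2/30, gateway 203.0.113.1),
   LAN on ge-0/0/2.0 (192.168.1.1/24). Hosts in 192.168.1.128/25 are sent
   out via ISP2 by FBF; everything else follows inet.0 (ISP1). */

interfaces {
    ge-0/0/0 { unit 0 { family inet { address 198.51.100.2/30; } } }
    ge-0/0/1 { unit 0 { family inet { address 203.0.113.2/30; } } }
    ge-0/0/2 {
        unit 0 {
            family inet {
                filter { input fbf-select-isp; }   /* FBF applied on LAN ingress */
                address 192.168.1.1/24;
            }
        }
    }
}

routing-options {
    static { route 0.0.0.0/0 next-hop 198.51.100.1; }   /* default: ISP1 */
    /* copy interface (direct) routes into the FBF instance so the LAN
       prefix also resolves in isp2.inet.0 for return traffic */
    interface-routes { rib-group inet fbf-rib; }
    rib-groups { fbf-rib { import-rib [ inet.0 isp2.inet.0 ]; } }
}

routing-instances {
    isp2 {
        instance-type forwarding;
        routing-options { static { route 0.0.0.0/0 next-hop 203.0.113.1; } }
    }
}

firewall {
    family inet {
        filter fbf-select-isp {
            term lan-hosts-via-isp2 {
                from { source-address { 192.168.1.128/25; } }
                then { routing-instance isp2; }
            }
            term everything-else { then accept; }   /* stays in inet.0: ISP1 */
        }
    }
}

security {
    zones {
        security-zone trust {
            interfaces { ge-0/0/2.0; }
        }
        /* both ISP links in ONE zone: when the reverse route lookup for a
           session resolves to the other ISP interface, the session still
           terminates in the same zone and is not dropped as a zone mismatch */
        security-zone untrust {
            interfaces { ge-0/0/0.0; ge-0/0/1.0; }
        }
    }
    nat {
        source {
            /* source NAT keyed on the egress interface: traffic leaving via
               ISP1 carries ISP1's address, traffic leaving via ISP2 carries
               ISP2's, so neither upstream uRPF check sees the other's prefix */
            rule-set lan-to-isp1 {
                from zone trust;
                to interface ge-0/0/0.0;
                rule snat-isp1 {
                    match { source-address 192.168.1.0/24; }
                    then { source-nat { interface; } }
                }
            }
            rule-set lan-to-isp2 {
                from zone trust;
                to interface ge-0/0/1.0;
                rule snat-isp2 {
                    match { source-address 192.168.1.0/24; }
                    then { source-nat { interface; } }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-out {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
    }
}
```

This covers sessions initiated from the LAN: the FBF term picks the exit, and the interface-based source NAT makes the source address match that exit. Sessions initiated from the Internet towards the ISP2 address are exactly the asymmetric case described above, since their replies would follow the inet.0 default via ISP1 with an ISP2 source; those need their own planning, and keeping both interfaces in the shared untrust zone is the precondition for handling them on a stateful SRX.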


More information about the juniper-nsp mailing list