[j-nsp] SRX 650 reth interface load balancing

Walaa Abdel razzak walaaez at bmc.com.sa
Thu Mar 17 02:53:14 EDT 2011

Hi Stefan

I was testing the load balance by generating two flows through the
firewall using ping to two different IPs and I was expecting to load
balance each flow on each link as I am using per-packet approach without
modifying the default hash function.


-----Original Message-----
From: Stefan Fouant [mailto:sfouant at shortestpathfirst.net] 
Sent: Wednesday, March 16, 2011 6:35 PM
To: Walaa Abdel razzak; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] SRX 650 reth interface load balancing

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Walaa Abdel razzak
> Sent: Wednesday, March 16, 2011 8:31 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] SRX 650 reth interface load balancing
> I tried to verify load balancing on the reth interface for SRX 650
> connected to a logical router, but I can see that SRX always uses one
> link although we have two physical links between the router and the
> active node and one link between the router and the passive node. I am
> pinging directly from router to the FW. I need to load balance through
> the active links. The configuration is as follows:

How are you testing your load-balancing, Walaa?  Because Juniper uses a
hash algorithm such that traffic matching a given set of constraints
(Source Address, Destination Address, Source Port, Dest Port, incoming
interface) will always hash to the same path.

In order to properly evaluate if the load-balancing is working properly,
you really need to simulate a large number of diverse flows.

> And the load balance policy:
> test at FW1# show routing-options
> forwarding-table {
>     export ECMP;
> }
> test at FW1# show policy-options policy-statement ECMP
> term load-balance {
>     then {
>         load-balance per-packet;
>     }
> }

I already mentioned to you previously that you don't need a load-balance
policy to effect load-balancing on a LAG or RETH interface since these
types of interfaces appear to the system as a single logical interface,
other mechanisms apply.  The above configuration is completely

Stefan Fouant, CISSP, JNCIEx2
GPG Key ID: 0xB4C956EC
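An added example, not part of the original thread: a small simulation of per-flow hashing over two member links, showing why a two-ping test is inconclusive while many diverse flows spread out. SHA-256 stands in for the device's hash (an assumption, the thread does not give the real algorithm), and all addresses, ports and the interface name are constructed.

```python
import hashlib
import ipaddress
from collections import Counter

def pick_link(flow, n_links=2):
    """Map (src, dst, sport, dport, in_if) to a member link index.
    SHA-256 is a stand-in hash (assumption), not the SRX's actual algorithm."""
    src, dst, sport, dport, in_if = flow
    key = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + in_if.encode())
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_links

def link_counts(packets, n_links=2):
    """Packets per member link for a list of per-packet flow tuples."""
    counts = Counter(pick_link(p, n_links) for p in packets)
    return [counts.get(i, 0) for i in range(n_links)]

def ping_flow(dst):
    # ICMP has no ports, so they are modeled as 0. Source and interface are constructed.
    return ("10.0.0.1", dst, 0, 0, "reth0")

def two_ping_test(dst_a, dst_b, packets_each=100):
    """The test described in the thread: pings to two different addresses."""
    return link_counts([ping_flow(dst_a)] * packets_each
                       + [ping_flow(dst_b)] * packets_each)

def same_link_fraction(trials=2000):
    """Fraction of two-ping tests in which both flows share one link."""
    hits = 0
    for i in range(trials):
        a = "10.1.%d.%d" % (i // 250, i % 250 + 1)
        b = "10.2.%d.%d" % (i // 250, i % 250 + 1)
        hits += pick_link(ping_flow(a)) == pick_link(ping_flow(b))
    return hits / trials

def diverse_flows(n=5000):
    """Constructed flows that vary source address and source port."""
    return [("10.3.%d.%d" % (i // 250, i % 250 + 1), "10.0.0.254",
             1024 + i, 443, "reth0") for i in range(n)]

if __name__ == "__main__":
    print("two pings, packets per link:", two_ping_test("192.0.2.1", "192.0.2.2"))
    print("share of two-ping tests stuck on one link:", same_link_fraction())
    print("5000 diverse flows, packets per link:", link_counts(diverse_flows()))
```

With two links, roughly half of all two-flow tests put both flows on the same member, so seeing one busy link in that test says nothing about whether hashing works.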
