[j-nsp] Multihome SRX650 2 default routes

Chen Jiang ilovebgp4 at gmail.com
Wed Sep 7 08:32:44 EDT 2011


you can use routing-instance to achieve ECMP/NAT in SRX.

On Sun, Aug 28, 2011 at 1:22 AM, Daniel Daloia <daniel.daloia at yahoo.com>wrote:

> If that's true then that's horrible news. The data sheet for the SRX branch
> series lines says that it can do ECMP, but says nothing about mixing it with
> advanced services. This seems so trivial. Going to spend some time in the
> lab.
>
> Thanks!
>
> On Aug 27, 2011, at 3:02 AM, Tim Eberhard <xmin0s at gmail.com> wrote:
>
> > ECMP doesn't work as of today in branch series SRX's if "advanced"
> > security features are enabled such as NAT, IDP, ALG's, and such. The
> > problem is with the flow module and where routing decisions take
> > place.
> >
> > It will work if the both destination interfaces are in the same zone
> > and you're using basic security policies. If you require any form of
> > NAT (which is typical with two ISP links) then this will not load
> > balance across the two paths.
> >
> > I've tested this in my lab and it's a known limitation within Juniper.
> > The forwarding table shows both routes (creating two static default
> > routes will do the trick) then enabling layer 3 load balancing but the
> > routing table will always prefer one route and send traffic down only
> > that route.
> >
> > There are hacks (and not very clean ones to be honest) involving
> > multiple routers one to terminate the inbound traffic and nat it, then
> > the second to do the ECMP. This is not ideal and I wouldn't ever
> > recommend it for a customer environment.
> >
> > Best of luck. I hope the branch guys can get this fixed. ScreenOS has
> > been able to do this for a while. I'm told this may get addressed in
> > 12.1 but nothing is official.
> > -Tim Eberhard
> >
> >
> >
> > On Fri, Aug 26, 2011 at 10:33 AM, Daniel M Daloia Jr
> > <daniel.daloia at yahoo.com> wrote:
> >> Thanks Ben. This would be the case with two separate virtual routers
> since they would have to be in different security zones, which is why I didn't
> think that would work. I would like to keep the firewall in flow mode.
> >>
> >>
> >> I found some information on multipath which I am going to lab up soon. I
> can keep the interfaces in the same security zone if that is the case and
> create a peer group for the two neighbours.
> >>
> >>
> >>
> http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/configuration-statement/multipath-edit-protocols-bgp.html
> >>
> >> Thanks!
> >>
> >>
> >>
> >>
> >> ________________________________
> >> From: Ben Boyd <ben at sinatranetwork.com>
> >> To: Daniel M Daloia Jr <daniel.daloia at yahoo.com>
> >> Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
> >> Sent: Friday, August 26, 2011 10:44 AM
> >> Subject: Re: [j-nsp] Multihome SRX650 2 default routes
> >>
> >>
> >> If you install both routes in the forwarding table you'll probably end
> up dropping a lot of your traffic.
> >>
> >> The SRX is a stateful firewall, so if you sent traffic to one provider
> and got it back on another it would drop the traffic.
> >>
> >> It would be best to do this in a router or to load balance per prefix
> with as path prepending going out and local pref coming in.
> >>
> >> Anyway, here's how you would do it, but be careful.
> >> root# show policy-options
> >> policy-statement TestLBOut {
> >>     then {
> >>         load-balance per-packet;
> >>     }
> >> }
> >>
> >> root# show routing-options
> >> forwarding-table {
> >>     export TestLBOut;
> >> }
> >>
> >>
> >>
> >> Thanks,
> >> Ben Boyd
> >> ----------------------
> >> Sent from my iPhone
> >>
> >> On Aug 25, 2011, at 11:09, Daniel M Daloia Jr <daniel.daloia at yahoo.com>
> wrote:
> >>
> >>
> >> Hi Folks,
> >>>
> >>> Is it possible to install 2 BGP default routes from 2 ISPs to provide
> load balancing with an SRX650 cluster? Both ISPs are same speed. I was
> thinking this may be possible with importing the routes into inet.0 from
> separate virtual routers which have the interfaces facing the 2 ISPs in
> them, but the ISP interfaces would have to be in separate security zones
> which wouldn't agree with the security policy and NAT. Anyone have any ideas
> or can point me to some documentation that will help? I suppose I can buy a
> separate set of routers to run BGP and use an IGP to load balance, but doing
> it with the single cluster would be nice.
> >>>
> >>> Thanks!
> >>> _______________________________________________
> >>> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>>



-- 
BR!



           James Chen
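As an added illustration (not part of the thread, not Juniper's documentation), the pieces Tim and Ben describe put together in one Junos configuration: two static default routes, the per-packet load-balance export policy, and a verification command. The next-hop addresses are constructed documentation addresses; the caveats from the thread (stateful flow drops on asymmetric return traffic, no ECMP with NAT/IDP/ALG on branch SRX) still apply.

```junos
# Two equal-cost static default routes, one per ISP.
# 192.0.2.1 and 198.51.100.1 are constructed placeholder next hops.
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop [ 192.0.2.1 198.51.100.1 ];
        }
    }
    # Without this export the forwarding table keeps only one next hop.
    forwarding-table {
        export TestLBOut;
    }
}

policy-options {
    policy-statement TestLBOut {
        then {
            # Despite the name, this installs all equal-cost next hops;
            # traffic is balanced per flow, not per packet, on modern Junos.
            load-balance per-packet;
        }
    }
}

# Verify both next hops are installed (operational mode):
#   show route forwarding-table destination 0.0.0.0
# With NAT enabled on a branch SRX, expect sessions to still pin to
# one next hop, as Tim describes; check with "show security flow session".
```

Only the `0.0.0.0/0` entry in the forwarding table showing two next hops confirms the export policy took effect; the routing table itself will continue to list a single active route.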