[j-nsp] Multihome SRX650 2 default routes

Tim Eberhard xmin0s at gmail.com
Wed Sep 7 08:51:54 EDT 2011


Yes, my apologies if I wasn't clear in my original email. The "hack"
involved to get ECMP and any real security functionality working with
the SRX involves multiple virtual routers.

On Wed, Sep 7, 2011 at 7:32 AM, Chen Jiang <ilovebgp4 at gmail.com> wrote:
> you can use routing-instance to achieve ECMP/NAT in SRX.
>
> On Sun, Aug 28, 2011 at 1:22 AM, Daniel Daloia <daniel.daloia at yahoo.com>
> wrote:
>>
>> If that's true then that's horrible news. The data sheet for the SRX
>> branch series line says that it can do ECMP, but says nothing about mixing
>> it with advanced services. This seems so trivial. Going to spend some time
>> in the lab.
>>
>> Thanks!
>>
>> On Aug 27, 2011, at 3:02 AM, Tim Eberhard <xmin0s at gmail.com> wrote:
>>
>> > ECMP doesn't work as of today in branch series SRXs if "advanced"
>> > security features are enabled such as NAT, IDP, ALGs, and such. The
>> > problem is with the flow module and where routing decisions take
>> > place.
>> >
>> > It will work if both destination interfaces are in the same zone
>> > and you're using basic security policies. If you require any form of
>> > NAT (which is typical with two ISP links) then this will not load
>> > balance across the two paths.
>> >
>> > I've tested this in my lab and it's a known limitation within Juniper.
>> > The forwarding table shows both routes (creating two static default
>> > routes and then enabling layer 3 load balancing will do the trick), but
>> > the routing table will always prefer one route and send traffic down only
>> > that route.
>> >
>> > There are hacks (and not very clean ones to be honest) involving
>> > multiple routers: one to terminate the inbound traffic and NAT it, then
>> > the second to do the ECMP. This is not ideal and I wouldn't ever
>> > recommend it for a customer environment.
>> >
>> > Best of luck. I hope the branch guys can get this fixed. ScreenOS has
>> > been able to do this for a while. I'm told this may get addressed in
>> > 12.1 but nothing is official.
>> > -Tim Eberhard
>> >
>> >
>> >
>> > On Fri, Aug 26, 2011 at 10:33 AM, Daniel M Daloia Jr
>> > <daniel.daloia at yahoo.com> wrote:
>> >> Thanks Ben. This would be the case with two separate virtual routers
>> >> since they would have to be in different security zones, which is why I didn't
>> >> think that would work. I would like to keep the firewall in flow mode.
>> >>
>> >>
>> >> I found some information on multipath which I am going to lab up soon.
>> >> I can keep the interfaces in the same security zone if that is the case and
>> >> create a peer group for the two neighbours.
>> >>
>> >>
>> >>
>> >> http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/configuration-statement/multipath-edit-protocols-bgp.html
>> >>
>> >> Thanks!
>> >>
>> >>
>> >>
>> >>
>> >> ________________________________
>> >> From: Ben Boyd <ben at sinatranetwork.com>
>> >> To: Daniel M Daloia Jr <daniel.daloia at yahoo.com>
>> >> Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
>> >> Sent: Friday, August 26, 2011 10:44 AM
>> >> Subject: Re: [j-nsp] Multihome SRX650 2 default routes
>> >>
>> >>
>> >> If you install both routes in the forwarding table you'll probably end
>> >> up dropping a lot of your traffic.
>> >>
>> >> The SRX is a stateful firewall, so if you sent traffic to one provider
>> >> and got it back on another it would drop the traffic.
>> >>
>> >> It would be best to do this in a router or to load balance per prefix
>> >> with as path prepending going out and local pref coming in.
>> >>
>> >> Anyway, here's how you would do it, but be careful.
>> >> root# show
>> >> policy-statement TestLBOut {
>> >>     then {
>> >>         load-balance per-packet;
>> >>     }
>> >> }
>> >>
>> >> root# show routing-options
>> >> forwarding-table {
>> >>     export TestLBOut;
>> >> }
>> >>
>> >>
>> >>
>> >> Thanks,
>> >> Ben Boyd
>> >> ----------------------
>> >> Sent from my iPhone
>> >>
>> >> On Aug 25, 2011, at 11:09, Daniel M Daloia Jr <daniel.daloia at yahoo.com>
>> >> wrote:
>> >>
>> >>
>> >>> Hi Folks,
>> >>>
>> >>> Is it possible to install 2 BGP default routes from 2 ISPs to provide
>> >>> load balancing with an SRX650 cluster? Both ISPs are same speed. I was
>> >>> thinking this may be possible with importing the routes into inet.0 from
>> >>> separate virtual routers which have the interfaces facing the 2 ISPs in
>> >>> them, but the ISP interfaces would have to be in separate security zones
>> >>> which wouldn't agree with the security policy and NAT. Anyone have any ideas
>> >>> or can point me to some documentation that will help? I suppose I can buy a
>> >>> separate set of routers to run BGP and use an IGP to load balance, but doing
>> >>> it with the single cluster would be nice.
>> >>>
>> >>> Thanks!
>> >>> _______________________________________________
>> >>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> >>>
>> >>
>>
>
>
>
> --
> BR!
> James Chen
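To make Ben's point about asymmetric return traffic concrete, here is an added toy model of a zone-based flow firewall; it is not code from the thread and not Junos configuration. Sessions record the interface each direction is expected on, so a reply that comes back through the other ISP link matches no session wing and is evaluated as a brand-new untrust-to-trust flow, which the policy drops. Interface names, zones, addresses and the route lookup are all constructed for the example.

```python
from typing import Callable, NamedTuple

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    def reverse(self) -> "Pkt":
        return Pkt(self.dst, self.dport, self.src, self.sport, self.proto)

class FlowFirewall:
    """Toy SRX-style flow module: route lookup and zone policy happen on the
    first packet only; every later packet must match a session wing."""

    def __init__(self, zone_of: dict, route: Callable[[str], str], allowed: set):
        self.zone_of = zone_of   # interface name -> security zone
        self.route = route       # destination address -> egress interface (constructed lookup)
        self.allowed = allowed   # permitted (from_zone, to_zone) pairs
        self.wings = {}          # (5-tuple, ingress interface) -> session id
        self.sessions = 0

    def process(self, pkt: Pkt, ingress: str) -> str:
        key = (pkt, ingress)
        if key in self.wings:                      # fast path: existing session wing
            return "forward (session %d)" % self.wings[key]
        egress = self.route(pkt.dst)               # slow path: first packet of a flow
        pair = (self.zone_of[ingress], self.zone_of[egress])
        if pair not in self.allowed:
            return "drop (no policy %s->%s)" % pair
        self.sessions += 1
        self.wings[key] = self.sessions
        # The reverse wing pins the reply to the interface the flow left on.
        self.wings[(pkt.reverse(), egress)] = self.sessions
        return "forward (session %d)" % self.sessions

def demo() -> tuple:
    """Constructed scenario: LAN on ge-0/0/0, ISP A on ge-0/0/1, ISP B on ge-0/0/2."""
    zone_of = {"ge-0/0/0": "trust", "ge-0/0/1": "untrust", "ge-0/0/2": "untrust"}
    route = lambda dst: "ge-0/0/0" if dst.startswith("10.") else "ge-0/0/1"
    fw = FlowFirewall(zone_of, route, allowed={("trust", "untrust")})
    out = Pkt("10.0.0.5", 40000, "203.0.113.10", 443, "tcp")
    via_a = fw.process(out, "ge-0/0/0")             # outbound, leaves via ISP A
    back_a = fw.process(out.reverse(), "ge-0/0/1")  # reply on ISP A matches the wing
    back_b = fw.process(out.reverse(), "ge-0/0/2")  # reply on ISP B: no wing, new untrust->trust flow
    return via_a, back_a, back_b
```

Calling `demo()` returns the three verdicts in order; the third is the drop Ben warns about, even though the policy permits the original direction.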


