SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  KB15545 Configure J-Series/SRX for dual ISP with exception

    Posted 10-04-2011 01:08

    Looking at the configuration example, I was wondering if I can have several clients always go out to ISP2:

     

    from-zone trust to-zone isp1 {
        policy allow-trust-out-isp1 {
            match {
                source-address any except 192.168.1.192/32;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone isp2 {
        policy allow-trust-out-isp2 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

    So the client with 192.168.1.192 will always use ISP2 to access the internet.

     

    Is this achievable?

     

    Thanks in advance,

     

    Bob



  • 2.  RE: KB15545 Configure J-Series/SRX for dual ISP with exception

    Posted 10-04-2011 11:28

    @APESMA wrote:

    Looking at the configuration example, I was wondering if I can have several clients always go out to ISP2:

     

    < ... cut ... >

     

    So the client with 192.168.1.192 will always use ISP2 to access the internet.

     

    Is this achievable?


    Hi Bob,

     

    This decision would be made with routing, not with security policies.

     

    You would need to set up Filter-Based Forwarding rules to select which traffic you'd like to send out which routes.  FBF can be a little difficult at times, so search around for posts here and KB articles to help get you going.



  • 3.  RE: KB15545 Configure J-Series/SRX for dual ISP with exception

    Posted 10-04-2011 13:39

    Hi Keith,

     

    Thanks for your reply.

     

    I understand that KB17223 provides an example of how to configure FBF for dual ISP. The solution I am after is mainly based on KB15545, with a few exceptions by client IP.

     

    I am new to Junos and not sure if the combined solution (KB15545+KB17223) would be achievable, or if it would make things too complicated.

     

    Regards,

     

    Bob



  • 4.  RE: KB15545 Configure J-Series/SRX for dual ISP with exception
    Best Answer

    Posted 10-04-2011 15:19

    The important thing to remember is that routing decisions can't be made by security policies in the SRX.

     

    KB 15545 takes you through setting up two virtual routing instances to be used for your dual ISPs.  From there, KB 17223 shows an example of using FBF, but it's separating egress traffic based on destination port.  You could use that example to instead build a filter that matches based on your desired internal source IPs and direct that traffic to the appropriate routing instance that you already have configured from KB 15545.
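
    A source-based FBF filter of the kind described in this answer, as an added example that is not part of the original post or of either KB article. The filter name FBF-BY-SOURCE, the routing-instance name ISP2 (standing in for the ISP2 instance already built from KB 15545) and the trust-side interface ge-0/0/0.0 are assumptions; 192.168.1.192 is the client from the first post.

```junos
/* Added example. Assumed names: filter FBF-BY-SOURCE, instance ISP2, interface ge-0/0/0 */
firewall {
    family inet {
        filter FBF-BY-SOURCE {
            /* Exception clients: the route lookup for their packets is done in the ISP2 instance */
            term isp2-clients {
                from {
                    source-address {
                        192.168.1.192/32;
                    }
                }
                then {
                    routing-instance ISP2;
                }
            }
            /* All other sources keep the interface's normal lookup; without this term the filter's implicit discard would drop them */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Applied inbound on the trust-side interface, so it is evaluated before the route lookup */
                filter {
                    input FBF-BY-SOURCE;
                }
                address 192.168.1.254/24;
            }
        }
    }
}
```

    The security policy is evaluated after the route lookup, so the trust-to-isp2 policy still has to permit 192.168.1.192 once the filter steers it there. `show security flow session source-prefix 192.168.1.192/32` shows which egress interface a session from that client actually took.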



  • 5.  RE: KB15545 Configure J-Series/SRX for dual ISP with exception

    Posted 10-04-2011 17:57

    Thanks, I will give it a try.



  • 6.  RE: KB15545 Configure J-Series/SRX for dual ISP with exception

    Posted 11-26-2013 06:00

    In the configuration I see the addresses 192.168.1.1 and 10.10.10.1. The IP addresses of the interfaces are 192.168.1.254 and 10.10.10.254. What devices or interfaces have the addresses 192.168.1.1 and 10.10.10.1?

     

    routing-instances {
        TRUST-VRF {
            instance-type forwarding;
            routing-options {
                static {
                    route 192.168.1.0/24 next-hop 192.168.1.1;
                    route 10.10.10.0/24 next-hop 10.10.10.1;