06-01-2012 10:44 AM
* I have a SRX220h cluster with two ISP connections, each providing several IP blocks.
* I am setting up static NAT to assign services from my internal servers to public IPs provided by one ISP or the other.
* There is one default route that goes to one of the two ISPs.
This seems to work so far but I just realized that this probably creates asymmetric routing. Incoming traffic is coming in via whichever ISP provides the particular public IP, but all the return traffic is going out via just the one ISP. Even though the first service I set up on the second ISP seems to work, I think it's not ideal and I would rather that return traffic leave on the interface that it came in on.
On a multihomed Linux box I would create a routing table for each interface and use rules to route to one table or the other based on the source IP of the traffic. That way the server can provide services on each interface without creating asymmetric routing.
How do I do that on the SRX?
06-01-2012 12:37 PM
06-01-2012 03:47 PM
Check this link; it will give you exactly what you need.
JNCIE-M/T # 1059, CCNP & CCIP
2* JNCIE (SEC # 159, SP # 1059),JNCIP-ENT
06-02-2012 01:07 PM
Thank you both for your replies, particularly the link to the KB.
I am glad to see that adding a routing instance is not as complicated as I first assumed it would be. I was conjuring images of completely separate virtual routers, each with a lot of duplicate config.
Maybe it's the use of the "forwarding" type routing instance that makes it light and easy. This KB shows that it is really similar to what I am already familiar with on a Linux box.
BTW, I also found this KB which is very similar to the one you linked. http://kb.juniper.net/InfoCenter/index?page=conten
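For readers following the thread, here is a worked Junos configuration of the approach the posts above describe: a `forwarding`-type routing instance holding a second default route, a rib-group that copies the interface (direct) routes into it, and a firewall filter on the trust interface that sends traffic from the server behind the ISP2 public IP into that instance. This is an added example written for this page; it is not from the thread, the Juniper KB, or Juniper. All interface names, addresses, gateways, and the instance and filter names (`ISP2-FWD`, `IMPORT-DIRECT`, `FROM-TRUST`) are assumed placeholders. It uses plain `ge-` interfaces for brevity; on a chassis cluster like the poster's SRX220h the ISP-facing and trust interfaces would normally be `reth` interfaces instead.

```junos
/* Added example, not the thread's or Juniper's own configuration.
   Assumed layout:
     ge-0/0/0.0  faces ISP1, gateway 203.0.113.1 (inet.0 default route)
     ge-0/0/1.0  faces ISP2, gateway 198.51.100.1
     ge-0/0/2.0  trust side, 10.0.0.0/24
     10.0.0.10   internal server that static NAT exposes on an ISP2 public IP */

routing-options {
    static {
        /* main table: default route via ISP1, as in the original post */
        route 0.0.0.0/0 next-hop 203.0.113.1;
    }
    interface-routes {
        /* copy the directly connected routes into the forwarding instance,
           otherwise the ISP2 next-hop is unresolvable inside it */
        rib-group inet IMPORT-DIRECT;
    }
    rib-groups {
        IMPORT-DIRECT {
            import-rib [ inet.0 ISP2-FWD.inet.0 ];
        }
    }
}

routing-instances {
    ISP2-FWD {
        /* forwarding type: only a separate route table, no separate
           interfaces or protocols, which keeps the config small */
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 198.51.100.1;
            }
        }
    }
}

firewall {
    family inet {
        filter FROM-TRUST {
            term to-isp2 {
                from {
                    /* match the server's real (pre-NAT) address: an input
                       filter on the trust interface sees the packet before
                       static NAT rewrites the source to the public IP */
                    source-address 10.0.0.10/32;
                }
                then {
                    routing-instance ISP2-FWD;
                }
            }
            term default {
                /* everything else stays in inet.0 and leaves via ISP1 */
                then accept;
            }
        }
    }
}

interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input FROM-TRUST;
                }
                address 10.0.0.1/24;
            }
        }
    }
}
```

Two things worth checking after committing. First, confirm the instance has usable routes with `show route table ISP2-FWD.inet.0`; if the rib-group is missing, the default route shows as unresolved and the filter silently has no effect. Second, confirm the steering actually took for an inbound-initiated connection with `show security flow session` for the server's service port: the session's return wing should list the ISP2-facing interface, not ISP1. As the next post in the thread notes, an interface input filter only sees transit traffic; it does not affect traffic the SRX itself originates, so services hosted on the SRX are a separate question from the one this example addresses.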
06-04-2012 09:49 AM
I am wondering now about traffic generated by the SRX, i.e. services it provides like a VPN tunnel. If the SRX service is on ISP1, the return traffic should be on ISP1, and likewise for ISP2. I think the config in the KBs mentioned above will only cover traffic that passes through the SRX. I don't think there is a place to put a firewall filter that will apply to the return traffic generated by the SRX. Is there?
Is that why, email@example.com, you suggested using router instances of "virtual router" instead of "forwarding"? Does anybody know of a KB that covers this use of "virtual router" routing instances?