SRX Services Gateway
Contributor
Posts: 32
Registered: ‎10-19-2016

Secondary internet line config


Hi guys, we have two SRX 550s set up with VRRP for failover. We have a main internet line, and it's taken a while for the business to order the second one.

So now I have to get the two working. I think I have most of the config in place, but I just want to check things like VPN tunnels and how they will be routed once the other line is in place.

 

VRRP set up on FW1

set interfaces vlan unit 10 family inet address 10.64.10.2/23 vrrp-group 10 virtual-address 10.64.10.1
set interfaces vlan unit 10 family inet address 10.64.10.2/23 vrrp-group 10 priority 200
set interfaces vlan unit 10 family inet address 10.64.10.2/23 vrrp-group 10 preempt
set interfaces vlan unit 10 family inet address 10.64.10.2/23 vrrp-group 10 accept-data
set interfaces vlan unit 10 family inet address 10.64.10.2/23 vrrp-group 10 track interface ge-0/0/5 priority-cost 100

VRRP set up on FW2

set interfaces vlan unit 10 family inet address 10.64.10.3/23 vrrp-group 10 virtual-address 10.64.10.1
set interfaces vlan unit 10 family inet address 10.64.10.3/23 vrrp-group 10 priority 150
set interfaces vlan unit 10 family inet address 10.64.10.3/23 vrrp-group 10 accept-data

ge-0/0/5 is the interface with the external IP. I'm pretty sure that the VRRP side of things is fine, but what I'm not so sure about is the BGP tunnels that we have to AWS.

 

FW1 BGP config

 

We have two tunnels and to avoid asymmetric routing we have manipulated traffic via prepending the path

 

set protocols bgp group AWS neighbor 169.**.**.193 import AWS1-import
set protocols bgp group AWS neighbor 169.**.**.193 export AWS1-export
set protocols bgp group AWS neighbor 169.**.**.193 peer-as 9059
set protocols bgp group AWS neighbor 169.**.**.193 local-as 65510

set protocols bgp group AWS neighbor 169.**.**.205 export AWS2-export
set protocols bgp group AWS neighbor 169.**.**.205 peer-as 9059
set protocols bgp group AWS neighbor 169.**.**.205 local-as 65510

set policy-options policy-statement AWS1-export term 1 from route-filter 10.64.0.0/16 exact
set policy-options policy-statement AWS1-export term 1 then accept
set policy-options policy-statement AWS1-export then reject
set policy-options policy-statement AWS1-import term 1 from protocol bgp
set policy-options policy-statement AWS1-import term 1 then local-preference 200
set policy-options policy-statement AWS1-import term 1 then accept

set policy-options policy-statement AWS2-export term 1 from route-filter 10.64.0.0/16 exact
set policy-options policy-statement AWS2-export term 1 then as-path-prepend " 65510 65510 "
set policy-options policy-statement AWS2-export term 1 then accept
set policy-options policy-statement AWS2-export then reject

FW2 BGP config

set policy-options policy-statement AWS3-export term 1 from route-filter 10.64.0.0/16 exact
set policy-options policy-statement AWS3-export term 1 then as-path-prepend " 65010 65010 65010 "
set policy-options policy-statement AWS3-export term 1 then accept
set policy-options policy-statement AWS3-export then reject

Any help would be appreciated, as the policy-options side isn't my strong point at the moment.

Distinguished Expert
Posts: 562
Registered: ‎08-23-2015

Re: Secondary internet line config

Hello,

Logically, AWS1-export, AWS2-export & AWS3-export will make sure that the peer will prefer AWS1 over AWS2 over AWS3.

So looks OK to me.

Regards,

Rushi
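As an added example (not code from the thread or from Juniper), the following Python check parses the as-path-prepend lines of the three export policies posted above and works out which advertisement of 10.64.0.0/16 the AWS peer would select by AS-path length, first with both firewalls reachable and then with only FW2 up. It also flags that AWS3-export prepends 65010 while the neighbours use local-as 65510; it assumes FW2 uses the same local-as as FW1, which the thread does not show.

```python
import re

LOCAL_AS = 65510  # local-as on the FW1 neighbours in the thread; assumed the same on FW2
POLICY_OWNER = {"AWS1-export": "FW1", "AWS2-export": "FW1", "AWS3-export": "FW2"}

# Prepend lines copied from the posted export policies (constructed sample input).
CONFIG_LINES = [
    'set policy-options policy-statement AWS2-export term 1 then as-path-prepend " 65510 65510 "',
    'set policy-options policy-statement AWS3-export term 1 then as-path-prepend " 65010 65010 65010 "',
]
PREPEND_RE = re.compile(r'policy-statement (\S+) term \d+ then as-path-prepend "([^"]*)"')


def parse_prepends(lines=CONFIG_LINES):
    """Map each export policy to the ASNs it prepends (empty list when it does not prepend)."""
    prepends = {name: [] for name in POLICY_OWNER}
    for line in lines:
        m = PREPEND_RE.search(line)
        if m:
            prepends[m.group(1)] = [int(asn) for asn in m.group(2).split()]
    return prepends


def peer_as_paths(active_firewalls, lines=CONFIG_LINES):
    """AS_PATH the AWS side receives from each tunnel whose firewall is up:
    the prepended ASNs plus the local AS added on every eBGP announcement."""
    return {name: asns + [LOCAL_AS]
            for name, asns in parse_prepends(lines).items()
            if POLICY_OWNER[name] in active_firewalls}


def best_path(paths):
    """Shortest AS_PATH wins when LOCAL_PREF, origin and MED tie; name breaks ties."""
    return min(paths, key=lambda name: (len(paths[name]), name))


def prepend_mismatches(lines=CONFIG_LINES):
    """Policies that prepend an ASN other than the local AS; worth double-checking."""
    return [name for name, asns in parse_prepends(lines).items()
            if any(asn != LOCAL_AS for asn in asns)]


if __name__ == "__main__":
    print(best_path(peer_as_paths({"FW1", "FW2"})))  # AWS1-export
    print(best_path(peer_as_paths({"FW2"})))         # AWS3-export
    print(prepend_mismatches())                      # ['AWS3-export']
```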

Contributor
Posts: 32
Registered: ‎10-19-2016

Re: Secondary internet line config

Thanks for taking the time to reply.

My only other question is: if AWS1 and AWS2 are on FW01 and that goes down, will AWS3 on FW02 automatically take over?