SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  isp redundancy

    Posted 06-12-2013 01:35

    Hi,

     

    I am trying to configure load balancing between 2 ISPs on an SRX 650; one must be active and the other in backup.

    I found a lot of configuration examples in the KB, but I want to understand the concept of load balancing on the SRX

    and how to configure it step by step. For example, I didn't understand what we should start with (routing instance, filter-based, ...).

    Can anyone please explain it to me step by step?

     

    Thanks in advance

     

    best regards



  • 2.  RE: isp redundancy

    Posted 06-12-2013 01:42

    And I also want to know what the goal of creating the inside routing instance is.

     

    routing-instances {
        TRUST-VRF {
            instance-type forwarding;
            routing-options {
                static {
                    route 192.168.1.0/24 next-hop 192.168.1.1;
                    route 10.10.10.0/24 next-hop 10.10.10.1;
                }
            }
        }
        INSIDE {
            instance-type virtual-router;
            interface ge-0/0/0.0;
            interface ge-0/0/1.0;
            routing-options {
                interface-routes {
                    rib-group inet inside;
                }
                static {
                    route 0.0.0.0/0 next-table inet.0;
                }
            }
        }
        ISP2 {
            instance-type virtual-router;
            interface fe-0/0/7.0;
            routing-options {
                interface-routes {
                    rib-group inet inside;
                }



  • 3.  RE: isp redundancy

    Posted 06-12-2013 03:23


  • 4.  RE: isp redundancy

    Posted 06-12-2013 05:49

    Thanks for your reply

     

    I have read this article, but when I read this

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB15545&smlogin=true

     

    I get confused; I didn't understand the configuration steps, knowing that I have the same scenario to configure.

     

     



  • 5.  RE: isp redundancy

    Posted 06-12-2013 06:22

    Hi Sarah,

     

    Are you using a DMZ in your configuration?  The overall setup would all depend on your requirements really.

     

    If you are using a DMZ it will be more complicated, like the KB you posted. 

     

    What part is confusing you?  Also, what is your setup?



  • 6.  RE: isp redundancy

    Posted 06-12-2013 06:41

    Hi,

     

    Well, I have 4 zones: 3 LAN and a DMZ,

    so I have to allow destination NAT for the mag, which is in the DMZ, and the mail server, which is in the LAN.

    All zones should egress out ISP 1 with source NAT, and when ISP 1 goes down they should egress out ISP 2.

     

    What I didn't understand is:

    1- the configuration steps

    2-

    rib-groups {
        inside {
            import-rib [ inet.0 TRUST-VRF.inet.0 INSIDE.inet.0 ISP2.inet.0 ];
        }
    }

    What are inet.0 and inside.inet.0?

     

    3- In the NAT source rule

     nat {
            source {
                rule-set interface-nat-out {
                    from routing-instance INSIDE;
                    to routing-instance [ ISP2 default ];
                    rule interface-nat-out {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }

    Why did he choose routing instance ISP2 default?

     

    4- In the firewall filter

    Why does he select on destination address, why not the source address?

    firewall {
        filter isp1-in {
            term 1 {
                from {
                    destination-address {
                        1.1.1.0/29;
                    }
                }
                then {
                    routing-instance TRUST-VRF;
                }
            }
            term 2 {
                then {
                    accept;
                }
            }
        }
        filter isp2-in {
            term 1 {
                from {
                    destination-address {
                        2.2.2.0/29;
                    }
                }
                then {
                    routing-instance TRUST-VRF;
                }
            }
            term 2 {
                then {
                    accept;
                }
            }
        }


     

    5- In the routing instance, the TRUST-VRF

    I didn't understand why the route is like this

    routing-instances {
        TRUST-VRF {
            instance-type forwarding;
            routing-options {
                static {
                    route 192.168.1.0/24 next-hop 192.168.1.1;
                    route 10.10.10.0/24 next-hop 10.10.10.1;
                }
            }
        }

    And why do we create an inside routing instance?

    Thanks in advance for your help



  • 7.  RE: isp redundancy
    Best Answer

    Posted 06-12-2013 07:19

    2.

    inet.0 is the default routing table and inside.inet.0 is the routing instance linking the DMZ and the internal LAN.  These are basically just the names used to identify each routing table.


    3.

    In the example 1.1.1.1 is the default route and 2.2.2.1 is the backup route with a preference of 10, 7 being the default route preference.  

    The "to routing-instance [ ISP2 default ];" part is basically just saying that traffic destined for either the ISP 2 instance or the ISP 1 instance (which is the default) will be natted.


    4.

    These filters are just catching traffic entering the routing fe5 and fe6 interfaces destined for the ISP IP addresses; it is distributing the traffic into the TRUST-VRF.

    TRUST-VRF is just a virtual routing and forwarding instance and uses the static routes to direct the traffic into the DMZ or Inside zones.

    5.

    As above, this is a Virtual Routing and Forwarding instance. It could be seen as a basic routing table with the routes chosen selecting the next hop for traffic, in your case the Trust and DMZ zones.



    Suggested reading:

    http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-routing/routing-configuring-filter-based-forwarding.html
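
The active/backup default route and the filter attachment discussed in this thread, as an added example that is not part of the original posts or the KB article. It assumes the default route sits in the main routing-options and that fe-0/0/7 (the ISP2 instance interface from post 2) is the ISP 2 uplink; the 2.2.2.2/29 interface address is a constructed value.

```junos
/* Added example; gateways and prefixes follow the 1.1.1.0/29 and 2.2.2.0/29 ranges used in the thread. */
routing-options {
    static {
        route 0.0.0.0/0 {
            /* ISP 1 gateway: no explicit preference, so it is the active next hop */
            next-hop 1.1.1.1;
            /* ISP 2 gateway: preference 10 is less preferred, so it is only the backup */
            qualified-next-hop 2.2.2.1 {
                preference 10;
            }
        }
    }
}
interfaces {
    fe-0/0/7 {
        unit 0 {
            family inet {
                /*
                 * The filter is applied to packets arriving from the ISP.
                 * Their source is an arbitrary Internet host, so the only
                 * stable match is the destination: the public 2.2.2.0/29
                 * range. Matching packets are looked up in TRUST-VRF.
                 */
                filter {
                    input isp2-in;
                }
                /* constructed address inside the ISP 2 range */
                address 2.2.2.2/29;
            }
        }
    }
}
```

The backup next hop takes over only when 1.1.1.1 becomes unreachable from the SRX, for example when the ISP 1 interface goes down; a failure further upstream does not remove the primary route. The ISP 1 uplink gets `input isp1-in` in the same way.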



  • 8.  RE: isp redundancy

    Posted 06-12-2013 08:09

    thank you very much for this useful help 🙂

     

    best regards

     

    sarah