11-01-2010 10:24 AM
I am having a hard time finding direct step by step instructions on how to configure load balancing with my SSG-140. Is it even possible?
I have an ADSL connection and a T1 Connection. The ADSL is new and that is what we are using right now; however, we are still in contract for another year on our T1 and I would like to make use of it with Load Balancing if possible. The assumption here is that if I can get load balancing configured with the T1 and the ADSL that after the T1 contract expires we can replace it with another ADSL line.
Some sites have talked about policy based routing where I select what type of traffic I want to send over each interface, but a true load balancer would be nice if the Juniper can do it.
If anyone can point me to a good source of documentation that would be greatly appreciated or if you have any suggestions on how I can make this work the best that would also be appreciated.
11-02-2010 03:57 AM
True load balancing is not in the SSG feature set. But you can get an approximation of this by setting up both internet services with a default route that has the same metric and preference. The firewall will then round-robin the connections that use these two services.
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6
11-02-2010 05:56 AM
Do you use BGP and your own IP addresses?
Then you could perhaps use BGP to decide on IP level what goes where.
Else divide services up per ISP.
JNCIS-ENT, FWV, SEC, SA, WLAN
11-02-2010 06:04 AM
You should also enable Equal Cost Multipath for this to work:
set vrouter <name> max-ecmp-routes 2 (up to 4 routes with the same pref/metric are supported).
I do not recommend using ECMP on the NATted connections, because:
"When ECMP is enabled and the outgoing interfaces are different and in NAT mode (apparently they mean not the interface mode but NAT as such. EC), applications, such as HTTP, that create multiple sessions will not work correctly. Applications, such as telnet or SSH, that create one session should work correctly." (C&E, Routing)
"If the outgoing interfaces do not belong to the same zone and the return packet goes to a zone other than the intended one, a session match cannot occur and the traffic may not go through." (C&E, Routing)
I would recommend using both connections as an Active/Standby with some load sharing using SBR (it is simpler) and/or PBR.
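
The following is an added example, not part of any post in this thread and not ScreenOS code: a small Python model of the caveat quoted above, comparing per-session round robin over two equal-cost default routes with source-based route selection. The link names, NAT addresses, subnets and sessions are constructed, and the strict per-session alternation is an assumption taken from the thread's description.

```python
import ipaddress
from itertools import cycle

# Constructed egress links: name -> NAT source address (documentation ranges).
LINKS = {"adsl": "198.51.100.10", "t1": "203.0.113.10"}

# Constructed source-based routing table: inside subnet -> egress link.
SBR_TABLE = {"10.1.1.0/24": "adsl", "10.1.2.0/24": "t1"}

# Constructed sessions: (inside client, destination, destination port).
SESSIONS = [
    ("10.1.1.20", "192.0.2.80", 443),  # browser, session 1
    ("10.1.1.20", "192.0.2.80", 443),  # browser, session 2
    ("10.1.1.20", "192.0.2.80", 443),  # browser, session 3
    ("10.1.2.30", "192.0.2.22", 22),   # single SSH session
]

def ecmp_round_robin(sessions):
    """Assign each new session to the next equal-cost route in turn."""
    next_link = cycle(LINKS)
    return [(s, next(next_link)) for s in sessions]

def source_based(sessions):
    """Pick the egress link from the client's source subnet."""
    assigned = []
    for s in sessions:
        src = ipaddress.ip_address(s[0])
        link = next(name for net, name in SBR_TABLE.items()
                    if src in ipaddress.ip_network(net))
        assigned.append((s, link))
    return assigned

def split_flows(assignments):
    """Return client/server pairs whose sessions left via more than one NAT address."""
    seen = {}
    for flow, link in assignments:
        seen.setdefault(flow, set()).add(LINKS[link])
    return {flow: sorted(addrs) for flow, addrs in seen.items() if len(addrs) > 1}

if __name__ == "__main__":
    # The multi-session browser flow is split under ECMP; SSH is not.
    print("ECMP:", split_flows(ecmp_round_robin(SESSIONS)))
    # With source-based selection every client keeps one NAT address.
    print("SBR: ", split_flows(source_based(SESSIONS)))
```

A server that ties application state to the client address sees the browser's sessions arrive from two different addresses in the ECMP case, which is the failure the quoted documentation describes.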