SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Controlling inbound and outbound traffic using BGP

    Posted 04-29-2014 14:10

    I am redesigning a network where there are two SRX650 firewalls at two different locations, each connecting externally to two different ISPs. Internally, the firewalls will be connecting to two EX core switches that comprise a routed core.  I will be peering with each of the service providers using EBGP and want to control the outbound and inbound path of ALL Internet traffic.  I plan to only accept a default route from each of my service providers.  The default route will be advertised into my core switches via OSPF, so my internal network will have two routes out of the network.


    Since these are firewalls, not routers, and they are not being clustered, I can't have traffic exiting through one ISP and entering via the other ISP.  Asymmetric routing, even in a clustered firewall architecture, can be problematic, as I have learned painfully in the past.


    I thought I could set the BGP local-preference to control the outbound path.  If I set the local preference on the preferred ISP configuration to a number higher than 100, the firewalls should share this information via IBGP and make this the preferred outbound path.  And, if I adjust the Community attribute via an export policy, I can control the inbound path that is used.  In the past I have sent a community attribute of 70 to the least preferred ISP.


    Could I alternatively manipulate the OSPF advertisements into my cores to make one default route preferred and use as-path prepend to control inbound routing?  I want dynamic failover of the inbound and outbound path into and out of my network.


    ISP1                             ISP2
     |                                |
     |                                |
    SRX-------------IBGP-------------SRX
     |                                |
    OSPF                             OSPF
     |                                |
    Core1------------OSPF------------Core2


    Regards,
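    The local-preference and community approach described in the question, as an added Junos sketch that is not part of the original post or anyone's production configuration. Every AS number (65000 for the site, 65101 and 65102 for the ISPs), every address (RFC 5737 and RFC 2544 test ranges), the public /23 and the community value 65102:70 are assumptions; the community that actually lowers local-preference at an ISP is whatever that ISP publishes in its routing policy, not a value you pick.

```junos
/* Added example, not from the original post: every AS number, address and
   community value here is an assumption. The isp1 group lives on the SRX
   facing ISP1, the isp2 group on the SRX facing ISP2; the rest is on both. */
routing-options {
    autonomous-system 65000;                      /* assumed site ASN */
    aggregate { route 198.18.0.0/23; }            /* assumed public block, announced to both ISPs */
}
protocols {
    bgp {
        group isp1 {                              /* preferred ISP, eBGP */
            type external;
            peer-as 65101;
            neighbor 203.0.113.1;
            import isp1-in;
            export to-isp1;
        }
        group isp2 {                              /* backup ISP, eBGP, on the other SRX */
            type external;
            peer-as 65102;
            neighbor 198.51.100.1;
            import isp2-in;
            export to-isp2;
        }
        group ibgp {                              /* the two SRXs exchange their defaults here */
            type internal;
            local-address 192.0.2.1;              /* 192.0.2.2 on the other SRX */
            neighbor 192.0.2.2;
            export ibgp-out;
        }
    }
}
policy-options {
    /* Outbound: accept only 0/0 from each ISP. The higher local-preference
       wins on both SRXs once the routes have crossed the iBGP session. */
    policy-statement isp1-in {
        term default {
            from { route-filter 0.0.0.0/0 exact; }
            then { local-preference 200; accept; }
        }
        then reject;
    }
    policy-statement isp2-in {
        term default {
            from { route-filter 0.0.0.0/0 exact; }
            then { local-preference 80; accept; }
        }
        then reject;
    }
    /* Without next-hop self the other SRX would need the ISP link subnet
       in its routing table to use the default at all. */
    policy-statement ibgp-out { then { next-hop self; } }
    /* Inbound: the block goes to ISP1 as-is, prepended and tagged to ISP2.
       The trailing reject also stops one ISP's default leaking to the other. */
    policy-statement to-isp1 {
        term own {
            from { protocol aggregate; route-filter 198.18.0.0/23 exact; }
            then accept;
        }
        then reject;
    }
    policy-statement to-isp2 {
        term own {
            from { protocol aggregate; route-filter 198.18.0.0/23 exact; }
            then {
                as-path-prepend "65000 65000 65000";  /* starting point, to be tuned, not a guarantee */
                community add isp2-lower-pref;        /* assumed ISP2 "local-pref 70" community */
                accept;
            }
        }
        then reject;
    }
    community isp2-lower-pref members 65102:70;       /* assumed; take the real value from ISP2 */
}
```

    Two SRX-specific points to check before committing something like this: the aggregate route only becomes active when a contributing route for part of 198.18.0.0/23 exists in the table, so the public block has to be routed internally (or anchored with a static discard route); and the interfaces carrying the eBGP and iBGP sessions need `bgp` under `host-inbound-traffic protocols` in their security zones, otherwise the sessions never come up.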



  • 2.  RE: Controlling inbound and outbound traffic using BGP

    Posted 05-01-2014 01:39

    Hello,

    I'd give it a stab...


    @CNIDog wrote:

    Could I alternatively manipulate the OSPF advertisements into my cores to make one default route preferred and use as-path prepend to control inbound routing?  I want dynamic failover of the inbound and outbound path into and out of my network.


    I assume You want to announce the 0/0 route coming via eBGP into Your core. Yes, You can manipulate the OSPF route metric; last time I checked on MX with a relatively new JUNOS (12.3ish) the BGP MED was directly translated into the route metric. Don't know if this works on SRX. So assuming this works on SRX, You want to set MED in Your eBGP import policy and then export the eBGP 0/0 into OSPF.

     

    "as-path prepend" is a proven concept and it works until it does not. If the majority of Your traffic goes to, say, Facebook, and crosses 10 ASNs via the primary provider and 2 ASNs via the secondary, then You have to prepend at least 9 times to make the secondary unattractive. So You have to find out where the majority of Your traffic goes to, and how many ASNs it crosses. Then there may be prepends done by Your own ISPs or any ASN in between.

    All in all, there is no rock-solid 100% bulletproof method to control inbound traffic. Even deaggregation (i.e. You announce 198.18.0/23 to secondary ISP and 198.18.0/24+198.18.1/24 to primary) can be broken by someone aggregating in between You and Your traffic destination.

    HTH

    Thanks

    Alex
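    Alex's MED-into-OSPF suggestion, as an added Junos sketch that is not part of his reply. Metric values, the BGP group name, the interface name and the OSPF area are assumptions. Rather than relying on the automatic MED-to-metric translation Alex observed on MX, the OSPF export policy sets the external metric explicitly, and it exports only the default learned directly from this SRX's own eBGP peer, so an SRX whose active 0/0 currently points at the other SRX over iBGP does not re-advertise that route into the core (which would otherwise pull traffic across the SRX-to-SRX link).

```junos
/* Added example, not from the reply: per-SRX OSPF export of the eBGP default.
   Metric values, interface and area are assumptions. Use metric 10 on the SRX
   facing the preferred ISP and 20 on the other; the rest is identical. */
policy-options {
    policy-statement isp-in {
        term default {
            from { route-filter 0.0.0.0/0 exact; }
            then { metric 10; accept; }          /* sets MED; 20 on the backup SRX */
        }
        then reject;
    }
    policy-statement default-to-ospf {
        term ebgp-default {
            from {
                protocol bgp;
                route-type external;             /* only the 0/0 learned from this SRX's own ISP */
                route-filter 0.0.0.0/0 exact;
            }
            then {
                external { type 2; }             /* E2: the cores compare only this metric */
                metric 10;                       /* 20 on the backup SRX */
                accept;
            }
        }
        then reject;                             /* nothing else leaks from BGP into OSPF */
    }
}
protocols {
    bgp {
        group isp { import isp-in; }             /* assumed eBGP group name */
    }
    ospf {
        export default-to-ospf;
        area 0.0.0.0 {
            interface ge-0/0/1.0;                /* assumed link towards the core */
        }
    }
}
```

    With equal local-preference on both SRXs, each one keeps its own eBGP default active (eBGP beats iBGP in the selection, and MEDs from different neighbour ASes are not compared), so both SRXs export 0/0 and the core switches choose on the OSPF E2 metric. When ISP1 goes away, the preferred SRX has no eBGP default left to export, its 0/0 disappears from OSPF and the cores fall back to the other SRX's metric-20 route; that is the dynamic outbound failover the question asks for, without depending on MED at all.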




  • 3.  RE: Controlling inbound and outbound traffic using BGP

    Posted 05-07-2014 05:17

    @CNIDog wrote:

    Since these are firewalls, not routers, and they are not being clustered, I can't have traffic exiting through one ISP and entering via the other ISP.  Asymmetric routing, even in a clustered firewall architecture, can be problematic, as I have learned painfully in the past.

    For this outbound traffic situation, I would set up a different NAT pool for use at each ISP, and only advertise those addresses to that single ISP.  This way, no matter how the traffic finds its way out of your network, there is only one path back to that NAT address.


    Ideally, these outbound NAT addresses would be ones provided by the ISP for that particular link.
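    The per-ISP NAT pool approach from this reply, as an added Junos sketch for the SRX facing ISP1 (not the poster's configuration); the other SRX mirrors it with its own pool and its own ISP. Zone names, the internal 10.0.0.0/8 range, the pool prefix 198.18.0.0/24 and the BGP group name are assumptions. The static discard route anchors the pool prefix in the routing table so the export policy has something to announce, and the policy announces nothing else to this ISP, so return traffic for this pool can only arrive through this SRX.

```junos
/* Added example, not from the reply: one source-NAT pool per ISP, announced
   only to that ISP. Zone names, addresses and the group name are assumptions. */
security {
    nat {
        source {
            pool isp1-snat {
                address { 198.18.0.0/24; }                  /* assumed pool, announced to ISP1 only */
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule snat-internal {
                    match { source-address 10.0.0.0/8; }    /* assumed internal range */
                    then { source-nat { pool { isp1-snat; } } }
                }
            }
        }
    }
}
routing-options {
    static {
        route 198.18.0.0/24 discard;                        /* anchors the pool so BGP can export it */
    }
}
policy-options {
    policy-statement to-isp1 {
        term nat-pool {
            from { protocol static; route-filter 198.18.0.0/24 exact; }
            then accept;
        }
        then reject;                                        /* nothing else: no transit, no other pool */
    }
}
protocols {
    bgp {
        group isp1 { export to-isp1; }                      /* eBGP group defined elsewhere on this SRX */
    }
}
```

    Because the pool is reached through the BGP session's next hop rather than by ARP on the ISP link, no proxy-ARP is needed for the pool addresses. If you follow the reply's preferred option and take the pool out of space the ISP assigned to that link, the ISP already routes it to you and the BGP announcement of the pool usually becomes unnecessary; the discard route still does no harm as a local anchor. Whatever the source of the addresses, check both SRXs with `show security nat source rule all` and `show route advertising-protocol bgp <peer>` to confirm each pool is advertised to exactly one ISP.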