SRX Services Gateway

Dual Load balance and Source base route

‎01-22-2019 05:59 AM

Dear All,

I am a beginner in Juniper FW. Now I am using SRX340 and failover clustering.

I have two ISP links. So I want one network (1.1.10.0/24) to always use ISP 1 and the rest to use ISP 2.

 

ISP1----->|                                         |--------1.1.10.0/24
          |-----SRX340 cluster---->L3 Switches------|
ISP2----->|                                         |---------other networks

 

I also have a default route in the L3 switches because I have connected one cable from the L3 switch to the SRX firewall.

How should I do source-based routing for my design? Please give me some sample links.


Re: Dual Load balance and Source base route

‎01-22-2019 03:33 PM

In Junos the operation is referred to as FBF - Filter Based Forwarding - as it can be used for any criteria, not just the source address. This is a general KB on how to steer traffic between two ISPs using FBF.

In your case you will simply substitute the port steering in the example with a match on source IP address instead.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Dual Load balance and Source base route

‎01-25-2019 08:55 AM

Hi,

Please let me know whether my configuration below is wrong, because it doesn't work. All traffic from my network is using 1.1.1.1 (ISP). Why? Where is it wrong?

 

interfaces {
    reth3 {
        unit 0 {
            family inet {
                filter {
                    input DEMO-ISP;
                }
                address 192.168.10.128/24;
            }
        }
    }
}
firewall {
    family inet {
        filter DEMO-ISP {
            term 0 {
                from {
                    source-address {
                        10.1.10.0/24;
                    }
                }
                then {
                    routing-instance DEMO-ROUTER;
                }
            }
            term 1 {
                then accept;
            }
        }
    }
}
routing-instances {
    DEMO-ROUTER {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.1.1.1;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet DEMO-ROUTER;
    }
    static {
        route 0.0.0.0/0 next-hop 2.2.2.1;
    }
    rib-groups {
        DEMO-ROUTER {
            import-rib [ inet.0 DEMO-ROUTER.inet.0 ];
        }
    }
}

 


Re: Dual Load balance and Source base route

‎01-25-2019 03:12 PM

Are you sure the packets are crossing the reth3.0 interface?

Add the count parameter to the filter to verify it is being seen and tracked.

 

https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-stateless-example-c...

 

Also do a show route to verify that the forwarding instance route is up, active and installed in the table, and that the next hop is reachable to the instance.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Dual Load balance and Source base route

‎01-25-2019 10:47 PM

Hello,

Given the constraints (SRX does routing but then L3 switch also does routing along its 0.0.0.0/0 route) this is impossible to achieve with CONFIGURATION ON SRX ONLY.

You also need to configure the L3 switch to do source-based/PBR/FBF/whatever acronym this L3 switch vendor uses for its flavor of routing "other than longest dest.ip match".

Otherwise whatever SRX does with packet forwarding will be overridden by L3 switch action.

HTH

Thx

Alex


Re: Dual Load balance and Source base route

‎01-26-2019 03:35 AM

Hi, I am using an L3 switch with a default route 0.0.0.0/0 to the firewall reth3.0 IP.

I applied my filter to firewall reth3 but it shows the filter is inactive; please see the message below. I tried to apply it to another physical interface with an L2 switch, but it doesn't work.

 

root@FW1_NETe2Asia# show
description INTERNAL_NET;
redundant-ether-options {
    redundancy-group 1;
}
unit 0 {
    family inet {
        filter {
            inactive: input RoutePath;
        }
        address 10.1.7.2/29;
    }
}

{primary:node0}[edit interfaces reth3]
root@FW1_NETe2Asia#


Re: Dual Load balance and Source base route

‎01-26-2019 02:47 PM

The inactive flag means the configuration is present but not in use. To turn it back on you use activate, and you turn it off using deactivate.

 

activate interfaces reth3 unit 0 family inet filter input

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
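
An added example, not written by any poster in this thread: a small Python model of the filter-based forwarding decision discussed above, run over a constructed `show configuration | display set` rendering of the thread's configuration with the input filter deactivated on reth3. The function names and the sample are assumptions for illustration, and only default routes are modelled; it shows that while the filter is inactive every source follows the inet.0 default route.

```python
import ipaddress
import re

# Constructed sample in `show configuration | display set` form, condensed from
# the configurations quoted in this thread; the filter is deactivated on reth3.
SAMPLE = """\
set interfaces reth3 unit 0 family inet filter input DEMO-ISP
deactivate interfaces reth3 unit 0 family inet filter input
set firewall family inet filter DEMO-ISP term 0 from source-address 10.1.10.0/24
set firewall family inet filter DEMO-ISP term 0 then routing-instance DEMO-ROUTER
set firewall family inet filter DEMO-ISP term 1 then accept
set routing-instances DEMO-ROUTER instance-type forwarding
set routing-instances DEMO-ROUTER routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
"""
ATTACH = re.compile(r"(set|deactivate) interfaces (\S+) unit (\d+) family inet filter input ?(\S*)$")
TERM = re.compile(r"set firewall family inet filter (\S+) term (\S+) "
                  r"(from source-address|then routing-instance|then accept) ?(\S*)$")
ROUTE = re.compile(r"set (?:routing-instances (\S+) )?routing-options static route 0\.0\.0\.0/0 next-hop (\S+)$")

def parse(text):
    """Keep only the statements that decide filter-based forwarding."""
    attach, filters, default = {}, {}, {}
    for line in map(str.strip, text.splitlines()):
        if m := ATTACH.match(line):
            ifl = attach.setdefault(f"{m[2]}.{m[3]}", {"active": True})
            ifl.update({"filter": m[4]} if m[1] == "set" else {"active": False})
        elif m := TERM.match(line):
            term = filters.setdefault(m[1], {}).setdefault(m[2], {"src": [], "instance": None})
            if m[3] == "from source-address":
                term["src"].append(ipaddress.ip_network(m[4]))
            elif m[3] == "then routing-instance":
                term["instance"] = m[4]
        elif m := ROUTE.match(line):
            default[m[1] or "inet.0"] = m[2]   # main table is keyed as inet.0
    return attach, filters, default

def next_hop(cfg, ifl, src):
    """Default-route next hop for a packet from `src` arriving on logical interface `ifl`."""
    attach, filters, default = cfg
    att = attach.get(ifl)
    if not att or not att["active"]:
        return default.get("inet.0")           # no active input filter: inet.0 decides
    addr = ipaddress.ip_address(src)
    for term in filters[att["filter"]].values():   # terms are evaluated in config order
        if not term["src"] or any(addr in net for net in term["src"]):
            return default.get(term["instance"] or "inet.0")
    return None                                # implicit discard at the end of a filter
```

Calling `next_hop(parse(SAMPLE), "reth3.0", "10.1.10.5")` gives the inet.0 next hop; removing the `deactivate` line from the sample sends the same source to the DEMO-ROUTER next hop instead.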