SRX Services Gateway

SRX 210 Dual ISP link load balancing

‎02-23-2012 01:46 AM

Hello,

 

I have one SRX 210 router at a branch office with two ISP links connected to ge-0/0/0 & ge-0/0/1.

 

I need to configure load balancing of all traffic across the two links, and automatic failover: when one link goes down, the traffic can pass through the secondary link automatically.

 

Please guide configuration.

 

 

12 REPLIES 12

Re: SRX 210 Dual ISP link load balancing

‎02-23-2012 09:51 AM

You have two options to do that

 

1. OSPF

2. Real Time Performance Monitoring.

 http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-admin-guid...

 

Decide your option and then we can solve any issues further.

 

Thanks,

Rakesh


Re: SRX 210 Dual ISP link load balancing

‎02-23-2012 10:23 AM

You won't be able to "truly" load balance unless you put the SRX in packet-mode and disable the stateful firewall.

 

  • ISPs will not run OSPF with you, so that's not a choice.
  • RPM is a crude way to accomplish this and will end up being a lot of JUNOS scripting 😕

 

Here's what I do in order to send some traffic out of one interface and other traffic out of the other interface. I set up routes using one or the other as a gateway and have them back each other up.

 

For example:

 

The following configuration will split the internet into 4 subnets and send all traffic for 2 subnets down one link and 2 subnets down another link.


Default Route with failover for gateway of last resort 
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.2.1 preference 9 

 

0.0.0.0 - 63.255.255.255 out of interface #1
set routing-options static route 0/2 next-hop 192.168.1.1
set routing-options static route 0/2 qualified-next-hop 192.168.2.1 preference 9

 

64.0.0.0 - 127.255.255.255 out of interface #2
set routing-options static route 64/2 next-hop 192.168.2.1
set routing-options static route 64/2 qualified-next-hop 192.168.1.1 preference 9

 

128.0.0.0 - 191.255.255.255 out of interface #1
set routing-options static route 128/2 next-hop 192.168.1.1
set routing-options static route 128/2 qualified-next-hop 192.168.2.1 preference 9

 

192.0.0.0 - 255.255.255.255 out of interface #2
set routing-options static route 192/2 next-hop 192.168.2.1
set routing-options static route 192/2 qualified-next-hop 192.168.1.1 preference 9

 

 

You could cut it down further (/3s or /4s), but I've had good success (60-40% load balance) with this strategy.

 

 

-------------------------------------------------------------------------------
Ben Boyd
Sr. Solutions Architect
Integration Partners (http://www.integrationpartners.com)
JNCIE-M, JNCIE-ENT, JNCIP-SEC, JNCIA-EX
Twitter - @ozark46
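
The split described in the post above, generalized to any prefix length (including the /3 and /4 variants it mentions), as an added example that is not part of the original thread. This Python script emits the same kind of `set` lines for two gateways and reports which gateway a destination would use when one is unreachable. The function names `split_routes` and `egress` are hypothetical; the gateway addresses and preference value are the ones from the post.

```python
import ipaddress

WHOLE = ipaddress.ip_network("0.0.0.0/0")


def split_routes(gw1, gw2, split_len=2, backup_pref=9):
    """Junos 'set' lines: alternate /split_len blocks between two ISP gateways,
    each block backed up by the other gateway via qualified-next-hop."""
    if not 1 <= split_len <= 8:
        raise ValueError("split_len must be between 1 and 8")
    # Validate the gateway addresses before emitting any configuration.
    gws = [str(ipaddress.IPv4Address(gw1)), str(ipaddress.IPv4Address(gw2))]
    # Default route first (gateway of last resort), then the specific blocks.
    plan = [(WHOLE, 0)]
    plan += [(net, i % 2) for i, net in enumerate(WHOLE.subnets(new_prefix=split_len))]
    lines = []
    for net, idx in plan:
        base = f"set routing-options static route {net}"
        lines.append(f"{base} next-hop {gws[idx]}")
        # Higher preference value = less preferred, so this is the backup path.
        lines.append(f"{base} qualified-next-hop {gws[1 - idx]} preference {backup_pref}")
    return lines


def egress(dest, gw1, gw2, split_len=2, down=()):
    """Gateway a destination would use, given the gateways currently unreachable."""
    addr = ipaddress.IPv4Address(dest)
    for i, net in enumerate(WHOLE.subnets(new_prefix=split_len)):
        if addr in net:
            # Primary for this block first, then the other gateway as backup.
            order = [gw1, gw2] if i % 2 == 0 else [gw2, gw1]
            for gw in order:
                if gw not in down:
                    return gw
    return None  # both gateways unreachable


if __name__ == "__main__":
    # Constructed run: the /3 split, using the gateways from the post.
    for line in split_routes("192.168.1.1", "192.168.2.1", split_len=3):
        print(line)
    print(egress("8.8.8.8", "192.168.1.1", "192.168.2.1", split_len=3))
```

The backup next hop takes over only when the primary next hop becomes unreachable from the SRX itself (for example, the interface goes down); an outage further upstream still needs a probe such as the RPM option mentioned earlier in the thread.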

Re: SRX 210 Dual ISP link load balancing

‎02-24-2012 03:39 AM

Hi,

 

You could check this link; it is very helpful if you are using a static-default scenario. If using BGP, you also have to adjust BGP attributes like LP and as-path-prepend.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223&actp=RSS

 

Regards,

 

Mohamed Elhariry

 

JNCIE-M/T # 1059, CCNP & CCIP

 


Re: SRX 220 single ISP link

‎06-15-2015 11:54 PM

I require a basic configuration guide with a single ISP; can anyone help me with this? I require a web guide, not CLI.


Re: SRX 220 single ISP link

‎06-15-2015 11:58 PM

My WAN IP is 10.10.10.10/255.255.255.252

and my LAN IP is 192.168.10.0/24. Now I want to pass internet traffic with the help of the Juniper firewall.


Re: SRX 220 single ISP link

‎06-15-2015 11:59 PM

Hello Kajal,

There is no special configuration needed for a single ISP. Just assign the static public IP to the WAN interface and give a static route under [routing-options].

Also, the documentation will be available only for CLI commands. It's difficult to get web instruction KBs.


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: SRX 220 single ISP link

‎06-16-2015 12:00 AM

Hello,

To add to the above update: also create a security policy from LAN to WAN permitting the traffic.

 

Check out this link for basic configurations : http://kb.juniper.net/InfoCenter/index?page=content&id=KB15694


Thanks,
Sam


Re: SRX 220 single ISP link

‎06-16-2015 12:18 AM

Don't forget to add a NAT setup to allow traffic from the LAN to be NATted to the internet.

Marc




Re: SRX 220 single ISP link

‎06-16-2015 12:25 AM

I am new to the security field, so could anyone please help me with a step-by-step configuration guide? I am sorry for asking for this type of help.


Re: SRX 220 single ISP link

‎06-16-2015 12:30 AM

I am facing another problem; please help me, anyone.

I have a 4200 switch and configured 5 VLANs there (172.16.20.1, 30.1 and so on.....), and inter-VLAN communication is OK and working fine. Now the customer requires a new VLAN whose IP is 192.168.1.1, and this network (192.168.1.0/24) should only communicate with the 172.16.20.0/24 network, while the other networks (30.1; 40.1; 50.1) should not communicate with it. How do I configure this on the switch? Please help me......


Re: SRX 220 single ISP link

‎06-16-2015 12:53 AM

 

Hi,

 

For the NAT part:

 

set security nat source rule-set trust from zone trust
set security nat source rule-set trust to zone untrust
set security nat source rule-set trust rule trust-nat match source-address 192.168.10.0/24
set security nat source rule-set trust rule trust-nat match destination-address 0.0.0.0/0
set security nat source rule-set trust rule trust-nat then source-nat interface

 

Security policy from trust to untrust:

 

set security zones security-zone trust address-book address NET-LAN 192.168.10.0/24

 

set security policies from-zone trust to-zone untrust policy default-permit match source-address NET-LAN
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit

Marc



Re: SRX 220 single ISP link

‎06-16-2015 12:54 AM

Can you share the switch config with us so we can have a look at the problems you are facing?

Marc


