SRX Services Gateway

SRX cluster with dual ISP routing question

‎11-18-2014 07:33 AM

I am working on a configuration that I believe is possible, but I have not been able to find clarification for one component of the design.  I have an SRX240 cluster with two different service providers and I want to be able to provide internal and external failover.  I have attached a diagram of the configuration.  The following KB article gives me some indication as to what is and is not supported in terms of EX-to-SRX connectivity, but doesn't answer one question: how do I configure the default routing (http://kb.juniper.net/InfoCenter/index?page=content&id=KB22474).  Typically, the EX switches behind the firewall would have a default route that points at the SRX.  But, in this case, there are two different default routes: one via ae1 and one via ae2 (see diagram).  Do I need to use dynamic routing between the trusted EX switches and the SRX firewalls?  Or IP monitoring with route failover?  Or some other mechanism to make this work?

 

Regards,

DAK


Re: SRX cluster with dual ISP routing question

‎11-18-2014 06:35 PM

If the 2 ISP links are terminating on different nodes (ISP1 on Node0 and ISP2 on Node1), cluster failover will not help us. We may need to use the IP-monitoring feature to change the default route on the SRX.

 

I don't understand why you need 2 default routes on the EX switches.

If you can give only one default route on the EX pointing to the SRX and use RPM on the SRX to change routes, the scenario may work.

 

Let me know if I have missed anything here.

 

Thanks,

Suraj

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too


Re: SRX cluster with dual ISP routing question

‎11-20-2014 06:43 AM

So you are not really using an SRX cluster, just have an active box and a backup?  If you set the SRXs as a true cluster you can then have security zones for each ISP connection.  That would also make the routing easier as well.  That may not suit your environment though.  I have 3 ISP connections on our cluster and each one is in a separate zone and then points upstream to an EX switch for each ISP.  I use qualified next hops on the routing for failover and firewall filters to direct source traffic out different ISP connections as needed.
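
The two approaches suggested in the replies (RPM with IP monitoring to swap the default route, and qualified next hops) can be combined on the SRX so the EX switches keep a single default route. The following is an added example, not configuration from the thread's participants. It assumes ISP-facing interfaces named reth1.0 and reth2.0, gateway addresses taken from documentation ranges, and made-up probe and policy names.

```junos
# Constructed example: addresses are RFC 5737 documentation ranges;
# reth1.0/reth2.0 and all probe/policy names are assumptions.
# ISP1 gateway 203.0.113.1 via reth1.0, ISP2 gateway 198.51.100.1 via reth2.0.

# Primary default route via ISP1, with ISP2 as a less-preferred
# qualified next hop. On its own this only fails over when the ISP1
# next hop becomes unresolvable (for example, the interface goes down).
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 198.51.100.1 preference 10

# RPM probe: ping the ISP1 gateway out of the ISP1 interface so that a
# failure beyond the local link is also detected.
set services rpm probe ISP1 test GW-PING probe-type icmp-ping
set services rpm probe ISP1 test GW-PING target address 203.0.113.1
set services rpm probe ISP1 test GW-PING probe-count 5
set services rpm probe ISP1 test GW-PING probe-interval 2
set services rpm probe ISP1 test GW-PING test-interval 10
set services rpm probe ISP1 test GW-PING thresholds successive-loss 5
set services rpm probe ISP1 test GW-PING destination-interface reth1.0
set services rpm probe ISP1 test GW-PING next-hop 203.0.113.1

# IP monitoring: while the probe is failing, install a preferred default
# route via ISP2. The route is withdrawn when the probe recovers.
set services ip-monitoring policy ISP1-FAILOVER match rpm-probe ISP1
set services ip-monitoring policy ISP1-FAILOVER then preferred-route route 0.0.0.0/0 next-hop 198.51.100.1
```

After commit, `show services rpm probe-results` and `show services ip-monitoring status` show whether the probe is passing and whether the failover route is currently installed.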
