SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX220 - two ISPs -- how to prevent asymmetric return traffic from services

    Posted 06-01-2012 10:45

    * I have a SRX220h cluster with two ISP connections, each providing several IP blocks.

    * I am setting up static NAT to assign services from my internal servers to public IPs provided by one ISP or the other.

    * There is one default route that goes to one of the two ISPs.

     

    This seems to work so far, but I just realized that this probably creates asymmetric routing. Incoming traffic is coming in via whichever ISP provides the particular public IP, but all the return traffic is going out via just the one ISP. Even though the first service I set up on the second ISP seems to work, I think it's not ideal and I would rather that return traffic leave on the interface that it came in on.

     

    On a multihomed Linux box I would create a routing table for each interface and use rules to route to one table or the other based on the source IP of the traffic. That way the server can provide services on each interface without creating asymmetric routing.

     

    How do I do that on the SRX?

     

    --BobG

     

     



  • 2.  RE: SRX220 - two ISPs -- how to prevent asymmetric return traffic from services

    Posted 06-01-2012 12:38
    In order to do that on the SRX, you would create a separate routing-instance of type virtual-router, and place the appropriate internal and external interfaces into each.

    Ron


  • 3.  RE: SRX220 - two ISPs -- how to prevent asymmetric return traffic from services
    Best Answer

    Posted 06-01-2012 15:47

    Hi,

     

    Check this link; it will give you exactly what you need.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223&actp=RSS

     

     

    Regards,

     

    Mohamed Elhariry

     

    JNCIE-M/T # 1059, CCNP & CCIP

     

     

     




  • 4.  RE: SRX220 - two ISPs -- how to prevent asymmetric return traffic from services

    Posted 06-02-2012 13:08

    Thank you both for your replies, particularly the link to the KB.

     

    I am glad to see that adding a routing instance is not as complicated as I first assumed it would be. I was conjuring images of completely separate virtual routers, each with a lot of duplicate config.

     

    Maybe it's the use of the "forwarding" type routing instance that makes it light and easy. This KB shows that it is really similar to what I am already familiar with on a Linux box.

     

    BTW, I also found this KB which is very similar to the one you linked. http://kb.juniper.net/InfoCenter/index?page=content&id=KB23300&cat=OBSOLETE&actp=LIST&smlogin=true

     

    --BobG
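    As an added illustration of the filter-based forwarding approach discussed in the thread (this is a constructed example, not the KB's or any poster's configuration): a "forwarding" routing instance holds a default route toward ISP2, and a firewall filter on the internal interface steers return traffic from a server whose public IP belongs to ISP2 into that instance. Interface names, the ge-0/0/1 trust interface, the RFC 5737 addresses and the instance/filter names are all assumptions.

    ```junos
    # Constructed example: internal server 192.168.10.20 is static-NATed to an ISP2 public IP.
    # The main default route goes to ISP1 (198.51.100.1); traffic sourced from that server
    # is steered to ISP2 (203.0.113.1) so replies leave on the link the requests arrived on.
    set routing-instances ISP2-FBF instance-type forwarding
    set routing-instances ISP2-FBF routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
    # Share inet.0's directly connected (interface) routes into the forwarding instance;
    # without this the instance cannot resolve the ISP2 next hop or reach local subnets.
    set routing-options interface-routes rib-group inet FBF-RIB
    set routing-options rib-groups FBF-RIB import-rib [ inet.0 ISP2-FBF.inet.0 ]
    set routing-options static route 0.0.0.0/0 next-hop 198.51.100.1
    # Filter on the internal (trust) interface. Firewall filters are evaluated before
    # NAT, so match the server's private address, not its public static-NAT address.
    set firewall family inet filter FBF-RETURN term via-isp2 from source-address 192.168.10.20/32
    set firewall family inet filter FBF-RETURN term via-isp2 then routing-instance ISP2-FBF
    # Everything else follows the main table (default route to ISP1).
    set firewall family inet filter FBF-RETURN term default then accept
    set interfaces ge-0/0/1 unit 0 family inet filter input FBF-RETURN
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
    ```

    After committing, `show route table ISP2-FBF.inet.0` should list both the ISP2 default route and the interface routes imported by the rib-group; if the interface routes are missing, traffic sent to the instance will be dropped rather than forwarded.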



  • 5.  RE: SRX220 - two ISPs -- how to prevent asymmetric return traffic from services

    Posted 06-04-2012 09:50

    I am wondering now about traffic generated by the SRX, i.e. services it provides like a VPN tunnel. If the SRX service is on ISP1, the return traffic should be on ISP1, and likewise for ISP2. I think the config in the KBs mentioned above will only cover traffic that passes through the SRX. I don't think there is a place to put a firewall filter that will apply to the return traffic generated by the SRX. Is there? 

     

    Is that why, ron@mandstech.com, you suggested using router instances of "virtual router" instead of "forwarding"?  Does anybody know of  a KB that covers this use of "virtual router" routing instances?

     

    --BobG