Need your expert opinion. I am deploying two SRX550 firewalls in active/passive for reth0 and reth1 and active/active for ge-0/0/6 (trust) and ge-0/0/7 (untrust). I have attached a sample topology.
For the active/active interfaces, i.e. ge-0/0/6.518 (trust) and ge-0/0/7.621 (untrust) on FWL01 and ge-9/0/6.519 (trust) and ge-9/0/7.622 (untrust) on FWL01.
My issue is only with the active/active interfaces.
IPs are as below.
Now I want to configure a static route on the SRX untrust-vr for the 10.25.0.0/26 subnet towards both RTR gateways, i.e. 10.25.0.254 and 10.25.1.254,
but only one static route became active in the routing table, as shown below.
10.25.0.0/16       *[Static/5] 03:00:03
                    > to 10.25.0.254 via ge-0/0/7.621
                      to 10.25.1.254 via ge-9/0/7.622
I want to route traffic for this subnet towards both next-hops. I have attached the SRX550 and SSG550 configurations, as we are migrating traffic from the SSG550 to the SRX550.
Kindly help. If anything in the topology is ambiguous, let me know.
In order to have both next-hops active in the same VR, you would need to enable equal-cost multipath routing, which I believe requires a fairly recent version of 12.1 code.
Thanks Ron for the recommendation,
but our issue is that we want both firewalls to act active/active for both gateways. Our current configuration on the SSG firewall is as below,
as we have not configured NSRP for these interfaces, i.e. no VSD.
set route 10.25.0.0/16 interface ethernet0/1.2 gateway 10.25.0.254
set route 10.25.0.0/16 interface ethernet0/1.3 gateway 10.25.1.254
Both gateways on the SSG are working as active, as the interfaces are mentioned in the static routes.
Now on the SRX we have configured both routes in untrust-vr, but currently one route is active and the other passive.
10.25.0.0/16       *[Static/5] 02:46:20
                    > to 10.25.0.254 via ge-0/0/7.621
                      to 10.25.1.254 via ge-9/0/7.622
We want traffic from the 10.25.1.0 subnet to be forwarded to gateway 10.25.1.254, and 10.25.0.0/24 should leave via gateway 10.25.0.254, and vice versa.