SRX Services Gateway

Same subnet static route to two next-hops

‎04-20-2014 05:30 AM

Hi experts,

 

Need your expert opinion. I am deploying two SRX550 firewalls in active/passive for reth0 and reth1 and active/active for ge-0/0/6 (trust) and ge-0/0/7 (untrust). I have attached a sample topology.

 

The active/active interfaces are ge-0/0/6.518 (trust) and ge-0/0/7.621 (untrust) on FWL01 and ge-9/0/6.519 (trust) and ge-9/0/7.622 (untrust) on FWL01.

 

My issue is only with the active/active interfaces.

 

IPs are as below.

FWL01

------------

ge-0/0/6.518(10.11.34.34/30)

ge-0/0/0/7.621(10.25.0.119/24)

 

FWL02

----------------

ge-9/0/6.519(10.11.34.38/30)

ge-0/0/0/7.621(10.25.1.119/24)

 

RTR01

--------

ae1.621(10.25.0.254/24)

 

RTR02

---------

ae1.622(10.25.1.254/24)

 

Now I want to configure a static route on the SRX untrust-vr for the 10.25.0.0/26 subnet towards both RTR gateways, i.e. 10.25.0.254 and 10.25.1.254.

 

But only one static route became active in the routing table, as shown below.

10.25.0.0/16       *[Static/5] 03:00:03
                    > to 10.25.0.254 via ge-0/0/7.621
                      to 10.25.1.254 via ge-9/0/7.622

 

I want to route traffic for this subnet towards both next-hops. I have attached the SRX550 and SSG550 configurations, as we are migrating traffic from the SSG550 to the SRX550.

 

Kindly help. If anything in the topology is ambiguous, let me know.

 


Re: Same subnet static route to two next-hops

‎04-20-2014 09:45 AM

In order to have both next-hops active in the same VR, you would need to enable equal-cost multipath routing, which I believe requires a fairly recent version of 12.1 code.  

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB23417&smlogin=true

 

Ron

JNCIE-SEC #127
JNCIE-ENT #489
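
The equal-cost multipath setup mentioned in the reply above, sketched as an added example; it is not taken from the linked KB article or from the poster's attached configuration. It uses the prefix, next hops and `untrust-vr` instance from the thread; the policy name `ECMP-LB` is hypothetical, and whether both paths are usable across cluster nodes on a given release is an assumption to verify.

```junos
# Constructed example built from the addresses in this thread.

# Static route with both next hops in the untrust-vr routing instance.
set routing-instances untrust-vr routing-options static route 10.25.0.0/16 next-hop 10.25.0.254
set routing-instances untrust-vr routing-options static route 10.25.0.0/16 next-hop 10.25.1.254

# Load-balance policy (ECMP-LB is a hypothetical name).
# Despite the keyword, "per-packet" hashes per flow on most Junos platforms.
set policy-options policy-statement ECMP-LB then load-balance per-packet

# The export is configured under the global routing-options hierarchy,
# not inside the routing instance.
set routing-options forwarding-table export ECMP-LB

# Verification (operational mode).
# "show route" keeps marking a single next hop with ">" even when ECMP works,
# so check the forwarding table for both next hops instead.
show route table untrust-vr.inet.0 10.25.0.0/16
show route forwarding-table destination 10.25.0.0/16 table untrust-vr
```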

Re: Same subnet static route to two next-hops

‎04-24-2014 10:59 AM

Thanks Ron for the recommendation,

 

but our issue is that we want both firewalls to act active/active for both gateways. Our current configuration on the SSG firewalls is as below,

 

as we have not configured NSRP for these interfaces, i.e. no vsd.

FWL01:

set route 10.25.0.0/16 interface ethernet0/1.2 gateway 10.25.0.254

 

FWL02:

set route 10.25.0.0/16 interface ethernet0/1.3 gateway 10.25.1.254

 

Both gateways in the SSG are working as active, as the interfaces are mentioned in the static routes.

 

Now in the SRX we have configured both routes in untrust-vr, but currently one route is active and the other passive.

 

10.25.0.0/16       *[Static/5] 02:46:20
                            > to 10.25.0.254 via ge-0/0/7.621
                               to 10.25.1.254 via ge-9/0/7.622

 

We want traffic from the 10.25.1.0 subnet to be forwarded to gateway 10.25.1.254, and 10.25.0.0/24 should leave via gateway 10.25.0.254, and vice versa.
