SRX Services Gateway

Two Residential circuits SRX failover solution? Possible?

‎12-25-2017 01:57 PM

I currently have 2 different ISPs' residential circuits and one SRX 240 when I work from home.

My goal is to utilize the 2 different carrier circuits for continuous connectivity and/or separate traffic, if possible.

Since they are residential circuits, the SRX receives a DHCP address which it can hold forever as long as the device is on, which it is (with UPS).

1. Can I have a failover solution for two ISPs on the same SRX device? (let's say ISP A on ge0/0 and ISP B on ge0/1)

2. Furthermore, can I route heavy traffic like streaming, music, games, etc. through one circuit and light traffic like VOIP, email, web through the other? (Let's say Zone: Phone, Web, DMZ, LAN, Email)

Any suggestions are greatly appreciated.

Thanks.

Re: Two Residential circuits SRX failover solution? Possible?

‎12-25-2017 08:44 PM

Hi Clubber,

It is possible to have two ISPs terminating on 2 individual interfaces on the SRX by configuring Filter Based Forwarding and have them route different types of traffic. They can also act as primary and backup ISPs, hence providing redundancy.

Please refer to this KB article, which explains this with an example: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

Let me know if you have any queries.


Re: Two Residential circuits SRX failover solution? Possible?

‎12-26-2017 10:25 AM

Hi Folks,

My 2 cents on this…

Please find some interesting pointers:

https://www.safaribooksonline.com/library/view/junos-security/9781449381721/ch01s03.html

Books to read:

Juniper SRX Series: A Comprehensive Guide to Security Services on the SRX Series
By Brad Woodberg, Rob Cameron

Junos Security: A Guide to Junos for the SRX Services Gateways & Security Certification
Authors: Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, and James Quinn

-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL

Re: Two Residential circuits SRX failover solution? Possible?

‎12-26-2017 05:35 PM

It would be nice to have a physical diagram attached to the article KB17223 so one can see how things are connected.

In addition, one must remember that these are DHCP interfaces. If one interface fails, in order to reset the connection one must break the lease with the ISP.

Does the solution require the use of another device like a switch? What's happening here:

fe-0/0/2 {
    unit 0 {
        description ISP1;
        family inet {
            address 10.1.1.1/24;
        }
    }
}
fe-0/0/3 {
    unit 0 {
        description ISP2;
        family inet {
            address 10.2.2.1/24;
        }
    }
}

I am not sure I understand the redundancy aspect in this article, since some traffic is routed on one ISP and the rest on the other. If one ISP goes down, what happens to its traffic?


Re: Two Residential circuits SRX failover solution? Possible?

‎12-26-2017 07:05 PM

With regard to 'In addition, one must remember that these are DHCP interfaces. If one interface fails, in order to reset the connection one must break the lease with the ISP.', this can be accomplished using RPM and FBF as in KB22052.

https://kb.juniper.net/KB22052 - [SRX] IP monitoring with FBF (filter-based forwarding in a dual ISP scenario)

Thanks,
Suraj

Re: Two Residential circuits SRX failover solution? Possible?

‎12-26-2017 08:21 PM

Hi Clubber,

Thanks for your reply. We will integrate a diagram into the KB article to make things clear. I have attached a representational image here.

"Does the solution require the use of another device like a switch? What's happening here:"

Fe-0/0/2 is connected to ISP1's router, an L3 device, and fe-0/0/3 is connected to ISP1's router, which is another physical device. There is no switch required in the upstream direction unless the SRX is an HA cluster.

"I am not sure I understand the redundancy aspect in this article, since some traffic is routed on one ISP and the rest on the other. If one ISP goes down, what happens to its traffic?"

The redundancy aspect is also covered in this configuration by the rib groups. Rib groups help to share routes between the routing instances.

In this example, in the routing instance routing-table-ISP1, the default route points to next-hop 10.1.1.2 (ISP1's gateway IP), which is the most preferred route, and the next preferred route is via 10.2.2.2 (ISP2's gateway IP). So when the interface fe-0/0/2 goes down, the default route will point to 10.2.2.2. Similarly, in routing-table-ISP2 the routing preference is configured for the ISP1 route to take over when fe-0/0/3 goes down.


Re: Two Residential circuits SRX failover solution? Possible?

‎12-27-2017 12:04 AM

Thank you. The diagram helps a lot.

Just to clarify, how does failover work if one circuit goes down, since that same circuit only handles part of the traffic, i.e. 8080 etc.?

Please explain rib groups and their purpose.


Re: Two Residential circuits SRX failover solution? Possible?

‎01-02-2018 01:25 AM

Hi Clubber,

Welcome.

Both your queries are answered by the existence of rib groups in this config sample.

Rib groups are defined to share routes between the routing instances.

In this case there are 3 routing instances involved: one is the default inet.0 and 2 are the configured forwarding instances routing-table-ISP1 and routing-table-ISP2.

Going by the rib-groups in the configuration, we are sharing the interface routes, or the directly connected routes, across all the routing-instance tables. This will ensure that all the routing tables have reachability to both the ISP gateway IPs.

The second point to note is that when you are configuring the default route under both configured forwarding routing instances, you are defining a qualified next hop with a higher preference value of 100. By default the static route will have a preference of 5, which is most preferred.

In routing instance routing-table-ISP1, the default route points to 10.1.1.2 as the most preferred route, and the second preferred route is via 10.2.2.2.

So in a scenario when ISP1 fails, even inside routing-table-ISP1, the second preferred route via 10.1.1.2 will become active, and due to the rib group config there is also the direct route to reach 10.1.1.2. Hence even if the traffic is matching the firewall filter that is routing specific traffic to routing-table-ISP1, the reachability is still via the ISP2 gateway 10.1.1.2.

Hope you were able to understand my explanation. The same logic applies to the second scenario: when ISP2 fails, all traffic will be routed via ISP1.

So the config example will act as a configuration for different applications to use both ISPs as long as both ISP routes are up, and when one of them fails, all the traffic will flow via the active ISP.
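
The rib-group and qualified-next-hop arrangement discussed in this thread, written out as an added example; it is not part of the original posts and is not copied from KB17223. The instance names, gateway addresses and the preference of 100 come from the thread, with 10.2.2.2 as the backup next hop in routing-table-ISP1 as stated in the earlier replies. The rib-group name IMPORT-PHY is an assumption, and the firewall filter that steers traffic into each instance is left out.

```junos
routing-options {
    interface-routes {
        /* IMPORT-PHY is an assumed name for this example */
        rib-group inet IMPORT-PHY;
    }
    rib-groups {
        IMPORT-PHY {
            /* Directly connected routes are copied into every table listed,
               so each instance can resolve both ISP gateways */
            import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
        }
    }
}
routing-instances {
    routing-table-ISP1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    /* ISP1 gateway, default static preference 5 */
                    next-hop 10.1.1.2;
                    /* ISP2 gateway, used once 10.1.1.2 can no longer be
                       resolved because fe-0/0/2 is down */
                    qualified-next-hop 10.2.2.2 {
                        preference 100;
                    }
                }
            }
        }
    }
    routing-table-ISP2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    /* ISP2 gateway, default static preference 5 */
                    next-hop 10.2.2.2;
                    /* ISP1 gateway as backup */
                    qualified-next-hop 10.1.1.2 {
                        preference 100;
                    }
                }
            }
        }
    }
}
```

With this committed, `show route table routing-table-ISP1.inet.0` should list the direct routes for both ISP subnets alongside the static default.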

 

 
