SRX Services Gateway

dual isp srx550

08-28-2015 11:39 PM

I have this configuration:

int ge-0/0/0 ISP1 200.4.4.4

int ge-0/0/3 TRUST 10.0.0.0/20, user 10.0.0.60/32

int ge-0/0/5 ISP2 110.5.5.5

Can we divide traffic in the trust zone through ISP1 or ISP2?

I have already set up routing instances:

root@NFI-SRX-01# show routing-instances
routing-table-ISP1 {
    instance-type virtual-router;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 200.4.4.4;
                qualified-next-hop 110.5.5.5 {
                    preference 100;
                }
            }
        }
    }
}
routing-table-ISP2 {
    instance-type virtual-router;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 110.5.5.5;
                qualified-next-hop 200.4.4.4 {
                    preference 100;
                }
            }
        }
    }
}

[edit]

root@NFI-SRX-01# show routing-options
interface-routes {
    rib-group inet IMPORT-PHY;
}
static {
    route 0.0.0.0/0 {
        qualified-next-hop 110.5.5.5 {
            metric 15;
        }
        qualified-next-hop 200.4.4.4 {
            metric 10;
        }
    }
}
rib-groups {
    IMPORT-PHY {
        import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
    }
}

[edit]

root@NFI-SRX-01# show firewall
filter CFLOWD {
    term 1 {
        then {
            sample;
            accept;
        }
    }
}
filter FILTER2 {
    term TERM1 {
        from {
            source-address {
                10.0.0.60/32;
            }
        }
        then {
            routing-instance routing-table-ISP2;
        }
    }
    term TERM2 {
        then {
            routing-instance routing-table-ISP1;
        }
    }
    term default {
        then accept;
    }
}

[edit]
root@NFI-SRX-01#

I am trying to force traffic from 10.0.0.60/32 to route via ISP2,

but the actual result is that the traffic goes through ISP1.

What should I do?

For the routing instance, what is the difference between using instance-type virtual-router and forwarding?

Re: dual isp srx550

08-28-2015 11:49 PM

Hi,

You need to do FBF with instance type forwarding.

Not sure if you followed the FBF guide, but here is the Juniper one:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

Tim


Re: dual isp srx550

08-28-2015 11:53 PM

Hi Tim,

I just read the KB, but the topology at my customer is very complex.

After we applied this knowledge base article, some users could not connect to the server, so I rolled back the configuration,

because this device is in live production.

Hi Tim,

What is the difference if we use forwarding rather than virtual-router?


Re: dual isp srx550

08-29-2015 03:48 AM

Hello,

A few things that you need to address:

1) When you configure virtual-routers, ideally you assign interfaces to them. In your scenario it would be:

set routing-instance routing-table-ISP1 interface ge-0/0/3.0

set routing-instance routing-table-ISP2 interface ge-0/0/5.0

2) With the help of rib-groups, you have exported inet.0's interface routes to routing-table-ISP1.inet.0 & routing-table-ISP2.inet.0, which is sufficient for basic functionality. However, if ISP1 goes down, once traffic reaches the routing-table-ISP1.inet.0 routing instance, it will not be able to go to routing-table-ISP2.inet.0. For that you will need configuration like the one given below:

a) Define a rib-group in each VR as below:

set routing-instance routing-table-ISP1 routing-options interface-routes rib-group inet ISP1-ISP2

set routing-instance routing-table-ISP2 routing-options interface-routes rib-group inet ISP1-ISP2

b) Import these routes into each other's VR:

set routing-options rib-groups ISP1-ISP2 import-rib [ routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ]

3) I am assuming that the following configuration exists on the box:

a) Firewall filter applied to the ge-0/0/3.0 interface correctly.

b) NAT configured properly between the Trust and ISP1 zones & between the Trust and ISP2 zones.

Regards,

Rushi
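The complete FBF configuration that Tim's reply (instance-type forwarding, KB17223) and Rushi's rib-group steps describe, written out as an added example in set format so it can be compared line by line with the show output in the first post. This is not configuration from the thread or from the Juniper KB. It keeps the thread's addresses (200.4.4.4, 110.5.5.5, 10.0.0.60/32) and the trust interface ge-0/0/3.0; the instance names ISP1-FBF and ISP2-FBF, the filter name FBF and the counter names are assumed.

```junos
# Added example, not configuration from the thread. Names ISP1-FBF, ISP2-FBF,
# FBF and the counter names are assumed; addresses are the ones from the thread.

# Two forwarding instances with one default route each. A forwarding instance
# owns no interfaces of its own; its next-hops resolve through the interface
# routes imported from inet.0 below.
set routing-instances ISP1-FBF instance-type forwarding
set routing-instances ISP1-FBF routing-options static route 0.0.0.0/0 next-hop 200.4.4.4
set routing-instances ISP2-FBF instance-type forwarding
set routing-instances ISP2-FBF routing-options static route 0.0.0.0/0 next-hop 110.5.5.5

# Copy inet.0's interface (direct) routes into both FBF tables so the
# next-hops above are reachable and traffic back to the trust subnet
# still finds ge-0/0/3.0 from inside the FBF tables.
set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options rib-groups IMPORT-PHY import-rib [ inet.0 ISP1-FBF.inet.0 ISP2-FBF.inet.0 ]

# Ordinary (non-FBF) default route in inet.0: prefer ISP1, fall back to ISP2.
set routing-options static route 0.0.0.0/0 qualified-next-hop 200.4.4.4 metric 10
set routing-options static route 0.0.0.0/0 qualified-next-hop 110.5.5.5 metric 15

# The filter: only 10.0.0.60/32 is steered into ISP2-FBF, everything else is
# accepted and follows inet.0. Counters show which term a packet matched.
set firewall family inet filter FBF term TO-ISP2 from source-address 10.0.0.60/32
set firewall family inet filter FBF term TO-ISP2 then count to-isp2
set firewall family inet filter FBF term TO-ISP2 then routing-instance ISP2-FBF
set firewall family inet filter FBF term DEFAULT then count default
set firewall family inet filter FBF term DEFAULT then accept

# The filter does nothing until it is applied as an input filter on the
# trust-facing interface (Rushi's point 3a).
set interfaces ge-0/0/3 unit 0 family inet filter input FBF
```

After commit, `show route table ISP2-FBF.inet.0` should list the 0.0.0.0/0 route via 110.5.5.5 together with the direct routes imported by the rib-group; if the direct route for the ISP2 interface is missing, the default route stays unresolved and the instance cannot forward. `show firewall filter FBF` then shows the to-isp2 counter increasing while 10.0.0.60 sends traffic, which separates a filter that is not being hit (not applied to the interface, wrong term order) from a routing problem. The forwarding instance type is used rather than virtual-router because it is the type designed for this purpose: it shares the device's interfaces with inet.0 and only needs routes imported into it, whereas a virtual-router is a separate routing domain that expects interfaces to be assigned to it. Traffic steered to ISP2 still has to be permitted by a security policy and source NAT rule between the trust zone and the ISP2 zone, as Rushi's point 3b notes.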