ScreenOS Firewalls (NOT SRX)
ScreenOS Firewalls (NOT SRX)

Load Balancing with SSG-140

11.01.10   |  
‎11-01-2010 10:24 AM

I am having a hard time finding direct step by step instructions on how to configure load balancing with my SSG-140.  Is it even possible?  

 

I have an ADSL connection and a T1 Connection.  The ADSL is new and that is what we are using right now; however, we are still in contract for another year on our T1 and I would like to make use of it with Load Balancing if possible.  The assumption here is that if I can get load balancing configured with the T1 and the ADSL that after the T1 contract expires we can replace it with another ADSL line.  

 

Some sites have talked about policy based routing where I select what type of traffic I want to send over each interface, but a true load balancer would be nice if the Juniper can do it. 

 

If anyone can point me to a good source of documentation that would be greatly appreciated or if you have any suggestions on how I can make this work the best that would also be appreciated. 

6 REPLIES
ScreenOS Firewalls (NOT SRX)

Re: Load Balancing with SSG-140

11.02.10   |  
‎11-02-2010 03:57 AM

True loadbalancing is not in the SSG feature set.  But you can get an approximation of this by setting up both internet services with a default route that has the same metric and preference.  The firewall will round robin the connections then that use these two services.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
ScreenOS Firewalls (NOT SRX)

Re: Load Balancing with SSG-140

11.02.10   |  
‎11-02-2010 05:56 AM

Do you use BGP and your own IP adresses ?

Then you could perhaps use BGP to decide on IP level what goes were.

 

Else divide services up per ISP.

 

 


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
ScreenOS Firewalls (NOT SRX)

Re: Load Balancing with SSG-140

11.02.10   |  
‎11-02-2010 06:04 AM

Hi,

 

You should also enable Equal Cost Multipath for this to work:

 

set vrouter <name> max-ecmp-routes 2 (up to 4 routes with the same pref/metric are supported).

 

I do not recommend to use ECM on the NATted connections, because:

 

"When ECMP is enabled and the outgoing interfaces are different and in NAT mode (apparently they mean not the interface mode but NAT as such. EC) , applications, such as HTTP, that create multiple sessions will not work correctly. Applications, such as telnet or SSH, that create one session should work correctly." (C&E, Routing)

 

Also:

"If the outgoing interfaces do not belong to the same zone and the return packet goes to a zone other than the intended one, a session match cannot occur and the traffic may not go through." (C&E, Routing)

 

I would recommend to use both connections as an Active/Standby with some load sharing using SBR (is simpler) and/or PBR.

 

Kind regards,

Edouard

Kind regards,
Edouard
ScreenOS Firewalls (NOT SRX)

Re: Load Balancing with SSG-140

01.09.12   |  
‎01-09-2012 03:17 PM

Is this is supported in a HA configuration of two SSG 140?

ScreenOS Firewalls (NOT SRX)

Re: Load Balancing with SSG-140

01.09.12   |  
‎01-09-2012 11:50 PM

Hi,

 

ECM/SBR/PBR will work the same way on a NSRP-cluster.

Kind regards,
Edouard
ScreenOS Firewalls (NOT SRX)

Re: Load Balancing with SSG-140

01.10.12   |  
‎01-10-2012 03:09 AM

It is the same, unless you are talking active/active, that requires a different design approach.

 

 


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN