ScreenOS Firewalls (NOT SRX)

Two Dual ISP by one ISG1000

11-06-2019 09:04 PM

Greetings all,

I need your support for the below subject.

I have dual ISPs. The first ISP (speed 70 Mbps) is already connected to the ISG1000 and working correctly. My organization needs to install and configure another ISP (speed 1 Gbps) to upgrade the throughput, and as you can see in the figure, I need to know how to configure this case with only one ISG1000 and only one uplink to the core switch.

I really appreciate your reply.

[Figure: Dual ISP Design.png]


Re: Two Dual ISP by one ISG1000

11-07-2019 02:45 AM

What is the scenario you are looking at?

  • Replace the current ISP with the new one
  • Keep both ISPs in primary and secondary roles
  • Keep and use both ISPs in some fashion

Do you have inbound destination NAT traffic for internal services?

If so, will these move to the new ISP and change IP address?

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Two Dual ISP by one ISG1000

a month ago

Thanks, Steve, for your reply.

Actually we have 300 buildings; half of them are already connected by ISP1 (70 Mbps), and the other buildings we are planning to connect to the new ISP (1 Gbps).

Scenario 01: I need to know how to keep and use both ISPs in some fashion, as you mentioned.

Scenario 02: I need to know how to set up ISP2 for the remaining buildings where we want to activate the Internet.

Regarding your questions:

Do you have inbound destination NAT traffic for internal services? Yes, which are already connected to the existing ISP1.


Re: Two Dual ISP by one ISG1000

a month ago

So it seems like your best option would be to add a new virtual router.

Routing > virtual routers

 

Put the new ISP interface into this virtual router and also the interfaces connecting to the buildings that will be served by this ISP.

 

Virtual routers will then keep the two ISPs and the buildings they service separate in the same ISG box.  Each group will operate on their own.  And no configuration for your existing setup will need to change.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Two Dual ISP by one ISG1000

3 weeks ago

Thanks a lot, Spuluka, for your solution.

Before closing this case, could you share the configuration steps with me? I am still new to the ISG1000.

Thank you.


Re: Two Dual ISP by one ISG1000

3 weeks ago

Create the objects you need in this order.

 

  • Virtual router - Routing > Virtual Router
  • Zones - Network > Zones 
    • assign the new internet and business zones to your virtual routers
  • Interfaces - Network > Interfaces
    • Create the interfaces and sub-interfaces that you are using on the ISG and assign them to the zones you created above
  • Security Policy - Policy > Policies
    • Create the business to internet zone policy and add NAT for their outbound access
    • If inbound access is needed, create the reverse zone policies and destination NAT

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Two Dual ISP by one ISG1000

2 weeks ago

Thanks a lot for your advice.

Actually we have installed a new ISG1000 and connected it to the new ISP, but I cannot ping the new ISP. I have done the configuration; it is the same configuration as on the old ISG.

Also, when I connect the new ISP line to the old ISG, I can ping the ISP gateway.

Could you share your experience, please?


Re: Two Dual ISP by one ISG1000

2 weeks ago

When running commands like ping for a virtual router you need to specify the interface you want to use for the source address of the ping request.  This will be the interface you connected to the ISP in the virtual router in this case.

example:

ping 8.8.8.8 from ethernet0/0

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
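
The object order from the configuration-steps reply and the source-interface ping from the last reply, written out as ScreenOS CLI. This is an added example, not a configuration posted by anyone in the thread. The virtual router, zone and interface names, the VLAN tag and the addresses (documentation ranges) are all assumptions, and lines starting with `#` are annotations that are not typed into the device.

```screenos
# Added example, not from the thread. Assumed names: VR-ISP2, Untrust-ISP2,
# Bldg-ISP2, ethernet1/2 (link to the new ISP), ethernet1/1.20 (VLAN 20
# sub-interface on the single uplink to the core switch).
# Assumed addresses: 192.0.2.0/30 toward the ISP, 10.20.0.0/24 for the buildings.

# 1. Virtual router
set vrouter name "VR-ISP2"

# 2. Zones, each bound to the new virtual router
set zone name "Untrust-ISP2"
set zone name "Bldg-ISP2"
set zone "Untrust-ISP2" vrouter "VR-ISP2"
set zone "Bldg-ISP2" vrouter "VR-ISP2"

# 3. Interfaces and sub-interfaces, assigned to the zones created above
set interface ethernet1/2 zone "Untrust-ISP2"
set interface ethernet1/2 ip 192.0.2.2/30
set interface ethernet1/1.20 tag 20 zone "Bldg-ISP2"
set interface ethernet1/1.20 ip 10.20.0.1/24

# Default route for this group exists only in the new virtual router
set vrouter "VR-ISP2" route 0.0.0.0/0 interface ethernet1/2 gateway 192.0.2.1

# 4. Outbound policy with source NAT; logging kept on for later review
set policy from "Bldg-ISP2" to "Untrust-ISP2" "Any" "Any" "ANY" nat src permit log

# Checks: confirm the route sits in VR-ISP2, then ping the ISP gateway
# with the source interface named explicitly
get route
get interface ethernet1/2
ping 192.0.2.1 from ethernet1/2
save
```

With no route exported between the two virtual routers, the building groups stay unreachable from each other unless a route and a policy are added on purpose.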