Screen OS

  • 1.  load balancing or multi homing with two ISP's on ISG 2000

    Posted 09-03-2012 23:22

    Hi all,

    We have two links from two different service providers.

    The ISG 2000 series firewalls are in HA mode, i.e. two physical firewalls.

    We need to accomplish load balancing; we currently have one default route to one provider.

    However, we are unable to achieve load balancing. If anyone has done multi-homing, load balancing etc., I need your advice, and any links will be highly appreciated.

    Do I need to put two default routes? If the ISG routes some packets via ISP A and others via ISP B for the same TCP session, will it result in out-of-order delivery at the destination?



  • 2.  RE: load balancing or multi homing with two ISP's on ISG 2000

    Posted 09-03-2012 23:29

    There is no perfect way to do load balancing on firewalls, so I would suggest two ways to achieve this:

    1. Use source-based routing, where you can route half of your LAN to one ISP and the other half to the second ISP.

    2. Configure PBR (policy-based routing) to route one type of traffic (e.g. HTTP, FTP etc.) on one ISP and some other traffic types (HTTPS, VoIP etc.) on the other ISP.


    Sarab [ JNCIS-FWV , JNCIA-SEC , CCIP , CCSA ]
    ------------------------------------------------------------------------------------

    [If it helped please mark it as "Accepted Solution".]



  • 3.  RE: load balancing or multi homing with two ISP's on ISG 2000

    Posted 09-04-2012 00:17

    Hi Sarab,

    We have over 150 subnets within the 10.0.0.0/8 space; how can I achieve source-based routing here?

    We have around 2500 users campus-wide.

    Further, I can't go with PBR because 80% of the traffic corresponds to HTTP. It will make the other ISP underutilised.




  • 4.  RE: load balancing or multi homing with two ISP's on ISG 2000

    Posted 09-04-2012 00:40

    Hello, are all these 150 subnets connected on a single firewall interface? And I agree, if 80% is HTTP then PBR to classify traffic on a type basis will not help. Please give me a brief idea about your network so that I can suggest based on that.


  • 5.  RE: load balancing or multi homing with two ISP's on ISG 2000

    Posted 09-04-2012 02:14

    We have a trust zone with 10.1.0.0/16, one DMZ and an untrust zone.

    Also, do I need to create untrust 1 and untrust 2 for the two ISPs, or can I put them in the same untrust zone?

    We don't have a flat network; it's a hierarchical network: access---distribution---core---fw---router---isp.




  • 6.  RE: load balancing or multi homing with two ISP's on ISG 2000
    Best Answer

    Posted 09-04-2012 02:44

    So if I understand correctly, you have the 10.1.0.0/16 network behind the trust zone interface. What you can do is configure a source route for traffic coming in on the trust zone interface, to route traffic from 10.1.0.0/17 to one ISP and 10.1.128.0/17 to the second ISP. About your other question, you can keep both ISPs in the same untrust zone. Please let me know if you have any other questions.


  • 7.  RE: load balancing or multi homing with two ISP's on ISG 2000

    Posted 09-04-2012 18:28

    I missed mentioning that the config suggested in my previous update can also be done via PBR if you want.
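A ScreenOS configuration for the /17 split that Sarab describes in posts 6 and 7, added here as an example and not taken from the thread. It assumes the trust interface is ethernet1/1, the two ISP-facing interfaces are ethernet1/2 and ethernet1/3 in the untrust zone, and documentation next-hop addresses 203.0.113.1 and 198.51.100.1; the command syntax follows the ScreenOS source-based routing examples from the Concepts & Examples guide as I remember them, so check it against the CLI reference for your release.

```screenos
set interface ethernet1/2 zone untrust
set interface ethernet1/2 ip 203.0.113.2/24
set interface ethernet1/3 zone untrust
set interface ethernet1/3 ip 198.51.100.2/24

set vrouter trust-vr
set source-routing enable
set route source in-interface ethernet1/1 10.1.0.0/17 interface ethernet1/2 gateway 203.0.113.1
set route source in-interface ethernet1/1 10.1.128.0/17 interface ethernet1/3 gateway 198.51.100.1
set route 0.0.0.0/0 interface ethernet1/2 gateway 203.0.113.1
exit

set policy from trust to untrust any any any nat src permit
```

The default route stays as the fallback for any source outside the two /17s, and because ScreenOS looks the route up once when a session is created and stores the egress interface in the session entry, every packet of one TCP session leaves via the same ISP, which answers the out-of-order question in the first post. The nat src policy translates to the egress interface address, so replies return through the ISP that carried the request rather than asymmetrically through the other link.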