Thursday, May 25, 2017

load-balancing based on source-ip

Our scenario is below

firewall {
    family inet {
        filter source-based-lb {
            term even {
                from {
                    source-address {
                        10.32.0.0/255.255.0.1;
                    }
                }
                then {
                    routing-instance fbf-prefer-isp1;
                }
            }
            term odd {
                from {
                    source-address {
                        10.32.0.1/255.255.0.1;
                    }
                }
                then {
                    routing-instance fbf-prefer-isp2;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
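As an added example (not from the original post), here is a small Python model of how the source-based-lb filter above classifies a source address. Junos evaluates terms in order, and a source-address written as prefix/mask with a non-contiguous mask such as 255.255.0.1 matches when (address AND mask) equals (prefix AND mask); the distribution helper then shows how a whole subnet splits between the two routing instances.

```python
import ipaddress

# Constructed model of the filter's terms, in evaluation order:
# (term name, source-address as written in the filter, routing-instance action).
FILTER_TERMS = [
    ("even", "10.32.0.0/255.255.0.1", "fbf-prefer-isp1"),
    ("odd", "10.32.0.1/255.255.0.1", "fbf-prefer-isp2"),
]
# Term "default" has no routing-instance: the packet is accepted and
# follows the normal lookup in the main routing table.
DEFAULT_ACTION = "accept"


def matches(address, prefix_with_mask):
    """Junos-style prefix/mask match; the mask need not be contiguous."""
    prefix, mask = prefix_with_mask.split("/")
    a = int(ipaddress.IPv4Address(address))
    p = int(ipaddress.IPv4Address(prefix))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (p & m)


def classify(address):
    """Return (term, action) for the first term whose source-address matches."""
    for name, source, instance in FILTER_TERMS:
        if matches(address, source):
            return name, instance
    return "default", DEFAULT_ACTION


def distribution(network):
    """Count how the hosts of a subnet are split across the filter's actions."""
    counts = {}
    for host in ipaddress.IPv4Network(network).hosts():
        _, action = classify(str(host))
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    for ip in ("10.32.1.10", "10.32.1.11", "10.33.0.2"):
        print(ip, "->", classify(ip))
    print("10.32.5.0/24 ->", distribution("10.32.5.0/24"))
```

Hosts outside 10.32.0.0/16 fall through to the default term, which is the behaviour a practitioner should confirm before relying on the split.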

Two-ISP failover with Juniper SRX

We have two ISPs, ISP A and ISP B.
What we want to accomplish is this: if the primary ISP's link fails, traffic should switch over to the secondary link to ISP B. So, let's get started.

Configure Dual ISP Link Failover in Juniper SRX

We need to configure the routing table under the [edit routing-options] hierarchy.
[edit routing-options]
 
user@SRX240# set static route 0.0.0.0/0 next-hop 1.1.1.1 preference 5 [Next-hop 1.1.1.1 is the primary next-hop for the 0.0.0.0/0 destination network. Note that 0.0.0.0/0 is the default route. Preference 5 is the default preference for static routes; even if you leave it out of this command, it is applied automatically.]
 
[edit routing-options]
user@SRX240# set static route 0.0.0.0/0 qualified-next-hop 2.2.2.1 preference 7 [Now next-hop 2.2.2.1 is the secondary next-hop for the 0.0.0.0/0 network, with a preference of 7. If the primary link goes down and its next-hop is withdrawn, this next-hop becomes the gateway for the default route.]
[edit routing-options]
user@SRX240# show
static {
    route 0.0.0.0/0 {
        next-hop 1.1.1.1;
        qualified-next-hop 2.2.2.1 {
            preference 7;
        }
        preference 5;
    }
}

Two-ISP load balancing with Juniper SRX

We have two ISPs across which we want to load-balance internet traffic. Both internet links are in the UNTRUST zone, while the internal network is in the TRUST zone.

I have already configured the required security policies.

The first step is to define the routing policy. Configure the following policy under the [edit policy-options] hierarchy.
[edit policy-options]
root@SRX240# set policy-statement LOAD-BALANCE then load-balance per-packet [No from clause is used here, so the policy means: from any source, load-balance per-packet.]
[edit policy-options]
root@SRX240# show
policy-statement LOAD-BALANCE {
    then {
        load-balance per-packet;
    }
}
The second step is to configure the routing options. Configure the following static routes under the [edit routing-options] hierarchy.
[edit routing-options]
root@SRX240# set static route 0.0.0.0/0 next-hop 1.1.1.1
[edit routing-options]
root@SRX240# set static route 0.0.0.0/0 next-hop 2.2.2.1
Now apply the routing policy LOAD-BALANCE under routing-options as a forwarding-table export policy.
[edit routing-options]
root@SRX240# set forwarding-table export LOAD-BALANCE
Type the show command to view the configuration.
[edit routing-options]
root@SRX# show
static {
    route 0.0.0.0/0 next-hop [ 1.1.1.1 2.2.2.1 ];
}
forwarding-table {
    export LOAD-BALANCE;
}

You can now view the forwarding table to verify.
 
root@SRX> show route forwarding-table

You will see two next-hop MAC addresses for the default destination network.
By default, Junos uses only layer 3 IP addresses to determine the flow, but you can change this behavior to include both layer 3 and layer 4 information. To do so, enter the following commands under the [edit forwarding-options] hierarchy.
[edit forwarding-options]
root@SRX# set hash-key family inet layer-3
[edit forwarding-options]
root@SRX# set hash-key family inet layer-4
[edit forwarding-options]
root@SRX# show
hash-key {
    family inet {
        layer-3;
        layer-4;
    }
}


You can now check the logs, or run tracert from a client PC, to test the load sharing.
You can test from a single PC in the network.