We have two ISPs across which we want to load balance internet traffic. Both internet links are in the UNTRUST zone, whereas the internal network is in the TRUST zone.
I have already configured the required security policies.
The first step is to define the routing policy. Configure the following policy under the [edit policy-options] hierarchy.
root@SRX240# set policy-statement LOAD-BALANCE then load-balance per-packet

Here, the from clause is not used, so it means from any source then load-balance per-packet.

[edit policy-options]
root@SRX240# show
policy-statement LOAD-BALANCE {
    then {
        load-balance per-packet;
    }
}
The second step is to configure the routing options. Configure the following routing information under the [edit routing-options] hierarchy.
[edit routing-options]
root@SRX240# set static route 0.0.0.0/0 next-hop 1.1.1.1
[edit routing-options]
root@SRX240# set static route 0.0.0.0/0 next-hop 2.2.2.1
Now apply the routing policy called LOAD-BALANCE to the forwarding table under the routing options.
[edit routing-options]
root@SRX240# set forwarding-table export LOAD-BALANCE
Type the show command to view the configuration.
[edit routing-options]
root@SRX# show
static {
    route 0.0.0.0/0 next-hop [ 1.1.1.1 2.2.2.1 ];
}
forwarding-table {
    export LOAD-BALANCE;
}
You can now view the route forwarding table to verify.
You will see two next-hop MAC addresses for the default destination network.
By default, Junos includes only the layer 3 IP address to determine the flow, but you can change this behavior and include both layer 3 and layer 4 information. To do so, enter the following commands under the [edit forwarding-options] hierarchy.
[edit forwarding-options]
root@SRX# set hash-key family inet layer-3
[edit forwarding-options]
root@SRX# set hash-key family inet layer-4
[edit forwarding-options]
root@SRX# show
hash-key {
    family inet {
        layer-3;
        layer-4;
    }
}
You can now check the logs, or run tracert from a client PC, to test the load sharing.
You can test from a single PC in the network.
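The effect of the hash-key setting on a single-PC test can be modelled offline. The following is an added illustration, not part of the original post and not Junos code: it hashes flow fields to choose between the two next hops from the static route. SHA-256 is a stand-in for the device's hash algorithm, and the client and server addresses and ports are constructed sample values.

```python
import hashlib
from collections import Counter

# The two ISP gateways from the static default route in the post.
NEXT_HOPS = ["1.1.1.1", "2.2.2.1"]


def pick_next_hop(src_ip, dst_ip, src_port, dst_port, use_layer4):
    """Choose a next hop for one flow by hashing its header fields.

    use_layer4=False models a hash key built from layer-3 addresses only.
    use_layer4=True models 'hash-key family inet' with layer-3 and layer-4.
    SHA-256 is an assumption standing in for the real hardware hash.
    """
    key = f"{src_ip}|{dst_ip}"
    if use_layer4:
        key += f"|{src_port}|{dst_port}"
    digest = hashlib.sha256(key.encode()).digest()
    index = int.from_bytes(digest[:4], "big") % len(NEXT_HOPS)
    return NEXT_HOPS[index]


def distribution(flows, use_layer4):
    """Count how many flows land on each next hop."""
    return Counter(pick_next_hop(*flow, use_layer4) for flow in flows)


# Constructed sample: one client PC opening 200 HTTPS connections to one server.
SINGLE_PC_FLOWS = [
    ("192.168.1.10", "203.0.113.50", 40000 + i, 443) for i in range(200)
]

if __name__ == "__main__":
    # Layer-3 only: every flow has the same address pair, so one link carries all.
    print("layer-3 only     :", dict(distribution(SINGLE_PC_FLOWS, False)))
    # Layer-3 + layer-4: source ports differ, so flows spread over both links.
    print("layer-3 + layer-4:", dict(distribution(SINGLE_PC_FLOWS, True)))
```

Each individual flow always maps to the same next hop, so packets within one connection stay on one link; only the spread across connections changes with the hash key.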