ISP link failover from SRX firewall to SRX router

  • 1.  ISP link failover from SRX firewall to SRX router

    Posted 05-10-2018 23:39

    Hi,

    Please find the network topology below (attached image: Network topology.PNG) and suggest a suitable option to achieve ISP link failover/traffic diversion on the firewall.

    1) For internet requests the core switch has a default route towards SRX340

    2) For MPLS requests the core switch has a static route towards SRX240

    3) SRX340 (HA) has a default route towards the ISP

    4) SRX240 (packet mode, primary and secondary) has a VRF configuration to achieve ISP link failover

    Here my query is: on SRX340, if the ISP link fails, internet traffic should be routed to SRX240. If I tracert from the internet router towards SRX240, the first hop is the SRX240 ge-0/0/3 interface IP.

    We can directly connect one more cable from SRX240 to SRX340, or use an RPM configuration with next hop ge-0/0/3 interface. My main concern is routing: how will the packets traverse?

    Thank you...

  • 2.  RE: ISP link failover from SRX firewall to SRX router

    Posted 05-13-2018 06:48

    If you can, add the direct link from the SRX340 to the SRX240 and treat that as if it were a second ISP. Then use the RPM failover between this new link and your local ISP.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB22052



  • 3.  RE: ISP link failover from SRX firewall to SRX router

    Posted 05-13-2018 22:51

    Thank you Steve,

    As per your suggestion, if I make the required changes, what will be the complete path when the network traffic returns (for traffic that was initiated through core --> SRX340 --> SRX240 --> towards the MPLS network)?

    From MPLS network --> SRX240 --> SRX340 --> core switch, or MPLS network --> SRX240 --> core switch?

    Please remember that the SRX240 (packet mode) already has a return-traffic route for internal network traffic through the core switch. I hope an asymmetric routing issue will not occur.

    Thank you..



  • 4.  RE: ISP link failover from SRX firewall to SRX router

    Posted 05-15-2018 03:29

    I was assuming you would source NAT the traffic going out the interface towards the MPLS links. This would resolve the return-path asymmetrical routing issue.

    The idea is to treat it as if it were another ISP link.



  • 5.  RE: ISP link failover from SRX firewall to SRX router

    Posted 05-15-2018 10:17

    Hi Steve,

    Sorry for the incomplete info from my side. Please find the network topology and configuration details below.

    (attached image: Network topology.PNG)

    1) BGP is configured for the SRX340 ISP

    2) On SRX240, BGP is configured for ISP1 and ISP2

    3) ISP1 and ISP2 (/30 subnets) are part of the untrust VRF; the static route next hop is the untrust VRF; AS prepend is configured on SRX240

    4) If we assign 192.168.50.1 (reth2) and 192.168.50.2 (ge-0/0/6), where do I need to configure NAT (router or firewall side/interface)?

    5) Do I need to advertise the static route into BGP?

    6) There is another identical setup at the next branch, so the traffic path will be: Core switch --> SRX340 --> SRX240 --> SRX240 (other branch location) --> MX5 (Internet router) --> ISP

    Thank you...



  • 6.  RE: ISP link failover from SRX firewall to SRX router
    Best Answer

    Posted 05-16-2018 04:35

    Thanks for the detailed information.

    Make sure the IP address used for the routed link is part of what is advertised to the remote MPLS sites. Then configure the IP address on the routed link from the SRX240 to the SRX340.

    Make sure the MPLS ISP links advertise a default route down, so this internet traffic goes on to the remote sites once it hits the SRX240.

    On the SRX340, check that there is an existing source NAT interface policy for the existing ISP covering reth1 to reth0 traffic. Simply place reth2 into the same zone as reth0 on the SRX340.

    Your normal routing will remain in place for the ISP link on the SRX340. When RPM detects the failure it will install the default route to the SRX240, and the NAT policy will make sure the return traffic comes back over that link.
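A set-style Junos sketch of the SRX340 side of what is described above (RPM probe, IP monitoring preferred route, reth2 in the ISP zone, interface source NAT), added here as an illustration and not taken from the thread or from Juniper documentation. It assumes reth0 faces the ISP with next hop 203.0.113.1, reth1 faces the core switch, the probe target 198.51.100.1 and the zone names trust/untrust are placeholders, and the routed link uses the 192.168.50.0/30 addresses from post 5.

```junos
## Routed link to the SRX240 (192.168.50.2 on ge-0/0/6); physical
## member-interface mapping for the reth is omitted here (assumption)
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 192.168.50.1/30

## reth2 joins the same zone as the ISP-facing reth0, so the existing
## trust-to-untrust policies and NAT rule-set also cover the new link
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone untrust interfaces reth2.0

## RPM probe out of the ISP interface to a placeholder target; the
## next-hop pins the probe to the ISP path even after failover
set services rpm probe isp-probe test isp-test probe-type icmp-ping
set services rpm probe isp-probe test isp-test target address 198.51.100.1
set services rpm probe isp-probe test isp-test probe-count 3
set services rpm probe isp-probe test isp-test probe-interval 5
set services rpm probe isp-probe test isp-test test-interval 5
set services rpm probe isp-probe test isp-test thresholds successive-loss 3
set services rpm probe isp-probe test isp-test thresholds total-loss 3
set services rpm probe isp-probe test isp-test destination-interface reth0.0
set services rpm probe isp-probe test isp-test next-hop 203.0.113.1

## When the probe fails, install a default route via the SRX240; the
## normal static default via the ISP stays configured and wins otherwise
set services ip-monitoring policy isp-failover match rpm-probe isp-probe
set services ip-monitoring policy isp-failover then preferred-route route 0.0.0.0/0 next-hop 192.168.50.2

## Interface source NAT from trust to untrust: outbound traffic takes the
## address of whichever egress interface is in use (reth0 or reth2), so
## return traffic from the MPLS side targets 192.168.50.1 during failover
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule interface-nat match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule interface-nat then source-nat interface
```

After committing, `show services rpm probe-results` and `show services ip-monitoring status` show whether the probe is passing and whether the preferred route is currently installed.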