SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX with multiple ISP and different public IP subnets

    Posted 09-06-2018 05:12

    We have the SRX320 device and several Internet providers connected to it.

     

    [Attached image: Inked20180906_141400_orn-printer-01_000292-1_LI.jpg]

     

    Interfaces ge-0/0/0 and ge-0/0/1 are actually connected to one provider, “ISP-1”. Two different links are used because of contracts with two different organizations. On each link, ISP-1 provides multiple public IP addresses from different subnets. Each subnet uses its own gateway. ISP-1 uses the same subnets on both links. These subnets are marked with blue and yellow markers on the scheme.

    Interface ge-0/0/2 is connected to the second provider, “ISP-2”. This is a backup channel with only one public IP address. It is marked with a green marker on the scheme.

     

    What do we want?

     

    1. Use all IP addresses provided by ISP-1 for source NAT used for Internet access. The ability to use any of those IP addresses as external by firewall filters. Additionally, load balance traffic to both channels, if possible.
    2. Use all IP addresses provided by ISP-1 for destination NATs used to access trusted intranet resources from the Internet. The ability to use any of those IP addresses as the destination IP.
    3. Use ISP-2 only as a backup channel to the Internet with automatic failover and fallback.

    Please tell me, is it possible to configure all of the above on the SRX device? How can I do this using the minimum number of routing instances?



  • 2.  RE: SRX with multiple ISP and different public IP subnets

    Posted 09-06-2018 06:26

    Hello,

    Your SRX config would be tremendously simpler if You do just one of the following:

    1/ combine ge-0/0/0 and ge-0/0/1 into a LAG (Etherchannel in CSCO speak) - requires LAG support from ISP1 as well

    2/ assign single subnet to a given interface, i.e.

    - use 1.1.1.0/24 only on ge-0/0/0 and no more subnets on ge-0/0/0, and

    - use 1.1.2.0/24 only on ge-0/0/1 and no more subnets on ge-0/0/1

    HTH

    Thx

    Alex



  • 3.  RE: SRX with multiple ISP and different public IP subnets

    Posted 09-07-2018 00:04

     

     

    There is one more thing you need to know. In fact, there is only one physical link from ISP-1. This physical link is connected to the trunk port of the switch, controlled by us. Inside the link are two VLANs, for example 100 and 101. And the ge-0/0/0 and ge-0/0/1 ports of the SRX are connected to untagged switch ports with VLAN IDs 100 and 101.

    Should we use aggregated interfaces in this scenario? Will the configuration be simplified if the physical link from the ISP-1 with tagged Internets connects to the SRX directly?



  • 4.  RE: SRX with multiple ISP and different public IP subnets
    Best Answer

    Posted 09-07-2018 02:24

    Hello,

    Thanks for additional info. Yes, it makes sense to enable LAG between Your SRX and Your switch for better LB on this hop only.

    However, vlan 100 & 101 will be seen on SRX side as 2 separate logical subinterfaces, and in this case I'd recommend to use option [2] in my previous post since ISP link redundancy is really 1:1 in this scenario, not 2:1 as Your OP implies.

    In simple words - if Your ISP1 link fails, You only have 1 choice remaining - that is, ISP2 link - irrespective of how many VLANs You may have configured on ISP1 link.

    HTH

    Thx

    Alex