Security




  • 1.  SRX cluster active/active load sharing two ISP

    Posted 08-18-2021 05:23
    Hello,

    I'd like to clarify whether the method below is doable for load sharing between two ISPs connected directly to the respective SRX cluster nodes. I understand load sharing can be achieved through FBF (filter-based forwarding); however, the requirement is to find a way to load share without FBF. The ISP links are not BGP peering links; they are standard leased lines with /29 subnets allocated to each ISP link. Therefore I thought of having iBGP peering between the SRX and the EX. Can ECMP (equal-cost multipath) work in this scenario?

    Please can you advise how, if at all, it is possible to load share in this scenario?

    Many thanks.




  • 2.  RE: SRX cluster active/active load sharing two ISP

     
    Posted 08-18-2021 05:36
    See if this configuration example covers your scenario.

    https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/chassis-cluster-srx-full-mesh-configuring.html

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX cluster active/active load sharing two ISP

    Posted 08-22-2021 05:29
    Thanks Steve for the reference; however, that active/active example doesn't use load sharing between two ISPs. The static route set there has ISP-A as primary and ISP-B as the qualified next hop.


  • 4.  RE: SRX cluster active/active load sharing two ISP

    Posted 08-22-2021 13:05
    Would a load-balancing policy, with that policy then applied to the forwarding table, not work in cluster mode?


  • 5.  RE: SRX cluster active/active load sharing two ISP

    Posted 08-25-2021 11:02
    Hello Steve,

    Hope you are doing well.

    I've followed this KB and managed to configure ECMP on the SRX HA active/active cluster. However, the one client laptop used for testing on the LAN side seems to be taking only the ISP-1 route. Is there any way to further verify that the SRX is indeed using both routes?

    Another thing I noticed: I'm unable to ping 8.8.8.8 from the SRX if I source from the interface connected to ISP-1, but I'm able to ping 8.8.8.8 if I source from the interface connected to ISP-2.

    Please could you guide me on where I've made a mistake in the config?

    Many thanks
    Regards




  • 6.  RE: SRX cluster active/active load sharing two ISP

     
    Posted 08-25-2021 19:35
    ECMP will be flow based to avoid breaking connections. So you really cannot test it using just one source device, as the flow will pin to only one path.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: SRX cluster active/active load sharing two ISP

    Posted 08-26-2021 05:23
    Thanks Steve for your response. I'll try to add more clients and then try to test.

    On the second thing, "Another thing I noticed: I'm unable to ping 8.8.8.8 from the SRX if I source from the interface connected to ISP-1, but I'm able to ping 8.8.8.8 if I source from the interface connected to ISP-2." Please can you advise whether this is due to a wrong configuration or default behaviour?

    Appreciate your assistance.

    Regards,



  • 8.  RE: SRX cluster active/active load sharing two ISP

     
    Posted 08-26-2021 05:38
    For the ISP not reaching Google DNS, confirm via traceroute that the issue is on the SRX.

    Get the route table and forwarding table to see if the routes and forwarding entries are installed for both ISPs.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 9.  RE: SRX cluster active/active load sharing two ISP

    Posted 09-06-2021 12:02
    Hello Steve/All,

    I've hit another blocker with RPM / IP monitoring.

    I was testing RPM for indirect ISP failures. I noticed that once I simulated an ISP-1 indirect failure, RPM applied the preferred-route action with preferred-metric 4. However, upon restoring ISP-1, the cluster doesn't return to load balancing.

    services {
    rpm {
        probe ISP-1 {
            test google_dns {
                probe-type icmp-ping;
                target address 8.8.8.8;
                probe-count 12;
                probe-interval 5;
                source-address 192.168.0.10;
                thresholds {
                    successive-loss 4;
                    total-loss 6;
                }
    
            }
        }
        probe ISP-2 {
            test google_dns {
                probe-type icmp-ping;
                target address 8.8.8.8;
                probe-count 12;
                probe-interval 5;
                source-address 192.168.2.10;
                thresholds {
                    successive-loss 4;
                    total-loss 6;
                }
    
            }
        }
    }
    ip-monitoring {
        policy if_ISP-1_indirect_failure {
            match {
                rpm-probe ISP-1;
            }
            then {
                preferred-route {
                    route 0.0.0.0/0 {
                        next-hop 192.168.2.1;
                        preferred-metric 4;
                    }
                }
            }
        }
        policy if_ISP-2_indirect_failure {
            match {
                rpm-probe ISP-2;
            }
            then {
                preferred-route {
                    route 0.0.0.0/0 {
                        next-hop 192.168.0.1;
                        preferred-metric 4;
                    }
                }
            }
        }
    }
    }

    Below is the route table, even after ISP-1 is restored.

    root@srx320-poe-01# run show route | no-more
    
    inet.0: 16 destinations, 18 routes (16 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/4] 00:54:12, metric2 0
                        >  to 192.168.2.1 via ge-3/0/5.0
                        [Static/5] 05:13:31
                        >  to 192.168.2.1 via ge-3/0/5.0
                           to 192.168.0.1 via ge-0/0/5.0
    

    I'd highly appreciate any assistance, or any KB pointing to a solution for this.

    Many thanks
    Regards
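As an added check that is not part of the thread, the following Python parses a Junos `show route` excerpt in the format posted above and reports whether the active default route still load-shares or whether a single-next-hop route (here the Static/4 one installed by ip-monitoring) is shadowing the ECMP static route. The sample text is the route output from this post, embedded as constructed input.

```python
import re

# Constructed sample: the `show route` excerpt from post 9 of this thread,
# captured after ISP-1 was restored; only the default route is shown.
SHOW_ROUTE = """\
0.0.0.0/0          *[Static/4] 00:54:12, metric2 0
                    >  to 192.168.2.1 via ge-3/0/5.0
                    [Static/5] 05:13:31
                    >  to 192.168.2.1 via ge-3/0/5.0
                       to 192.168.0.1 via ge-0/0/5.0
"""

ROUTE_RE = re.compile(r"^(\S+/\d+)?\s*([*+-]?)\[(\w+)/(\d+)\]")  # [Proto/pref]
NH_RE = re.compile(r"^\s+>?\s*to\s+(\S+)\s+via\s+(\S+)")         # to GW via IFL

def parse_show_route(text):
    """Return {prefix: [entry, ...]} from Junos `show route` text."""
    table, prefix, entry = {}, None, None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:                                   # a [Protocol/preference] entry
            prefix = m.group(1) or prefix       # new prefix, or same as before
            entry = {"proto": m.group(3), "pref": int(m.group(4)),
                     "active": m.group(2) in ("*", "+"), "nh": []}
            table.setdefault(prefix, []).append(entry)
            continue
        m = NH_RE.match(line)
        if m and entry:                         # next hop of the current entry
            entry["nh"].append((m.group(1), m.group(2)))
    return table

def ecmp_status(table, prefix="0.0.0.0/0"):
    """Report whether the active route for prefix still load-shares."""
    entries = table.get(prefix, [])
    active = [e for e in entries if e["active"]]
    if not active:
        return "no active route"
    a = active[0]
    if len(a["nh"]) > 1:
        return "ecmp: %d next hops" % len(a["nh"])
    shadowed = [e for e in entries if not e["active"] and len(e["nh"]) > 1]
    if shadowed:                                # the state shown in post 9
        return "pinned: %s/%d via %s shadows ecmp %s/%d" % (
            a["proto"], a["pref"], a["nh"][0][0],
            shadowed[0]["proto"], shadowed[0]["pref"])
    return "single next hop"
```

Run against the posted output it reports the pinned state; once the ip-monitoring route is withdrawn and the Static/5 route with both next hops becomes active again, it reports ECMP with two next hops.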




  • 10.  RE: SRX cluster active/active load sharing two ISP

    Posted 08-26-2021 09:07
    From ISP-1 the traceroute isn't going to the ISP router on 192.168.0.1. Please see attached.

    I'm really not able to see what the issue is with ECMP.

    When I was testing with FBF, I was able to ping 8.8.8.8 through each routing instance.

    Thanks for your assistance.



  • 11.  RE: SRX cluster active/active load sharing two ISP

    Posted 08-30-2021 05:32

    Hello,

    So I researched further on Google and came across this KB; this was exactly the reason why load balancing wasn't happening with ECMP. Once I applied the command set security flow no-local-favor-ecmp, that single client on the LAN side started taking ISP-2. Also, I'm now able to ping 8.8.8.8 sourcing from each interface connected to the ISPs.