My question is how can I do load balancing with Juniper firewalls in these cases:
- One SSG 20 with 2 ADSL interfaces (and I want to load balance 50%/50% between them).
- 2 SSG 20, one with ADSL and the other with E1, and I want to load balance 50% of the traffic on ADSL and 50% of the traffic on E1.
Are there any protocols dedicated to this? I know that we can do it using OSPF, but I don't want to use a routing protocol to load balance; I want to use dedicated ones with rules and policies.
Thank you very much.
Q1) One SSG 20 with 2 ADSL interfaces and I want to load balance 50%/50% between them?
Ans) Using source-based routing you can force:
a) one network (say network A on trust) to pass through ISP1 with metric 1 and through ISP2 with metric 2 (for failover)
b) the other network (say network B on DMZ) to pass through ISP2 with metric 1 and through ISP1 with metric 2 (for failover)
c) Monitor each ISP gateway IP so that if one ISP is down all your traffic switches to the other ISP:
    set interface ethernet0/0 monitor track-ip ip
    set interface ethernet0/0 monitor track-ip threshold 10
    set interface ethernet0/0 monitor track-ip ip "gw to ISP1" interval 3
    set interface ethernet0/0 monitor track-ip ip "gw to ISP1" threshold 10
    set interface ethernet0/1 monitor track-ip ip
    set interface ethernet0/1 monitor track-ip threshold 10
    set interface ethernet0/1 monitor track-ip ip "gw to ISP2" interval 3
    set interface ethernet0/1 monitor track-ip ip "gw to ISP2" threshold 10
If you have one flat network, say 10.1.1.0/24, then you can divide that into four /27 networks: 10.1.1.0/27, 10.1.1.32/27, 10.1.1.64/27, 10.1.1.96/27 and 10.1.1.128/27.
a) You can route all traffic coming from 10.1.1.0/27 and 10.1.1.64/27 to ISP1 with metric 1 and also to ISP2 with metric 2 (for failover)
b) You can route all traffic coming from 10.1.1.32/27 and 10.1.1.128/27 to ISP2 with metric 1 and also to ISP2 with metric 2 (for failover)
Note: Refer to http://kb.juniper.net/KB4246 and http://kb.juniper.net/KB4273 for configuring source based routing
Q2) 2 SSG 20, one with ADSL and the other with E1, and I want to load balance 50% of the traffic on ADSL and 50% of the traffic on E1?
ANS) You can configure both SSG 20s in active/active mode (for load balancing traffic) with NSRP (NetScreen Redundancy Protocol)
Note: Refer to http://kb.juniper.net/ui.jsp?ui_mode=paging&charset=UTF-8&language=en-US&prior_transaction_id=1644014816&navigation_purpose=ANSWER&searchWithin=337641707&page=search_within_doc_page for configuring Active/Active NSRP
I hope this post will be helpful for you and that you accept my solution!!!
The honest answer to your question is that you can't really load balance using the firewalls. What we are talking about here is playing with routing to try and distribute the sources to the two devices you have connected. This is not a guarantee of splitting the traffic load. The other issue to keep in mind is that you can only affect this flow outbound; inbound traffic will be restricted by your ISPs.
As per the answer from Kashif, you can use source-based routing, but you can use this in both cases.
NSRP will require you to configure two gateways out of the network to split the traffic, so again it's not going to give you a perfect split of actual traffic, but it will allow you to distribute the sources over the two gateways.
Thank you very much for your detailed answer Kashif and for your honest answer Benjaminc.
Both answers are clear and concise, but I have some comments if you don't mind:
- In the case of one SSG 20 with 2 ADSL interfaces, I can use ECMP to do equal-cost load balancing between the 2 interfaces, but only with single-session applications. So if I have to load balance HTTP, for example, can OSPF do the job? (I know that OSPF doesn't do equal cost, but can it load balance multi-session traffic?)
- Can OSPF assign routes with equal cost in a round-robin manner like ECMP? If not, how then?
- Can I use PBR in the case of one SSG 20 with 2 ADSL interfaces without the need for gateways? For example:
HTTP traffic will go through the ADSL 1 interface and Telnet will go through ADSL 2.
Can I do this inbound and outbound? And if so, what's the difference between OSPF with source-based routing and PBR?
With source-based routing you can control which outgoing interface and gateway a given source IP or source network will be forwarded through.
With PBR you can control which traffic passes through which outgoing interface and gateway.
With the above two you can load balance your traffic based on source IP or type of traffic. But the important thing is that, as my friend Benjaminc said, these procedures do not make sure that both links load balance traffic 50%/50%, because it is a firewall, not a load balancer. But with the above techniques you can load balance to some extent and utilize both your links, with each backing up the other.
With ECMP you cannot load balance multi-session traffic.
Thank you very much for your answer.
Can I follow the same procedure if I have 3 internet connections, and do I need to enable ECMP?
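The following is an added example, not code from the thread or from Juniper: a small Python model of the scheme Kashif describes (subnets pinned to one ISP with a metric-1 route and a metric-2 backup, track-ip failure counts taking a link out of service, PBR steering a service such as Telnet onto a chosen link) so the interaction between the pieces can be tried out before touching a firewall. It goes beyond the two-ISP case in the posts: `build_source_routes` hands subnets out round-robin across any number of links, which answers the 3-connection question in the same way. The interface names, gateway addresses, the port-based PBR representation and the lookup order (PBR, then source-based routes, then the default route, which is how ScreenOS is documented to search its routes) are assumptions of the model; the real configuration is built with `set route source` / `set vrouter ... route-map` commands as in the KB articles cited above.

```python
"""Model of the multi-ISP scheme from the thread (added example, not ScreenOS
code): carve the trust network into subnets, pin each subnet to one ISP with a
metric-1 route plus metric-2 backups, steer selected services with PBR, and
let track-ip failure counts decide which links are usable."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Link:
    """One ISP uplink and its track-ip state."""
    name: str
    interface: str            # assumed names, e.g. "ethernet0/0"
    gateway: str              # assumed next-hop address on that ISP
    fail_threshold: int = 10  # mirrors "monitor track-ip threshold 10"
    failures: int = 0         # consecutive failed probes so far

    @property
    def up(self) -> bool:
        # Once the threshold is reached the interface is treated as failed
        # and every route through it drops out of the lookup.
        return self.failures < self.fail_threshold


@dataclass
class SourceRoute:
    """Source-based route: flows *from* subnet leave via link."""
    subnet: ipaddress.IPv4Network
    link: Link
    metric: int


@dataclass
class PolicyRoute:
    """Simplified PBR entry (assumption): flows *to* dst_port leave via link."""
    dst_port: int
    link: Link


def build_source_routes(network: str, new_prefix: int, links: list) -> list:
    """Split `network` into /new_prefix subnets and hand them out round-robin
    across `links` with metric 1; every other link gets a metric-2 backup
    route for the same subnet.  Works for two, three or more ISPs."""
    routes = []
    subnets = ipaddress.ip_network(network).subnets(new_prefix=new_prefix)
    for i, subnet in enumerate(subnets):
        primary = links[i % len(links)]
        routes.append(SourceRoute(subnet, primary, 1))
        routes.extend(SourceRoute(subnet, other, 2)
                      for other in links if other is not primary)
    return routes


def record_probe(link: Link, reachable: bool) -> None:
    """Feed one track-ip probe result (one per `interval`) into the link."""
    link.failures = 0 if reachable else link.failures + 1


def select_egress(src_ip: str, dst_port: int, policy: list,
                  source_routes: list, default: Link) -> Optional[Link]:
    """Choose the egress link for a new session.  Lookup order imitates
    ScreenOS: PBR first, then source-based routes (lowest metric whose link
    is up), then the destination-based default route.  None means nothing
    usable is left."""
    for entry in policy:
        if entry.dst_port == dst_port and entry.link.up:
            return entry.link
    src = ipaddress.ip_address(src_ip)
    candidates = [r for r in source_routes if src in r.subnet and r.link.up]
    if candidates:
        return min(candidates, key=lambda r: r.metric).link
    return default if default.up else None


def link_share(flows: dict, policy: list, source_routes: list,
               default: Link, dst_port: int = 80) -> dict:
    """Bytes per link for {src_ip: bytes}.  Shows Benjaminc's point: an even
    split of source addresses is not an even split of traffic."""
    totals = {}
    for src, nbytes in flows.items():
        link = select_egress(src, dst_port, policy, source_routes, default)
        key = link.name if link else "dropped"
        totals[key] = totals.get(key, 0) + nbytes
    return totals


if __name__ == "__main__":
    # Constructed sample: two ADSL uplinks, gateways from documentation ranges.
    isp1 = Link("ISP1", "ethernet0/0", "203.0.113.1")
    isp2 = Link("ISP2", "ethernet0/1", "198.51.100.1")
    routes = build_source_routes("10.1.1.0/24", 27, [isp1, isp2])
    pbr = [PolicyRoute(23, isp2)]          # telnet always via ISP2
    print("10.1.1.40 http ->", select_egress("10.1.1.40", 80, pbr, routes, isp1).name)
    print("10.1.1.5 telnet ->", select_egress("10.1.1.5", 23, pbr, routes, isp1).name)
    print("bytes per link:", link_share({"10.1.1.5": 900, "10.1.1.40": 100}, [], routes, isp1))
    for _ in range(10):                    # ten missed probes on ISP2
        record_probe(isp2, False)
    print("ISP2 down, 10.1.1.40 http ->",
          select_egress("10.1.1.40", 80, pbr, routes, isp1).name)
```

`link_share` is the part worth running before promising "50/50": with one busy host in a subnet pinned to ISP1 and a quiet host on ISP2, the address split is even and the byte split is 9:1, which is exactly the caveat Benjaminc raises.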
I need to load balance the incoming traffic between two web servers in the DMZ. If that is not possible, a failover would also be useful, meaning if one IP fails, it switches to the second IP.
Even the possibility of switching manually would be useful when there is planned maintenance. We thought we could do this with a VIP or MIP, but it said it was in use, so that was not possible.