Thanks Ben. This would be the case with two separate virtual routers since they 
would have to be in different security zones, which is why I didn't think that 
would work. I would like to keep the firewall in flow mode.


I found some information on multipath which I am going to lab up soon. I can 
keep the interfaces in the same security zone if that is the case and create a 
peer group for the two neighbours.


http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/configuration-statement/multipath-edit-protocols-bgp.html

Thanks!




________________________________
From: Ben Boyd <b...@sinatranetwork.com>
To: Daniel M Daloia Jr <daniel.dal...@yahoo.com>
Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
Sent: Friday, August 26, 2011 10:44 AM
Subject: Re: [j-nsp] Multihome SRX650 2 default routes


If you install both routes in the forwarding table you'll probably end up 
dropping a lot of your traffic.  

The SRX is a stateful firewall, so if you sent traffic to one provider and got 
it back on another it would drop the traffic. 

It would be best to do this in a router or to load balance per prefix with AS 
path prepending going out and local pref coming in.  

Anyway, here's how you would do it, but be careful.  
root# show
policy-statement TestLBOut {
    then {
        load-balance per-packet;
    }
}
 
root# show routing-options
forwarding-table {
    export TestLBOut;
}



Thanks,
Ben Boyd
----------------------
Sent from my iPhone

On Aug 25, 2011, at 11:09, Daniel M Daloia Jr <daniel.dal...@yahoo.com> wrote:


>Hi Folks,
>
>Is it possible to install 2 BGP default routes from 2 ISPs to provide load 
>balancing with an SRX650 cluster? Both ISPs are same speed. I was thinking 
>this may be possible with importing the routes into inet.0 from separate 
>virtual routers which have the interfaces facing the 2 ISPs in them, but the 
>ISP interfaces would have to be in separate security zones which wouldn't 
>agree with the security policy and NAT. Anyone have any ideas or can point me 
>to some documentation that will help? I suppose I can buy a separate set of 
>routers to run BGP and use an IGP to load balance, but doing it with the 
>single cluster would be nice.
>
>Thanks!
>_______________________________________________
>juniper-nsp mailing list juniper-nsp@puck.nether.net
>https://puck.nether.net/mailman/listinfo/juniper-nsp
>
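Added example, not part of the original thread and not Junos code: a simplified Python model of the point discussed above, where a stateful firewall sends a flow out one ISP and receives the reply on the other. It assumes the session check is zone-based (a reply is matched only if it arrives in the zone the session was built toward) and ignores NAT; interface names, zone names and addresses are constructed.

```python
# Simplified model of a zone-aware stateful firewall (constructed; not Junos code).
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self):
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


class StatefulFirewall:
    def __init__(self, iface_zone):
        self.iface_zone = iface_zone  # interface name -> security zone
        self.sessions = {}            # expected reply flow -> zone it must arrive in

    def outbound(self, flow, egress_iface):
        """First packet of a flow leaves via egress_iface; create the session."""
        self.sessions[flow.reverse()] = self.iface_zone[egress_iface]

    def inbound(self, flow, ingress_iface):
        """Return 'accept' or a drop reason for a packet arriving from outside."""
        expected_zone = self.sessions.get(flow)
        if expected_zone is None:
            return "drop: no session"
        if self.iface_zone[ingress_iface] != expected_zone:
            return "drop: zone mismatch"
        return "accept"


def asymmetric_reply(iface_zone):
    """Send out ISP A, receive the reply on ISP B; return the verdict."""
    fw = StatefulFirewall(iface_zone)
    flow = Flow("10.0.0.5", 40000, "198.51.100.10", 443)  # constructed addresses
    fw.outbound(flow, "isp-a")
    return fw.inbound(flow.reverse(), "isp-b")


SEPARATE_ZONES = {"isp-a": "untrust-a", "isp-b": "untrust-b"}  # one zone per ISP
SAME_ZONE = {"isp-a": "untrust", "isp-b": "untrust"}           # both ISPs in one zone

if __name__ == "__main__":
    print("separate zones:", asymmetric_reply(SEPARATE_ZONES))
    print("same zone:     ", asymmetric_reply(SAME_ZONE))
```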