ECMP doesn't work as of today in branch-series SRXs if "advanced"
security features are enabled, such as NAT, IDP, ALGs, and so on. The
problem is with the flow module and where routing decisions take
place.

It will work if both destination interfaces are in the same zone
and you're using basic security policies. If you require any form of
NAT (which is typical with two ISP links), then this will not
load-balance across the two paths.

I've tested this in my lab, and it's a known limitation within Juniper.
The forwarding table shows both routes (creating two static default
routes and then enabling layer 3 load balancing will do the trick), but
the routing table will always prefer one route and send traffic down
only that route.

There are hacks (and not very clean ones, to be honest) involving
multiple routers: one to terminate the inbound traffic and NAT it, then
a second to do the ECMP. This is not ideal, and I wouldn't ever
recommend it for a customer environment.

Best of luck. I hope the branch guys can get this fixed. ScreenOS has
been able to do this for a while. I'm told this may get addressed in
12.1, but nothing is official.
-Tim Eberhard



On Fri, Aug 26, 2011 at 10:33 AM, Daniel M Daloia Jr
<daniel.dal...@yahoo.com> wrote:
> Thanks Ben. This would be the case with two separate virtual routers, since 
> they would have to be in different security zones, which is why I didn't think 
> that would work. I would like to keep the firewall in flow mode.
>
>
> I found some information on multipath which I am going to lab up soon. I can 
> keep the interfaces in the same security zone if that is the case and create 
> a peer group for the two neighbours.
>
>
> http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/configuration-statement/multipath-edit-protocols-bgp.html
>
> Thanks!
>
>
>
>
> ________________________________
> From: Ben Boyd <b...@sinatranetwork.com>
> To: Daniel M Daloia Jr <daniel.dal...@yahoo.com>
> Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
> Sent: Friday, August 26, 2011 10:44 AM
> Subject: Re: [j-nsp] Multihome SRX650 2 default routes
>
>
> If you install both routes in the forwarding table you'll probably end up 
> dropping a lot of your traffic.
>
> The SRX is a stateful firewall, so if you sent traffic to one provider and 
> got it back on another it would drop the traffic.
>
> It would be best to do this in a router or to load balance per prefix with 
> AS-path prepending going out and local-pref coming in.
>
> Anyway, here's how you would do it, but be careful.
> root# show policy-options
> policy-statement TestLBOut {
>     then {
>         load-balance per-packet;
>     }
> }
>
> root# show routing-options
> forwarding-table {
>     export TestLBOut;
> }
>
>
>
> Thanks,
> Ben Boyd
> ----------------------
> Sent from my iPhone
>
> On Aug 25, 2011, at 11:09, Daniel M Daloia Jr <daniel.dal...@yahoo.com> wrote:
>
>
>>Hi Folks,
>>
>>Is it possible to install 2 BGP default routes from 2 ISPs to provide load 
>>balancing with an SRX650 cluster? Both ISPs are same speed. I was thinking 
>>this may be possible with importing the routes into inet.0 from separate 
>>virtual routers which have the interfaces facing the 2 ISPs in them, but the 
>>ISP interfaces would have to be in separate security zones which wouldn't 
>>agree with the security policy and NAT. Anyone have any ideas or can point me 
>>to some documentation that will help? I suppose I can buy a separate set of 
>>routers to run BGP and use an IGP to load balance, but doing it with the 
>>single cluster would be nice.
>>
>>Thanks!
>>_______________________________________________
>>juniper-nsp mailing list juniper-nsp@puck.nether.net
>>https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>

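Added example, not posted by anyone in this thread: a Junos configuration fragment that ties the pieces discussed above together, with both ISP interfaces in one security zone (so the stateful flow module does not see a zone change), two default routes kept in inet.0 (either the two static defaults Tim describes, or eBGP defaults from both providers with `multipath multiple-as`, the option Daniel linked), and Ben's per-packet load-balance policy exported to the forwarding table. Interface names, addresses, AS numbers and the policy name are placeholders. Two caveats from the thread still apply: this only distributes traffic across the two next hops when no NAT, IDP or ALG is in the path, and return traffic that comes back on the other ISP's interface is dropped by the session table unless the providers route your prefix symmetrically.

```junos
interfaces {
    /* ISP-A uplink (placeholder addressing) */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.0.2.2/30;
            }
        }
    }
    /* ISP-B uplink (placeholder addressing) */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 198.51.100.2/30;
            }
        }
    }
}
routing-options {
    /* placeholder local AS */
    autonomous-system 64496;
    /* Export the per-packet policy so both next hops reach the PFE */
    forwarding-table {
        export LB-DEFAULT;
    }
    /* Alternative to BGP: two static defaults. Left inactive here because
       a static route (preference 5) would otherwise shadow the BGP
       defaults (preference 170). Activate it if you do not run BGP. */
    inactive: static {
        route 0.0.0.0/0 next-hop [ 192.0.2.1 198.51.100.1 ];
    }
}
protocols {
    bgp {
        /* Both providers in one group; multiple-as is required because
           the two next hops come from different peer ASNs. */
        group ISPS {
            type external;
            multipath multiple-as;
            neighbor 192.0.2.1 {
                peer-as 64500;
            }
            neighbor 198.51.100.1 {
                peer-as 64501;
            }
        }
    }
}
policy-options {
    /* Same policy Ben posted; on SRX "per-packet" is in practice a
       per-flow hash, so a given session stays on one next hop. */
    policy-statement LB-DEFAULT {
        then {
            load-balance per-packet;
        }
    }
}
security {
    zones {
        /* Both uplinks in the same zone, as Tim notes is required */
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
                ge-0/0/1.0;
            }
        }
    }
}
```

To check whether both paths were actually installed, look at `show route 0.0.0.0/0 exact` (the BGP entry should list two next hops) and at `show route forwarding-table family inet` (the default entry should carry a `ulst` next-hop type rather than a single unicast next hop). Then confirm on the flow side with `show security flow session`: if every session's egress interface is the same uplink even though the forwarding table shows both, you are seeing the flow-module limitation Tim describes rather than a routing problem.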