Yes, my apologies if I wasn't clear in my original email. The "hack" involved in getting ECMP and any real security functionality working with the SRX involves multiple virtual routers.
On Wed, Sep 7, 2011 at 7:32 AM, Chen Jiang <iloveb...@gmail.com> wrote:
> you can use routing-instance to achieve ECMP/NAT in SRX.
>
> On Sun, Aug 28, 2011 at 1:22 AM, Daniel Daloia <daniel.dal...@yahoo.com> wrote:
>>
>> If that's true then that's horrible news. The data sheet for the SRX
>> branch series lines says that it can do ECMP, but says nothing about mixing
>> it with advanced services. This seems so trivial. Going to spend some time
>> in the lab.
>>
>> Thanks!
>>
>> On Aug 27, 2011, at 3:02 AM, Tim Eberhard <xmi...@gmail.com> wrote:
>>
>>> ECMP doesn't work as of today in branch series SRXs if "advanced"
>>> security features are enabled such as NAT, IDP, ALGs, and such. The
>>> problem is with the flow module and where routing decisions take
>>> place.
>>>
>>> It will work if both destination interfaces are in the same zone
>>> and you're using basic security policies. If you require any form of
>>> NAT (which is typical with two ISP links) then this will not load
>>> balance across the two paths.
>>>
>>> I've tested this in my lab and it's a known limitation within Juniper.
>>> The forwarding table shows both routes (creating two static default
>>> routes will do the trick) after enabling layer 3 load balancing, but the
>>> routing table will always prefer one route and send traffic down only
>>> that route.
>>>
>>> There are hacks (and not very clean ones to be honest) involving
>>> multiple routers, one to terminate the inbound traffic and NAT it, then
>>> the second to do the ECMP. This is not ideal and I wouldn't ever
>>> recommend it for a customer environment.
>>>
>>> Best of luck. I hope the branch guys can get this fixed. ScreenOS has
>>> been able to do this for a while. I'm told this may get addressed in
>>> 12.1 but nothing is official.
>>> -Tim Eberhard
>>>
>>> On Fri, Aug 26, 2011 at 10:33 AM, Daniel M Daloia Jr
>>> <daniel.dal...@yahoo.com> wrote:
>>>> Thanks, Ben. This would be the case with two separate virtual routers
>>>> since they would have to be in different security zones, which is why I
>>>> didn't think that would work. I would like to keep the firewall in flow mode.
>>>>
>>>> I found some information on multipath which I am going to lab up soon.
>>>> I can keep the interfaces in the same security zone if that is the case
>>>> and create a peer group for the two neighbours.
>>>>
>>>> http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/configuration-statement/multipath-edit-protocols-bgp.html
>>>>
>>>> Thanks!
>>>>
>>>> ________________________________
>>>> From: Ben Boyd <b...@sinatranetwork.com>
>>>> To: Daniel M Daloia Jr <daniel.dal...@yahoo.com>
>>>> Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
>>>> Sent: Friday, August 26, 2011 10:44 AM
>>>> Subject: Re: [j-nsp] Multihome SRX650 2 default routes
>>>>
>>>> If you install both routes in the forwarding table you'll probably end
>>>> up dropping a lot of your traffic.
>>>>
>>>> The SRX is a stateful firewall, so if you sent traffic to one provider
>>>> and got it back on another it would drop the traffic.
>>>>
>>>> It would be best to do this in a router or to load balance per prefix
>>>> with AS-path prepending going out and local pref coming in.
>>>>
>>>> Anyway, here's how you would do it, but be careful.
>>>>
>>>> root# show
>>>> policy-statement TestLBOut {
>>>>     then {
>>>>         load-balance per-packet;
>>>>     }
>>>> }
>>>>
>>>> root# show routing-options
>>>> forwarding-table {
>>>>     export TestLBOut;
>>>> }
>>>>
>>>> Thanks,
>>>> Ben Boyd
>>>> ----------------------
>>>> Sent from my iPhone
>>>>
>>>> On Aug 25, 2011, at 11:09, Daniel M Daloia Jr <daniel.dal...@yahoo.com>
>>>> wrote:
>>>>
>>>>> Hi Folks,
>>>>>
>>>>> Is it possible to install 2 BGP default routes from 2 ISPs to provide
>>>>> load balancing with an SRX650 cluster? Both ISPs are same speed. I was
>>>>> thinking this may be possible with importing the routes into inet.0 from
>>>>> separate virtual routers which have the interfaces facing the 2 ISPs in
>>>>> them, but the ISP interfaces would have to be in separate security zones
>>>>> which wouldn't agree with the security policy and NAT. Anyone have any
>>>>> ideas or can point me to some documentation that will help? I suppose I
>>>>> can buy a separate set of routers to run BGP and use an IGP to load
>>>>> balance, but doing it with the single cluster would be nice.
>>>>>
>>>>> Thanks!
>>>>> _______________________________________________
>>>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> --
> BR!
>
> James Chen
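The case Tim describes as the one that does load-balance (both ISP interfaces in a single zone, plain permit policies, no NAT, two static defaults, forwarding-table export of Ben's load-balance policy) pulled together into one Junos configuration, with the BGP multipath group Daniel intends to lab as the alternative to the static routes. This is an added example and not configuration posted by anyone in the thread; the interface names, addresses, AS numbers and zone names are placeholders. Junos accepts `load-balance per-packet` as the keyword, but on a flow-mode SRX the hashing is expected to be per session rather than literally per packet, which is what keeps a given session on one ISP; verify that in the lab on the target release, and expect Tim's limitation to reappear as soon as source NAT is added to the untrust interfaces.

```junos
/* Added example, not from the thread. All names and addresses are placeholders. */
interfaces {
    ge-0/0/0 {
        description "ISP-A uplink (placeholder)";
        unit 0 { family inet { address 203.0.113.2/30; } }
    }
    ge-0/0/1 {
        description "ISP-B uplink (placeholder)";
        unit 0 { family inet { address 198.51.100.2/30; } }
    }
    ge-0/0/2 {
        description "inside LAN (placeholder)";
        unit 0 { family inet { address 10.0.0.1/24; } }
    }
}
security {
    zones {
        /* Both uplinks in ONE zone: session lookup on the return path still
           matches regardless of which ISP interface the reply arrives on. */
        security-zone untrust {
            interfaces { ge-0/0/0.0; ge-0/0/1.0; }
        }
        security-zone trust {
            interfaces { ge-0/0/2.0; }
        }
    }
    policies {
        /* Basic permit policy only; no NAT, IDP or ALG features. */
        from-zone trust to-zone untrust {
            policy allow-out {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
    }
}
routing-options {
    autonomous-system 64500;
    static {
        /* Two equal-cost next hops for the default route (Tim's "two static
           default routes"). Remove this stanza if the defaults come via BGP. */
        route 0.0.0.0/0 next-hop [ 203.0.113.1 198.51.100.1 ];
    }
    forwarding-table {
        /* Without this export only one next hop is installed in the PFE. */
        export TestLBOut;
    }
}
policy-options {
    policy-statement TestLBOut {
        then { load-balance per-packet; }
    }
}
protocols {
    bgp {
        /* Alternative to the static routes: one group, two neighbours,
           multipath across different upstream ASNs. Assumes both ISPs
           send only a default route. */
        group ISPs {
            type external;
            multipath multiple-as;
            neighbor 203.0.113.1 { peer-as 64501; }
            neighbor 198.51.100.1 { peer-as 64502; }
        }
    }
}
```

Two checks after commit: `show route 0.0.0.0/0` should list both next hops for the active route, and `show route forwarding-table destination 0.0.0.0/0` should show both as installed next hops (the "ulst" type); if the forwarding table shows only one, the export policy is not applied. Ben's warning still applies to inbound traffic: with a single advertised prefix the return path is chosen by the ISPs, so the session-table hit depends on both interfaces sharing the zone above, not on the load-balance policy.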