Configure Filter Based Load Balancing in Juniper SRXMustBeGeek 11/06/24, 8:02 AM

Configure Filter Based Load Balancing in Juniper SRX

Published: September 11, 2013 · Bipin

There are various tricks to configure load balancing in JunOS devices. Filter based forwarding and per
flow load balancing methods are quite popular. These types of load balancing can be configured on many
Juniper devices, such as the MX series, J series, and SRX series. Here, I will show the steps to configure
filter based load balancing on a Juniper SRX device. In filter based forwarding, two routing tables are
configured. Each table has a different ISP as its primary gateway and the other ISP as its secondary gateway.

Configure Filter Based Load Balancing in Juniper SRX


We want to balance the traffic coming from the internal network to the Internet using both ISP links. First,
we need to create two routing tables. Then, we create firewall filters and a RIB group. I will show the
configuration step by step. The diagram below shows our scenario. We have two ISP links and two
internal networks. We want to route the 192.168.1.0/24 network via ISP A, with ISP B as the backup.
Similarly, we route 192.168.2.0/24 via ISP B, with ISP A as its backup.

https://www.mustbegeek.com/configure-filter-based-load-balancing-in-juniper-srx/ Page 1 of 13

Step 1: Create Routing Tables

First, let’s create the routing tables. We need two of them. Routing tables are
configured under the [edit routing-instances] hierarchy. We will create routing tables named ISPA and ISPB.


[edit routing-instances]
root@SRX# set ISPA instance-type forwarding
[edit routing-instances]
root@SRX# set ISPA routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
[edit routing-instances]
root@SRX# set ISPA routing-options static route 0.0.0.0/0 qualified-next-hop 2.2.2.1 preference 7


Type show to view the configuration.


[edit routing-instances]
root@SRX# show
ISPA {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 1.1.1.1;
                qualified-next-hop 2.2.2.1 {
                    preference 7;
                }
            }
        }
    }
}

Now let’s configure ISPB routing instance.


[edit routing-instances]
root@SRX# set ISPB instance-type forwarding
[edit routing-instances]
root@SRX# set ISPB routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
[edit routing-instances]
root@SRX# set ISPB routing-options static route 0.0.0.0/0 qualified-next-hop 1.1.1.1 preference 7

Type show to view the configuration.


[edit routing-instances]
root@SRX# show
ISPB {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 2.2.2.1;
                qualified-next-hop 1.1.1.1 {
                    preference 7;
                }
            }
        }
    }
}

Step 2: Create Firewall Filters

Now, let’s create firewall filters.


[edit firewall family inet]
root@SRX# set filter ISPA-FILTER term FOR-ISPA from source-address 192.168.1.0/24
[edit firewall family inet]
root@SRX# set filter ISPA-FILTER term FOR-ISPA then routing-instance ISPA
[edit firewall family inet]
root@SRX# set filter ISPB-FILTER term FOR-ISPB from source-address 192.168.2.0/24
[edit firewall family inet]
root@SRX# set filter ISPB-FILTER term FOR-ISPB then routing-instance ISPB

Type show to view the firewall filter.


[edit firewall family inet]
root@SRX# show
filter ISPA-FILTER {
    term FOR-ISPA {
        from {
            source-address {
                192.168.1.0/24;
            }
        }
        then {
            routing-instance ISPA;
        }
    }
}
filter ISPB-FILTER {
    term FOR-ISPB {
        from {
            source-address {
                192.168.2.0/24;
            }
        }
        then {
            routing-instance ISPB;
        }
    }
}

Now apply the filters to the internal interfaces, one filter per interface.


[edit interfaces]
root@SRX# set ge-0/0/2 unit 0 family inet filter input ISPA-FILTER
[edit interfaces]
root@SRX# set ge-0/0/3 unit 0 family inet filter input ISPB-FILTER
[edit interfaces]
root@SRX# show
ge-0/0/2 {
    unit 0 {
        family inet {
            filter {
                input ISPA-FILTER;
            }
            address 192.168.1.1/24;
        }
    }
}
ge-0/0/3 {
    unit 0 {
        family inet {
            filter {
                input ISPB-FILTER;
            }
            address 192.168.2.1/24;
        }
    }
}

Step 3: Create RIB Group

A RIB (Routing Information Base) group is created to share route information from the master routing table
with other custom routing tables. For the inet family, the master routing table is inet.0. As of now, routing
tables ISPA and ISPB only know the routes that were configured while creating the routing instances. That is,
the default route only. We need to copy all the routes from inet.0 to the ISPA and ISPB routing tables to make
the routing work properly. A RIB group is configured under the [edit routing-options] hierarchy.


[edit routing-options]
root@SRX# set rib-groups LOAD-BALANCE-RIB import-rib inet.0
[edit routing-options]
root@SRX# set rib-groups LOAD-BALANCE-RIB import-rib ISPA.inet.0
[edit routing-options]
root@SRX# set rib-groups LOAD-BALANCE-RIB import-rib ISPB.inet.0
[edit routing-options]
root@SRX# show
rib-groups {
    LOAD-BALANCE-RIB {
        import-rib [ inet.0 ISPA.inet.0 ISPB.inet.0 ];
    }
}

You can verify the configuration by running traceroute from a client PC in each network. You can also check
the routing tables. To view the routing tables, type
root@SRX> show route table ISPA.inet.0

This is how you configure filter based load balancing.
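
Two gaps that the comment thread below runs into, closed here as an added configuration example (not part of the original article): a RIB group has no effect until something references it, and every firewall filter ends in an implicit discard. The term name ALLOW-REST and the counter names FBF-ISPA and FBF-ISPB are assumed names; all other names are the article's.

```junos
# Added example, not from the original article. Entered from the top [edit] level.

# 1. Reference the RIB group for interface routes, so the connected and local
#    routes are copied from inet.0 into ISPA.inet.0 and ISPB.inet.0. Without
#    the connected routes toward 1.1.1.1 and 2.2.2.1 in those tables, the
#    static next hops cannot be resolved and the default routes stay inactive.
set routing-options interface-routes rib-group inet LOAD-BALANCE-RIB

# 2. Count the packets handed to each routing instance (counter names are
#    assumed), so the filter's effect can be confirmed after commit.
set firewall family inet filter ISPA-FILTER term FOR-ISPA then count FBF-ISPA
set firewall family inet filter ISPB-FILTER term FOR-ISPB then count FBF-ISPB

# 3. Close each filter with an explicit accept term (ALLOW-REST is an assumed
#    name). Packets arriving on the interface that do not match the
#    source-address term would otherwise fall through to the implicit discard.
set firewall family inet filter ISPA-FILTER term ALLOW-REST then accept
set firewall family inet filter ISPB-FILTER term ALLOW-REST then accept

# 4. Review the pending change, then commit with automatic rollback in case
#    the new filter terms cut off management access.
show | compare
commit confirmed 5

# 5. Verify: each instance table should now list the connected routes and an
#    active 0.0.0.0/0 route, and the counters should increase with traffic.
run show route table ISPA.inet.0
run show route table ISPB.inet.0
run show firewall filter ISPA-FILTER
run show firewall filter ISPB-FILTER

# 6. Make the change permanent before the 5-minute rollback timer expires.
commit
```

If `show route table ISPA.inet.0` reports no such table or lists no connected routes, the RIB group is still not being applied to the interface routes.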


Bipin
Bipin is a freelance Network and System Engineer with expertise in Cisco, Juniper,
Microsoft, VMware, and other technologies. You can hire him on UpWork. Bipin enjoys
writing articles and tutorials related to network technologies. Some of his certifications
are MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.

12 Comments
Joe McSparin
8 years ago

Is the filter based load balance recommended over the other way that uses the forwarding-table?

binoy
9 years ago

Does this work with an SRX cluster setup? Has anyone checked the same?

Manjit Singh
9 years ago

Hello,

So in this case, how will my security policy lookup happen?

Let's say a packet from the Internet arrives on my SRX on ge-0/0/0.
Then it will check the security policy for the zone in which ge-0/0/0 will be.
Then simultaneously it will see the reverse route for the source, which is now not there in
inet.0, or in some case it can pick the other ISP link and will install it in the session as
outgoing interface....
How can this be solved?

Muko
10 years ago

Thank you. Your articles are a great help.

I have a question on the above filter based forwarding scenario.

When you ping both 1.1.1.2 and 2.2.2.2 from the Internet, either one interface replies but
not both (is it because the default destination is designated as, for example, ge-0/0/0.0 or
ge-0/0/0.1 in the default.inet forwarding table?).

What is a way for both WAN interfaces to be able to reply to ping requests from the
Internet?

Could it be a solution to use both the filter based forwarding and per flow load balancing
(in your other article) on the same SRX box?

Best regards,
Muko

Bigyan, replying to Muko
8 years ago

@Muko you can use a virtual router instead; I ran into the same kind of
situation a couple of months ago. Refer to KB15545. @Bipin Giri your articles are
supposed to be rather responsive, not like some sorta
painting hanging on the wall put out on display. Try responding to visitors' queries
every once in a while.

sven
10 years ago

If I use the firewall filter as described, the filter has only one "then" clause, the balance to
the routing-instance. When this config is running, the packets aren't going through the SRX.
But a filter can only have one "then" clause. The example is not working.
As you wrote, I have to add the "then accept" clause. Why isn't it part of the example, and how
can I add it?
Thx

Bipin Giri (Mod), replying to sven
10 years ago (edited)

Send me a message via the contact form.

sven
10 years ago

And there is only one route table (inet.0). I'm not able to run the command "show route table
ISPA.inet.0"; it's not present :\

sven
10 years ago

I'm getting ping answers from 1.1.1.1 and 2.2.2.1, but when I try to ping 8.8.8.8, the SRX
logfile (traceoptions) says: Destination lookup failed, no route to host :\

sven
10 years ago

If I'm not adding "accept" into the firewall filter "then" clause, no traffic is passing.
Is this my fault?

Bipin Giri (Mod), replying to sven
10 years ago (edited)

Yes, because you have to add a then clause with the accept keyword in the firewall filter to
allow traffic. Filters have an implicit deny, which means that if you don't
configure filters to accept traffic, it will be denied. By the way, to be specific about your
problem, can you paste your filter here?

Johnny Wahlen, replying to Bipin Giri
9 years ago (edited)

Any example of how to do this? This is crucial for inbound NAT to have the
routing instance, but without accept it stops working. I do have a term
right after with then accept on it. Here is one of the filters:

term For-ISP2{
    from {
        source-address {
            1.1.1.1/29;
        }
    }
