Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

Question

help configure dual isp on juniper srx

by Feb 21, 2019 11:14AM PST

hi. i'm a newbie at networks,
i am trying to configure a juniper srx to work with 2 diffrent isp.
i want to have redundancy is one fails, and also to do some load balancing for the network.
the trafic on the network is mostly composed of some pc's that stream live on different servers: youtube twitch, etc. i found that youtube works better with one isp and twitch with other one, but it could be the same pc that runs 2 gaming streams one on youtube and one on twitch for example so i don't want to do a simple failover, if one isp fails the traffic goes to the second one.

one isp router is 192.168.1.1 and the other one is 192.169.1.1 and they are dhcp enabled
i tryed to inspire from :
http://www.mustbegeek.com/configure-filter-based-load-balancing-in-juniper-srx/

but i am doing something wrong,don't know what
on interfaces ge-0/0/0 and ge-0/0/1 it will be the 2 isp, and on others it will be conected one pc, so the rest of the ports have to have dhcp enabled.

Discussion is locked

2 Posts
- Collapse + Expand Details
- Collapse -
Answer
this is the configuration that i have, but it does not work
by Feb 21, 2019 11:16AM PST

## Last commit xxxxxxxx:
version xxxxxx;
system {
host-name juniper;
root-authentication {
encrypted-password "xxxxxxxx";
}
name-server {
1.1.1.1;
1.0.0.1;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
maximum-lease-time 43000;
default-lease-time 40000;
router {
192.167.1.1;
}
pool 192.167.1.0/24 {
address-range low 192.167.1.3 high 192.167.1.254;
}
propagate-settings "set fe-0/0/7.0";
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
dhcp;
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family inet {
filter {
input ISPA-FILTER;
}
address 192.166.1.1/24;
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
filter {
input ISPB-FILTER;
}
address 192.167.1.1/24;
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
routing-options {
static {
route 192.167.1.0/24 next-hop 192.169.1.1;
route 192.166.1.0/24 next-hop 192.168.1.1;
}
rib-groups {
LOAD-BALANCE-RIB {
import-rib [ inet.0 ISPA.inet.0 ISPB.inet.0 ];
}
}
}
protocols {
stp;
}
security {
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set movistar {
from interface ge-0/0/0.0;
to interface [ fe-0/0/3.0 fe-0/0/4.0 ];
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
}
firewall {
family inet {
filter ISPA-FILTER {
term FOR-ISPA {
from {
source-address {
192.166.1.0/24;
}
}
then {
routing-instance ISPA;
}
}
}
filter ISPB-FILTER {
term FOR-ISPB {
from {
source-address {
192.167.1.0/24;
}
}
then {
routing-instance ISPB;
}
}
}
}
}
routing-instances {
ISPA {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 192.168.1.1;
qualified-next-hop 192.169.1.1 {
preference 7;
}
}
}
}
}
ISPB {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 192.169.1.1;
qualified-next-hop 192.168.1.1 {
preference 7;
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}

- Collapse -
Answer
This sort of work is by your IT or back to the maker.
by Forum moderator Feb 21, 2019 12:03PM PST

I advise you contact Juniper directly. I've only worked Cisco and even with that and my background of router code in the 90's must be steeped in the model and system to get into this. Juniper will either have your answer or know where support can be found.

Back to Networking & Wireless forum

CNET Forums

Operating Systems
Software
Electronics & Gadgets
Hardware
Tablets & Mobile Devices
General Help
Brand Forums
Roadshow Autos
Off Topic

Other Forums

Forum Info