Many small-businesses and branch offices have 2 ISP connections and 1 Juniper SRX. The branch office Juniper SRX is awesome for anti-virus, anti-spam, intrusion detection, VPNs, and just plain firewalling, but one of the downsides is the fact that per-packet or per-flow load-balancing isn’t possible on a stateful Juniper SRX.
You won’t be able to “truly” load balance unless you put the SRX in packet-mode and disable the stateful firewall. Which we don’t want to do, because security is AWESOME!
You could fix this issue with OSPF or RPM (realtime performance monitoring), but there are a couple reasons among many not to:
- ISP’s will not run OSPF with you, so that’s not really choice.
- RPM is a crude way to accomplish this and will end up being a lot of JUNOS scripting :/
Here’s what I do in order to send some traffic out of one interface and other traffic out of the another interface. I setup routes using one or the other as a gateway and have them back each other up.
Internet Link #1 – (SRX) 192.168.1.2 ——- 192.168.1.1 (ISP #1)
Internet Link #2 – (SRX) 192.168.2.2 ——- 192.168.2.1 (ISP #2)
The following configuration will split the internet into 4 subnets and send all traffic for 2 subnets down one link and 2 subnets down another link
Default Route with failover for gateway of last resort
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.2.1 preference 9
0.0.0.0 – 220.127.116.11 out of interface #1
set routing-options static route 0/2 next-hop 192.168.1.1
set routing-options static route 0/2 qualified-next-hop 192.168.2.1 preference 9
18.104.22.168 – 127.255.255.255 out of interface #2
set routing-options static route 64/2 next-hop 192.168.2.1
set routing-options static route 64/2 qualified-next-hop 192.168.1.1 preference 9
22.214.171.124 – 126.96.36.199 out of interface #1
set routing-options static route 128/2 next-hop 192.168.1.1
set routing-options static route 128/2 qualified-next-hop 192.168.2.1 preference 9
192.0.0.0 – 255.255.255.255 out of interface #2
set routing-options static route 192/2 next-hop 192.168.2.1
set routing-options static route 192/2 qualified-next-hop 192.168.1.1 preference 9
You could cut it down further (/3’s or /4’s), but i’ve had good success (65-35% load balancing) with this strategy.