Load Balance Dual ISP Internet in Juniper SRX

There are different methods for load balancing internet traffic on Juniper SRX series devices. Two of them are per-flow load balancing and filter-based load balancing. You can use either method to load balance dual ISP internet on Juniper SRX, MX or J series devices. Here, I will load balance dual ISP internet on a Juniper SRX device using the per-flow load balancing method.


The diagram below shows our existing scenario. We have two ISPs across which we want to load balance the internet traffic. The two internet links are in the UNTRUST zone, whereas the internal network is in the TRUST zone. I have already configured the required security policies.

The first step is to define the routing policy. Configure the following policy under the [edit policy-options] hierarchy.

[edit policy-options]
root@SRX240# set policy-statement LOAD-BALANCE then load-balance per-packet

No from clause is used here, so the policy matches any source and applies load-balance per-packet. Despite the keyword's name, this setting balances traffic per flow, not per individual packet.

[edit policy-options]
root@SRX240# show
policy-statement LOAD-BALANCE {
    then {
        load-balance per-packet;
    }
}

The second step is to configure the routing options. Configure the following static default routes, one per ISP gateway, under the [edit routing-options] hierarchy.

[edit routing-options]
root@SRX240# set static route 0.0.0.0/0 next-hop 1.1.1.1
[edit routing-options]
root@SRX240# set static route 0.0.0.0/0 next-hop 2.2.2.1

Now, apply the routing policy called LOAD-BALANCE to the forwarding table under the routing options.

[edit routing-options]
root@SRX240# set forwarding-table export LOAD-BALANCE

Type the show command to view the configuration.

[edit routing-options]
root@SRX# show
static {
    route 0.0.0.0/0 next-hop [ 1.1.1.1 2.2.2.1 ];
}
forwarding-table {
    export LOAD-BALANCE;
}

You can now view the route forwarding table to verify.

root@SRX> show route forwarding-table

You will see two next-hop MAC addresses for the default destination network.

By default, Junos includes only the layer 3 IP address when determining the flow, but you can change this behavior and include both layer 3 and layer 4 information. To do so, enter the following commands under the [edit forwarding-options] hierarchy.

[edit forwarding-options]
root@SRX# set hash-key family inet layer-3
[edit forwarding-options]
root@SRX# set hash-key family inet layer-4
[edit forwarding-options]
root@SRX# show
hash-key {
    family inet {
        layer-3;
        layer-4;
    }
}

You can now check the logs or run tracert from a client PC to test the load sharing. You can test from a single PC in the network.
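The effect of the hash-key setting on a single-PC test can be seen in a small simulation. This is an added example, not part of the original configuration or Juniper code: it hashes the selected header fields and picks one of the two next hops from this page. SHA-256 stands in for the real Junos hash (an assumption), and the client and server addresses are constructed sample values.

```python
import hashlib
from collections import Counter

# The two ISP gateways from the static default route on this page.
NEXT_HOPS = ["1.1.1.1", "2.2.2.1"]

def pick_next_hop(flow, use_layer4):
    """Choose a next hop for a flow by hashing the selected header fields.

    flow is (src_ip, dst_ip, protocol, src_port, dst_port).
    SHA-256 is a stand-in (assumption); the real Junos hash is not modelled.
    """
    src_ip, dst_ip, proto, sport, dport = flow
    key = f"{src_ip}|{dst_ip}"                  # layer-3 fields only
    if use_layer4:
        key += f"|{proto}|{sport}|{dport}"      # add layer-4 fields
    digest = hashlib.sha256(key.encode()).digest()
    return NEXT_HOPS[int.from_bytes(digest[:4], "big") % len(NEXT_HOPS)]

def distribution(flows, use_layer4):
    """Count how many flows land on each next hop."""
    return Counter(pick_next_hop(f, use_layer4) for f in flows)

# Constructed sample: one PC opening 200 TCP sessions to a single server.
SINGLE_PAIR = [("192.168.1.10", "203.0.113.80", 6, 40000 + i, 443)
               for i in range(200)]
# Constructed sample: the same PC contacting 200 different servers.
MANY_DESTINATIONS = [("192.168.1.10", f"198.51.100.{i}", 6, 40000, 443)
                     for i in range(1, 201)]

if __name__ == "__main__":
    cases = [("one PC -> one server", SINGLE_PAIR),
             ("one PC -> many servers", MANY_DESTINATIONS)]
    for label, flows in cases:
        for use_l4 in (False, True):
            mode = "layer-3 + layer-4" if use_l4 else "layer-3 only"
            print(f"{label:24} {mode:18} {dict(distribution(flows, use_l4))}")
```

With layer-3 only hashing, every session between one PC and one server lands on the same ISP, so a single-PC test needs several destinations (or layer-4 hashing) before both links show traffic. In every mode the same flow always maps to the same next hop, so the packets of one session are never split across the two ISPs.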