Eliminate asymmetric routing in Juniper SRX
- Tutorial
In this article, I will describe how, using native Juniper SRX tools, you can really easily and elegantly resolve some annoying routing schemes. It will be about using a virtual router, or rather, in terms of Junipers, routing-instance virtual-router.
Briefly, the problem can be formulated as follows: there are two or more external Internet channels (ISP1 and ISP2) and there is a web server inside the network. The source NAT is raised on the gateway, which gives the page to both external interfaces. Customers of both providers must see the web page. The problem is that, for example, if ISP1 is the main gateway for us, then web requests from the ISP2 network come to our server and go through the main gateway to the network to ISP1, which, of course, blocks this business.
The problem, in general, is as old as the world and there are many ways to solve it. I will describe, in my opinion, the simplest and least time- and resource-intensive. I must say right away that it’s not me that brain that I read and dopped - they just told me how to do this most easily. I myself would definitely invent something terrible!
Let the main gateway ISP1 be 1.2.3.1, and the gateway ISP2 will be 5.6.7.1. Create a routing-instance:
Now we import the routes into the routing table in the ISP2 network.
What have we done? And what is this virtual-router in general? In fact, a virtual router is an almost complete router with its own routing table and its interfaces. The first series of commands we created it, indicated that the ge-0/0/2 interface is now its interface, and also indicated that its main gateway is the ISP2 gateway. At this stage, a new routing table ISP2_route.inet.0 was created with only one entry (main gateway)
The second series of commands allowed importing into the new routing table the so-called interface routes, i.e. local routes to Juniper interfaces. Without them, the virtual router could not see the web server. Interface routes were taken from the default routing table, which in Junipers has the name inet.0.
That's all!
PS I do not rummage in web design. Someone tell me how to put a picture in the center?
Briefly, the problem can be formulated as follows: there are two or more external Internet channels (ISP1 and ISP2) and there is a web server inside the network. The source NAT is raised on the gateway, which gives the page to both external interfaces. Customers of both providers must see the web page. The problem is that, for example, if ISP1 is the main gateway for us, then web requests from the ISP2 network come to our server and go through the main gateway to the network to ISP1, which, of course, blocks this business.
The problem, in general, is as old as the world and there are many ways to solve it. I will describe, in my opinion, the simplest and least time- and resource-intensive. I must say right away that it’s not me that brain that I read and dopped - they just told me how to do this most easily. I myself would definitely invent something terrible!
Let the main gateway ISP1 be 1.2.3.1, and the gateway ISP2 will be 5.6.7.1. Create a routing-instance:
root@srx# set routing-instances ISP2_route instance-type virtual-routerroot@srx# set routing-instances ISP2_route interface ge-0/0/2root@srx# set routing-instances ISP2_route routing-options static route 0/0 next-hop 5.6.7.1
Now we import the routes into the routing table in the ISP2 network.
That's all! Applying this config, packets coming from the network, ISP2 will go back to the ISP2 network.root@srx# set routing-options interface-routes rib-group inet ISP2root@srx# set routing-options rib-groups ISP2 import-rib ISP2_route.inet.0root@srx# set routing-options rib-groups ISP2 import-rib inet.0
What have we done? And what is this virtual-router in general? In fact, a virtual router is an almost complete router with its own routing table and its interfaces. The first series of commands we created it, indicated that the ge-0/0/2 interface is now its interface, and also indicated that its main gateway is the ISP2 gateway. At this stage, a new routing table ISP2_route.inet.0 was created with only one entry (main gateway)
The second series of commands allowed importing into the new routing table the so-called interface routes, i.e. local routes to Juniper interfaces. Without them, the virtual router could not see the web server. Interface routes were taken from the default routing table, which in Junipers has the name inet.0.
That's all!
PS I do not rummage in web design. Someone tell me how to put a picture in the center?