
Eliminating asymmetric routing in Juniper SRX

In this article I will describe how, using the native tools of the Juniper SRX, you can handle an annoying routing scheme easily and elegantly. It is about using a virtual router, or, in Junos terms, a routing-instance of type virtual-router.
Briefly, the problem is this: there are two or more Internet uplinks (ISP1 and ISP2) and a web server inside the network. On the gateway, destination NAT publishes the web server on both external interfaces, and the clients of both providers must be able to reach it. The trouble is that if ISP1 is the default gateway, requests arriving from the ISP2 side do reach our server, but the replies follow the default route out through ISP1 carrying a source address from ISP2's range. ISP1, naturally, drops packets sourced from addresses that are not its own (anti-spoofing ingress filtering), so clients behind ISP2 never get the page.



The problem, in general, is as old as the world and has many solutions. I will describe the one that is, in my opinion, the simplest and least demanding of time and resources. I'll say right away that I didn't work it out myself by reading and digging; someone simply told me the easiest way to do it. Left to my own devices I would certainly have invented something terrible!
Let the ISP1 gateway (our default) be 1.2.3.1 and the ISP2 gateway 5.6.7.1. Create a routing instance:
root@srx# set routing-instances ISP2_route instance-type virtual-router
root@srx# set routing-instances ISP2_route interface ge-0/0/2
root@srx# set routing-instances ISP2_route routing-options static route 0/0 next-hop 5.6.7.1

Now import the interface routes from the main routing table into the new one, using a rib-group. The table that originates the routes (inet.0) must be listed first; the table that receives the copies comes after it:
root@srx# set routing-options interface-routes rib-group inet ISP2
root@srx# set routing-options rib-groups ISP2 import-rib inet.0
root@srx# set routing-options rib-groups ISP2 import-rib ISP2_route.inet.0
After committing this configuration, replies to traffic that arrived via ISP2 leave via ISP2 again.
What have we done, and what is a virtual-router? A virtual router is essentially a full-fledged router with its own routing table and its own interfaces. The first series of commands created it, assigned the ge-0/0/2 interface to it and gave it its own default gateway, the ISP2 one. At this point a new routing table, ISP2_route.inet.0, exists with a single entry: the default route.
The second series of commands imports the so-called interface routes, i.e. the directly connected routes for the Juniper's own interfaces, into the new table. Without them the virtual router would have no route to the web server. The interface routes are taken from the default routing table, which in Junos is called inet.0. The reason this fixes the asymmetry is that the SRX flow module looks up the return route for a session in the routing instance of the interface the first packet arrived on, so a session that came in on ge-0/0/2 is answered via ISP2_route.inet.0 and its 5.6.7.1 default, regardless of what inet.0 says. A quick check after commit: show route table ISP2_route.inet.0 should list the default route plus the direct routes of the other interfaces. Note also that ge-0/0/2 keeps its security zone and policies as before; the only constraint is that all interfaces of one zone must belong to the same routing instance.
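The article shows only the two routing fragments. The block below is an added example, not configuration from the original article, that puts them into a complete minimal SRX configuration: interfaces, the two zones, destination NAT publishing the server on both public addresses, the matching policies, and the routing instance with the rib-group. The web server address 192.168.1.10, the internal interface ge-0/0/0.0, the ISP1 interface ge-0/0/1.0 and the public addresses 1.2.3.2 and 5.6.7.2 are assumptions; the article only fixes the two gateway addresses and ge-0/0/2. Lines beginning with ## are commentary for the reader, not configuration, and should be dropped before pasting.

```junos
## Assumed addressing (not from the article): server 192.168.1.10 behind ge-0/0/0.0,
## ISP1 on ge-0/0/1.0 as 1.2.3.2/24, ISP2 on ge-0/0/2.0 as 5.6.7.2/24.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 1.2.3.2/24
set interfaces ge-0/0/2 unit 0 family inet address 5.6.7.2/24

## inet.0: ISP1 is the default gateway
set routing-options static route 0.0.0.0/0 next-hop 1.2.3.1

## Virtual router for ISP2 with its own default route (the article's first block)
set routing-instances ISP2_route instance-type virtual-router
set routing-instances ISP2_route interface ge-0/0/2.0
set routing-instances ISP2_route routing-options static route 0.0.0.0/0 next-hop 5.6.7.1

## Leak the direct (interface) routes from inet.0 into ISP2_route.inet.0 so the
## virtual router can reach 192.168.1.0/24. The originating table is listed first.
set routing-options rib-groups ISP2 import-rib inet.0
set routing-options rib-groups ISP2 import-rib ISP2_route.inet.0
set routing-options interface-routes rib-group inet ISP2

## One zone per uplink; a zone cannot mix interfaces from different routing instances
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone ISP1 interfaces ge-0/0/1.0
set security zones security-zone ISP2 interfaces ge-0/0/2.0
set security zones security-zone trust address-book address WEB_SERVER 192.168.1.10/32

## Destination NAT: publish the server on both public addresses, HTTPS only
set security nat destination pool WEB_POOL address 192.168.1.10/32
set security nat destination rule-set FROM_ISP1 from zone ISP1
set security nat destination rule-set FROM_ISP1 rule WEB1 match destination-address 1.2.3.2/32
set security nat destination rule-set FROM_ISP1 rule WEB1 match destination-port 443
set security nat destination rule-set FROM_ISP1 rule WEB1 then destination-nat pool WEB_POOL
set security nat destination rule-set FROM_ISP2 from zone ISP2
set security nat destination rule-set FROM_ISP2 rule WEB2 match destination-address 5.6.7.2/32
set security nat destination rule-set FROM_ISP2 rule WEB2 match destination-port 443
set security nat destination rule-set FROM_ISP2 rule WEB2 then destination-nat pool WEB_POOL

## Policies are evaluated after destination NAT, so they match the internal address,
## and they permit only the published service rather than "any"
set security policies from-zone ISP1 to-zone trust policy WEB_IN match source-address any
set security policies from-zone ISP1 to-zone trust policy WEB_IN match destination-address WEB_SERVER
set security policies from-zone ISP1 to-zone trust policy WEB_IN match application junos-https
set security policies from-zone ISP1 to-zone trust policy WEB_IN then permit
set security policies from-zone ISP2 to-zone trust policy WEB_IN match source-address any
set security policies from-zone ISP2 to-zone trust policy WEB_IN match destination-address WEB_SERVER
set security policies from-zone ISP2 to-zone trust policy WEB_IN match application junos-https
set security policies from-zone ISP2 to-zone trust policy WEB_IN then permit

## Outbound from the LAN: hide trust behind the ISP1 interface address
set security nat source rule-set TRUST_OUT from zone trust
set security nat source rule-set TRUST_OUT to zone ISP1
set security nat source rule-set TRUST_OUT rule ALL match source-address 192.168.1.0/24
set security nat source rule-set TRUST_OUT rule ALL then source-nat interface
set security policies from-zone trust to-zone ISP1 policy OUT match source-address any
set security policies from-zone trust to-zone ISP1 policy OUT match destination-address any
set security policies from-zone trust to-zone ISP1 policy OUT match application any
set security policies from-zone trust to-zone ISP1 policy OUT then permit

## Checks after commit:
##   show route table ISP2_route.inet.0      (0.0.0.0/0 via 5.6.7.1 plus the leaked direct routes)
##   show security flow session destination-port 443
##   (a session that arrived on ge-0/0/2.0 shows its reply flow leaving via ge-0/0/2.0)
```

Two design choices worth noting: the destination NAT rule-sets are keyed on the ingress zone, so a request to 5.6.7.2 that somehow arrives from ISP1 is not translated, and the policies permit only junos-https to the single server address instead of opening the whole LAN to both uplinks.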
That's all!
PS: I am no good at web design. Could someone tell me how to center the picture?

Source: https://habr.com/ru/post/167213/