Configure Filter Based Load Balancing in Juniper SRX

Share This Article: Share on Facebook0Share on Google+0Tweet about this on TwitterShare on LinkedIn1Pin on Pinterest0Email this to someone

There are various tricks to configure load balancing in JunOS devices. Filter based forwarding and per flow load balancing methods are quite popular. These type of load balancing can be configured in many Juniper devices like, MX series, J series, SRX series, etc. Here, I will show steps to configure filter based load balancing in Juniper SRX device. In filter based forwarding, two routing tables are configured. Each table will have different ISP as their primary gateway and remaining opposite ISP as secondary gateway.

Configure Filter Based Load Balancing in Juniper SRX

We want to balance the traffic coming from internal network to the Internet using both ISP links. At first, we need to create two routing tables. Then, create firewall filter and create RIB groups. I will show the step by step process of the configuration. Below shown diagram is our scenario. We have two ISP links and two internal networks. We want to route 192.168.1.0/24 network via ISP A and ISP B will be the backup. Similarly, route 192.168.2.0/24 via ISP B and ISP A will be it’s backup.

Configure Filter Based Load Balancing in Juniper SRX

Step 1: Create Routing Tables

At first, let’s create some routing tables. We need to create two routing tables. Routing tables are configured under [edit routing-instances] hierarchy. We will create routing tables named ISPA and ISPB.

[edit routing-instances]
root@SRX# set ISPA instance-type forwarding
[edit routing-instances]
root@SRX# set ISPA routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
[edit routing-instances]
root@SRX# set ISPA routing-options static route 0.0.0.0/0 qualified-next-hop 2.2.2.1 preference 7

Type show to view the configuration.

[edit routing-instances]
root@SRX# show
ISPA {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 1.1.1.1;
qualified-next-hop 2.2.2.1 {
preference 7;
}
}
}
}
}

Now let’s configure ISPB routing instance.

[edit routing-instances]
root@SRX# set ISPB instance-type forwarding
[edit routing-instances]
root@SRX# set ISPB routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
[edit routing-instances]
root@SRX# set ISPB routing-options static route 0.0.0.0/0 qualified-next-hop 1.1.1.1 preference 7

Type show to view the configuration.

[edit routing-instances]
root@SRX# show
ISPB{
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 2.2.2.1;
qualified-next-hop 1.1.1.1 {
preference 7;
}
}
}
}
}

Step 2: Create Firewall Filters

Now, let’s create firewall filters.

[edit firewall family inet]
root@SRX# set filter ISPA-FILTER term FOR-ISPA from source-address 192.168.1.0/24
[edit firewall family inet]
root@SRX# set filter ISPA-FILTER term FOR-ISPA then routing-instance ISPA
[edit firewall family inet]
root@SRX# set filter ISPB-FILTER term FOR-ISPB from source-address 192.168.2.0/24
[edit firewall family inet]
root@SRX# set filter ISPB-FILTER term FOR-ISPB then routing-instance ISPB

Type show to view the firewall filter.

[edit firewall family inet]
root@SRX# show
filter ISPA-FILTER {
term FOR-ISPA {
from {
source-address {
192.168.1.0/24;
}
}
then {
routing-instance ISPA;
}
}
}
filter ISPB-FILTER {
term FOR-ISPB {
from {
source-address {
192.168.2.0/24;
}
}
then {
routing-instance ISPB;
}
}
}

Now apply the filter in for each internal interface.

[edit interface]
root@SRX# set ge-0/0/2 unit 0 family inet filter input ISPA-FILTER
[edit interface]
root@SRX# set ge-0/0/3 unit 0 family inet filter input ISPB-FILTER
[edit interface]
root@SRX# show
ge-0/0/2 {
unit 0 {
 family inet {
filter {
input ISPA-FILTER;
}
address 192.168.1.1/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
filter {
input ISPB-FILTER;
}
address 192.168.2.1/24;
}
}
}

Step 3: Create RIB Group

RIB (Routing Information Base) group is created to share route information from master routing table to other custom routing tables. For inet family, master routing table is inet.o. As of now, routing tables ISPA and ISPB only knows the routes that have been configured while creating the routing instance. That is, the default route only. We need to copy all the routes from inet.0 to ISPA and ISPB routing tables to make the routing work properly. RIB group is configured under [edit routing-options] hierarchy.

[edit routing-options]
root@SRX# set rib-groups LOAD-BALANCE-RIB import-rib inet.0
[edit routing-options]
root@SRX# set rib-groups LOAD-BALANCE-RIB import-rib ISPA.inet.0
[edit routing-options]
root@SRX# set rib-groups LOAD-BALANCE-RIB import-rib ISPB.inet.0
[edit routing-options]
root@SRX# show
rib-groups {
LOAD-BALANCE-RIB {
import-rib [ inet.0 ISPA.inet.0 ISPB.inet.0 ];
}
}

You can verify the configuration by running traceroute from client PC in both network. You can also check the routing tables. To view the routing tables, type

root@SRX> show route table ISPA.inet.0 

This is how you configure filter based load balancing.

The following two tabs change content below.
Bipin is a freelance Network and System Engineer with expertise on Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork . Follow Bipin Giri on Google+. Bipin enjoys writing articles and tutorials related to Network technologies. Some of his certifications are, MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.