11月 072014
 

Summary:

This article contains a sample configuration for J-Series and SRX Branch with dual ISP connection. This will allow for ISP failover without dynamic routing protocols such as OSPF or BGP.

Problem or Goal:

Topology Assumptions Trust zone network is 192.168.1.0/24 on ge-0/0/0
DMZ zone network is 10.10.10.0/24 on ge-0/0/1

ISP1 zone network is 1.1.1.0/29 on fe-0/0/6
ISP2 zone network is 2.2.2.0/29 on fe-0/0/7

Note:  ISP1 is in the default routing instance.  ISP2 is in the ISP2 routing instance.

Requirements

  • Trust and DMZ zones should egress out ISP1 with source-nat.
  • If ISP1 interface goes down, then Trust and DMZ zones should egress out ISP2 instead with source-nat.
  • If ISP1 interface returns, then Trust and DMZ zones should revert back to using ISP1 again.
  • ISP1 must allow destination NAT for web server in Trust zone and mail server in DMZ zone.
  • ISP2 also has destination NAT for same web and mail servers.
  • When both ISPs are up, destination NAT addresses should be available from both ISPs for both web and mail servers.

Cause:

Solution:

This is possible using a combination of multiple routing-instance with filter-based forwarding and qualified-next-hop on the default route. Below is a sample working configurations for above scenario.

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.254/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.10.254/24;
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family inet {
                filter {
                    input isp1-in;
                }
                address 1.1.1.2/29;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                filter {
                    input isp2-in;
                }
                address 2.2.2.2/29;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet inside;
    }
    static {
        route 0.0.0.0/0 {
            next-hop 1.1.1.1;
            qualified-next-hop 2.2.2.1 {
                preference 10;
            }
        }
    }
    rib-groups {
        inside {
            import-rib [ inet.0 TRUST-VRF.inet.0 INSIDE.inet.0 ISP2.inet.0 ];
        }
    }
}
security {
    nat {
        source {
            rule-set interface-nat-out {
                from routing-instance INSIDE;
                to routing-instance [ ISP2 default ];
                rule interface-nat-out {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool web-server-trust {
                address 192.168.1.5/32 port 80;
            }
            pool mail-server-dmz {
                address 10.10.10.5/32 port 25;
            }
            rule-set isp1-to-trust {
                from interface fe-0/0/6.0;
                rule isp1-http-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.1.1.5/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web-server-trust;
                    }
                }
                rule isp1-mail-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.1.1.5/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool mail-server-dmz;
                    }
                }
            }
            rule-set isp2-to-dmz {
                from interface fe-0/0/7.0;
                rule isp2-http-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 2.2.2.5/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web-server-trust;
                    }
                }
                rule isp2-mail-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 2.2.2.5/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool mail-server-dmz;
                    }
                }
            }
        }
        proxy-arp {
            interface fe-0/0/6.0 {
                address {
                    1.1.1.5/32;
                }
            }
            interface fe-0/0/7.0 {
                address {
                    2.2.2.5/32;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address web-server 192.168.1.5/32;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone dmz {
            address-book {
                address mail-server 10.10.10.5/32;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone isp1 {
            interfaces {
                fe-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            https;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone isp2 {
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            https;
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone dmz {
            policy allow-trust-to-dmz {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone isp1 {
            policy allow-trust-out-isp1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone isp2 {
            policy allow-trust-out-isp2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone trust {
            policy allow-dmz-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone isp1 {
            policy allow-dmz-out-isp1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone isp2 {
            policy allow-dmz-out-isp2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp1 to-zone trust {
            policy isp1-http-incoming {
                match {
                    source-address any;
                    destination-address web-server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp1 to-zone dmz {
            policy isp1-mail-incoming {
                match {
                    source-address any;
                    destination-address mail-server;
                    application junos-mail;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp2 to-zone trust {
            policy isp2-http-incoming {
                match {
                    source-address any;
                    destination-address web-server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp2 to-zone dmz {
            policy isp2-mail-incoming {
                match {
                    source-address any;
                    destination-address mail-server;
                    application junos-mail;
                }
                then {
                    permit;
                }
            }
        }
    }
}
firewall {
    filter isp1-in {
        term 1 {
            from {
                destination-address {
                    1.1.1.0/29;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then {
                accept;
            }
        }
    }
    filter isp2-in {
        term 1 {
            from {
                destination-address {
                    2.2.2.0/29;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then {
                accept;
            }
        }
    }
}
routing-instances {
    TRUST-VRF {
        instance-type forwarding;
        routing-options {
            static {
                route 192.168.1.0/24 next-hop 192.168.1.1;
                route 10.10.10.0/24 next-hop 10.10.10.1;
            }
        }
    }
    INSIDE {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
    ISP2 {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 2.2.2.1;
                    qualified-next-hop 1.1.1.1 {
                        preference 10;
                    }
                }
            }
        }
    }
}

相关引用:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15545

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据