ISP Failover: Configure J-Series/SRX for dual ISP without dynamic routing protocols

This article contains a sample configuration for J-Series and SRX Branch devices with dual ISP connections. It allows ISP failover without dynamic routing protocols such as OSPF or BGP.

Topology Assumptions

Trust zone network is 192.168.1.0/24 on ge-0/0/0
DMZ zone network is 10.10.10.0/24 on ge-0/0/1

ISP1 zone network is 1.1.1.0/29 on fe-0/0/6
ISP2 zone network is 2.2.2.0/29 on fe-0/0/7

Note: ISP1 is in the default routing instance. ISP2 is in the ISP2 routing instance.

Requirements

  • Trust and DMZ zones should egress out ISP1 with source-nat.
  • If ISP1 interface goes down, then Trust and DMZ zones should egress out ISP2 instead with source-nat.
  • If ISP1 interface returns, then Trust and DMZ zones should revert back to using ISP1 again.
  • ISP1 must allow destination NAT for web server in Trust zone and mail server in DMZ zone.
  • ISP2 also has destination NAT for same web and mail servers.
  • When both ISPs are up, destination NAT addresses should be available from both ISPs for both web and mail servers.

This is possible using a combination of multiple routing instances with filter-based forwarding and a qualified-next-hop on the default route. Below is a sample working configuration for the above scenario.
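The following configuration is an added example written to illustrate that combination; it is not the article's own sample configuration. It assumes addressing the page does not state: the SRX owns 1.1.1.2/29 on fe-0/0/6 with ISP1's gateway at 1.1.1.1, and 2.2.2.2/29 on fe-0/0/7 with ISP2's gateway at 2.2.2.1. ISP2 is modelled as a forwarding-type routing instance named ISP2 that owns no interfaces (fe-0/0/7 stays in inet.0), so the backup next hop 2.2.2.1 still resolves for the qualified-next-hop. Security zones, policies and the source/destination NAT rules are left out so that only the routing mechanism is shown.

```junos
## Added example, not the article's configuration. Assumed addressing:
## ISP1: SRX 1.1.1.2/29, gateway 1.1.1.1 on fe-0/0/6
## ISP2: SRX 2.2.2.2/29, gateway 2.2.2.1 on fe-0/0/7
interfaces {
    fe-0/0/6 {
        unit 0 {
            family inet {
                address 1.1.1.2/29;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                ## Packets arriving from ISP2 are looked up in the ISP2 table
                filter {
                    input FROM-ISP2;
                }
                address 2.2.2.2/29;
            }
        }
    }
}
routing-options {
    ## Copy the direct (interface) routes into ISP2.inet.0 as well, so the
    ## forwarding instance knows the Trust, DMZ and ISP2 subnets.
    interface-routes {
        rib-group inet IFACE-TO-ISP2;
    }
    rib-groups {
        IFACE-TO-ISP2 {
            import-rib [ inet.0 ISP2.inet.0 ];
        }
    }
    static {
        ## Primary default route via ISP1 keeps the default static preference (5).
        ## The qualified-next-hop via ISP2 has a worse preference (10) and is only
        ## used once the ISP1 next hop disappears, i.e. when fe-0/0/6 goes down.
        ## It is withdrawn again as soon as ISP1 returns, which gives the fail-back.
        route 0.0.0.0/0 {
            next-hop 1.1.1.1;
            qualified-next-hop 2.2.2.1 {
                preference 10;
            }
        }
    }
}
routing-instances {
    ## Forwarding instance: owns no interfaces, only a table for FBF lookups.
    ISP2 {
        instance-type forwarding;
        routing-options {
            static {
                ## Everything classified into this table leaves via ISP2, so replies
                ## to sessions that entered on ISP2 (destination NAT) go back the same way.
                route 0.0.0.0/0 next-hop 2.2.2.1;
            }
        }
    }
}
firewall {
    family inet {
        filter FROM-ISP2 {
            term all {
                then {
                    routing-instance ISP2;
                }
            }
        }
    }
}
```

With both links up, `show route 0.0.0.0/0` should list 1.1.1.1 as the active next hop and `show route table ISP2.inet.0` should show the 192.168.1.0/24 and 10.10.10.0/24 direct routes plus the default via 2.2.2.1. One caveat worth checking in the lab: the qualified-next-hop only reacts to the ISP1 route being withdrawn, which happens when fe-0/0/6 itself goes down; an upstream failure that leaves the link up is not detected this way and needs a probe-based mechanism (RPM with ip-monitoring on SRX) instead.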


About the author

Prasanna

1 Comment

  • Why are the next-hop IP addresses in the config part below 192.168.1.1 and 10.10.10.1?? They should be 192.168.1.254 and 10.10.10.254, right??

    routing-instances {
        TRUST-VRF {
            instance-type forwarding;
            routing-options {
                static {
                    route 192.168.1.0/24 next-hop 192.168.1.1;
                    route 10.10.10.0/24 next-hop 10.10.10.1;
                }
            }
        }
    }
