Lab 3-1: Load Balancing and Filter-Based Forwarding
In this activity, you will complete the following objectives.
Part 1: Configure load balancing.
Part 2: Configure filter-based forwarding.
Part 1: Configure load balancing
Step 1.1
Reload the LAB2-1 configuration. This will remove all configured routes from your device.
[edit]
admin@SRXP# load override JIR.LAB21
load complete
[edit]
admin@SRXP# commit
commit complete
Step 1.2
Go to your DMZ-P and add an additional IP address to the NIC (Local Area Connection).
Leave the original address unchanged:
IP address: 172.16.P.10 255.255.255.0
Default gateway: 172.16.P.1
Add the additional IP address as below:
172.26.26.P 255.255.255.0
Open an IE browser and browse to the newly added address to make sure the DMZ-P web page is displayed.
Step 1.3
Configure equal cost static routes for both RA and Master routing instances.
[edit]
admin@SRXP# edit routing-instances RA routing-options
[edit routing-instances RA routing-options]
admin@SRXP# set static route 172.26.26.0/24 next-hop 192.168.P.1
[edit routing-instances RA routing-options]
admin@SRXP# set static route 172.26.26.0/24 next-hop 172.16.P.10
[edit routing-instances RA routing-options]
admin@SRXP# set static route 10.0.P.0/24 next-hop 172.16.1P.1
[edit routing-instances RA routing-options]
admin@SRXP# set static route 10.0.P.0/24 next-hop 172.16.2P.1
[edit routing-instances RA routing-options]
admin@SRXP# top
[edit]
admin@SRXP# edit routing-options
[edit routing-options]
admin@SRXP# set static route 0.0.0.0/0 next-hop 172.16.1P.2
[edit routing-options]
admin@SRXP# set static route 0.0.0.0/0 next-hop 172.16.2P.2
[edit routing-options]
admin@SRXP# commit
commit complete
[edit routing-options]
admin@SRXP# run show route protocol static table RA.inet.0
RA.inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.P.0/24        *[Static/5] 00:01:14
                    > to 172.16.1P.1 via lt-0/0/0.2
                      to 172.16.2P.1 via lt-0/0/0.4
172.26.26.0/24     *[Static/5] 00:01:14
                      to 192.168.P.1 via ge-0/0/2.0
                    > to 172.16.P.10 via ge-0/0/3.0
[edit routing-options]
admin@SRXP# run show route protocol static table inet.0
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 00:01:23
                      to 172.16.1P.2 via lt-0/0/0.1
                    > to 172.16.2P.2 via lt-0/0/0.3
Step 1.4
Configure a policy statement and enable load balancing to the 172.26.26.0 subnet.
[edit routing-options]
admin@SRXP# top
[edit]
admin@SRXP# edit policy-options policy-statement POLICY:LB
[edit policy-options policy-statement POLICY:LB]
admin@SRXP# set term 1 from protocol static route-filter 172.26.26.0/24 exact
[edit policy-options policy-statement POLICY:LB]
admin@SRXP# set term 1 then load-balance per-packet
[edit policy-options policy-statement POLICY:LB]
admin@SRXP# show
term 1 {
    from {
        protocol static;
        route-filter 172.26.26.0/24 exact;
    }
    then {
        load-balance per-packet;
    }
}
[edit policy-options policy-statement POLICY:LB]
admin@SRXP# top
[edit]
admin@SRXP# edit routing-options forwarding-table
[edit routing-options forwarding-table]
admin@SRXP# set export POLICY:LB
[edit routing-options forwarding-table]
admin@SRXP# commit
commit complete
Step 1.4
Question: How do you verify the load balancing from the forwarding table?
Answer: ____________________________________________________________________________
[edit routing-options forwarding-table]
admin@SRXP# run show route table RA.inet.0 | find 172.26
172.26.26.0/24     *[Static/5] 00:09:08
                      to 192.168.P.1 via ge-0/0/2.0
                    > to 172.16.P.10 via ge-0/0/3.0
192.168.P.0/24     *[Direct/0] 1d 03:30:18
                    > via ge-0/0/2.0
192.168.P.2/32     *[Local/0] 1d 03:30:18
                      Local via ge-0/0/2.0
[edit routing-options forwarding-table]
admin@SRXP# run show route forwarding-table | find 172.26
172.26.26.0/24     user     0                    ulst 262142     2
                              192.168.P.1        ucst    564     2 ge-0/0/2.0
                              172.16.P.10        ucst    569     3 ge-0/0/3.0
192.168.P.0/24     intf     0                    rslv    563     1 ge-0/0/2.0
192.168.P.0/32     dest     0 192.168.P.0        recv    561     1 ge-0/0/2.0
192.168.P.1/32     dest     0 0:1e:13:35:dc:a8   ucst    564     2 ge-0/0/2.0
192.168.P.2/32     intf     0 192.168.P.2        locl    562     2
192.168.P.2/32     dest     0 192.168.P.2        locl    562     2
192.168.P.255/32   dest     0 192.168.P.255      bcst    560     1 ge-0/0/2.0
224.0.0.0/4        perm     0                    mdsc    543     1
224.0.0.1/32       perm     0 224.0.0.1          mcst    539     1
255.255.255.255/32 perm     0                    bcst    540     1
Go to your INSIDE-PA. Open 4~5 IE browser windows and browse to 172.26.26.P in each of them.
Question: Can you see a different web page displayed in each browser window? What is the cause of this result?
Answer: ____________________________________________________________________________
Step 1.5
Enable load balancing of traffic flows based on both layer-3 and layer-4 information.
[edit routing-options forwarding-table]
admin@SRXP# top
[edit]
admin@SRXP# edit forwarding-options
[edit forwarding-options]
admin@SRXP# set hash-key family inet layer-3
[edit forwarding-options]
admin@SRXP# set hash-key family inet layer-4
[edit forwarding-options]
admin@SRXP# commit
commit complete
Go to your INSIDE-PA. Do the same test as in the previous step.
Question: Can you see different web page displayed on each browser window? What is the cause for this result?
Answer: ____________________________________________________________________________
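The effect of the hash-key setting in Steps 1.4 and 1.5 can be modelled offline. The following is an added example, not part of the original lab and not Junos code: it assumes per-flow behaviour (the next hop is chosen from a hash of header fields), uses SHA-256 as a stand-in for the device's hash, and substitutes P = 1 in the lab addresses.

```python
import hashlib
from collections import Counter

# Next hops of the 172.26.26.0/24 route in RA.inet.0, with P = 1 (constructed lab value).
NEXT_HOPS = ["192.168.1.1 via ge-0/0/2.0", "172.16.1.10 via ge-0/0/3.0"]

def hash_key(flow, layer4):
    """Build the tuple that gets hashed: addresses only, or addresses plus protocol and ports."""
    key = (flow["src"], flow["dst"])
    if layer4:
        key += (flow["proto"], flow["sport"], flow["dport"])
    return key

def pick_next_hop(flow, layer4):
    """Deterministically map a flow to one of the equal-cost next hops.
    SHA-256 is an assumption standing in for the forwarding plane's real hash."""
    digest = hashlib.sha256(repr(hash_key(flow, layer4)).encode()).digest()
    return NEXT_HOPS[int.from_bytes(digest[:4], "big") % len(NEXT_HOPS)]

def distribution(flows, layer4):
    """Count how many flows land on each next hop."""
    return Counter(pick_next_hop(f, layer4) for f in flows)

# Constructed sample: 64 HTTP connections from INSIDE-PA (10.0.1.10) to 172.26.26.1
# that differ only in their ephemeral source port, like several browser windows.
FLOWS = [{"src": "10.0.1.10", "dst": "172.26.26.1", "proto": 6,
          "sport": 49152 + i, "dport": 80} for i in range(64)]

if __name__ == "__main__":
    print("layer-3 only     :", dict(distribution(FLOWS, layer4=False)))
    print("layer-3 + layer-4:", dict(distribution(FLOWS, layer4=True)))
```

With a layer-3-only key every connection between the same two hosts produces the same key and therefore the same next hop; adding the layer-4 fields lets the source port spread connections across both next hops.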
Part 2: Configure Filter-Based Forwarding
Step 2.1
Create two additional routing-instances and static routes as below:
1. Routing Instance “PATH1” -> Takes 172.16.1P.2 as next-hop to 172.26.26.0 subnet.
2. Routing Instance “PATH2” -> Takes 172.16.2P.2 as next-hop to 172.26.26.0 subnet.
3. Create rib-group “GROUP-FBF”
[edit forwarding-options]
admin@SRXP# top edit routing-instances PATH1
[edit routing-instances PATH1]
admin@SRXP# set instance-type forwarding routing-options static route 172.26.26.P/32 next-hop 172.16.1P.2
[edit routing-instances PATH1]
admin@SRXP# top edit routing-instances PATH2
[edit routing-instances PATH2]
admin@SRXP# set instance-type forwarding routing-options static route 172.26.26.P/32 next-hop 172.16.2P.2
admin@SRXP# top edit routing-options
[edit routing-options]
admin@SRXP# set interface-routes rib-group GROUP-FBF
[edit routing-options]
admin@SRXP# set rib-groups GROUP-FBF import-rib [inet.0 PATH1.inet.0 PATH2.inet.0]
[edit routing-options]
admin@SRXP# commit
commit complete
Step 2.2
Verify the interface routes in the newly created routing instance.
Question: By checking routing instance PATH1, which next-hop and interface will be taken to forward traffic to 172.26.26.P?
Answer: ____________________________________________________________________________
Question: By checking routing instance PATH2, which next-hop and interface will be taken to forward traffic to 172.26.26.P?
Answer: ____________________________________________________________________________
[edit routing-options]
admin@SRXP# run show route 172.26.26.P table PATH1.inet.0
PATH1.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.26.26.P/32     *[Static/5] 00:03:14
                    > to 172.16.1P.2 via lt-0/0/0.1
[edit routing-options]
admin@SRXP# run show route 172.26.26.P table PATH2.inet.0
PATH2.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.26.26.P/32     *[Static/5] 00:03:28
                    > to 172.16.2P.2 via lt-0/0/0.3
Create a firewall policy to match and forward traffic based on the objectives below:
1. Traffic from INSIDE-PA (10.0.P.10): forward using the PATH1 routing instance.
2. Traffic from INSIDE-PB (10.0.P.11): forward using the PATH2 routing instance.
3. Apply the firewall policy to the interface receiving the traffic.
[edit routing-options]
admin@SRXP# top
[edit]
admin@SRXP# edit firewall family inet filter FILTER:FBF
[edit firewall family inet filter FILTER:FBF]
admin@SRXP# set term 1 from source-address 10.0.P.10/32
[edit firewall family inet filter FILTER:FBF]
admin@SRXP# set term 1 then routing-instance PATH1
[edit firewall family inet filter FILTER:FBF]
admin@SRXP# set term 2 from source-address 10.0.P.11/32
[edit firewall family inet filter FILTER:FBF]
admin@SRXP# set term 2 then routing-instance PATH2
[edit firewall family inet filter FILTER:FBF]
admin@SRXP# top edit interfaces ge-0/0/5 unit 0 family inet
[edit interfaces ge-0/0/5 unit 0 family inet]
admin@SRXP# set filter input FILTER:FBF
[edit interfaces ge-0/0/5 unit 0 family inet]
admin@SRXP# commit
commit complete
Step 2.5
Go to your INSIDE-PA and INSIDE-PB and verify the routing path by using the command “tracert -d 172.26.26.P”.
INSIDE-PA should take the two paths in turn as follows:
10.0.1.1
172.16.1P.2
172.26.26.P
Or
10.0.1.1
172.16.1P.2
192.168.P.1
172.26.26.P
INSIDE-PB should take the two paths in turn as follows:
10.0.1.1
172.16.2P.2
172.26.26.P
Or
10.0.1.1
172.16.2P.2
192.168.P.1
172.26.26.P
Go to your INSIDE-PB.
Change the IP address from 10.0.P.11 to 10.0.P.20. Leave the default gateway unchanged as 10.0.P.1.
Open a new browser window and browse to http://172.26.26.P
You should not see any web page displayed.
Question: Why can’t you browse to 172.26.26.P? How do you fix the problem?
Answer: ____________________________________________________________________________
Step 2.6
Modify the firewall policy to accept traffic from other source addresses.
[edit interfaces ge-0/0/5 unit 0 family inet]
admin@SRXP# top
[edit]
admin@SRXP# edit firewall family inet filter FILTER:FBF
[edit firewall family inet filter FILTER:FBF]
admin@SRXP# show
term 1 {
    from {
        source-address {
            10.0.P.10/32;
        }
    }
    then {
        routing-instance PATH1;
    }
}
term 2 {
    from {
        source-address {
            10.0.P.11/32;
        }
    }
    then {
        routing-instance PATH2;
    }
}
[edit firewall family inet filter FILTER:FBF]
admin@SRXP# set term 3 then accept
[edit firewall family inet filter FILTER:FBF]
admin@SRXP# commit
commit complete
Your INSIDE-PB should be able to browse to 172.26.26.P.
After testing, change the IP address back to the original address (10.0.P.11 255.255.255.0).
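The behaviour seen in Steps 2.5 and 2.6 follows from how a Junos firewall filter is evaluated: terms are checked in order, and a packet that matches no term is dropped by the implicit discard at the end of the filter. The following model is an added example, not part of the original lab: it substitutes P = 1 in the lab addresses, lists only the static routes of PATH1 and PATH2, and its function names are hypothetical.

```python
import ipaddress

# FILTER:FBF from the lab with P = 1 (constructed value). A term without
# "source-address" has no 'from' clause and therefore matches every packet.
FILTER_FBF = [
    {"name": "1", "source-address": ["10.0.1.10/32"], "then": ("routing-instance", "PATH1")},
    {"name": "2", "source-address": ["10.0.1.11/32"], "then": ("routing-instance", "PATH2")},
]
TERM_3 = {"name": "3", "then": ("accept", None)}   # the term added in Step 2.6

# Static routes of the two forwarding instances (imported interface routes omitted).
INSTANCES = {
    "PATH1": {"172.26.26.1/32": "172.16.11.2"},
    "PATH2": {"172.26.26.1/32": "172.16.21.2"},
}

def evaluate(terms, src):
    """Return (term name, action) of the first matching term, else the implicit discard."""
    addr = ipaddress.ip_address(src)
    for term in terms:
        nets = term.get("source-address")
        if nets is None or any(addr in ipaddress.ip_network(n) for n in nets):
            return term["name"], term["then"]
    return "implicit", ("discard", None)

def lookup(instance, dst):
    """Longest-prefix match in a routing instance; None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    routes = [ipaddress.ip_network(p) for p in INSTANCES[instance]]
    best = max((n for n in routes if addr in n), key=lambda n: n.prefixlen, default=None)
    return INSTANCES[instance][str(best)] if best else None

def forward(terms, src, dst):
    """Describe what happens to a packet arriving on the filtered interface."""
    _, (action, instance) = evaluate(terms, src)
    if action == "routing-instance":
        return f"{instance} -> {lookup(instance, dst)}"
    return "normal route lookup" if action == "accept" else "discarded"

if __name__ == "__main__":
    for src in ("10.0.1.10", "10.0.1.11", "10.0.1.20"):
        print(src, "| two terms:", forward(FILTER_FBF, src, "172.26.26.1"),
              "| with term 3:", forward(FILTER_FBF + [TERM_3], src, "172.26.26.1"))
```

Because term 3 has no match condition it must stay last; placed before terms 1 and 2 it would accept every packet and the routing-instance actions would never be reached.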
Step 2.6
Save the current configuration to admin’s home directory.
admin@SRXP# save JIR.LAB31
Wrote 30 lines of configuration to 'JIR.LAB31'
[edit]
admin@SRXP# run file list
/cf/var/home/admin/:
.ssh/
JIR.LAB21
JIR.LAB22
JIR.LAB23
JIR.LAB31
By saving your current configuration, you can roll back at any time. For example:
admin@SRXP# load override JIR.LAB31
load complete
[edit]
admin@SRXP# commit
commit complete