Junos Asymmetric Routing

Ken Gilmour ken.gilmour at gmail.com
Fri May 28 15:20:33 UTC 2010

Hi Mark,

On 28 May 2010 06:37, Mark Hermsdorfer <mark at hermsdorfer.net> wrote:

> Ken,
> As others have pointed out, typically interfaces are not kept track of in
> state tables.  Having said that, I've worked in the past with the ScreenOS
> based SSG platforms that do this.  So if you're coming from an SSG
> background this makes sense.

Yes sir, I have used SSG for several years, but mainly used BSD for the last
decade and most recently OpenBSD. There is an easy fix for this on PF for
OpenBSD, and that is to tag the packets from each provider (as in not using
802.1q but a specific function in PF). This works extremely well.

> These devices seem to keep track of source interface in their state
> tables.  For example, I've worked on a one-armed Load Balancer with no
> Source NAT such that one would typically require some policy based routing
> to get the traffic back to the LB, to have the Destination NAT handled.
> However, with a Juniper SSG, as the router, its state tables kept track of
> the interfaces and routed traffic correctly without any policy based routing
> required.  When I took over administration of that environment I spent some
> time trying to figure out how the routing worked since there was no
> configuration such as policy based routes that would make sense.
> Having said that, if the JunOS based SRX platform does not do session
> tracking in the same way as the SSG platform it would seem that the most
> reasonable solution would be to NAT the traffic as has already been pointed
> out.
> Mark
> --
> Cheers!
> Mark Hermsdorfer
