In this activity, you will complete the following objectives.

Transcription

1 Lab 3-1: JIR Lab Guide Load Balancing and Filter-Based Forwarding In this activity, you will complete the following objectives. Part 1: Configure load balancing. Part 2: Configure filter based forwarding. Page 1

2 Part 1: Configure load balancing Step 1.1 Reload the LAB2-1 configuration. This will remove all configured routes from your device. load override JIR.LAB21 load complete Step 1.2 Go to your DMZ-P, add an additional IP addresses to NIC (Local Area Connection): Leave the original address unchanged. IP address: P Default gateway: P.1 Add additional IP as below: P Open an IE browser and browser to the newly added address to make sure you see the DMZ-P web page displayed. Step 1.3 Configure equal cost static routes for both RA and Master routing instances. edit routing-instances RA routing-options [edit routing-instances RA routing-options] set static route /24 next-hop P.1 [edit routing-instances RA routing-options] set static route /24 next-hop P.10 [edit routing-instances RA routing-options] Page 2

3 set static route 10.0.P.0/24 next-hop P.1 JIR Lab Guide [edit routing-instances RA routing-options] set static route 10.0.P.0/24 next-hop P.1 [edit routing-instances RA routing-options] edit routing-options set static route /0 next-hop P.2 set static route /0 next-hop P.2 run show route protocol static table RA.inet.0 RA.inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.P.0/24 *[Static/5] 00:01:14 > to P.1 via lt-0/0/0.2 to P.1 via lt-0/0/ /24 *[Static/5] 00:01:14 to P.1 via ge-0/0/2.0 > to P.10 via ge-0/0/3.0 admin@srxp# run show route protocol static table inet.0 inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both /0 *[Static/5] 00:01:23 to P.2 via lt-0/0/0.1 > to P.2 via lt-0/0/0.3 Page 3

4 Step 1.4 Configure policy statement and enable load-balancing to subnet. edit policy-options policy-statement POLICY:LB [edit policy-options policy-statement POLICY:LB] set term 1 from protocol static route-filter /24 exact [edit policy-options policy-statement POLICY:LB] admin@srxp# set term 1 then load-balance per-packet [edit policy-options policy-statement POLICY:LB] admin@srxp# show term 1 { from { protocol static; route-filter /24 exact; then { load-balance per-packet; [edit policy-options policy-statement POLICY:LB] admin@srxp# edit routing-options forwarding-table [edit routing-options forwarding-table] admin@srxp# set export POLICY:LB [edit routing-options forwarding-table] Step 1.4 Verify and test the load balancing static route. Page 4

5 How to verify the load balancing from the forwarding-table? [edit routing-options forwarding-table] run show route table RA.inet.0 find /24 *[Static/5] 00:09:08 to P.1 via ge-0/0/2.0 > to P.10 via ge-0/0/ P.0/24 *[Direct/0] 1d 03:30:18 > via ge-0/0/ P.2/32 *[Local/0] 1d 03:30:18 Local via ge-0/0/2.0 [edit routing-options forwarding-table] run show route forwarding-table find /24 user 0 ulst P.1 ucst ge-0/0/ P.10 ucst ge-0/0/ P.0/24 intf 0 rslv ge-0/0/ P.0/32 dest P.0 recv ge-0/0/ P.1/32 dest 0 0:1e:13:35:dc:a8 ucst ge-0/0/ P.2/32 intf P.2 locl P.2/32 dest P.2 locl P.255/32 dest P.255 bcst ge-0/0/ /4 perm 0 mdsc /32 perm mcst /32 perm 0 bcst Go to your INSIDE-PA. Open 4~5 of your IE browser and make each of them browse to P Can you see different web page displayed on each browser window? What it the cause for this result? Step 1.5 Enable load-balancing the traffic flow based on both layer-3 and layer-4 information. [edit routing-options forwarding-table] admin@srxp# edit forwarding-options [edit forwarding-options] Page 5

6 set hash-key family inet layer-3 [edit forwarding-options] set hash-key family inet layer-4 [edit forwarding-options] Go to your INSIDE-PA. Do the same test as in previous step. Can you see different web page displayed on each browser window? What is the cause for this result? Part 2: Configure Filter-Based Forwarding Step 2.1 Create two additional routing-instances and static routes as below: 1. Routing Instance PATH1 -> Takes P.2 as next-hop to subnet. 2. Routing Instance PATH2 -> Takes P.2 as next-hop to subnet. 3. Create rib-group GROUP-FBF [edit forwarding-options] edit routing-instances PATH1 [edit routing-instances PATH1] set instance-type forwarding routing-options static route P/32 next-hop P.2 [edit routing-instances PATH1] edit routing-instances PATH2 [edit routing-instances PATH2] set instance-type forwarding routing-options static route P/32 next-hop P.2 [edit routing-instances PATH2] Page 6

7 edit routing-options JIR Lab Guide set interface-routes rib-group GROUP-FBF set rib-groups GROUP-FBF import-rib [inet.0 PATH1.inet.0 PATH2.inet.0] Step 2.2 Verify the interface routes in the newly created routing instance. By checking routing instance PATH1, which next-hop and interface will be taken to forward traffic to P? By checking routing instance PATH2, which next-hop and interface will be taken to forward traffic to P? run show route P table PATH1.inet.0 PATH1.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both P/32 *[Static/5] 00:03:14 > to P.2 via lt-0/0/0.1 admin@srxp# run show route P table PATH2.inet.0 PATH2.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both P/32 *[Static/5] 00:03:28 > to P.2 via lt-0/0/0.3 Step 2.3 Page 7

8 Create a firewall policy to match and forward traffic based on objectives as below: 1. Traffic from INSIDE-PA(10.0.P.10), forward using PATH1 routing instance. 2. Traffic from INSIDE-PB(10.0.P.11), forward using PATH2 routing instance. 3. Apply the firewall policy in the interface receiving traffics. admin@srxp# edit firewall family inet filter FILTER:FBF admin@srxp# set term 1 from source-address 10.0.P.10/32 admin@srxp# set term 1 then routing-instance PATH1 admin@srxp# set term 2 from source-address 10.0.P.11/32 admin@srxp# set term 2 then routing-instance PATH2 edit interfaces ge-0/0/5 unit 0 family inet [edit interfaces ge-0/0/5 unit 0 family inet] admin@srxp# set filter input FILTER:FBF [edit interfaces ge-0/0/5 unit 0 family inet] Step 2.5 Go to your INSIDE-PA and INSIDE-PB, verify the routing path by using command tracert d P. INSIDE-PA should take the two paths in turn as following: P P Or Page 8

9 P P P JIR Lab Guide INSIDE-PB should take the two paths in turn as following: P P Or P P P Go to your INSIDE-PB. Change the IP address from 10.0.P.11 to 10.0.P.20. Leave the default gateway as 10.0.P.1 unchanged. Open a new browser windows and access to You should not see any web page displayed Why can t you browse to P? How to fix the problem? Step 2.6 Modify the firewall policy to accept traffic with other source address. [edit interfaces ge-0/0/5 unit 0 family inet] admin@srxp# edit firewall family inet filter FILTER:FBF admin@srxp# show term 1 { from { source-address { 10.0.P.10/32; then { Page 9

10 routing-instance PATH1; term 2 { from { source-address { 10.0.P.11/32; then { routing-instance PATH2; admin@srxp# set term 3 then accept Your INSIDE-PB should be able to browse to P. After the testing, change the IP address to the original address (10.0.P ) Step 2.6 Save the current configuration to admin s home directory. admin@srxp# save JIR.LAB31 Wrote 30 lines of configuration to 'JIR.LAB31' admin@srxp# run file list /cf/var/home/admin/:.ssh/ JIR.LAB21 JIR.LAB22 JIR.LAB23 JIR.LAB31 By saving your current configuration, you are able to rollback at anytime. For Example: Page 10

11 load override JIR.LAB31 load complete JIR Lab Guide Tell your instructor that you have completed this lab. Page 11