This article describes how to configure ECMP load balancing for EBGP traffic in a scenario where each of the neighbors is in a different autonomous system.
As illustrated below, the perimeter SRX (AS 65000) has EBGP neighborships with two ISPs (one from AS 65001 and the other from AS 65002). Each of the two ISPs is exporting a default route (of the same cost) to the perimeter SRX.
Our aim here is to configure load balancing on the perimeter SRX such that it load balances the Internet traffic equally between the two ISPs. Please note that the load balancing will happen on a per-session basis.
Below is the detailed procedure to configure ECMP in the above scenario.
Configure EBGP neighborship with ISP 1:
set protocols bgp group EBGP1 type external
set protocols bgp group EBGP1 local-address 10.1.1.1
set protocols bgp group EBGP1 peer-as 65001
set protocols bgp group EBGP1 multipath multiple-as
set protocols bgp group EBGP1 neighbor 10.1.1.2
Configure EBGP neighborship with ISP 2:
set protocols bgp group EBGP2 type external
set protocols bgp group EBGP2 local-address 10.1.2.1
set protocols bgp group EBGP2 peer-as 65002
set protocols bgp group EBGP2 multipath multiple-as
set protocols bgp group EBGP2 neighbor 10.1.2.2
Please note that the multiple-as option can be omitted when the neighbors are in the same autonomous system.
Configure load-balancing policy:
set policy-options policy-statement loadbal from route-filter 0.0.0.0/0 exact
set policy-options policy-statement loadbal then load-balance per-packet
Although the above configuration statement mentions "per-packet," the load balancing will be done on a per-session basis.
Apply the load-balancing policy to the forwarding table:
set routing-options forwarding-table export loadbal
Verifying if ECMP is working as expected:
Check the routing table for routes from the ISPs involved and make sure that the imported routes are of equal cost.
root> show route
inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[BGP/170] 01:26:50, localpref 100
                      AS path: 65002 I
                    > to 10.1.2.2 via ge-0/0/2.0
                      to 10.1.1.2 via ge-0/0/1.0
                    [BGP/170] 01:26:45, localpref 100
                      AS path: 65001 I
                    > to 10.1.1.2 via ge-0/0/1.0
Now check the forwarding table to make sure that there are two next hops installed for the default route. You can see in the example below where the default route has two next hops (one through ge-0/0/1.0 and the other through ge-0/0/2.0).
root> show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index    NhRef Netif
default            user     0                    ulst   262142     2
                              0:1f:12:e4:c8:1    ucst      519     3 ge-0/0/2.0
                              64:87:88:eb:32:1   ucst      532     3 ge-0/0/1.0
default            perm     0                    rjct       36     1
0.0.0.0/32         perm     0                    dscd       34     1
10.1.1.0/24        intf     0                    rslv      546     1 ge-0/0/1.0
Here is the complete configuration for reference:
set interfaces ge-0/0/0 unit 0 family inet address *.*.*.*/26
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.1.2.1/24
set routing-options autonomous-system 65000
set routing-options forwarding-table export loadbal
set protocols bgp group EBGP1 type external
set protocols bgp group EBGP1 local-address 10.1.1.1
set protocols bgp group EBGP1 peer-as 65001
set protocols bgp group EBGP1 multipath multiple-as
set protocols bgp group EBGP1 neighbor 10.1.1.2
set protocols bgp group EBGP2 type external
set protocols bgp group EBGP2 local-address 10.1.2.1
set protocols bgp group EBGP2 peer-as 65002
set protocols bgp group EBGP2 multipath multiple-as
set protocols bgp group EBGP2 neighbor 10.1.2.2
set policy-options policy-statement loadbal from route-filter 0.0.0.0/0 exact
set policy-options policy-statement loadbal then load-balance per-packet
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces all
set security policies default-policy permit-all
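The following Python check is an added example, not part of the original article or any Juniper tooling. It audits a configuration in "set" format for the ECMP prerequisites described above (multipath on each EBGP group, multiple-as when the peers are in different autonomous systems, and a load-balance policy exported to the forwarding table), and it lists the permit-all default policy and the "all" host-inbound-traffic statements so they can be reviewed before the configuration is reused. The function name audit and the SAMPLE text are assumptions made for illustration.

```python
import re

# Constructed sample: statements copied from the article's reference configuration.
SAMPLE = """\
set routing-options forwarding-table export loadbal
set protocols bgp group EBGP1 type external
set protocols bgp group EBGP1 peer-as 65001
set protocols bgp group EBGP1 multipath multiple-as
set protocols bgp group EBGP2 type external
set protocols bgp group EBGP2 peer-as 65002
set protocols bgp group EBGP2 multipath multiple-as
set policy-options policy-statement loadbal then load-balance per-packet
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security policies default-policy permit-all
"""

def audit(config):
    """Return (ecmp_problems, permissive_statements) for a 'set'-format config."""
    lines = [s.strip() for s in config.splitlines() if s.strip().startswith("set ")]
    groups = {}  # BGP group name -> peer AS and multipath flags
    lb_policies, exported, permissive = set(), set(), []
    for stmt in lines:
        if m := re.match(r"set protocols bgp group (\S+) (.+)", stmt):
            g = groups.setdefault(m[1], {"peer_as": None, "multipath": False, "multiple_as": False})
            rest = m[2].split()
            if rest[0] == "peer-as" and len(rest) > 1:
                g["peer_as"] = rest[1]
            elif rest[0] == "multipath":
                g["multipath"] = True
                g["multiple_as"] |= "multiple-as" in rest
        elif m := re.match(r"set policy-options policy-statement (\S+) then load-balance per-packet", stmt):
            lb_policies.add(m[1])
        elif m := re.match(r"set routing-options forwarding-table export (\S+)", stmt):
            exported.add(m[1])
        elif (re.search(r"host-inbound-traffic (system-services|protocols) all$", stmt)
              or stmt.endswith("default-policy permit-all")):
            permissive.append(stmt)
    problems = []
    # Assumption: as in the article, multipath is set per group, one group per ISP.
    differing_as = len({g["peer_as"] for g in groups.values()}) > 1
    for name, g in sorted(groups.items()):
        if not g["multipath"]:
            problems.append(f"{name}: multipath not configured")
        elif differing_as and not g["multiple_as"]:
            problems.append(f"{name}: multiple-as missing (peers are in different ASes)")
    if not (lb_policies & exported):
        problems.append("no load-balance policy exported to the forwarding table")
    return problems, permissive
```

Calling audit(SAMPLE) returns an empty problem list and the three permissive statements.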