
Configure a WAN Link with LTE Backup in Active/Active Mode to the Internet

 

This example shows how to configure a WAN link with LTE backup in an Active/Active setup on the SRX300 line of devices or the SRX550M.

Requirements

This example uses the following hardware and software components:

  • One SRX300 Series device (SRX320, SRX340, SRX345, SRX380) or SRX550M

  • One LTE Mini-PIM for SRX300 Series

  • One SIM card with subscription for data services

  • Junos OS 19.4R1 or later

We’ve tested this configuration on an SRX320 device with Junos OS 19.4R1.

Overview

In this example, we are setting up a branch SRX320 device to provide wired and wireless Internet and Intranet access to the employees on-site, and wireless Internet access to guest devices. The primary link is an MPLS connection, broadband Internet access is through Ethernet, and the backup connectivity is an LTE network. The two wired links are configured in Active/Active mode; no traffic is routed through the LTE modem unless both the primary and the secondary link are down.

We are using the topology shown in Figure 1 for this example.

Figure 1: Branch Office with Redundant Internet Connectivity Example

In the topology:

  • The LTE Mini-PIM is installed in slot 1 of the SRX Series device.

  • The SIM card is installed in slot 1 of the LTE Mini-PIM.

  • The primary MPLS link is connected to the interface ge-0/0/6.

  • The broadband Internet link is connected to the interface ge-0/0/7.

  • The interface cl-1/0/0 identifies the modem Mini-PIM.

  • The link over the cellular network terminates on interface dl.0.

  • The wired ports ge-0/0/6 and ge-0/0/7 receive their IP address, network mask, and default gateway through DHCP.

  • The LTE interfaces (cl-1/0/0 and dl.0) receive their IP address, network mask, and default gateway from the cellular service provider.

In this example, we are using two security zones, trust and untrust, configured on the SRX320 device. Separating the interfaces into security zones separates the traffic and reduces the exposure of the corporate Intranet. Security zones also let you implement security policies in a clear and simple way. The untrust zone hosts the interfaces that have access to the Internet. The internal interfaces in the corporate Intranet are in the trust zone. See Figure 2 and Table 1 to understand the interfaces, security zones, and security policy configuration.

Figure 2 shows the interfaces in each security zone.

Figure 2: Security Zones

Table 1 shows the desired behavior of the security policies for the traffic between the zones.

Table 1: Security Policies by Zone

From Zone | To Zone | Security Policy Behavior to Allow Traffic
----------|---------|-------------------------------------------
Trust     | Trust   | Yes
Untrust   | Untrust | No
Trust     | Untrust | Yes
Untrust   | Trust   | Trust-initiated only. Allow traffic initiated in the trust zone and the return traffic.

Table 2 summarizes the VLAN information and the IP address information for the interfaces.

Table 2: Interfaces Configuration Details

Interface | VLAN | IP Address  | Network Mask
----------|------|-------------|--------------
dl.0      | -    | DHCP        | -
ge-0/0/6  |      | DHCP        | 255.255.255.0
ge-0/0/7  | -    | DHCP        | -
irb.0     | 3    | 192.168.1.1 | 255.255.255.0

Let's consider the applications in Table 3. For illustrative purposes, let's assume that the Office365, Salesforce, and Zoom applications are business-critical; we'll route them predominantly through the MPLS link and also prioritize them on the LTE link. The remaining applications use the broadband Internet link. We are reserving the LTE backup link for business-critical applications only. As a result, noncritical applications are inaccessible when the LTE connection is the only connection available.

Table 3: Priorities for the Applications

Applications | Primary Link       | Secondary Link     | Critical Application?
-------------|--------------------|--------------------|----------------------
Office365    | MPLS               | Broadband Internet | Yes
Salesforce   | MPLS               | Broadband Internet | Yes
Zoom         | MPLS               | Broadband Internet | Yes
Slack        | Broadband Internet | MPLS               | No
GoToMeeting  | Broadband Internet | MPLS               | No
Dropbox      | Broadband Internet | MPLS               | No
Skype        | Broadband Internet | MPLS               | No
Youtube      | Broadband Internet | MPLS               | No

Configuration

Step-by-Step Procedure

The steps in this configuration example are logically built from the lower layers to the upper layers.

  1. Set the Access Point Name (APN) for the SIM in the modem (LTE-MPIM).
  2. Create a common VLAN for the LAN segment of the network. In this example we use VLAN ID 3 and call it vlan-trust.
  3. Create a security policy to allow traffic between the trust zone and untrust zone. Make sure to include the desired network segments and applications in the policy.
  4. Create a security policy to allow traffic between devices in the trust zone. Make sure to include the desired network segments and applications in the policy.
  5. Create a unique DHCP server group for the devices that are connected on the LAN segment.
  6. Create a pool of IP addresses to be assigned to devices in the LAN segment. For this pool, specify the lowest and the highest IP address, the IP addresses of the DNS servers, and the IP address of the default gateway, which is usually the irb.0 interface.
  7. Create a source NAT rule that translates the addresses of devices in the trust zone to the address of the outgoing interface.
  8. Configure the interface for the primary Internet link. Set the interface to obtain configuration over DHCP protocol.
  9. Configure the LTE-MPIM interface. Ensure that the SIM slot, which contains the SIM card, is set to active.
  10. Configure the dialer interface.
  11. Configure the LAN interfaces ge-0/0/0, ge-0/0/1, and the other interfaces as switching interfaces in the trust VLAN. The trust VLAN effectively adds the interfaces to the trust zone. We show the configuration for one interface; repeat the same steps to configure all LAN segment interfaces.
  12. Allow the necessary protocols in the trust zone. This step ensures proper operation of the LAN segment of the network.
  13. Allow the necessary protocols in the untrust zone.
  14. Create time-performance monitoring probes for each application and each link specified in Table 3.

    In this step, we are setting the probe type to icmp-ping for the Office365 application, which uses the MPLS link. The probe tests connectivity to the IP address 40.97.223.114, which is used by Office365. The test runs 5 times, 6 seconds apart. The thresholds that must not be violated are a loss of 5 successive tests and/or a round-trip time (RTT) of 300000 microseconds. The IP address of the gateway on interface ge-0/0/6 is 192.168.220.1.

  15. Create the second probe for the same application. Be sure to use the secondary interface details for this application. The IP address of the default gateway on the broadband Internet link is 10.10.10.1.
  16. Create two probes for the Skype application.

    In this step, we are setting a shorter probe interval of 1 second, and a shorter RTT of 60000 microseconds. This configuration reflects the higher link guarantees for the application. Note that the interface for the primary probe is ge-0/0/7 and the IP address to be probed is different, compared to Office365. The IP addresses used in this step are the target addresses that we use for our probes. That is, each of the target addresses belongs to the application, for which we’ve created the probe.

  17. Configure the probes for the remaining applications using the same pattern.
  18. Create a routing instance for each application. Ensure that the route over the primary link for that application has a lower preference value, compared to the other links. Lower preference value makes the route more preferred. Ensure that the business-critical applications use the LTE backup interface.

    In this step, we are configuring the routing instance for the Office365 application. The primary link is the MPLS link. Setting a preference value of 10 to the gateway of this link makes it the most preferred route. Preference value of 20 for the gateway of the broadband Internet link makes it the second best preferred option. The LTE backup link has a preference value of 30 and is the least preferred option.

  19. Configure the routing instances for the remaining applications using the same pattern as in the previous step.
  20. Configure IP monitoring policies for all applications. The goal of the policies is to change the metric of routes that are created in the routing instances from the previous step. The policies are created on a per-probe basis.

    In this step, we are creating an IP monitoring policy for the Office365 application. We have configured two probes and therefore create two policies, one for each probe. When the probed link deviates from the allowed thresholds, the policy changes the preference of the routes in order to reroute the application traffic over the other link. The policy decreases the metric of the second-best link to 2.

    Example: When the probe identifies that the primary link (MPLS) for Office365 does not meet the requirements for RTT and packet loss, the policy gives the gateway route for the broadband Internet link a metric of 2. Note that the policy changes the metric for the second-best route.

  21. Configure the IP monitoring policy for the secondary probe for Office365. The next-hop address is the primary MPLS link.
  22. Configure IP monitoring policies for the remaining applications, following the same pattern as in the previous two steps.
  23. Configure an advanced policy-based routing (APBR) profile that matches all eight applications in scope and redirects the traffic to the respective routing instance for that application. The profile is divided into rules. Each rule covers one application and one routing instance.

    In this step, the rule office365_rule matches all traffic for the application junos:OFFICE365-CREATE-CONVERSATION and redirects it to the routing instance office365_RInstance.

    In this step, we are not allowing mid-session path changes for the ongoing sessions to avoid any impact on the application continuity. This is achieved by setting the max-route-change parameter to 0.

  24. Configure a protocol-independent group of routing tables. The group imports the routing tables of the dedicated instances to the main routing table.
  25. Add the newly created profile apbr_profile to the security zone trust. This configuration applies the profile to traffic in the trust zone.
  26. Commit the configuration.
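The configuration that steps 14 through 25 describe, written out in Junos set syntax for the Office365 application only. This is an added example, not configuration taken from the original page: the probe, policy, and rib-group names are assumptions, and so is the form of the rib-group in step 24; the addresses, interfaces, preference values, metric, application name, and the office365_RInstance and apbr_profile names are those given in the steps above.

```junos
# Step 14: RPM probe for Office365 over the primary (MPLS) link on ge-0/0/6.
# Probe and test names are assumptions; thresholds and addresses are from the steps.
set services rpm probe office365_mpls test office365_mpls_test probe-type icmp-ping
set services rpm probe office365_mpls test office365_mpls_test target address 40.97.223.114
set services rpm probe office365_mpls test office365_mpls_test probe-count 5
set services rpm probe office365_mpls test office365_mpls_test probe-interval 6
set services rpm probe office365_mpls test office365_mpls_test thresholds successive-loss 5
set services rpm probe office365_mpls test office365_mpls_test thresholds rtt 300000
set services rpm probe office365_mpls test office365_mpls_test destination-interface ge-0/0/6.0
set services rpm probe office365_mpls test office365_mpls_test next-hop 192.168.220.1
# Step 15: the same probe over the secondary (broadband) link on ge-0/0/7.
set services rpm probe office365_bb test office365_bb_test probe-type icmp-ping
set services rpm probe office365_bb test office365_bb_test target address 40.97.223.114
set services rpm probe office365_bb test office365_bb_test probe-count 5
set services rpm probe office365_bb test office365_bb_test probe-interval 6
set services rpm probe office365_bb test office365_bb_test thresholds successive-loss 5
set services rpm probe office365_bb test office365_bb_test thresholds rtt 300000
set services rpm probe office365_bb test office365_bb_test destination-interface ge-0/0/7.0
set services rpm probe office365_bb test office365_bb_test next-hop 10.10.10.1
# Step 18: per-application routing instance; the lowest preference value wins,
# so MPLS (10) beats broadband (20), and the LTE dialer interface (30) is last.
set routing-instances office365_RInstance instance-type virtual-router
set routing-instances office365_RInstance routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.220.1 preference 10
set routing-instances office365_RInstance routing-options static route 0.0.0.0/0 qualified-next-hop 10.10.10.1 preference 20
set routing-instances office365_RInstance routing-options static route 0.0.0.0/0 qualified-next-hop dl.0 preference 30
# Steps 20-21: IP monitoring; when a probe fails, install the other link's gateway with metric 2.
set services ip-monitoring policy office365_mpls_policy match rpm-probe office365_mpls
set services ip-monitoring policy office365_mpls_policy then preferred-route routing-instances office365_RInstance route 0.0.0.0/0 next-hop 10.10.10.1 preferred-metric 2
set services ip-monitoring policy office365_bb_policy match rpm-probe office365_bb
set services ip-monitoring policy office365_bb_policy then preferred-route routing-instances office365_RInstance route 0.0.0.0/0 next-hop 192.168.220.1 preferred-metric 2
# Step 23: APBR rule for the application, with mid-session path changes disabled.
set security advance-policy-based-routing profile apbr_profile rule office365_rule match dynamic-application junos:OFFICE365-CREATE-CONVERSATION
set security advance-policy-based-routing profile apbr_profile rule office365_rule then routing-instance office365_RInstance
set security advance-policy-based-routing tunables max-route-change 0
# Step 24 (assumption): a rib-group that copies the main instance's interface routes
# into the application instance so that its static next-hops resolve.
set routing-options interface-routes rib-group inet apbr_rib_group
set routing-options rib-groups apbr_rib_group import-rib inet.0
set routing-options rib-groups apbr_rib_group import-rib office365_RInstance.inet.0
# Step 25: apply the profile to traffic entering from the trust zone.
set security zones security-zone trust advance-policy-based-routing-profile apbr_profile
```

After committing, show services ip-monitoring status reports each probe's state and whether its preferred route is currently installed, and show services rpm probe-results shows the measured RTT and loss per test.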

Validation

To confirm that the configuration is working properly, perform the following tasks:

Verify Detection of Mini-PIM Modules by Junos OS

Purpose

Verify that the Junos OS is detecting Mini-PIM modules.

Action

From operational mode:

user@host> show chassis hardware

Meaning

The device displays the Mini-PIM module LTE for AE in the output.

Verify the Firmware Version of the Mini-PIM

Purpose

Check the firmware version of the Mini-PIM.

Action

From operational mode:

user@host> show system firmware

Meaning

The output shows the firmware version of the Mini-PIM as 17.1.80. Update the firmware if required. See Firmware Upgrade on the LTE Mini-Physical Interface Module.

Verify APBR Rule Effectiveness

Purpose

Verify the traffic handling details after applying the APBR rule.

Action

From operational mode:

user@host> show security advance-policy-based-routing statistics

Meaning

The output displays details about the sessions processed for the application-based routing rule, the number of times the application traffic matched the APBR profile (rule hit), and the number of times APBR was applied to a session (Route change).