I am configuring 2 x SRX1500s and have successfully configured as Active/Passive.... But, we need, from a company and topological perspective, to have these SRX1500s clustered in active/active HA configuration.
From reading the active/active technical documents on the juniper sites, it seems to indicate that this CANNOT be achieved with a back to back setup. It indicates that switches are required for an Active/Active to be achieved.
Can you please confirm if I can connect, back-to-back, 2 x SRX1500s and configure them in an active/active configuration?
Thanks in advance
I have deployed SRX active/active without switches directly connecting both devices to upstream and downstream routers with the control and fabric cables directly connected as well.
Do you have a diagram of your proposed design?
Or the link to the documentation that you are referring to?
Please accept my apologies. After a lot of investigation yesterday evening I actually found out that the SRX deals with A/A and A/P in a different way from my usual understanding from a Cisco perspective.
It looks like the Data-Plane, even in an A/P still acts, or seems to, like an A/A..... It appears that the Control Plane, even in an A/A configuration is actually running as Active/Passive and only the Data-Plane is A/A.... this actually makes a lot of sense as we don't really care about the Control-Plane because that is the Chassis, but we DO care about the RTO (Fabric and Data-Plane).... I will confirm this today by running "show chassis cluster information" ...... Not sure how to upload a diagram but I have been tasked with building a NEW ISP Network in the following configuration (across 2 sites):
CE ---> PE1 (LNS1) ---------------- PE3 (core1) --------- Transit (CE)
CE ---> PE2 (LNS2) ---------------- PE4 (Core2) -------- Transit (CE)
No problem with the core.... typical IS-IS, MPLS, BGP .......
Yes there is a single brain for the two A/A nodes.
You do need to have the control and fabric ethernet connections between the two SRX at both sites for the cluster to operate too.
Looks like you are doing firewall on a stick and not in path. So for this setup you will need to carefully craft your routing policies. When one side fails you need to make sure the associated CE is going to forward traffic over to the other CE and SRX path during the failure.
It appears to be the way this is wanted to be completed. In all the environments I have worked before, the core ISP network was already in place and this is the first time I have had to design and configure one from scratch.
I have attached a basic network diagram (as I didn't realise there was an upload box at the bottom; that's a good start 🙂)....
Could you have a quick look and see if that fits the requirements of a small ISP or should the firewalls be placed inline and if so I am guessing they should sit between the PEs? I would then have to forward MPLS and IS-IS traffic across them.... if they are utilised there, would it require iBGP? My understanding is that with MX series, only eBGP at the CE facing PE interfaces is required?
Thanks again for your help.
Thanks for the diagram, that is a little clearer. I had assumed this was delivering internet service but this does appear from the services diagram to be a WAN solution.
And the connection of WAN services and WAN termination to the same core1/core2 then makes sense for building out the service paths with redundancy.
This still does not show that the two SRX1500s need dual ethernet connections between them for the control and fabric links but I assume those will be built out in layer 2 services between the core1/core2 devices.
The objective, from my understanding (and I could be wrong), is as follows:
MPLS in the core (the internal facing interfaces on the MX240s) - all will be Ingress and Egress (Popping)
IS-IS as the IGP - I am not sure if this has to extend to the CE or not, or if it stops at the external facing interfaces (I am sure I will find out)....
eBGP at the PE (which is all four of them) (this is especially important at the LNS as far as I can see for tunnel information to be able to send packets to correct customers)...
IPv6 - as the company wants to move forwards that way.
Dual IPv6/IPv4 stack.
As HA is a requirement then, as the topology shows, a JVC will be on Core1 and Core2 and the SRX1500s will be linked across the core for redundancy and HA.....
Looks good to me then seems like all the paths are covered and redundancy accounted for.
Here is the example for configuring A/A. A/A concept is easy, all you are doing is configuring A/P twice with one redundancy group higher priority on the other node. So RG 1 high priority Node 0, low priority Node 1 and RG 2 high priority node 1 low priority node 0.
Here is the example:
Just so you know Juniper's recommendation is A/P. You should really consider what is the reason why you want to enable A/A and consider what features are not supported in A/A, do you lose any benefits due to Z traffic, if issues, is it easier to troubleshoot A/A or A/P.
Next topic is, how is the network set up without connecting switches to the SRX? What are you connecting to the SRX? If no switches then what are you trying to accomplish configuring A/A? IOW, who will benefit and how?
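As an added illustration of the two-redundancy-group layout described in the reply above (this is not the example attached to the post; every interface name, priority and address is assumed), a Junos set-style configuration for an SRX1500 pair:

```junos
## Added illustration, not the poster's attachment. Names, priorities and addresses are assumed.
## Bootstrap once from operational mode on each node, which then reboots into the cluster:
##   set chassis cluster cluster-id 1 node 0 reboot    (on node 0)
##   set chassis cluster cluster-id 1 node 1 reboot    (on node 1)
## Fabric link between the chassis. The SRX1500 uses its dedicated HA port for control, so only
## fab members are configured; node 1 revenue ports are assumed to appear as ge-7/0/x.
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-7/0/2
## RG0 is the Routing Engine (control plane): always single-active, as noted in the thread.
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
## RG1 homed on node 0, RG2 homed on node 1: the mirrored priorities are what make the data plane A/A.
## preempt returns each group to its home node after recovery so the load stays split.
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 200
set chassis cluster redundancy-group 2 preempt
## Each RG owns both a trust and an untrust reth, so a flow is handled on one node rather than
## entering on one node and leaving on the other (the "Z" traffic the reply warns about).
set chassis cluster reth-count 4
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-7/0/0 gigether-options redundant-parent reth0
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-7/0/1 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.0.2.1/24
set interfaces reth1 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/3 gigether-options redundant-parent reth2
set interfaces ge-7/0/3 gigether-options redundant-parent reth2
set interfaces ge-0/0/4 gigether-options redundant-parent reth3
set interfaces ge-7/0/4 gigether-options redundant-parent reth3
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces reth3 redundant-ether-options redundancy-group 2
set interfaces reth2 unit 0 family inet address 203.0.113.1/24
set interfaces reth3 unit 0 family inet address 10.20.0.1/24
## Link monitoring: a monitored port going down on the primary node reaches the default
## threshold of 255 and fails only that RG over, leaving the other RG where it is.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-7/0/3 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-7/0/4 weight 255
## Zones (security policies omitted). Verify with: show chassis cluster status
set security zones security-zone trust interfaces reth0.0
set security zones security-zone trust interfaces reth2.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone untrust interfaces reth3.0
```

After commit, `show chassis cluster status` should list node 0 as primary for RG1 and node 1 as primary for RG2, with RG0 primary on one node only.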