SRX

 View Only

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  SRX design help

    Posted 02-16-2010 23:12

    Hi!

     

    I'm going do deploy a couple of customer connections at two different sites. Each site will have two SRX210 and two leased lines, running BGP for failover functionality.

     

    At site1 the two SRX210 will be sitting in the same rack and my plan was to use JSRP-cluster between them. One reth on the the inside so the customer gets one IP-adress and then one interface against each leased line (no reth).

     

    At site2 the SRX210 will be separated by some distance and what I have read jsrp-cluster don't work if there is a switch between them (fabric, control link). What can I use here to receive some kind of redundancy but still give the customer one address on the inside that they can route via?

     

    Does the suggestion at site1 make sense?

     

    Regards

    Freddy



  • 2.  RE: SRX design help

    Posted 02-17-2010 06:25

    You can run VRRP and offer that VIP-address for your clients. You might also find running normal BGP+VRRP a lot more stable than the SRX/J-series cluster function. Also in cluster mode you will lose most of the features available in non-cluster mode.



  • 3.  RE: SRX design help

    Posted 02-17-2010 06:30

     

    Thanks for the reply.

     

    So one BGP per SRX and IBGP between them and VRRP against the internal network, correct?

     

     

     

     



  • 4.  RE: SRX design help
    Best Answer

    Posted 02-17-2010 10:54

    Yeah that work's fine. I have that kind of setup with J-series here. I have also configured BFD between the BGP-peers so they notice faster if the link has dropped.

     



  • 5.  RE: SRX design help

    Posted 03-19-2010 09:29

    Are those SRX in packet or flow-based mode? If the former, I agree in that it's a simple and elegant solution.

    However, if in flow-based mode, all established-flow related information is lost whenever traffic is rerouted, is that correct?

     

    Regarding having a cluster over a layer 2 ethernet network, there are some tips to make this work (where's the FAQ on HA for Juniper products?). "SRX Services Gateway Cluster Deployments Across Layer Two Networks"

    http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-clustering-over-a-switched-network-Is-this-even-possible/m-p/31821

     

    John


    #Availability
    #packet
    #high
    #SRX
    #cluster
    #BGP
    #flow
    #vrrp


  • 6.  RE: SRX design help

    Posted 02-19-2010 03:11
    I have to disagree. It is totally possible to create a jsrp cluster where the firewalls are not in the same room. We have several totally stable installations where the firewalls are separated by 500m or so. The connections are done with fibres. With fxp1 we use media converter (eth-> fibre) and fab is done with fibre.


  • 7.  RE: SRX design help

    Posted 02-19-2010 13:57

    Then you are one of the lucky ones to have a stable J-Series/SRX cluster. Can you please share a config so we can learn from it.