11-16-2010 08:14 AM
In multi-site SRX High-End deployments, are there any ways to do active/active load-sharing so that traffic entering node0 exits out of node0 interfaces and traffic entering node1 exits out of node1 for the same VR?
Current solution is through the use of FBF and rib-groups which is configurable but not really scalable in multi-customer environments. Z-Path forwarding through the fabric link is viable in a single site deployment but in multi-site deployment it is less optimal.
11-16-2010 08:25 AM
Agreed that the current FBF solution is a functional workaround, but not an optimal solution. Using separate zones/VRs per site is a cleaner solution but doesn't always match the needs of the customer.
We are currently working to build a solution that will allow A/A, multisite, single-VR operation without Z-mode; nothing yet that has a delivery timeline, but we've heard the request a few times now and are researching the best way to add additional flexibility to our HA capabilities.
11-16-2010 08:28 AM
I see your point and this really is not possible.
And let me tell you why this is not possible...
To figure out what interface a packet must go to, we do a route lookup, and based on the route lookup we get an outgoing interface...
We cannot limit this interface to only the same node because...
1. A customer may have 2 routes to the same destination. And if one goes down he might want to use the other route. The other route might point to an interface on the other node.
2. Also, it is possible that there are 2 routes to the same destination, both routes pointing to interfaces on different nodes. It is possible that the route that points to an interface on node 0 has a higher preference than the one that points to an interface on node 1. It is also possible that, either via BGP or some other routing protocol, we change the preferences and now the preferred route will be swapped.
So while designing the functionality we do need to think of corner cases like this.
11-16-2010 08:46 AM
We don't want to 'limit' traffic to the same node, but there have been some discussions around setting up a mechanism to prefer the local node when appropriate, or something similar. It's more a question of finding a solution that's minimally disruptive to the existing HA capabilities, but that allows the scenario above for customers that are looking for that functionality.
11-16-2010 08:53 AM
Exactly, it is possible to perform conditional route advertisement for inbound traffic based on redundancy-group primary state. But this condition does not apply to outbound traffic.
In ScreenOS, we had an option for VSD-Less setups and we hope to see the same thing in SRX. The use of redundancy-groups creates more issues since it automatically requires extending VLANs across sites and at a higher count of physical interfaces (50% being idle).
11-16-2010 01:50 PM
The best way to solve the A/A load balancing is to rely on external nodes (L2 switches or L3 routers) directing traffic towards the SRXs. However, care must be taken to ensure that these external nodes provide load balancing on a flow basis such that for the duration of the flow it ends up on a single SRX node.
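
The flow-basis requirement in the last post, as an added example that is not part of the original thread and is not Juniper or switch-vendor code: a 5-tuple hash pins every packet of a flow to one node, while per-packet round robin splits the same flow across both. Sorting the endpoints so that reply traffic lands on the same node goes beyond what the post states and is an assumption made here for a stateful firewall; the addresses, ports and function names are constructed for illustration.

```python
import hashlib
import ipaddress
from itertools import cycle

NODES = ("node0", "node1")  # the two cluster members named in the thread

def flow_key(src, dst, proto, sport, dport):
    """Canonical 5-tuple: endpoints are sorted so both directions share a key."""
    a = (int(ipaddress.ip_address(src)), sport)
    b = (int(ipaddress.ip_address(dst)), dport)
    lo, hi = sorted((a, b))
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()

def pick_node(src, dst, proto, sport, dport, nodes=NODES):
    """Flow-based choice: a stable hash of the flow key selects the node."""
    digest = hashlib.sha256(flow_key(src, dst, proto, sport, dport)).digest()
    return nodes[int.from_bytes(digest[:8], "big") % len(nodes)]

def per_packet_round_robin(packets, nodes=NODES):
    """Per-packet choice, shown for contrast: ignores which flow a packet is in."""
    rr = cycle(nodes)
    return [next(rr) for _ in packets]

def nodes_seen_per_flow(packets, assignment):
    """Map each flow key to the set of nodes that received its packets."""
    seen = {}
    for pkt, node in zip(packets, assignment):
        seen.setdefault(flow_key(*pkt), set()).add(node)
    return seen

# Constructed sample: one TCP flow, client packets and server replies interleaved.
CLIENT = ("198.51.100.7", "203.0.113.10", 6, 40000, 443)
REPLY = ("203.0.113.10", "198.51.100.7", 6, 443, 40000)
PACKETS = [CLIENT, REPLY, CLIENT, REPLY, CLIENT]

if __name__ == "__main__":
    by_flow = [pick_node(*p) for p in PACKETS]
    by_packet = per_packet_round_robin(PACKETS)
    for label, assignment in (("flow hash", by_flow), ("per-packet", by_packet)):
        for nodes in nodes_seen_per_flow(PACKETS, assignment).values():
            verdict = "OK" if len(nodes) == 1 else "SPLIT across nodes"
            print(f"{label:10s} -> {sorted(nodes)} {verdict}")
```

A set with more than one node for a flow means some packets reach a node that did not see the start of that flow.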