SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Are the Fabric Link fab0 fab1 expected to be used as a "Null Zone" interface?

    Posted 08-03-2014 23:57

    Hi to All,

     

    Could you help me with a doubt about the SRX's fab interfaces?

    By default it seems to be located in a "null zone", as appears in the following.

     

    The fab0, fab1 are located at the Null Zone, and everything goes OK at the Data Plane (no issues with Stateful failover etc).

     

    But is this the best way (best practice) to use the fabric interfaces?

    Or should I move them to a Trust Zone or some other zone?

     

    --------------------------------------------------

    root@a> show interfaces fab1

    Physical interface: fab1, Enabled, Physical link is Down

    / omit/ 

    Security: Zone: Null★

    Protocol inet, MTU: 9000

    --------------------------------------------------

     

    Regards, Elton

     

     

     



  • 2.  RE: Are the Fabric Link fab0 fab1 expected to be used as a "Null Zone" interface?

    Posted 08-04-2014 00:29

    Hi Elton,

    Fab links should not be configured to be part of any security zone.

    These links are for fabric monitoring, for both nodes to synchronize sessions, etc.

    They will be part of NULL Zone only.



    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 3.  RE: Are the Fabric Link fab0 fab1 expected to be used as a "Null Zone" interface?

    Posted 08-04-2014 05:54

    hi Rparthi 

     

    Thanks for your reply.

    I would just like to figure out the following statement, which we can find in an explanation about Null Zones.

     

     

    "Note: By default, interfaces are in the null zone. The interfaces will not pass traffic until they have been assigned to a zone."

     

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/zone-security-creating-cli.html

     

    Are the RTOs an exception? I mean, they are not considered traffic, so that's why they can pass through the Null Zone?

     

    Regards, Elton



  • 4.  RE: Are the Fabric Link fab0 fab1 expected to be used as a "Null Zone" interface?

    Posted 08-04-2014 02:52

    Fab links cannot be part of any zones.

    They are used for exchanging RTOs between the nodes. Please do not add them to any zones.

     

    Regards.
    c_r

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 5.  RE: Are the Fabric Link fab0 fab1 expected to be used as a "Null Zone" interface?

    Posted 08-04-2014 05:55

    hi c_r

     

    Thanks for your reply.

    I would just like to figure out the following statement, which we can find in an explanation about Null Zones.

     

     

    "Note: By default, interfaces are in the null zone. The interfaces will not pass traffic until they have been assigned to a zone."

     

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/zone-security-creating-cli.html

     

    Are the RTOs an exception? I mean, RTOs are not considered traffic, so that's why they can pass through the Null Zone?

     

    Regards, Elton



  • 6.  RE: Are the Fabric Link fab0 fab1 expected to be used as a "Null Zone" interface?

    Posted 08-04-2014 06:16

    Hi Elton,

    Yes, you are right.

    Fab links are used for cluster communication between 2 SRX devices and are not used for forwarding real-time traffic, so they have to be in the Null Zone and cannot be used under any security zone.

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 7.  RE: Are the Fabric Link fab0 fab1 expected to be used as a "Null Zone" interface?

    Posted 08-04-2014 19:19

    Hi rparthi

     

    Thanks a lot for your answer.

    It was very helpful.

     

    Elton



  • 8.  RE: Are the Fabric Link fab0 fab1 expected to be used as a "Null Zone" interface?
    Best Answer

    Posted 08-04-2014 18:32

    Hi Elton,

     

    Fab interfaces are not regular interfaces, which are used for passing traffic.

    They are special interfaces used by the cluster for communicating RTOs, or Real Time Objects, between nodes; basically session syncing information.

    RTOs, yes, are not considered as traffic per se.

    There are a set of such interfaces in SRX/Junos that need not be added to any zones, and hence are part of the default zone and can carry out normal functionality.

    Interfaces with such an exemption are, viz., fab0, fab1, fxp0, fxp1, em0, em1, etc.

    They are not regular interfaces and are special interfaces meant for specific roles.

     

    I hope this explains your question.

     

    Regards,
    c_r

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
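
Added example, not written by any poster in this thread: a small check that scans a Junos configuration in `set` format and reports any of the interfaces listed in the answer above (fab0, fab1, fxp0, fxp1, em0, em1) that have been bound to a security zone. The sample configuration and the zone names in it are constructed for illustration.

```python
import re

# Interfaces the answer above lists as exempt from zone assignment.
SPECIAL_IFACES = {"fab0", "fab1", "fxp0", "fxp1", "em0", "em1"}

# Matches Junos "set"-format zone bindings, e.g.
#   set security zones security-zone trust interfaces ge-0/0/1.0
ZONE_BINDING = re.compile(
    r"^set\s+security\s+zones\s+security-zone\s+(?P<zone>\S+)\s+"
    r"interfaces\s+(?P<iface>\S+)"
)


def find_zoned_special_interfaces(config_text):
    """Return sorted (interface, zone) pairs for special interfaces bound to a zone."""
    findings = set()
    for line in config_text.splitlines():
        m = ZONE_BINDING.match(line.strip())
        if not m:
            continue
        # Strip the logical unit so fab0.0 is compared as fab0.
        base = m.group("iface").split(".", 1)[0]
        if base in SPECIAL_IFACES:
            findings.add((base, m.group("zone")))
    return sorted(findings)


# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
set security zones security-zone trust interfaces reth0.0
set security zones security-zone trust interfaces fab0.0
set security zones security-zone untrust interfaces reth1.0 host-inbound-traffic system-services ping
set security zones security-zone mgmt interfaces fxp0.0
"""

if __name__ == "__main__":
    for iface, zone in find_zoned_special_interfaces(SAMPLE_CONFIG):
        print(f"{iface} is assigned to zone {zone}; it should stay in the null zone")
```
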



  • 9.  RE: Are the Fabric Link fab0 fab1 expected to be used as a "Null Zone" interface?

    Posted 08-04-2014 19:17

    Hi c_r!

     

    I got it all clearly! Thanks for the help!

     

    Elton