SRX Services Gateway
Trusted Contributor

Best practice migrate NSRP Active/Active to SRX Cluster?

Hi All,

If I have a NetScreen cluster active/active and I want to swap/migrate it with an SRX 5800 cluster, may I know whether the best practice is active/passive or active/active also? If I set up the SRX cluster active/active then I need to add a new physical cable because, as I understand, active/active on SRX will have RG2 etc. The purpose is to configure a one-to-one swap without needing to change the config on other equipment, except the ISG to SRX. If I set up both SRX without a cluster, what are the disadvantages except the config not syncing or having two devices to manage? The protocol in the existing ISG is just static routes only.

Thanks and appreciate some advice.

Distinguished Expert

Re: Best practice migrate NSRP Active/Active to SRX Cluster?

Both the ISG ScreenOS and the SRX Junos recommend that clusters be Active/Passive unless there is a need for all the interfaces to be actively passing traffic.

So in this sense there is no difference in the recommendations for your original ISG deploy and the new SRX deploy.

If the primary goal is to replace the existing, working-fine Active/Active setup without any changes outside the cluster, then I recommend you stick with Active/Active on the SRX too. Chances are reasonable in a working system that they made the correct deployment decision. Even if it is not the best practice, you would then need to change other elements of the topology when you do the SRX install.

You can only get away with two separate devices instead of a cluster if the routing paths are never asymmetrical paths involving the two SRX. If there are asymmetrical paths you must have the Active/Active cluster so that the session flows can match and the traffic is complete.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Trusted Contributor

Re: Best practice migrate NSRP Active/Active to SRX Cluster?

Hi Spuluka,

Thanks for your feedback. Below are my additional queries:

1.) The other limitation is we cannot add a new interface to make it active/active in SRX (cost to buy another SFP).

2.) If I'm to do a non-cluster setup, the static routes from other equipment to the SRX must be the same as the static routes in the SRX, right, to avoid asymmetric routing?

3.) Can we make both physical interfaces active in the cluster setup? I mean we do not bind the physical interfaces into a RETH but bind them into apply-groups such as fxp0. So in other words we can have overlapping IP addresses. But if I do it like that, are both interfaces active at the same time?

Thanks and appreciate any feedback

Distinguished Expert

Re: Best practice migrate NSRP Active/Active to SRX Cluster?

1.) The other limitation is we cannot add a new interface to make it active/active in SRX (cost to buy another SFP).

I'm confused by this because any cluster uses just the two interconnects whether it is active/active or active/passive.

Are you saying you can't make it a cluster at all then?

2.) If I'm to do a non-cluster setup, the static routes from other equipment to the SRX must be the same as the static routes in the SRX, right, to avoid asymmetric routing?

The type of routing (static or dynamic) is not relevant to the issue of asymmetrical routing. Asymmetrical routing is when the routing path starting from A going to B is different from the routing path starting at B and going to A.

In your existing cluster there are active interfaces on both physical devices.

Asymmetrical routing is when A enters port 1 and exits port 2 while traffic from B enters port 3 and exits port 4.

Or any other combination that does not have the same ingress and egress ports in both directions.

This is a major problem if the ports are ALSO on different physical nodes and you then break this up into two independent devices.

Asymmetrical routing is a common reason that Active/Active clusters get deployed.

You test for this by running traceroutes from the A and B devices towards each other and comparing the paths.

3.) Can we make both physical interfaces active in the cluster setup? I mean we do not bind the physical interfaces into a RETH but bind them into apply-groups such as fxp0. So in other words we can have overlapping IP addresses. But if I do it like that, are both interfaces active at the same time?

Correct, when you run active/active you generally set up all the interfaces separately without reference to RETH groups or interfaces for failover at all.

Trusted Contributor

Re: Best practice migrate NSRP Active/Active to SRX Cluster?

Hi Spuluka,

Thanks for the feedback. Currently I have already simulated the standalone firewall setup in GNS3, and it's true the traffic will drop. I simulated a static route from CE-1 flowing through SRX-1 to CE-2 and made the static route back from CE-2 to CE-1 flow through FW-2, and the traffic cannot pass (browsing a website) but there is no issue when pinging.

3.) If I set up a cluster but do not bind the physical interfaces into a RETH, and instead bind the physical interfaces into the config apply-groups node0 and node1 the same as the fxp0 interface (OOB), can I use overlapping IP addresses on those interfaces with this style? But I'm not sure whether the physical interfaces bound into apply-groups node0 and node1 can still be put into a security zone or not.

Do you have experience setting up something like this?

If there is no option then it looks like I'm forced to use the cluster setup and then need to change routes on the other equipment also.

Distinguished Expert

Re: Best practice migrate NSRP Active/Active to SRX Cluster?

Yes, I've deployed active/active SRX5800 in a data center using this method of direct interface configuration and no reth groups.

Your fxp0 interfaces work similar to VRRP. You have a local address for each SRX directly and a shared IP address that will be owned by the current master device in the cluster. Normally you SSH to the shared IP for control and monitor both local IPs for the health of the hardware.

These currently must be in the master routing instance and share the inet.0 route table. So if you have a true OOB network you will want to consider creating an operational routing instance to put the normal interfaces into, to separate the routing tables and have different default routes for your OOB network and production network.

I understand that in some version of Junos soon, or perhaps in Junos 17, we will be able to move the fxp0 into a routing instance instead, but I don't remember the version needed for this.

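A Junos configuration sketch of the pattern described in this thread (node-local interfaces carried in the node0/node1 groups the same way fxp0 is, a shared master-only fxp0 address in inet.0, and the production interfaces moved into their own routing instance and a security zone), added here as an example; it is not configuration from the thread or from Juniper. Host names, addresses, the slot offset used for node1 interface names, and the routing-instance name prod are assumptions.

```junos
## Added example (not from the thread): node-local interfaces via the node0/node1
## groups instead of reth. Interface names, addresses, host names and the
## routing-instance name "prod" are assumed values.
groups {
    node0 {
        system { host-name srx5800-node0; }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.0.2.11/24;                 ## node0's own OOB address
                        address 192.0.2.10/24 { master-only; } ## shared address, follows the RG0 primary
                    }
                }
            }
            xe-1/0/0 { unit 0 { family inet { address 198.51.100.1/24; } } }  ## node0 data port
        }
    }
    node1 {
        system { host-name srx5800-node1; }
        interfaces {
            fxp0 { unit 0 { family inet { address 192.0.2.12/24; address 192.0.2.10/24 { master-only; } } } }
            xe-13/0/0 { unit 0 { family inet { address 198.51.100.2/24; } } }  ## node1 data port (slot offset assumed)
        }
    }
}
apply-groups "${node}";  ## each node applies only its own group
chassis {
    cluster {
        redundancy-group 0 { node 0 priority 200; node 1 priority 100; }
    }
}
## fxp0 stays in inet.0; production interfaces get their own table and default route
routing-options { static { route 0.0.0.0/0 next-hop 192.0.2.1; } }
routing-instances {
    prod {
        instance-type virtual-router;
        interface xe-1/0/0.0;
        interface xe-13/0/0.0;
        routing-options { static { route 0.0.0.0/0 next-hop 198.51.100.254; } }
    }
}
security {
    zones {
        security-zone untrust { interfaces { xe-1/0/0.0; xe-13/0/0.0; } }
    }
}
```

Both data ports are up at the same time, so the asymmetric-path check from earlier in the thread still applies: a flow that enters on one node and returns via the other must be handled by the cluster session sync, which is what two standalone SRX cannot do.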