SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Cluster of SRX Firewalls in Two Data Centres

  • 1.  Cluster of SRX Firewalls in Two Data Centres

    Posted 08-10-2016 19:32

    Hi,

    Sorry, I am a bit new to SRX Firewalls. Can someone guide me to set up a cluster (Active / Standby) for internet & internal connectivity if the SRXs are separated geographically (one SRX in each Data Centre)? I need all technical details and considerations to connect the Fabric (Data) & Control links on both firewalls. Will I create a separate VLAN to pass control link traffic? Or do I need to use IBGP (with OSPF on the internal network) on both firewalls to act as primary / secondary and take over control in case of failure?

    Both Data Centres are connected via an intermediate office on Layer 2 / 3 and also connected via VPN over the Internet in case the intermediate link fails at any point.



  • 2.  RE: Cluster of SRX Firewalls in Two Data Centres

    Posted 08-10-2016 19:46

    Hello,

    Please check the below link to understand what needs to be done on the L2 switch to connect the control and fabric links between both nodes of the SRX.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB25017

    Also, adding to the above link: if you want to have dual control links (possible only on High-End SRX devices) then you need to have both control links in separate VLANs, else the cards on the High-End SRX will get stuck in PRESENT state as per the below KB article:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28503&actp=search

    You can also refer to the below deployment guide for more information on deploying an SRX HA cluster.

    https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide.pdf

    Hope this helps. :)

    Thanks,
    Pulkit Bhandari
    Please mark my response as Solution Accepted if it helps; Kudos are appreciated too. 🙂

     



  • 3.  RE: Cluster of SRX Firewalls in Two Data Centres

    Posted 08-10-2016 20:19

    Thanks a lot, I'll get back to you once I go through all of it.



  • 4.  RE: Cluster of SRX Firewalls in Two Data Centres

     
    Posted 08-10-2016 22:35

    Hi,

    Another document that discusses this matter specifically:

    https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/3500165-EN.pdf

    The cluster is set up across Layer 2 and there need to be separate VLANs for each control and fabric link. Also, I believe the fabric link requires a jumbo-frame MTU if there is to be Z-flow traffic, and it is recommended for the paths of the control links to be diverse due to the cluster's sensitivity to control traffic.

    _________________________________________________________________________________________________

    Or do I need to use IBGP (with OSPF on the internal network) on both firewalls to act as primary / secondary and take over control in case of failure?

    _________________________________________________________________________________________________

    In cluster mode, both nodes appear as a single logical unit in active/standby mode or active/active mode. If the cluster fails over to standby, the interfaces [redundancy groups] also fail over. Dynamic routing protocols can be used with other network elements in the network for routing, but I believe they are not required for the cluster functionality.

    Cheers,

    Ashvin



  • 5.  RE: Cluster of SRX Firewalls in Two Data Centres

    Posted 08-11-2016 01:29

    Hi Ash,

    Agreed, that's not required. Actually that was said due to another config.

    Thanks



  • 6.  RE: Cluster of SRX Firewalls in Two Data Centres

    Posted 08-11-2016 01:30

    Hi Ash,

    Agreed, that's not required. Actually that was said due to another config, with these firewalls also acting as the gateway.

    Thanks



  • 7.  RE: Cluster of SRX Firewalls in Two Data Centres

    Posted 08-11-2016 01:03

    Hi Pulkit,

    The document is great, except that for the layer 2 connection we have the same physical network (whereas they recommend separate connections for both the Control & Fabric links). Another way I am thinking of is to use the internet connection to pass the Control link and layer 2 for the Fabric path, and in case of failure both links act as backup. Kindly guide me if this is a viable solution. Alternatively, I use the layer 2 connection (for both Control & Fabric links) and in case of failure use the Internet connection.



  • 8.  RE: Cluster of SRX Firewalls in Two Data Centres

     
    Posted 08-11-2016 01:25

    Hi,

    Over the Internet connection, do you mean some layer 2 tunneling protocol over the Internet?

    Please also note the requirement for latency:

    "latency shall not exceed more than 100ms between the two devices. Exceeding this latency can cause the cluster to go into an unstable state, with effects varying from dual mastership and/or the inability to pass traffic."

    You could have 2 control links & 1 fabric link, with 1 control and 1 fabric on the same L2 physical network and the other control link on another L2 network.

    Is it a Branch or High-End SRX?

    Cheers,

    Ashvin



  • 9.  RE: Cluster of SRX Firewalls in Two Data Centres

    Posted 08-11-2016 02:26

    These are Branch SRX 240s which are serving as the Gateway.

    At the moment it's simple VPN connectivity, but I am planning to move to L2TP for layer 2 (i.e. internet) connectivity in case of failure of the primary layer 2 link (Intranet). By the way, 2 control links is a good idea.

    How do you move forward in such a scenario?



  • 10.  RE: Cluster of SRX Firewalls in Two Data Centres

    Posted 08-11-2016 02:56

    Hello,

    Well, unfortunately the SRX 240 cannot have two control links on it.

    Please refer to the below KB article to find the interfaces which are designated control ports on the various SRX platforms:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB15356

    You can have two fabric links on it but not two control links.

    Hope this helps 🙂

    Thanks,
    Pulkit Bhandari
    Please mark my response as Solution Accepted if it helps; Kudos are appreciated too. 🙂



  • 11.  RE: Cluster of SRX Firewalls in Two Data Centres
    Best Answer

     
    Posted 08-11-2016 03:12

    Hi,

    Unfortunately, 2 control links are only supported by High-End SRXs.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB15356&actp=search

    Points to be considered:

    • The L2 network appears to be a single point of failure which could lead to split-brain issues.
    • Also, Branch SRX platforms tag control-plane traffic with VLAN ID 4094; this tag should not be modified or removed by the transport network. "The simplest way to transport tagged traffic across an ethernet WAN network is to configure the switch port that connects to the Branch SRX control ports as a trunk port, member of the VLAN 4094. Traffic received by the trunk port will be forwarded without modifying the existing VLAN tag. This option can only be used if no other VLAN in the network is using the 4094 VLAN ID."

    https://forums.juniper.net/jnet/attachments/jnet/srx/1659/1/L2HAAppNotev2.pdf

    Can you share the requirements for the geo-cluster? Would hosts in site A still need to reach the gateway [SRX] when the SRX cluster interfaces have failed over to site B, and vice versa?

    Cheers,

    Ashvin



  • 12.  RE: Cluster of SRX Firewalls in Two Data Centres

    Posted 08-11-2016 20:43

    Good points, I'll take care of these.

    My requirements are as follows:

    1. Site A has services & an Internet connection with an SRX, connected to internet A.

    2. Site B has limited services & an Internet connection with an SRX, connected to internet B, but it's standby.

    (It's Active / Standby.)

    3. These are connected at Layer 2, and via the internet as well as an alternative link.

    There can be a couple of scenarios:

    The Primary Firewall (Site A) goes down; now the SRX at Site B should perform the same function for hosts in Site A, and vice versa.

    OR the Firewall is OK but the Site A internet connection goes down; in this case Site B's SRX starts providing internet services, as Site B is connected to a different internet connection.

    The Layer 2 link between Site A & B goes down; now site B should connect to Site A via the internet (can it be L2TP?).



  • 13.  RE: Cluster of SRX Firewalls in Two Data Centres

    Posted 08-11-2016 02:08

    Hello,

    I think that an internet connection would not be a good way to achieve HA, considering the latency and minimum bandwidth requirements for the control and fabric links.

    Now coming back to your concern about separate connections for both the Control & Fabric links: I think the document suggests that you have different layer 2 settings for each of the HA connections, i.e.

    1. If you have two control links then both of them are in different VLANs.
    2. If you have two control links then both of them are also in different VLANs.

    I believe that would not be a problem, considering you have layer 2 connectivity between both locations, going by your first update on this thread.

    Hope this helps 🙂

    Thanks,
    Pulkit Bhandari
    Please mark my response as Solution Accepted if it helps; Kudos are appreciated too. 🙂



  • 14.  RE: Cluster of SRX Firewalls in Two Data Centres

    Posted 08-11-2016 19:51

    To Avoid Split Brain:

    "While it is possible to use VLAN tagging and have both control and data traffic share the same switching infrastructure, it is not recommended to do so."

    I agree we can use separate VLANs on the same physical infrastructure, but wouldn't that increase the risk (split brain)?

    My second question is: what is a good option / your suggestion to connect both sides via the internet so that users (in Location 2) may access all services (in Location 1) in case the primary Layer 2 link goes down?


  • 15.  RE: Cluster of SRX Firewalls in Two Data Centres

    Posted 08-11-2016 20:45

    Hi,

    You cannot use the Internet to connect the HA Control and Fab links between the two SRX nodes because of the following reasons:

    1. Latency needs to be less than 100ms.
    2. For HE, the minimum bandwidth needed is 1Gbps; for Branch, this varies.
    3. The network should be isolated from any other hosts.
    4. The network connecting both nodes should be free of any other traffic.
    5. The communication between the devices uses private MAC and IP addresses, which could conflict with other hosts and would not be routable on the internet.
    6. IGMP snooping should be disabled on the L2 device.
    7. The L2 device should not perform IP legitimacy checks.
    8. Jumbo frames should be allowed to pass through.
    9. Control and Fab links should be in separate VLANs.

    All the above requirements cannot be achieved traversing the internet.

    Hence it is not possible to deploy a chassis cluster with the control and fab links traversing the Internet.

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped; Kudos are appreciated as well.
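The VLAN 4094 trunk from post 11 and the transport requirements from post 15 (separate VLANs for control and fabric, jumbo frames, IGMP snooping off) come together in one configuration, shown here as an added example that is not from this thread or from Juniper's documentation. It assumes a Branch SRX240 pair (node 1 ports appear as fpc 5, control port fixed at ge-0/0/1), an EX-style transport switch at each site, and constructed host names, IP addresses and the fabric VLAN number 4093; the `#` lines are explanatory comments, not Junos syntax.

```junos
# Added example (not from this thread): SRX240 branch chassis cluster with the
# control and fabric links carried across a transport switch in separate VLANs.
# Host names, addresses and VLAN 4093 are assumed values for illustration.

# --- One-time operational command on each node (not part of the config) ---
# node 0:  set chassis cluster cluster-id 1 node 0 reboot
# node 1:  set chassis cluster cluster-id 1 node 1 reboot
# On the SRX240 the control port is fixed at ge-0/0/1 (node 0) / ge-5/0/1
# (node 1); it needs no configuration and tags its own traffic with VLAN 4094.

# --- SRX cluster configuration (shared by both nodes once clustered) ---
set groups node0 system host-name srx-dc-a
set groups node0 interfaces fxp0 unit 0 family inet address 192.0.2.1/24
set groups node1 system host-name srx-dc-b
set groups node1 interfaces fxp0 unit 0 family inet address 192.0.2.2/24
set apply-groups "${node}"

# Fabric link: one member port per node, carried in its own VLAN on the transport
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2

# RG0 = routing engine, RG1 = data plane (reth interfaces); site A is preferred
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
# Fail RG1 over when the active node's internal uplink goes down (weight 255 =
# full failover threshold), so a dead link does not strand the data plane
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 255

# Redundant Ethernet interface for the internal network
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.10.0.1/24
set security zones security-zone trust interfaces reth0.0

# --- Transport switch at one site (EX-style syntax, assumed) ---
# Control VLAN 4094 is carried on a trunk so the SRX's own tag is forwarded
# untouched; the fabric sits in its own VLAN on an access port with jumbo MTU.
set vlans ha-control vlan-id 4094
set vlans ha-fabric vlan-id 4093
set interfaces ge-0/0/10 description "to SRX ge-0/0/1 control"
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members ha-control
set interfaces ge-0/0/11 description "to SRX ge-0/0/2 fabric"
set interfaces ge-0/0/11 mtu 9216
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members ha-fabric
# Inter-site trunk: both HA VLANs, jumbo MTU end to end across the intermediate office
set interfaces ge-0/0/20 description "DCI trunk to remote site"
set interfaces ge-0/0/20 mtu 9216
set interfaces ge-0/0/20 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/20 unit 0 family ethernet-switching vlan members [ ha-control ha-fabric ]
# No IGMP snooping on the HA VLANs: the control link relies on multicast-style
# hellos that a snooping switch would otherwise drop or delay
set protocols igmp-snooping vlan ha-control disable
set protocols igmp-snooping vlan ha-fabric disable
```

The same switch configuration is repeated at the second site, and every hop of the intermediate-office path must carry both VLANs with the jumbo MTU, or the fabric link will come up but drop forwarded Z-mode packets. After both nodes reboot into cluster mode, `show chassis cluster status` should show one node primary for RG0 and RG1 and `show chassis cluster interfaces` should list the control link and fab0/fab1 as Up; a control link that flaps here is the early warning for the split-brain risk discussed in the thread, since with this design the inter-site trunk is still a single path.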



  • 16.  RE: Cluster of SRX Firewalls in Two Data Centres

     
    Posted 08-12-2016 07:55

    Hi,

    ________________________________________________________________________________________________

    I agree we can use separate VLANs on the same physical infrastructure, but wouldn't that increase the risk (split brain)?

    ________________________________________________________________________________________________

    IMO, the risk is the same as using 2 physical switches/networks but a single WAN. The single WAN, or the common device connecting the WAN, is the single point of failure which can cause split brain. See Figure 8.

    Based on the requirements [more specifically Internet connectivity] it seems a mixed-mode HA is more appropriate. See Figures 7-8. This would probably need Z-flow traffic.

    _________________________________________________________________________________________________

    The Layer 2 link between Site A & B goes down; now site B should connect to Site A via the internet (can it be L2TP?).

    _________________________________________________________________________________________________

    I understand the same WAN link is used for hosts on site A to connect to hosts on site B on the same VLAN; for instance, when SRX A is down, hosts on site A will reach the reth interface on SRX B over the same WAN link carrying the control/fabric for HA. There are different protocols that can enable L2 connectivity between DCs over the Internet, like L2TP, L2 over GRE, EVPN/VXLAN or MPLS over GRE, for example.

    However, when the WAN link is down the SRXs will be in split brain, so anything that goes through the SRX for L3 would most probably go through the local SRX.

    Hope this helps.

    Cheers,

    Ashvin



  • 17.  RE: Cluster of SRX Firewalls in Two Data Centres

     
    Posted 08-12-2016 08:47

    Hi,

    _________________________________________________________________________________________________

    You cannot use the Internet to connect the HA Control and Fab links between the two SRX nodes

    _________________________________________________________________________________________________

    Just for argument's sake, assuming all the conditions are met, can the control link be run over the Internet through some L2 tunneling or L2VPN mechanism?

    1. Latency < 100ms

    2. 2.8Mbps per 1000 sessions/s plus any asymmetric traffic resulting from Z-mode deployments for Branch SRX, assuming a 10Mbps symmetric Internet connection

    3. VLAN is isolated from any other hosts and free of any other traffic

    4. Private MAC & IP addresses are tunnelled over L2

    5. No IGMP snooping

    6. Minimum MTU for the fabric link is 9014; nothing mentioned for the control link

    Because of the MTU requirement for the fabric, it can definitely not be transported over the Internet.

    Although I agree running any HA cluster traffic over the Internet is not recommended for stability reasons, as the Internet is only best effort, would it be theoretically possible to transport control traffic over the Internet?

    Cheers,

    Ashvin



  • 18.  RE: Cluster of SRX Firewalls in Two Data Centres

    Posted 08-14-2016 21:30

    Thank you guys for such quick help.