SRX

I am trying to setup some high availability and need to setup virtual IP or VIP 

Basically something like floating IP so i can setup this setup in this tutorial https://www.digitalocean.com/community/tutorials/how-to-create-a-high-availability-setup-with-corosync-pacemaker-and-floating-ips-on-ubuntu-14-04

Please help

Thanks

Hi,

You can use destination nat to acheive this :-

http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-destination-address-port-translation-configuring.html

You can also use a one to one static mapping for this :-

http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-static-single-address-translation-configuring.html

Please let me know if there are any doubts in this.

Regards,

Sahil Sharma

---------------------------------------------------

Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Hi,

I didn't quite understand the scenario. Do you required a NAT IP for a VIP running between 2 load balancers or a VIP to be running between 2 SRXs?

The most common and open standard protocol for running a VIP is VRRP, which requires a switching infrastructure between the 2 physical interfaces for exchange of VRRP packets.

SRXs can also be operated in clusters for high availability.

Cheers,

Ashvin

My virtual IP will like floating IP in this diagram https://assets.digitalocean.com/articles/high_availability/ha-diagram-animated.gif

Hi,

You would need a reth interface and configure the SRX nodes in a chassis cluster.

Else, VRRP could be used :-

https://kb.juniper.net/InfoCenter/index?page=content&id=KB24681&actp=search

Regards,

Sahil Sharma

---------------------------------------------------

Please mark my solution as accepted if it helped, Kudos are appreciated as well.

I am not trying to do HA on SRX device, i want to setup floating IP so i can loadbalance 2 loadbalancer virtual machine in my infrastructure. I only have 1 Juniper SRX router and i believe i should be able to do this. 

https://www.digitalocean.com/community/tutorials/how-to-create-a-high-availability-setup-with-corosync-pacemaker-and-floating-ips-on-ubuntu-14-04 (https://assets.digitalocean.com/articles/high_availability/ha-diagram-animated.gif)

I want to follow this tutorial but a requirement is i must have floating IP or virtual IP and want to know how i can get that IP from my juniper router. I have /27 public IP block to use, so how do i use SRX to setup a floating/virtual IP?

That is what my question is.

Thanks

I am not sure what exactly the links are doing, i see the first link makes me route to different ports, but i want to route to same port on different IP

its like this image here https://assets.digitalocean.com/articles/high_availability/ha-diagram-animated.gif

The example you link  to on digital ocean shows how you configure load balancers.  Load balancers can send the same input traffic to multiple destination servers.

The SRX is a firewall and does not have load balancer features.

Ok again i want to setup Floating IP.

Do you know what floating IP is? Did you read the link i sent to know what the use of floating IP is? Floating IP is NOT a loadbalancer, it is used to direct traffic to particluar server or virtual machine without the virtual machine knowing the IP.

The same link i sent has all this information https://www.digitalocean.com/company/blog/floating-ips-start-architecting-your-applications-for-high-availability/

No need to get rude, yes, I read your link.  The discussion on floating ip address is a function of the load balancer.

From your diagram  LOAD BALANCER failover in the flow diagram.

The SRX does not do loadbalancing.  It can do destination nat to forward an address to a single downstream ip address as the links above note.  What it cannot do is have two servers conencted to that same ip and port as shown in your sample diagram.

For high availablity on this function the SRX can be put into a chassis cluster so that a second firewall will take over for the failed firewall.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB15650

Hi,

Am not familiar with load balancing mechanism by fit for purpose load balancers.

On the SRX, D-NAT can be used to present a "public facing" IP, similar to a floating IP.

As Steve mentions, SRXs are firewalls and not fit for purpose load balancers.

However, in routing load sharing is possible when there are 2 equal cost routes to a destination also known as ECMP.

This is enabled by applying either a load-balance per packet or per flow policy to forwarding-table or forwarding-options.

This is load-balancing in purely IP routing where there is no visibilty of application protocols and normally load shared over a core network.

Substituting an application-specific load balancer by a firewall does not guarantee the same behavior and results. However, I believe these are different technological solutions in their own rights to tackle specific challenges/problems.

Cheers,

Ashvin