SRX

please see top in attachment. I have configure chassis cluster for firewall. D1 and D2
have same gateway ip address, and redundant-parent reth0. 

My question is(the route from D1 and D2 is prefer L1 and L2 :

1. when the D1 down, whether the cluster status don't be changed, then the traffic change from switch1->fw1->D1 to switch1->fw1->fw2->D2.

2. when the switch1 down, whether the cluster status don't be changed, then the traffic change from switch1->fw1->D1 to switch2->fw2->D2.

The answer depends on your configuration.  Generally you would have a switch on the INET side as well, but....

If you monitor the link D1, then it would cause a fail over to FW2 and traffic would flow SW1-> SW2 -> FW2 ->D2

Just kind of depends on how many RG's you have and how they are configured for failover and monitoring.

Hello, I don't monitor any interface on firewall, so the HA status won't be changed. D1 and D2 interface are in same redundant-parent reth0, so I want to know whether the firewall can know when the D1 down, the traffic from SW1 will be transfered to FW2 and the to D2.

If the physical interface drops, then yes, but I believe you have to monitor for that RG to move to FW2.

Pull the cable and see if it works...?

---

@ed_gpc wrote:

If the physical interface drops, then yes, but I believe you have to monitor for that RG to move to FW2.

 

Pull the cable and see if it works...?

---

Because if only one interface drops, the RG needn't move to FW2. If the other interface aslo drops, it will.

Hi Zouj,

1. If you do not want routing engines to shift from one firewall to other, tackle it by not defining interface-monitor & defining only priority under redundancy-group 0 (sice REs are always member of RG0)

2. Moreover, if you want the traffice to traverse both the firewalls in case of cloud or switch failure  traffic, then you should use separate RGs for trust and untrust sides i.e. RG1 and RG2. 

an example config will become like this

In above example ge-2/0/0,  ge-2/0/1, ge-11/0/0, ge-11/0/1 are connected to L1, L2, D1 and D2, respectively and LACP enabled. Whereas ge-2/0/2 and ge-11/0/2 are connected to Switch-1 and Switch-2 respectively. Moreover, reth0 & reth1 will be member of different redundancy-groups therefore, failure of ge-2/0/0 will not impact RG2.or anyother.

Hope it helps

---

@rasmus wrote:

Hi Zouj,

 

1. If you do not want routing engines to shift from one firewall to other, tackle it by not defining interface-monitor & defining only priority under redundancy-group 0 (sice REs are always member of RG0)

 

2. Moreover, if you want the traffice to traverse both the firewalls in case of cloud or switch failure  traffic, then you should use separate RGs for trust and untrust sides i.e. RG1 and RG2. 

 

an example config will become like this

 

chassis {

    cluster {

        control-link-recovery;

        reth-count 2;

        heartbeat-threshold 3;

        node 0;

        node 1;

        redundancy-group 0 {

            node 0 priority 254;

            node 1 priority 1;

        }

        redundancy-group 1 {

            node 0 priority 254;

            node 1 priority 1;

            preempt;

            interface-monitor {

                ge-2/0/0 weight 255;

                ge-11/0/0 weight 255;

                ge-2/0/1 weight 255;

                ge-11/0/1 weight 255;

            }

        }

       redundancy-group 2 {

            node 0 priority 254;

            node 1 priority 1;

            preempt;

            interface-monitor {

                ge-2/0/2 weight 255;

                ge-11/0/2 weight 255;

            }

        }

    }

}

 

In above example ge-2/0/0,  ge-2/0/1, ge-11/0/0, ge-11/0/1 are connected to L1, L2, D1 and D2, respectively and LACP enabled. Whereas ge-2/0/2 and ge-11/0/2 are connected to Switch-1 and Switch-2 respectively. Moreover, reth0 & reth1 will be member of different redundancy-groups therefore, failure of ge-2/0/0 will not impact RG2.or anyother.

 

Hope it helps

 

---

Thank you very much！