SRX Services Gateway
Contributor
aeroplane
Posts: 724
Registered: ‎06-30-2009
0

Re: Redundancy Group Design Question

Hi Bill

Thanks for the great explanation. As you mentioned for UTM/IPS, RG0 and RG1+ should be on the same chassis.

1- Is that true for IPSEC VPN and routing over IPSEC?

2- For RG0 and RG1+ on the same node, I will track all interfaces of all RG1+ in RG0? Also should I track interfaces in their respective RG1+ as well?

Thanks

Super Contributor
billp
Posts: 126
Registered: ‎05-01-2008
0

Re: Redundancy Group Design Question

1. VPN and routing are done in SPC, so I don't believe RG0 has any effect here.

2. If you want to be sure that everything (RG0+) fails all together every time, then track all the relevant interfaces in all the RGs; that means you'll fail a chassis if ANY interface fails, but that may be necessary depending on your design requirements.

Contributor
aeroplane
Posts: 724
Registered: ‎06-30-2009
0

Re: Redundancy Group Design Question

Thanks. It really helped. Do you think there is any special relation or consideration between HA and IPSEC, and also between HA and routing?

Thanks

Super Contributor
billp
Posts: 126
Registered: ‎05-01-2008
0

Re: Redundancy Group Design Question

HA and IPSec: On failover of the forwarding plane, I believe you have to rekey your tunnels.

HA and Routing: On failover of the control plane, you will have to re-establish adjacencies and recalculate your routing tables.
