SRX Services Gateway
Contributor
Posts: 776
Registered: ‎06-30-2009
0

Re: Redundancy Group Design Question

Hi Bill

Thanks for the great explanation. As you mentioned for UTM/IPS, RG0 and RG1+ should be on the same chassis.

1- Is that true for IPSEC VPN and Routing over IPSEC?

2- For RG0 and RG1+ on the same node, I will track all interfaces of all RG1+ in RG0? Also should I track interfaces in their respective RG1+ as well?

Thanks

Super Contributor
Posts: 128
Registered: ‎05-01-2008
0

Re: Redundancy Group Design Question

1. VPN and routing are done in SPC, so I don't believe RG0 has any effect here.

2. If you want to be sure that everything (RG0+) fails all together every time, then track all the relevant interfaces in all the RGs; that means you'll fail a chassis if ANY interface fails, but that may be necessary depending on your design requirements.

Contributor
Posts: 776
Registered: ‎06-30-2009
0

Re: Redundancy Group Design Question

Thanks. It really helped. Do you think there are any special relationships or considerations between HA and IPSEC, and also between HA and Routing?

Thanks

Super Contributor
Posts: 128
Registered: ‎05-01-2008
0

Re: Redundancy Group Design Question

HA and IPSec: On failover of the forwarding plane, I believe you have to rekey your tunnels.

HA and Routing: On failover of the control plane, you will have to re-establish adjacencies and recalculate your routing tables.
