SRX Services Gateway
Contributor
Freddy
Posts: 83
Registered: ‎01-04-2009

SRX design help

Hi!

I'm going to deploy a couple of customer connections at two different sites. Each site will have two SRX210 and two leased lines, running BGP for failover functionality.

At site1 the two SRX210 will be sitting in the same rack and my plan was to use a JSRP cluster between them. One reth on the inside so the customer gets one IP address and then one interface against each leased line (no reth).

At site2 the SRX210 will be separated by some distance and from what I have read a JSRP cluster doesn't work if there is a switch between them (fabric, control link). What can I use here to get some kind of redundancy but still give the customer one address on the inside that they can route via?

Does the suggestion at site1 make sense?

Regards

Freddy

Contributor
tontsa
Posts: 24
Registered: ‎01-30-2009

Re: SRX design help

You can run VRRP and offer that VIP-address for your clients. You might also find running normal BGP+VRRP a lot more stable than the SRX/J-series cluster function. Also in cluster mode you will lose most of the features available in non-cluster mode.

Contributor
Freddy
Posts: 83
Registered: ‎01-04-2009

Re: SRX design help

Thanks for the reply.

So one BGP per SRX and IBGP between them and VRRP against the internal network, correct?

Contributor
tontsa
Posts: 24
Registered: ‎01-30-2009

Re: SRX design help

Yeah, that works fine. I have that kind of setup with J-series here. I have also configured BFD between the BGP peers so they notice faster if the link has dropped.
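
A set-style sketch of the design agreed in the posts above (VRRP on the inside, one eBGP session per SRX, iBGP between the two, BFD on the BGP sessions), shown for the first SRX at site2. It is an added example, not a config posted by anyone in this thread; interface and zone names, addresses, AS numbers, priorities and timers are constructed. The interface tracking and the `host-inbound-traffic` lines go beyond what the posts mention: a flow-mode SRX only accepts VRRP, BGP and BFD packets addressed to itself when the zone permits them.

```junos
# SRX-A (intended VRRP master). All values below are constructed samples.
# Inside LAN: the customer routes via the VIP 192.0.2.1.
# SRX-B would use 192.0.2.3 with a lower priority (for example 100).
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 virtual-address 192.0.2.1
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 priority 200
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 preempt
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 accept-data
# Optional: drop below SRX-B's priority when the leased-line interface goes down.
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 track interface ge-0/0/0.0 priority-cost 150

# Leased line towards the provider.
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.2/30

set routing-options autonomous-system 64512

# eBGP to the provider, with BFD so a dead link is noticed quickly.
set protocols bgp group provider type external
set protocols bgp group provider peer-as 64513
set protocols bgp group provider neighbor 198.51.100.1 bfd-liveness-detection minimum-interval 300
set protocols bgp group provider neighbor 198.51.100.1 bfd-liveness-detection multiplier 3

# iBGP to SRX-B across the inside LAN, also with BFD.
set protocols bgp group internal type internal
set protocols bgp group internal local-address 192.0.2.2
set protocols bgp group internal export nhs
set protocols bgp group internal neighbor 192.0.2.3 bfd-liveness-detection minimum-interval 300
set protocols bgp group internal neighbor 192.0.2.3 bfd-liveness-detection multiplier 3
# Rewrite the next hop so SRX-B can resolve routes learned on SRX-A's leased line.
set policy-options policy-statement nhs then next-hop self

# Flow mode: allow the control protocols to reach the device itself.
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols bfd
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols bgp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols bfd
```

With a 300 ms interval and a multiplier of 3, a BFD session is declared down after roughly 0.9 s without hellos, instead of waiting for the BGP hold timer.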

 

Visitor
Ho0
Posts: 1
Registered: ‎02-19-2010

Re: SRX design help

I have to disagree. It is totally possible to create a JSRP cluster where the firewalls are not in the same room. We have several totally stable installations where the firewalls are separated by 500m or so. The connections are done with fibres. With fxp1 we use a media converter (eth -> fibre) and fab is done with fibre.
JNCIS-SEC
Contributor
tontsa
Posts: 24
Registered: ‎01-30-2009

Re: SRX design help

Then you are one of the lucky ones to have a stable J-Series/SRX cluster. Can you please share a config so we can learn from it?

Regular Visitor
JohnCobalt
Posts: 5
Registered: ‎10-13-2009

Re: SRX design help

Are those SRX in packet or flow-based mode? If the former, I agree in that it's a simple and elegant solution.

However, if in flow-based mode, all established-flow related information is lost whenever traffic is rerouted, is that correct?

Regarding having a cluster over a layer 2 ethernet network, there are some tips to make this work (where's the FAQ on HA for Juniper products?). "SRX Services Gateway Cluster Deployments Across Layer Two Networks"

http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-clustering-over-a-switched-network-Is-this-eve...

John
