SRX

I have an existing standalone SRX240 with several layer-3 vlan interfaces that work great.  I need to add redundancy so we got a 2nd SRX240.  The last time I deployed a cluster of SRX's were before they supported switching mode.  And I understand with 11.1 and newer on the SRX240, switching mode is supported in cluster mode, so I have a few questions.

1.  Do I need to enable STP on the cluster?  By default it's off.  Will the cluster look like a single switch from a STP perspective?  I looked in the 11.4 config guide for clustering, and it doesn't really mention it.

2.  I need remote access and site to site VPN's to work.  I see nothing in the release notes that indicate it won't work in a cluster.  But I'm just wondering if anyone can confirm that this will work so I don't end up with a nice surprise.

3.  When reading this KB ArticleI was kinda shocked to read this at the very end.... This seems to suggest what I suspect are the most common use cases for this won't work????

NOTE: As of this writing, while using ethenet-switching in chassis cluster deployment Layer3 routing from L2 ethernet-switching network via L3-interface Vlan.X is not supported. 

 4.  So it seems I'll need at least 4 interfaces to make the cluster work (1 for fxp0, 1 for the control, 1 for the regular fabric and 1 for the switching fabric).  Is that correct?  Seems to be quite a bit of ports burned up just to get a cluster to work.

5.  It seems I won't need any reth interfaces based on the example in the config guide so I can just keep my existing vlan interfaces and mappings to the security zones?

Any other comments or tricks?

---

1.  Do I need to enable STP on the cluster?  By default it's off.  Will the cluster look like a single switch from a STP perspective?  I looked in the 11.4 config guide for clustering, and it doesn't really mention it.

---

It appears as a single device.  You won't need STP any more than you would with a single SRX.  However, that being said, it's usually a good idea to have some kind of STP whenever switching devices are involved.  Just as a good practice.

---

2.  I need remote access and site to site VPN's to work.  I see nothing in the release notes that indicate it won't work in a cluster.  But I'm just wondering if anyone can confirm that this will work so I don't end up with a nice surprise.

 

---

From the Junos 12.1 release notes:

• On all branch SRX Series devices, only redundant Ethernet interfaces (reth) are supported for IKE external interface configuration in IPsec VPN. Other interface types can be configured, but IPsec VPN might not work.

This relates to your points 3 and 4.  (and 5).

---

3.  When reading this KB ArticleI was kinda shocked to read this at the very end.... This seems to suggest what I suspect are the most common use cases for this won't work????

 

NOTE: As of this writing, while using ethenet-switching in chassis cluster deployment Layer3 routing from L2 ethernet-switching network via L3-interface Vlan.X is not supported. 

---

I was not aware of that -- but I've honestly not tried that setup.  I can't say that I'm really all that surprised, though.

This limitation alone pretty much puts a squash on your proposed configuration since it's not going to work the way you are looking for.

---

 4.  So it seems I'll need at least 4 interfaces to make the cluster work (1 for fxp0, 1 for the control, 1 for the regular fabric and 1 for the switching fabric).  Is that correct?  Seems to be quite a bit of ports burned up just to get a cluster to work.

---

Yup.

---

5.  It seems I won't need any reth interfaces based on the example in the config guide so I can just keep my existing vlan interfaces and mappings to the security zones?

---

It would seem not, based on your point #3.  Also the VPNs have to terminate on a reth interface rather than a vlan RVI.

Perfect.  Thanks, kr!