New User
PigSnack
Posts: 1
Registered: ‎07-22-2011
0

To VC the SRX nodes or not?

I'm confused whether it is better practice to deploy SRX/NSM in VC mode single IP or as a cluster of two nodes with two IPs.  It seems that there are two good reasons *not* to VC:

 

1) Logging in VC mode does not allow real time sync as logging data does not traverse fxp0.

2)  Individual node status in NSM seems more complete in cluster-from-nodes than VC. 

 

Thanks

Super Contributor
tbehrens
Posts: 349
Registered: ‎04-30-2010
0

Re: To VC the SRX nodes or not?

If your design allows it - that is, true out-of-band network to communicate with fxp0, and a separate NIC on NSM for communicating to the Internet / receiving stream logs - then I'd manage via fxp0 instead of via VC.

 

Also, afaik, VC is only an option on Branch, not on Highend SRX.

 

Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008
0

Re: To VC the SRX nodes or not?

One more thing to think about when doing VC mode: Updating the SRX cluster with new Junos releases from NSM is not supported (it will do the update but only on one box, leaving your cluster in an undefined state).

 

Unfortunately, managing SRXs through fxp0 is too much of a hassle too. 

 

Juniper really needs to do something about this.

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860