08-16-2011 01:31 PM
I'm confused whether it is better practice to deploy SRX/NSM in VC mode single IP or as a cluster of two nodes with two IPs. It seems that there are two good reasons *not* to VC:
1) Logging in VC mode does not allow real time sync as logging data does not traverse fxp0.
2) Individual node status in NSM seems more complete in cluster-from-nodes than VC.
08-18-2011 07:56 AM
If your design allows it - that is, true out-of-band network to communicate with fxp0, and a separate NIC on NSM for communicating to the Internet / receiving stream logs - then I'd manage via fxp0 instead of via VC.
Also, afaik, VC is only on option on Branch, not on Highend SRX.
08-21-2011 09:56 AM
One more thing to think about when doing VC mode: Updating the SRX cluster with new Junos releases from NSM is not supported (it will do the update but only on one box, leaving your cluster in undefined state).
Unfortunately, managing SRXs through fxp0 is too much of a hassle too.
Juniper really needs to do something about this.