SRX Services Gateway

Management of an SRX 345 cluster question

09-13-2019 09:39 AM

Can anyone tell/confirm/deny for me IF it is possible to manage an SRX cluster on a 'revenue'/data port and NOT on the fxp0/mgmt port? I have a very small network, 4 VLANs that I am looking to take off of a switch and move 'up' to a firewall, which would now be the top layer of the infrastructure and hold all of the gateways at the interface/zone level. I don't have another network to assign on the MGMT/fxp0 ports, so I'd rather not have to use it if I don't need to. All of the traffic here is internal and there shouldn't even be a need for any routes, as everything to/from anything else has to pass the firewall, which knows where to route to.


I suppose if a revenue port cannot also be used as a management port I could just configure the fxp0 ports in the groups statements with some random local network and put a dedicated workstation on that subnet to manage it, but I would obviously prefer not to if I can just use one of the reth interfaces to manage via SSH/J-Web.


Thanks!


Re: Management of an SRX 345 cluster question

09-13-2019 09:53 AM

Yes, it is possible to manage the SRX via a revenue/data port. Just allow ssh/https etc. in host-inbound-traffic for the particular zone and then you can log in to the primary node. One caveat is that you cannot directly log in to the secondary node from your PC. If you want to log in to the secondary node, first log in to the primary node and then log in to the secondary using the "request routing-engine......" command.
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Management of an SRX 345 cluster question

09-13-2019 10:49 AM

Thank you very much, this is what I thought! But I was being told by some colleagues in the department that management via a revenue port was not allowed/possible. Thank you for the assistance.


Re: Management of an SRX 345 cluster question

a month ago

Brian,


I know it's not your case, but as an FYI, you could even use a revenue port as an out-of-band management interface if you configure it under the management zone:


Ref: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-zone-configuration.html


Management zones have the following properties:

  • Management zones host management interfaces.

  • Traffic entering management zones does not match policies; therefore, traffic cannot transit out of any other interface if it was received in the management interface.

  • Management zones can only be used for dedicated management interfaces.
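A worked configuration covering both replies above (SSH/HTTPS allowed to the control plane on a reth sub-interface in a normal security zone, plus the management-zone alternative for a spare revenue port), as an added example that is not part of this thread; the interface names, zone name, addresses and filter name are assumed:

```junos
# Constructed example, not from the thread. reth1.10 carries the internal
# VLAN the admin workstation sits on; the cluster is managed over it
# instead of fxp0. Interface, zone, address and filter names are assumed.

# 1. Revenue port in a regular security zone, with SSH/HTTPS allowed to
#    the control plane on that one sub-interface only (not zone-wide).
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 10 vlan-id 10
set interfaces reth1 unit 10 family inet address 10.10.10.1/24
set security zones security-zone internal interfaces reth1.10 host-inbound-traffic system-services ssh
set security zones security-zone internal interfaces reth1.10 host-inbound-traffic system-services https
set system services ssh
set system services web-management https system-generated-certificate

# 2. Restrict which sources may open SSH/HTTPS to the device itself.
#    Everything else bound for the control plane (cluster control,
#    routing, ping) falls through to the final accept term untouched.
set firewall family inet filter PROTECT-RE term allow-mgmt from source-address 10.10.10.0/24
set firewall family inet filter PROTECT-RE term allow-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term allow-mgmt from destination-port [ ssh https ]
set firewall family inet filter PROTECT-RE term allow-mgmt then accept
set firewall family inet filter PROTECT-RE term block-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term block-mgmt from destination-port [ ssh https ]
set firewall family inet filter PROTECT-RE term block-mgmt then discard
set firewall family inet filter PROTECT-RE term everything-else then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# 3. Alternative from the last reply: a spare revenue port (ge-0/0/5 on
#    node0, assumed) placed in the management functional zone. Traffic
#    arriving here never matches security policies, so it cannot transit
#    out of any other interface.
set interfaces ge-0/0/5 unit 0 family inet address 192.168.200.1/24
set security zones functional-zone management interfaces ge-0/0/5.0 host-inbound-traffic system-services ssh
set security zones functional-zone management interfaces ge-0/0/5.0 host-inbound-traffic system-services https
```

In a chassis cluster only the primary node answers on reth1.10 (`show chassis cluster status` shows which node that is); to reach the secondary, log in to the primary and run `request routing-engine login node 1`.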