SRX Services Gateway

SRX-Chassis-Cluster / Switched Fabric Interface / IPSEC-Termination on IRB-Interface

‎01-17-2019 11:56 PM

Hi all,

 

just a quick one:

Please let me know if this scenario is supported:

 

Two SRX345 in Chassis-Cluster + Switched Fabric (swfab).

Create a VLAN and an L3 IRB interface. (Let's assume: VLAN "External" with vlan-id 10, and IRB unit 10 with family inet address 10.10.10.1/24.)

Configure the VLAN on multiple ports on Node0 and Node1.

(Let's assume: Node0 ge-0/0/5 and ge-0/0/6, and Node1 ge-5/0/5 and ge-5/0/6.)

And then finally use this IRB as the external-interface within the IKE gateway.

Use STP to block three of these four external ports and make sure that only one (ge-0/0/5 preferred) will be used for IPsec termination.

Only in case of failure should the other ports be chosen by STP for IPsec termination.

 

Is this a supported feature, or are there any known issues with swfab + IPsec on an IRB?

 

Best regards, Christoph.
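For readers who want to see the scenario above as configuration rather than prose, here is an added, illustrative Junos set-command fragment. It is not the poster's configuration and it does not claim that the combination is supported; it only expresses what the question describes. The VLAN name, vlan-id, IRB address and the four VLAN member ports come from the question; the swfab member ports (ge-0/0/4 and ge-5/0/4), the RSTP path costs, the zone names, the IKE gateway name "remote-gw" and its peer address 192.0.2.10 are assumptions, and the IKE/IPsec proposals and policies are omitted.

```junos
## Added illustrative configuration for the scenario in the question.
## Not the poster's config; assumed values are marked in the comments.

## Switched fabric between the two nodes (member ports are assumed)
set interfaces swfab0 fabric-options member-interfaces ge-0/0/4
set interfaces swfab1 fabric-options member-interfaces ge-5/0/4

## VLAN "External" (vlan-id 10) with irb.10 as its L3 interface, as in the question
set vlans External vlan-id 10
set vlans External l3-interface irb.10
set interfaces irb unit 10 family inet address 10.10.10.1/24

## The same VLAN on two ports of each node, as in the question
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members External
set interfaces ge-0/0/6 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members External
set interfaces ge-5/0/5 unit 0 family ethernet-switching interface-mode access
set interfaces ge-5/0/5 unit 0 family ethernet-switching vlan members External
set interfaces ge-5/0/6 unit 0 family ethernet-switching interface-mode access
set interfaces ge-5/0/6 unit 0 family ethernet-switching vlan members External

## RSTP: lowest path cost on ge-0/0/5 so it is the preferred forwarding port;
## the other three get a higher (assumed) cost and should be blocked while
## ge-0/0/5 is up. Which port forwards also depends on where the root bridge
## sits, so the root bridge should be on the switch side, not on the SRX.
set protocols rstp interface ge-0/0/5 cost 1000
set protocols rstp interface ge-0/0/6 cost 20000
set protocols rstp interface ge-5/0/5 cost 20000
set protocols rstp interface ge-5/0/6 cost 20000

## Zones: the IRB must accept IKE; the tunnel interface sits in its own zone (names assumed)
set security zones security-zone untrust interfaces irb.10 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0

## IKE gateway terminating on the IRB (gateway name and peer address assumed;
## ike-policy / ipsec-policy definitions omitted)
set security ike gateway remote-gw address 192.0.2.10
set security ike gateway remote-gw external-interface irb.10
set security ipsec vpn remote-vpn bind-interface st0.0
set security ipsec vpn remote-vpn ike gateway remote-gw
set interfaces st0 unit 0 family inet
```

After committing, `show spanning-tree interface` shows which of the four ports is forwarding and `show security ike security-associations` shows whether the IKE SA came up on irb.10. Because the IRB keeps the same address no matter which port or node is forwarding, the remote peer sees one gateway address throughout; the open question in the thread is only whether this combination (swfab, STP-selected port and IKE on the IRB) is supported on this platform, which the fragment itself cannot answer.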


Re: SRX-Chassis-Cluster / Switched Fabric Interface / IPSEC-Termination on IRB-Interface

‎01-18-2019 12:12 AM

IMHO, but not tested, it should work; however,

STP switchover is slow

 

and the better way of doing this is to define a reth on the SRX and two ae interfaces on the remote site if they go to the same device; otherwise, define two reth interfaces.

Reth interfaces are supported for IKE termination; the st0.* interface can be in any zone.

 

regards

 

alexander
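As an added illustration of the reth-based design suggested in the reply above (not Alexander's own configuration), here is a Junos set-command fragment for a single WAN reth in redundancy-group 1 with IKE terminating on it. The ports ge-0/0/5 and ge-5/0/5 and the address 10.10.10.1/24 reuse the values from the question; the reth number, redundancy-group priorities, interface-monitor weights, zone names, the IKE gateway name "remote-gw" and peer 192.0.2.10 are assumptions, and the IKE/IPsec proposals and policies are omitted.

```junos
## Added illustrative reth-based alternative; assumed values are marked in the comments.

## Redundancy group 1 owns the WAN reth; node0 is preferred (priorities assumed)
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
## Fail RG1 over if the active node's WAN link goes down (weights assumed)
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/5 weight 255

## One child link per node: only the active node's link carries traffic,
## so the two "standalone" switches never see a LAG.
set interfaces ge-0/0/5 gigether-options redundant-parent reth0
set interfaces ge-5/0/5 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.10.10.1/24

## Adding a second child per node (ge-0/0/6 / ge-5/0/6) would turn each node's
## pair into a LAG, which requires an ae on the switch it connects to:
## set interfaces ge-0/0/6 gigether-options redundant-parent reth0
## set interfaces ge-5/0/6 gigether-options redundant-parent reth0

## IKE terminates on the reth; st0.0 in its own zone (names assumed)
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0
set security ike gateway remote-gw address 192.0.2.10
set security ike gateway remote-gw external-interface reth0.0
set security ipsec vpn remote-vpn bind-interface st0.0
set security ipsec vpn remote-vpn ike gateway remote-gw
set interfaces st0 unit 0 family inet
```

`show chassis cluster interfaces` lists the reth and its child links with their status, and `show chassis cluster status` shows which node holds redundancy-group 1. Failover is driven by the cluster's own monitoring rather than by STP reconvergence, which is the point of the reply; the trade-off is that per-node link redundancy needs the switch side to terminate a LAG, which the follow-up below rules out for this site.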


Re: SRX-Chassis-Cluster / Switched Fabric Interface / IPSEC-Termination on IRB-Interface

‎01-18-2019 01:08 AM

Hi Alexander,

 

thanks for your reply.

Reth interfaces are not possible in that scenario.

The customer wants to have a cross connect on the LAN and WAN interfaces (so in total 4x LAN ports and 4x WAN ports).

The switches the SRX nodes will be connected to are in different buildings and are only connected by a port-channel.

So the switches can be assumed to be standalone; no VSS, Virtual Chassis or MC-LAG is possible.

And this is the point why reth interfaces won't work. Whenever I put more child links on the same node into a reth interface they will create a LAG, but the "standalone" switches will not know how to respond to these LAG packets because they will always see only "half" the packet...

So I came to the solution of making the SRX cluster also act as a switch by activating swfab.

 

BR, Christoph