SRX Services Gateway

SRX650 A/P Cluster Question

03-09-2010 11:23 AM

Hello All,


I am configuring my first SRX cluster, and have a question about setting the system default router and routing for the reth interfaces.


I have used the SRX650 Cluster KB15503 and TN79 as my guides for the base setup. However, it is unclear to me, given my environment (shown in the attached JPG), how to set the system backup-router statements for the nodes.


Should the system backup-router statement (as shown in TN79) be configured with the IP address of the EX4200VC (10.x.x.20/22 in the diagram)?


Do I need a separate VR to contain the routing for the reth 0.0 network to ensure proper routing for the machines in the Trust Zone?


Any suggestions would be greatly appreciated.  



Re: SRX650 A/P Cluster Question

03-09-2010 04:10 PM

JPG is missing, please attach.





Re: SRX650 A/P Cluster Question

03-18-2010 09:07 PM

Firstly, the backup-router statement only applies to the secondary node for RG0, as the secondary does not own rpd and thus cannot perform route lookups. If managing from the 10.x.x.x/22 network, then the backup-router statement is not needed. But if managing from a remote network, then you would need the backup-router configuration. Based on your diagram, you would configure something like below:


set system backup-router 10.x.x.20 destination <remote-ip-subnet>


Also, since your trust network seems to overlap your fxp0 network, you will need to have the reths in a separate virtual router type routing-instance. Just remember that you cannot terminate an IPSec tunnel from an interface in a routing-instance at this time.
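
The two changes described in the reply above, written out in set format as an added example that is not part of the original thread. TRUST-VR, reth1.0 and every value in angle brackets other than <remote-ip-subnet> are assumed placeholders; 10.x.x.20 is the address from the question.

```junos
# Added example. TRUST-VR, reth1.0 and the <...> values are assumptions;
# substitute the real addresses from your own diagram.

# Per-node management settings go in node groups so each RE keeps its own
# fxp0 address. The backup-router route is installed on whichever node is
# secondary for RG0, so it is configured for both nodes.
set groups node0 interfaces fxp0 unit 0 family inet address <node0-fxp0-ip>/22
set groups node0 system backup-router 10.x.x.20 destination <remote-ip-subnet>
set groups node1 interfaces fxp0 unit 0 family inet address <node1-fxp0-ip>/22
set groups node1 system backup-router 10.x.x.20 destination <remote-ip-subnet>
set apply-groups "${node}"

# The destination stays limited to the remote management subnet, as in the
# reply, so management reachability does not pull other traffic toward fxp0.

# fxp0 always lives in the default instance (inet.0). Moving the reths into
# a virtual router keeps the overlapping trust network out of inet.0, so
# transit routing and management routing are looked up in separate tables.
set routing-instances TRUST-VR instance-type virtual-router
set routing-instances TRUST-VR interface reth0.0
set routing-instances TRUST-VR interface reth1.0
set routing-instances TRUST-VR routing-options static route 0.0.0.0/0 next-hop <upstream-next-hop>

# Caveat from the reply: an interface inside a routing-instance could not
# terminate an IPSec tunnel at the time of this thread.
```

After commit, `show route table TRUST-VR.inet.0` should list the reth networks, and they should no longer appear in `show route table inet.0`.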




Re: SRX650 A/P Cluster Question

03-20-2010 05:18 AM

What if I am not using an overlapping network for the fxp's, but it has to be reached from a remote network which isn't reachable by any forwarding interface (fxp nsm)?

The passive node's RE will be reachable but the first node will not (because the working active RE didn't know, it will be sent to the default route).


I am doing a POC and have been facing this issue recently.