SRX Services Gateway
SRX Services Gateway

SRX650 Cluster with ethernet switching

‎04-29-2014 05:00 PM

Hey Folks,
I'm working on a new design for one of our datacenters, where we have the requirement to have 3 ex4200 VC's connected to a pair of SRX650's in a chassis cluster.  We need to be able to have the same vlan's across all 3 ex4200 VC's.

I have attached a diagram that I think shows how this would be implemented.


My question is what am I giving up, if anything by using ethernet switching on the SRX650 cluster.  I need to support external IPsec tunnels that would remain to be terminated on reth interface.


Does anybody know if there is an outage taken when enabling ethernet switching on the srx cluster?  I seem to remember a website that mentioned there was, but am unable to find this now.


I'm also making some assumptions, in that I can place the RVI's in security zones, and control data flow just as if they were physical interfaces.


If any additional information is needed, please let me know.


Thanks in advance,


SRX Services Gateway

Re: SRX650 Cluster with ethernet switching

‎04-29-2014 05:29 PM


I have put RVI's in security zones on non-clustered configurations, but haven't tried it in this fashion.  There does appear to be a service interruption of ethernet switching during failover.  Not sure if this helps answer your question:


"When chassis cluster failover occurs, a new primary node is elected and the Ethernet Switching Daemon (ESWD) runs in a different node. During failover, chassis control subsystem is restarted, and the traffic outage occurs until the PICs are up and the VLAN entries are re-programmed. After fail over, all Layer 2 protocols re-converge, because Layer 2 protocols states are not maintained in the secondary node.

Note: The Ethernet-switching subsystem runs only in the primary node"


SRX Services Gateway

Re: SRX650 Cluster with ethernet switching

‎05-06-2014 02:53 AM



You can't terminate IPSec VPN's on IRB interfaces, so you can't run you SRX pair in layer 2 mode if this is a requirement (which is what I assume you're asking? Forgive me if I'm wrong).


My suggestion would be to configure a dot1q trunk from your VC's up to a reth interface (let's say reth0) on the SRX pair, and configure your RVI IP addresses under each reth0 unit, and configure them with the VLAN ID's you've configured on your trunk link.  You can place each reth0.x interface in different security zones and firewall appropriately.


Hope this helps.