SRX

Hi Guys,

I don't have access to an SRX at the moment, so just wondered is it possible to have redundant ethernet interface configured across a pair of SRX firewalls without doing chassis cluster. I don't think you can do it, but would like to get my thought confirmed.

Thanks.

Specifically a 'reth' interface, no.  But you can have two SRXes providing next-hop redundancy without a chassis cluster, so long as your traffic flow is not asymmetric at any point.

Thanks evt, do you have any links/documents that explains next hop redundancy you mentioned?

What is it that you are trying to do?  If your SRXes are in layer 3 mode (not transparent) then first-hop (my bad, next-hop is slightly incorrect terminology) redundancy can be provided by VRRP:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB24681

You need to make sure that 'vrrp' is configured as an allowed protocol in your zone configuration.

If you are using the SRXes as BGP devices, you can control when your traffic is routed by using conditional advertisement:

http://alostrealist.com/2014/05/13/conditional-route-advertising-on-srx/

I actually use two pairs of SRX clusters in a VRRP configuration in a critical part of our network and use the VRRP /32 virtual address as the condition by which the local SRX advertises specific a specific route.  This ensures that a network that is primary on one cluster is always advertised out that cluster unless the VRRP master changes to the secondary cluster.

Thanks evt, this answered my question.