by admin

Juniper Srx 3400 Stencil

ShapeSource is the best place to find free Juniper Networks Microsoft Visio shapes and stencils. These shapes contain high-quality graphics and a set of smart behaviors that will save you time and effort while producing outstanding-quality drawings of data center installations.

Hi Guys, I am a network engineer and I have touched firewalls in general, and in depth with Cisco ASA and Checkpoint. But Juniper is a new beast to me; I have been digging a bit in a network that I need to master for a project. They use a Juniper firewall as external and internal firewalls. I will probably have some seriously basic questions, but here I go. The design is that they have a cluster which spans 2 data centers. So the master is in DC1 and the slave is in DC2; between them they have redundancy. Am I correct in assuming the following: Redundancy Group 0 and 1 are for control plane and data plane respectively?

It's probably also 2 physical cables? Spanned via a switch or an IP network between the 2 firewalls in the cluster. We have VRRP running on our Cisco network if they need an SVI (layer 3 VLAN), but for a lot of VLANs the firewall is the layer 3 endpoint. So I have seen the following: for each VLAN you define an interface on the firewall (sub-interface), and you follow the VLAN naming convention as the interface naming convention. It's like running Routing on a Stick. I follow there, but the interface only has 1 IP. So in HSRP or VRRP each interface on the device has an IP and they share a VIP. But in the Juniper firewall the IP is the same across the cluster, correct? Is the MAC also the same, or does the Juniper perform a grat ARP during failover? Is there a comprehensive guide to understand this fail-over scenario? Thanks in advance.

The should have what you need. RG0 is always the control plane for the cluster. RG1 is the data plane; you can configure multiple RGs for the data plane, but it is almost never necessary. Generally there are two links between the nodes, a control link for RG0 and a fabric link for the data plane, with some of the larger models supporting redundant control and fab links. As you mentioned, you don't configure VRRP on the SRX; there is a shared IP on the SRX for each network. It functions as the VIP, and the primary node in RG0 does GARP so connected devices forward traffic to the proper node. Hope this helps.

Basically the cluster doesn't need VRRP (or similar) between the firewalls, since they already know if the other peer drops because of the control link between them.

RG0 is reserved for the cluster itself, but if I recall correctly it's the only 'hard coded' RG (so the fabric and control links don't have an RG per se). In addition to RG0, you can configure additional redundancy groups and add one or more interfaces into them. It depends on the network topology whether you should add them to the same or different RGs. For example, you can configure IP monitoring so that the firewall will ping the next hop address and, if it fails, it drops the priority of the associated RG, thus possibly causing a failover for that RG (which might be just a VIP (or several) jumping from one firewall to another, or even causing the whole cluster to fail over (though that sounds like a pretty bad idea to me)).
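To put the replies above into configuration form, here is an added example that was not posted in this thread: a minimal two-node SRX chassis cluster with RG0 as the control plane, RG1 as the data plane owning a reth interface that carries the shared IP, and IP monitoring on RG1 that lowers the node's priority when the next hop stops answering. The statements are standard Junos chassis-cluster syntax; the node numbers, interface names, VLAN ID and IP addresses are assumed placeholders, and node 1's physical interface numbering (ge-X/0/1 below) depends on the platform.

```junos
## Added example, not from the thread. All names and addresses are placeholders.
## The cluster ID and node ID are set from operational mode on each node, e.g.
##   set chassis cluster cluster-id 1 node 0 reboot    (run on node 0)
##   set chassis cluster cluster-id 1 node 1 reboot    (run on node 1)

## RG0: control plane. Higher priority wins; node 0 is the preferred primary.
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1

## RG1: data plane. preempt lets node 0 take RG1 back once it recovers;
## without it the group stays where it failed over to.
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 preempt

## Redundant Ethernet (reth) interface: one member port per node. The IP on
## reth0.100 is the shared address the question calls the VIP; the node that
## is primary for RG1 answers for it and sends gratuitous ARP on failover.
set chassis cluster reth-count 2
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-X/0/1 gigether-options redundant-parent reth0
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 100 vlan-id 100
set interfaces reth0 unit 100 family inet address 10.100.0.1/24

## IP monitoring on RG1: each node pings the upstream next hop. A failed
## monitor subtracts its weight from global-threshold; when that reaches 0,
## global-weight (255) is subtracted from the RG's threshold, the node's RG1
## priority drops to 0 and RG1 fails over. With one address at weight 255
## and a threshold of 200, a single lost next hop is enough to trigger it.
## secondary-ip-address is the source the backup node pings from, so both
## nodes are monitored, not only the current primary.
set chassis cluster redundancy-group 1 ip-monitoring global-weight 255
set chassis cluster redundancy-group 1 ip-monitoring global-threshold 200
set chassis cluster redundancy-group 1 ip-monitoring retry-interval 1
set chassis cluster redundancy-group 1 ip-monitoring retry-count 5
set chassis cluster redundancy-group 1 ip-monitoring family inet 10.100.0.254 weight 255 interface reth0.100 secondary-ip-address 10.100.0.2
```

After committing, `show chassis cluster status` shows the per-node priority of each RG (a node whose monitor has failed shows priority 0 for RG1), and `show chassis cluster ip-monitoring status` shows the reachability of each monitored address from each node. Keeping the IP monitoring on RG1 rather than RG0 is what the last reply is getting at: a lost next hop moves the data-plane VIP to the other node without forcing the whole cluster control plane to fail over.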