Topologies Tested
The following topologies were tested with combinations of MX Series Routers and SRX Series Firewalls:
Topology 1 – ECMP CHASH – Single MX Series Router with Scaled Out Standalone SRXs (Multiple Individual SRX Series Firewalls)
This is the simplest and least redundant topology. Resiliency is provided only within the MX Series Router (redundant Routing Engine, power supplies, and so on); there is no protection against failure of the MX node itself, there is no backup MX Series Router, and sessions are not synchronized between the SRX Series Firewalls. Because no session state is shared, a failed SRX Series Firewall takes every session it was holding with it; consistent hashing limits the damage to those flows, since the flows already mapped to the surviving firewalls keep their next hop.
This topology is nevertheless useful for understanding how the architecture works, and you can typically add more redundancy later. It fits deployments that do not need stateful failover and only want to add security service capacity by adding SRX Series Firewalls, for example where application sessions are short lived or redundancy is handled at the application level, so that no session synchronization between two different firewalls is required.
- Pros: Simplicity and scaling with each individual SRX Series Firewall
- Cons: No redundancy
Topology 2 – ECMP CHASH – Dual MX Series Router with Scaled-Out MNHA SRX Pairs (Multiple Pairs of SRX Series Firewalls)
This topology does offer redundancy for the MX Series Routers and for each SRX Series Firewall. The dual MX Series Router uses an SRD mechanism to monitor the physical elements of the network and/or the MX Series Router itself, as well as any other routing and system event that may need to trigger a failover to the other MX Series Router.
When the active MX Series Router detects a network failure, the second MX Series Router takes over the active role and all traffic is redirected to it. Because each MX Series Router is connected to one node of each MNHA pair, the SRX Series Firewalls that were previously the backup nodes become the active nodes of their MNHA pairs. In normal operation this architecture therefore uses only one SRX Series Firewall of each pair at a time (the one connected to the active MX Series Router); after a failover, traffic continues on the second node of each MNHA pair.
On the SRX Series Firewall side, Multi-Node High Availability (MNHA) lets both SRX Series Firewalls of a pair handle traffic, synchronize their sessions, and offer the requested security services. Since this topology uses SRG0 (active/active) as the cluster mode, the MNHA pair does not need to fail over to the redundant SRX Series Firewall when the MX Series Router detects a failure: session synchronization ensures that the redundant SRX Series Firewall takes over the sessions previously processed by the other node while preserving their state. Note that when an SRX Series Firewall itself detects a failure, a failover does occur within the MNHA pair.
- Pros: Simple redundancy and scaling with each SRX Series Firewall pair
- Cons: Only half of the architecture is active at a time
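The two properties Topologies 1 and 2 rely on, consistent hashing keeping surviving next hops stable when an SRX Series Firewall disappears, and MNHA session synchronization letting the other node of a pair accept mid-session packets after an MX Series Router failover, are easy to see in a small simulation. The following Python model is an added example, not code from this page or from Junos: the hash ring, the stateful "firewall", the pair and firewall names, and the client flows are all constructed for illustration.

```python
"""Constructed simulation of flow-to-firewall mapping for the MX + SRX
topologies: modulo ECMP vs consistent hashing (CHASH) when an SRX fails
(Topology 1), and MNHA session sync when the MX fails over (Topology 2).
Not Junos code; firewall names and traffic are made up for the example."""
import hashlib
from bisect import bisect_right


def h(*parts):
    """Stable 64-bit hash of an arbitrary key (a 5-tuple, a ring point, ...)."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def modulo_pick(flow, nodes):
    """Plain hash-mod-N ECMP: removing one next hop renumbers all the others."""
    return nodes[h(*flow) % len(nodes)]


class ConsistentHashRing:
    """Hash ring with virtual nodes: each next hop owns fixed arcs of the ring,
    so removing one next hop only moves the flows that were on it."""

    def __init__(self, nodes, vnodes=64):
        self.members = list(nodes)
        points = sorted((h("vnode", n, i), n) for n in nodes for i in range(vnodes))
        self.keys = [p[0] for p in points]
        self.owners = [p[1] for p in points]

    def pick(self, flow):
        i = bisect_right(self.keys, h(*flow)) % len(self.keys)
        return self.owners[i]


class Firewall:
    """Stateful firewall: a non-SYN packet needs an existing session.
    With an MNHA peer set, every new session is synchronized to the peer."""

    def __init__(self, name, peer=None):
        self.name, self.sessions, self.peer = name, set(), peer

    def handle(self, flow, syn):
        if syn:
            self.sessions.add(flow)
            if self.peer is not None:
                self.peer.sessions.add(flow)  # MNHA session sync
            return "allow"
        return "allow" if flow in self.sessions else "drop"


def sample_flows(n):
    """Constructed client 5-tuples (src, dst, sport, dport, proto) to one HTTPS server."""
    return [("10.0.%d.%d" % (i // 256, i % 256), "203.0.113.10", 40000 + i, 443, 6)
            for i in range(n)]


def srx_failure_drops(chash, n_nodes=4, n_flows=2000):
    """Topology 1 (standalone SRXs, no session sync): open every session, fail
    one SRX, send a mid-session packet per flow via the new mapping and count
    drops. Returns (drops, flows that were on the failed node)."""
    nodes = ["srx%d" % i for i in range(n_nodes)]
    fws = {n: Firewall(n) for n in nodes}
    flows = sample_flows(n_flows)
    ring = ConsistentHashRing(nodes) if chash else None
    pick = (lambda f: ring.pick(f)) if chash else (lambda f: modulo_pick(f, nodes))
    for f in flows:
        fws[pick(f)].handle(f, syn=True)
    failed = nodes[2]
    survivors = [n for n in nodes if n != failed]
    ring2 = ConsistentHashRing(survivors) if chash else None
    pick2 = (lambda f: ring2.pick(f)) if chash else (lambda f: modulo_pick(f, survivors))
    drops = sum(1 for f in flows if fws[pick2(f)].handle(f, syn=False) == "drop")
    on_failed = sum(1 for f in flows if pick(f) == failed)
    return drops, on_failed


def mx_failover_drops(session_sync, n_pairs=4, n_flows=2000):
    """Topology 2: both MXs hash flows over the MNHA pairs; MX1 forwards to the
    'a' node of a pair, MX2 to the 'b' node. Sessions open via MX1, MX1 fails,
    mid-session packets then reach the 'b' nodes via MX2. Returns drops."""
    pairs = ["pair%d" % i for i in range(n_pairs)]
    a = {p: Firewall(p + "-a") for p in pairs}
    b = {p: Firewall(p + "-b") for p in pairs}
    if session_sync:
        for p in pairs:
            a[p].peer, b[p].peer = b[p], a[p]
    ring = ConsistentHashRing(pairs)
    flows = sample_flows(n_flows)
    for f in flows:
        a[ring.pick(f)].handle(f, syn=True)  # via MX1 (active)
    return sum(1 for f in flows if b[ring.pick(f)].handle(f, syn=False) == "drop")


if __name__ == "__main__":
    print("modulo ECMP, SRX failure (drops, on failed node):", srx_failure_drops(chash=False))
    print("CHASH, SRX failure (drops, on failed node):      ", srx_failure_drops(chash=True))
    print("MX failover with MNHA sync, drops:   ", mx_failover_drops(session_sync=True))
    print("MX failover without session sync:    ", mx_failover_drops(session_sync=False))
```

With consistent hashing the number of dropped mid-session packets equals the number of flows that were on the failed firewall; with modulo hashing most of the remaining flows are renumbered onto a firewall that has never seen them and are dropped too, roughly three quarters of all flows when going from four next hops to three. In the dual-MX case the redirected packets are accepted only because the session was synchronized to the peer node before the failover; the same argument applies to the TLB topologies that follow.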
Topology 3 – TLB – Single MX Series Router Scaled-Out MNHA SRX Pairs (Multiple Pairs of SRX Firewalls)
This topology offers redundancy for the SRX Series Firewalls but not for the MX Series Router, although the router may have a second Routing Engine (RE) installed in the appropriate slot. This solution uses a single MX Series Router chassis rather than two.
MNHA offers session synchronization within each pair and covers the SRX failure scenarios. As explained for Topology 2, the second SRX Series Firewall of each pair picks up the traffic that started on the first one when that node fails; in this topology the MX Series Router itself cannot fail over, so an MX chassis failure is not covered.
- Pros: Redundancy and scaling with each SRX Series Firewalls pair
- Cons: No redundancy on the router (except using dual RE)
Topology 4 – TLB – Dual MX Series Routers Scaled-Out MNHA SRX Pairs (Multiple Pairs of SRX Firewalls)
This topology offers redundancy for both the MX Series Routers and the SRX Series Firewalls and uses all the components at the same time. Any failover scenario is covered.
Traffic can be handled by either of the two MX Series Routers, while the SRX Series Firewalls can be used in the Active/Backup role or in the Active/Active role, making use of both nodes of a pair at the same time. This increases the capacity of the network during normal operation; however, when a failure occurs only one node of the affected MNHA pair remains active, so each pair must be sized for the load a single node has to carry.
Each SRX Series Firewall is connected to both MX Series Routers. If one node within a pair fails, that pair fails over independently of the other SRX Series Firewall pairs and of the MX Series Routers.
- Pros: Full redundancy and scaling for MX Series Router and SRX Series Firewall pairs.
- Cons: More interfaces used on the MX Series Routers if the firewalls are directly connected; an optional distribution layer can cover the connectivity needs as the number of SRX Series Firewalls grows.