Computer networks
JDima, 2012-06-08 15:52:54

Juniper NSRP over L2VPN?

A question for experienced Juniper people, because I have never worked with this hardware.
We have a couple of firewalls of the junior series (I don't remember the model now, something like the SRX100). For me these are black boxes; I have absolutely no access to them. It is known that they are clustered and that synchronization runs over two links. Probably NSRP is enabled in an active/standby configuration. The documentation says that they should be connected directly by cables no longer than a few meters. But we are not looking for easy ways: the plan is to spread them across different data centers (two-way delay between them within 1 ms, no losses) and connect the ports to Catalysts that will wrap the traffic in an MPLS pseudowire and spit the packets out on the other side, where they will be received by the other Juniper in the cluster.
Questions - because the NSRP documentation is disgusting:
1) Is there anything that would prevent the scheme I propose from working? Maybe there are no Ethernet frames there at all, or the delays need to be in microseconds rather than milliseconds...
2) What is the maximum size of forwarded packets? If this is configurable, please specify the default value.
3) What pitfalls could we run into by implementing such a scheme? (We assume that the transport between the Junipers will be trouble-free.)
And yes, asking the owners of the hardware is the most difficult option of all, it just so happened...


1 answer(s)
router, 2012-06-15
@JDima

NSRP is not SRX. NSRP is NetScreen.
SRX has a different proprietary clustering protocol.
If SRX, then you can try to overturn. I didn’t do it myself, but you can google it, something came across there: tyts .
SRX100 I remember going crazy once. Otherwise they are fine: they work for clients in offices and handle IPSec. But it depends on what you use them for. As a firewall they are weak: they do not withstand a SYN flood of more than 5 Mbps.
The question, of course, is reliability and the price that can be paid for that reliability. If reliability is more important, I would not cluster, but would rather set up some kind of VRRP. Or some dynamic routing, OSPF for example. Or two IPSec VPNs, if that's what they're for.
