cloudstack-dev mailing list archives

From Sheng Yang <sh...@yasker.org>
Subject Re: F5 & SRX in in-line mode PRD review
Date Fri, 12 Oct 2012 17:47:05 GMT
Hi Sangeetha,

On Thu, Oct 11, 2012 at 6:54 PM, Sangeetha Hariharan
<Sangeetha.Hariharan@citrix.com> wrote:
> Hi Sheng,
>
> I have the following questions after reviewing the FS:
>
> 1. FS states that VPN services will not be supported in the SRX-F5 inline mode. Is this correct?

No, I've updated it I think.
>
> 2. Will there be support for conserve mode = "ON", where the same public IP address can service both LB rules and PF rules?

No. Since LB on F5 would include one rule implicit to create static
nat from SRX to F5, and we cannot enable static nat and PF rule at the
same time.
>
> 3. When an LB rule is created, in which DB table can we see the information of the guest IP address that gets assigned for corresponding Static NAT purposes?

It would only show as LB rule. Static nat rule is generated by system
implicitly.
>
> 4. Since both SRX and F5 are being programmed when creating an LB rule, if either one of them is down/unreachable, we should expect the LB rule creation to error out. In such cases, will we be providing an error message to the user and he should be able to recreate the same LB rules when SRX and LB are reachable?

I suppose user would retry it later... Or complain to admin who would
know that one device is down.

--Sheng
>
>
> -Thanks
> Sangeetha
>
> -----Original Message-----
> From: Sheng Yang [mailto:sheng@yasker.org]
> Sent: Thursday, October 11, 2012 11:04 AM
> To: cloudstack-dev@incubator.apache.org
> Cc: Sheng Yang
> Subject: Re: F5 & SRX in in-line mode PRD review
>
> Hi Sanjeev,
>
> On Wed, Oct 10, 2012 at 10:12 PM, Sanjeev Neelarapu <sanjeev.neelarapu@citrix.com> wrote:
>> Hi Sheng,
>>
>> Following are the review comments on F5&SRX in in-line mode PRD:
>>
>>
>> 1.      Apart from providing security to load balancing traffic are there any other benefits of deploying F5&SRX in in-line mode?
>
> Not as far as I know. The main change is that LB would be behind the firewall, which makes more sense and is more secure.
>
>>
>> 2.      In this scenario SRX is the single point of contact for the entire zone. How are we going to provide the redundancy (to avoid single point of failure condition)?
>
> No, and even in side-by-side mode, if SRX fails, we would face the same situation - I don't think having only LB work would be good enough for the guest network.
>>
>> 3.      Is there any limit on the no. of IP addresses that can be acquired and configured for load balancing on SRX?
>
> The same as PF/static nat, as far as I know, no.
>>
>> 4.      Are we going to use SRX with JUNOS 10.4R1 or above for this feature support?
>
> Yes, which would make VPN work.
>>
>> 5.      What level of security are we providing to the load balancing traffic? CIDR & Port Range based filtering or do we support application level filtering (content inspection) as well?
>
> In fact F5 supports application level filtering, but we haven't got a plan to support it so far. We only support the HTTP protocol now.
>
> --Sheng
>>
>>
>> Thanks,
>> Sanjeev
>>
>>
>>
