Posted to dev@cloudstack.apache.org by Sanjeev Neelarapu <sa...@citrix.com> on 2012/10/11 07:12:40 UTC

F5 & SRX in in-line mode PRD review

Hi Sheng,

Following are the review comments on the F5 & SRX in in-line mode PRD:


1.      Apart from providing security to load balancing traffic, are there any other benefits of deploying F5 & SRX in in-line mode?

2.      In this scenario SRX is the single point of contact for the entire zone. How are we going to provide redundancy (to avoid a single point of failure)?

3.      Is there any limit on the number of IP addresses that can be acquired and configured for load balancing on SRX?

4.      Are we going to use SRX with JUNOS 10.4R1 or above for this feature support?

5.      What level of security are we providing to the load balancing traffic? CIDR and port range based filtering, or do we support application-level filtering (content inspection) as well?


Thanks,
Sanjeev




Re: F5 & SRX in in-line mode PRD review

Posted by Sheng Yang <sh...@yasker.org>.
On Fri, Oct 12, 2012 at 11:36 AM, Chiradeep Vittal
<Ch...@citrix.com> wrote:
>
>>>
>>> 4. Since both SRX and F5 are being programmed when creating an LB rule,
>>> if either one of them is down/unreachable, we should expect the LB rule
>>> creation to error out. In such cases, will we be providing an error
>>> message to the user, and will he be able to recreate the same LB rules
>>> when SRX and LB are reachable?
>>
>> I suppose the user would retry it later... or complain to the admin, who
>> would know that one device is down.
>
> Looking for a more complete answer here: is it going to be atomic across
> both devices or not?

It would be an atomic operation on both devices.

--Sheng
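The atomic-across-both-devices behaviour discussed in this exchange, shown as an added illustration that is not CloudStack's code and not from anyone in the thread: the firewall step (static NAT on the SRX) is applied first, the load balancer step (virtual server on the F5) second, and a failure of the second step rolls the first back so that no half-applied rule is left behind. The `FakeDevice` client, the `LbRule` shape and the `rule_state` audit helper are all constructed for this example; real drivers would talk to the devices instead.

```python
"""Apply an LB rule to two devices so that either both hold it or neither does.

Added example (not CloudStack code). FakeDevice is a constructed stand-in for
an SRX firewall or an F5 load balancer; `reachable=False` simulates an outage.
"""
from dataclasses import dataclass, field


class DeviceUnreachable(Exception):
    """Raised when a device cannot be programmed (down or unreachable)."""


@dataclass
class FakeDevice:
    """Constructed stand-in for a network device; keeps rules in a dict."""
    name: str
    reachable: bool = True
    rules: dict = field(default_factory=dict)

    def add(self, rule_id: str, spec: dict) -> None:
        if not self.reachable:
            raise DeviceUnreachable(f"{self.name} unreachable")
        self.rules[rule_id] = spec

    def remove(self, rule_id: str) -> None:
        if not self.reachable:
            raise DeviceUnreachable(f"{self.name} unreachable")
        self.rules.pop(rule_id, None)


@dataclass
class LbRule:
    """Hypothetical LB rule: public IP/port on the SRX, pool of guest VMs on the F5."""
    rule_id: str
    public_ip: str
    public_port: int
    f5_ip: str          # address on the F5 that the SRX static NAT points at
    vm_ips: list


def apply_lb_rule(srx: FakeDevice, f5: FakeDevice, rule: LbRule) -> None:
    """Program SRX first, then F5; undo the SRX step if the F5 step fails.

    The error is re-raised so the caller (or user) can retry once both
    devices are reachable again, matching the behaviour described above.
    """
    srx.add(rule.rule_id, {
        "static_nat": (rule.public_ip, rule.f5_ip),   # implicit static NAT SRX -> F5
        "allow": ("tcp", rule.public_port),            # CIDR/port based filtering only
    })
    try:
        f5.add(rule.rule_id, {
            "vip": (rule.f5_ip, rule.public_port),
            "pool": list(rule.vm_ips),
        })
    except DeviceUnreachable:
        try:
            # compensating action: remove the static NAT so the rule is absent everywhere
            srx.remove(rule.rule_id)
        except DeviceUnreachable as rollback_err:
            # both steps failed in sequence: the rule is now half-applied and the
            # inconsistency must be surfaced to an admin rather than hidden
            raise RuntimeError(
                f"rule {rule.rule_id} left half-applied on {srx.name}; "
                f"rollback failed ({rollback_err}); admin reconciliation needed"
            ) from rollback_err
        raise


def rule_state(srx: FakeDevice, f5: FakeDevice, rule_id: str) -> str:
    """Audit helper: 'applied', 'absent', or 'inconsistent' (present on one device only)."""
    on_srx = rule_id in srx.rules
    on_f5 = rule_id in f5.rules
    if on_srx and on_f5:
        return "applied"
    if not on_srx and not on_f5:
        return "absent"
    return "inconsistent"


if __name__ == "__main__":
    # constructed sample: public IP from the documentation range, private F5/VM addresses
    rule = LbRule("lb-1", "203.0.113.10", 80, "10.1.1.5", ["10.1.1.20", "10.1.1.21"])
    srx, f5 = FakeDevice("srx"), FakeDevice("f5", reachable=False)
    try:
        apply_lb_rule(srx, f5, rule)
    except DeviceUnreachable as err:
        print(f"LB rule creation failed: {err}; state = {rule_state(srx, f5, 'lb-1')}")
```

The `rule_state` check is the piece a defender would run periodically: a rule that exists on the SRX but not on the F5 (or the reverse) means a public IP is being forwarded with no matching virtual server, which is exactly the condition the atomic apply is meant to rule out.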

Re: F5 & SRX in in-line mode PRD review

Posted by Chiradeep Vittal <Ch...@citrix.com>.
>>
>> 4. Since both SRX and F5 are being programmed when creating an LB rule,
>> if either one of them is down/unreachable, we should expect the LB rule
>> creation to error out. In such cases, will we be providing an error
>> message to the user, and will he be able to recreate the same LB rules
>> when SRX and LB are reachable?
>
> I suppose the user would retry it later... or complain to the admin, who
> would know that one device is down.

Looking for a more complete answer here: is it going to be atomic across
both devices or not?


Re: F5 & SRX in in-line mode PRD review

Posted by Sheng Yang <sh...@yasker.org>.
Hi Sangeetha,

On Thu, Oct 11, 2012 at 6:54 PM, Sangeetha Hariharan
<Sa...@citrix.com> wrote:
> Hi Sheng,
>
> I have the following questions after reviewing the FS:
>
> 1. FS states that VPN services will not be supported in the SRX-F5 inline mode. Is this correct?

No, I've updated it, I think.
>
> 2. Will there be support for conserve mode = "ON", where the same public IP address can service both LB rules and PF rules?

No. Since LB on F5 would include one implicit rule to create static
NAT from SRX to F5, and we cannot enable static NAT and a PF rule at the
same time.
>
> 3. When an LB rule is created, in which DB table can we see the information on the guest IP address that gets assigned for the corresponding static NAT?

It would only show as an LB rule. The static NAT rule is generated by the
system implicitly.
>
> 4. Since both SRX and F5 are being programmed when creating an LB rule, if either one of them is down/unreachable, we should expect the LB rule creation to error out. In such cases, will we be providing an error message to the user, and will he be able to recreate the same LB rules when SRX and LB are reachable?

I suppose the user would retry it later... or complain to the admin, who
would know that one device is down.

--Sheng
>
>
> -Thanks
> Sangeetha
>
> -----Original Message-----
> From: Sheng Yang [mailto:sheng@yasker.org]
> Sent: Thursday, October 11, 2012 11:04 AM
> To: cloudstack-dev@incubator.apache.org
> Cc: Sheng Yang
> Subject: Re: F5 & SRX in in-line mode PRD review
>
> Hi Sanjeev,
>
> On Wed, Oct 10, 2012 at 10:12 PM, Sanjeev Neelarapu <sa...@citrix.com> wrote:
>> Hi Sheng,
>>
>> Following are the review comments on the F5 & SRX in in-line mode PRD:
>>
>>
>> 1.      Apart from providing security to load balancing traffic, are there any other benefits of deploying F5 & SRX in in-line mode?
>
> Not as far as I know. The main change is that LB would be behind the firewall, which makes more sense and is more secure.
>
>>
>> 2.      In this scenario SRX is the single point of contact for the entire zone. How are we going to provide redundancy (to avoid a single point of failure)?
>
> No, and even in side-by-side mode, if SRX fails, we would face the same situation - I don't think only LB working would be good enough for the guest network.
>>
>> 3.      Is there any limit on the number of IP addresses that can be acquired and configured for load balancing on SRX?
>
> The same as PF/static NAT; as far as I know, no.
>>
>> 4.      Are we going to use SRX with JUNOS 10.4R1 or above for this feature support?
>
> Yes, which would make VPN work.
>>
>> 5.      What level of security are we providing to the load balancing traffic? CIDR and port range based filtering, or do we support application-level filtering (content inspection) as well?
>
> In fact F5 supports application-level filtering, but we have no plan to support it so far. We only support the HTTP protocol now.
>
> --Sheng
>>
>>
>> Thanks,
>> Sanjeev
>>
>>
>>

RE: F5 & SRX in in-line mode PRD review

Posted by Sangeetha Hariharan <Sa...@citrix.com>.
Hi Sheng,

I have the following questions after reviewing the FS:

1. FS states that VPN services will not be supported in the SRX-F5 inline mode. Is this correct?

2. Will there be support for conserve mode = "ON", where the same public IP address can service both LB rules and PF rules?

3. When an LB rule is created, in which DB table can we see the information on the guest IP address that gets assigned for the corresponding static NAT?

4. Since both SRX and F5 are being programmed when creating an LB rule, if either one of them is down/unreachable, we should expect the LB rule creation to error out. In such cases, will we be providing an error message to the user, and will he be able to recreate the same LB rules when SRX and LB are reachable?


-Thanks
Sangeetha

-----Original Message-----
From: Sheng Yang [mailto:sheng@yasker.org] 
Sent: Thursday, October 11, 2012 11:04 AM
To: cloudstack-dev@incubator.apache.org
Cc: Sheng Yang
Subject: Re: F5 & SRX in in-line mode PRD review

Hi Sanjeev,

On Wed, Oct 10, 2012 at 10:12 PM, Sanjeev Neelarapu <sa...@citrix.com> wrote:
> Hi Sheng,
>
> Following are the review comments on the F5 & SRX in in-line mode PRD:
>
>
> 1.      Apart from providing security to load balancing traffic, are there any other benefits of deploying F5 & SRX in in-line mode?

Not as far as I know. The main change is that LB would be behind the firewall, which makes more sense and is more secure.

>
> 2.      In this scenario SRX is the single point of contact for the entire zone. How are we going to provide redundancy (to avoid a single point of failure)?

No, and even in side-by-side mode, if SRX fails, we would face the same situation - I don't think only LB working would be good enough for the guest network.
>
> 3.      Is there any limit on the number of IP addresses that can be acquired and configured for load balancing on SRX?

The same as PF/static NAT; as far as I know, no.
>
> 4.      Are we going to use SRX with JUNOS 10.4R1 or above for this feature support?

Yes, which would make VPN work.
>
> 5.      What level of security are we providing to the load balancing traffic? CIDR and port range based filtering, or do we support application-level filtering (content inspection) as well?

In fact F5 supports application-level filtering, but we have no plan to support it so far. We only support the HTTP protocol now.

--Sheng
>
>
> Thanks,
> Sanjeev
>
>
>

Re: F5 & SRX in in-line mode PRD review

Posted by Sheng Yang <sh...@yasker.org>.
Hi Sanjeev,

On Wed, Oct 10, 2012 at 10:12 PM, Sanjeev Neelarapu
<sa...@citrix.com> wrote:
> Hi Sheng,
>
> Following are the review comments on the F5 & SRX in in-line mode PRD:
>
>
> 1.      Apart from providing security to load balancing traffic, are there any other benefits of deploying F5 & SRX in in-line mode?

Not as far as I know. The main change is that LB would be behind the firewall,
which makes more sense and is more secure.

>
> 2.      In this scenario SRX is the single point of contact for the entire zone. How are we going to provide redundancy (to avoid a single point of failure)?

No, and even in side-by-side mode, if SRX fails, we would face
the same situation - I don't think only LB working would be good enough
for the guest network.
>
> 3.      Is there any limit on the number of IP addresses that can be acquired and configured for load balancing on SRX?

The same as PF/static NAT; as far as I know, no.
>
> 4.      Are we going to use SRX with JUNOS 10.4R1 or above for this feature support?

Yes, which would make VPN work.
>
> 5.      What level of security are we providing to the load balancing traffic? CIDR and port range based filtering, or do we support application-level filtering (content inspection) as well?

In fact F5 supports application-level filtering, but we have no
plan to support it so far. We only support the HTTP protocol now.

--Sheng
>
>
> Thanks,
> Sanjeev
>
>
>