Hi Sheng,

I have the following questions after reviewing the FS:

1. FS states that VPN services will not be supported in the SRX-F5 inline mode. 
Is this correct?

2. Will there be support for conserve mode = "ON", where the same public IP 
address can service both LB rules and PF rules?

3. When an LB rule is created, in which DB table can we see the information of 
the guest IP address that gets assigned for the corresponding Static NAT purposes?

4. Since both SRX and F5 are being programmed when creating an LB rule, if 
either one of them is down/unreachable, we should expect the LB rule creation 
to error out. In such cases, will we be providing an error message to the 
user, and should he be able to recreate the same LB rules when SRX and LB are 
reachable?


-Thanks
Sangeetha

-----Original Message-----
From: Sheng Yang [mailto:sh...@yasker.org] 
Sent: Thursday, October 11, 2012 11:04 AM
To: cloudstack-dev@incubator.apache.org
Cc: Sheng Yang
Subject: Re: F5 & SRX in in-line mode PRD review

Hi Sanjeev,

On Wed, Oct 10, 2012 at 10:12 PM, Sanjeev Neelarapu 
<sanjeev.neelar...@citrix.com> wrote:
> Hi Sheng,
>
> Following are the review comments on F5&SRX in in-line mode PRD:
>
>
> 1.      Apart from providing security to load balancing traffic are there any 
> other benefits of deploying F5&SRX in in-line mode?

Not as far as I know. The main change is that the LB would be behind the 
firewall, which makes more sense and is more secure.

>
> 2.      In this scenario SRX is the single point of contact for the entire 
> zone. How are we going to provide the redundancy (to avoid single point of 
> failure condition) ?

No, and even in side-by-side mode, if the SRX fails, we would face the same 
situation - I don't think having only the LB working would be good enough for 
the guest network.
>
> 3.      Is there any limit on the no. of IP addresses that can be acquired and 
> configured for load balancing on SRX?

The same as PF/static NAT; as far as I know, no.
>
> 4.      Are we going to use SRX with JUNOS 10.4R1 or above for this feature 
> support?

Yes, which would make VPN work.
>
> 5.      What level of security are we providing to the load balancing 
> traffic? CIDR & Port Range based filtering, or do we support application level 
> filtering (content inspection) as well?

In fact, F5 supports application-level filtering, but we have no plan to 
support it so far. We only support the HTTP protocol now.

--Sheng
>
>
> Thanks,
> Sanjeev
>
>
>
