[j-nsp] SRX240 - ready for prime time?

TCIS List Acct listacct at tulsaconnect.com
Tue Mar 6 08:46:26 EST 2012

> Switching with a pair of 240s (and 650s) is supported in 11.1R3 and
> later, but it does not work with the smaller branch boxes. You need (at
> least) one extra cable between the boxes dedicated to switch traffic.
> Have not tried it myself, but it is in the release notes.

Is this extra cable b/t the boxes a "fabric" or "stacking" connector of sorts? 
In the application I had in mind, I will be using (2) NICs from each server 
using the Intel Pro/1000 ET's VMLB (virtual machine load balancing) feature. 
VMLB requires a "stacked switch" to work properly when you distribute the 
connections across multiple switches (that is, they must "look" like a single 

>> - Can the SRX be used as a multi-tenant firewall to provide distinct
>> L3 public IP subnets on VLAN interfaces, with their own set of unique
>> firewall rules, and the possibility of overlapping Untrust IP networks
>> (e.g. multiple customers have, AND the ability to
>> terminate IPSEC VPN tunnels on these VLAN interfaces? (I'm looking for
>> something to provide multi-tenant firewall services to a small Cloud
>> hosting infrastructure)
> Most of these things I have done extensively without problems, but for
> one item, which I have not been able to verify. In 10.2 it was not
> possible to terminate an IPsec VPN tunnel on an RVI (Routed VLAN
> interface), only on normal interfaces. I do not know if that limitation
> has been lifted.

The vSYS (or whatever the SRX calls them) would work well for my application, 
but I just wish it supported more than 20 (and the SRX 650 is very expensive for 
just an increase in the # of vSYS).


More information about the juniper-nsp mailing list