Hi Sangeetha,

On Thu, Oct 11, 2012 at 6:54 PM, Sangeetha Hariharan <sangeetha.hariha...@citrix.com> wrote:
> Hi Sheng,
>
> I have the following questions after reviewing the FS:
>
> 1. FS states that VPN services will not be supported in the SRX-F5 inline
> mode. Is this correct?

No, I've updated it I think.

>
> 2. Will there be support for conserve mode = "ON", where the same public IP
> address can service both LB rules and PF rules?

No, since LB on F5 would include one implicit rule to create static nat from SRX to F5, and we cannot enable static nat and a PF rule at the same time.

>
> 3. When an LB rule is created, in which DB table can we see the information of
> the guest IP address that gets assigned for corresponding Static NAT purposes?

It would only show as an LB rule. The static nat rule is generated by the system implicitly.

>
> 4. Since both SRX and F5 are being programmed when creating an LB rule, if
> either one of them is down/unreachable, we should expect the LB rule
> creation to error out. In such cases, will we be providing an error message
> to the user and he should be able to recreate the same LB rules when SRX and
> LB are reachable?

I suppose the user would retry it later... Or complain to the admin, who would know that one device is down.

--Sheng

>
>
> -Thanks
> Sangeetha
>
> -----Original Message-----
> From: Sheng Yang [mailto:sh...@yasker.org]
> Sent: Thursday, October 11, 2012 11:04 AM
> To: cloudstack-dev@incubator.apache.org
> Cc: Sheng Yang
> Subject: Re: F5 & SRX in in-line mode PRD review
>
> Hi Sanjeev,
>
> On Wed, Oct 10, 2012 at 10:12 PM, Sanjeev Neelarapu
> <sanjeev.neelar...@citrix.com> wrote:
>> Hi Sheng,
>>
>> Following are the review comments on F5&SRX in in-line mode PRD:
>>
>>
>> 1. Apart from providing security to load balancing traffic are there
>> any other benefits of deploying F5&SRX in in-line mode?
>
> Not as far as I know. The main change is that LB would be behind the firewall,
> which makes more sense and is more secure.
>
>>
>> 2. In this scenario SRX is the single point of contact for the entire
>> zone. How are we going to provide the redundancy (to avoid single point of
>> failure condition)?
>
> No, and even in side-by-side mode, if SRX fails, we would face the same
> situation - I don't think having only LB working would be good enough for the
> guest network.
>>
>> 3. Is there any limit on the no. of IP addresses that can be acquired
>> and configured for load balancing on SRX?
>
> The same as PF/static nat, as far as I know, no.
>>
>> 4. Are we going to use SRX with JUNOS 10.4R1 or above for this feature
>> support?
>
> Yes, which would make VPN work.
>>
>> 5. What level of security are we providing to the load balancing
>> traffic? CIDR & Port Range based filtering or do we support application level
>> filtering (content inspection) as well?
>
> In fact F5 supports application level filtering, but we haven't got a plan to
> support it so far. We only support the HTTP protocol now.
>
> --Sheng
>>
>>
>> Thanks,
>> Sanjeev