[j-nsp] One router/two firewalls config question
Chuck Anderson
cra at WPI.EDU
Fri Mar 7 11:00:02 EST 2008
On Fri, Mar 07, 2008 at 10:33:42AM -0500, John Center wrote:
> interface Vlan376
> description "GE connection to DMZ"
> ip address 192.168.1.254 255.255.255.240
> ...
>
> This way, either firewall can talk to the other & has a common address
> to talk to the router. Failover is easy & quick. How does one do
> something similar in JUNOSv9? VLANs can't have addresses assigned to
> them in JUNOS & there doesn't appear to be any support for IRB for the
> M120. Any help would be greatly appreciated!
You are correct that the M-series cannot do IRB (except MX). If you
can live with an external switch, you can create an Aggregated
Ethernet (802.3ad-type trunk) to that switch, plug both firewalls into
the switch, and use a configuration like this:
> show configuration | find interfaces
interfaces {
    ge-2/0/0 {
        description "GE to switch port 1";
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-2/0/1 {
        description "GE to switch port 2";
        gigether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        description "GE Connection to DMZ";
        vlan-tagging;
        aggregated-ether-options {
            link-speed 1g;
        }
        unit 376 {
            description "VLAN 376 to DMZ";
            vlan-id 376;
            family inet {
                address 192.168.1.254/28;
            }
        }
    }
}
Or if you can live with a routed configuration rather than bridged,
you could put an IP on the lo0 loopback interface and run a routing
protocol to each firewall.
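As an added example (not part of the original thread, and not a Juniper tool), here is a small Python script that parses the brace-style JUNOS config above and runs the checks a reviewer would want before committing it: both ge- members point at a bundle that is actually defined, the chassis `aggregated-devices ethernet device-count` allows at least as many ae interfaces as are configured (JUNOS will not let ae0 exist without it; that stanza is not in the posted `show configuration | find interfaces` output, so it is assumed here), tagged units carry a vlan-id, and the two firewalls' addresses plus their shared address all fall inside the router's /28 without colliding with the router or the network/broadcast addresses. The sample config is the posted ae0 stanza with descriptions dropped; the chassis stanza and the firewall addresses are assumptions.

```python
import ipaddress
import re

# Constructed input (not the post verbatim): the ae0 stanza from the thread
# minus descriptions, plus an ASSUMED chassis stanza, which JUNOS requires
# before any aeN interface can be committed.
SAMPLE_CONFIG = """
chassis { aggregated-devices { ethernet { device-count 1; } } }
interfaces {
    ge-2/0/0 { gigether-options { 802.3ad ae0; } }
    ge-2/0/1 { gigether-options { 802.3ad ae0; } }
    ae0 {
        vlan-tagging;
        aggregated-ether-options { link-speed 1g; }
        unit 376 {
            vlan-id 376;
            family inet { address 192.168.1.254/28; }
        }
    }
}
"""

# ASSUMED firewall addresses (not from the post): each firewall's own
# address plus the shared address the active unit presents to the router.
FIREWALL_ADDRS = ["192.168.1.241", "192.168.1.242", "192.168.1.243"]


def parse_junos(text):
    """Parse brace-style JUNOS config into nested dicts.

    Blocks are keyed by their full header ('unit 376', 'family inet'),
    leaves by their first token with the rest as value ('' for bare flags).
    """
    root, words = {}, []
    stack = [root]
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text):
        if tok == "{":
            block = {}
            stack[-1][" ".join(words)] = block
            stack.append(block)
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if not words:
                raise ValueError("empty statement")
            stack[-1][words[0]] = " ".join(w.strip('"') for w in words[1:])
            words = []
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unbalanced braces or trailing tokens")
    return root


def check_lag_dmz(cfg, fw_addrs):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    ifaces = cfg.get("interfaces", {})
    bundles = {n: b for n, b in ifaces.items() if n.startswith("ae")}
    members = {}
    for name, body in ifaces.items():
        ae = body.get("gigether-options", {}).get("802.3ad")
        if ae:
            members.setdefault(ae, []).append(name)
    for ae, links in members.items():
        if ae not in bundles:
            findings.append("%s reference undefined bundle %s" % (", ".join(links), ae))
    for ae in bundles:
        if len(members.get(ae, [])) < 2:
            findings.append("%s has fewer than 2 member links" % ae)
    allowed = int(cfg.get("chassis", {}).get("aggregated-devices", {})
                  .get("ethernet", {}).get("device-count", 0))
    if allowed < len(bundles):
        findings.append("chassis device-count %d < %d ae interface(s)"
                        % (allowed, len(bundles)))
    for ae, body in bundles.items():
        for name, unit in body.items():
            if not name.startswith("unit "):
                continue
            ifl = "%s.%s" % (ae, name.split()[1])
            if "vlan-id" in unit and "vlan-tagging" not in body:
                findings.append("%s has vlan-id but %s lacks vlan-tagging" % (ifl, ae))
            addr = unit.get("family inet", {}).get("address")
            if addr is None:
                findings.append("%s has no inet address" % ifl)
                continue
            router = ipaddress.ip_interface(addr)
            net, seen = router.network, {router.ip}
            for fw in fw_addrs:
                ip = ipaddress.ip_address(fw)
                if ip not in net:
                    findings.append("%s is outside %s on %s" % (fw, net, ifl))
                elif ip in (net.network_address, net.broadcast_address):
                    findings.append("%s is the network/broadcast address of %s" % (fw, net))
                elif ip in seen:
                    findings.append("%s duplicates another address on %s" % (fw, ifl))
                seen.add(ip)
    return findings


if __name__ == "__main__":
    for line in check_lag_dmz(parse_junos(SAMPLE_CONFIG), FIREWALL_ADDRS) or ["OK"]:
        print(line)
```

Run against the sample it prints `OK`; point it at a firewall address outside 192.168.1.240/28, at .255, or at the router's own .254 and it reports each one. The parser is deliberately minimal (no `##` comments, no `set`-style output), enough to check a stanza pasted from `show configuration`.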