[j-nsp] One router/two firewalls config question

John Center john.center at villanova.edu
Fri Mar 7 15:12:34 EST 2008


Hi Chuck,

The only problem with using a switch is it's a single point of failure.
I'm not sure how failover would work with each PIX on a separate routed
subnet.  I'm looking into this now.

Thanks.

	-John


Chuck Anderson wrote:
> On Fri, Mar 07, 2008 at 10:33:42AM -0500, John Center wrote:
>> interface Vlan376
>>   description "GE connection to DMZ"
>>   ip address 192.168.1.254 255.255.255.240
>> ...
>>
>> This way, either firewall can talk to the other & has a common address
>> to talk to the router.  Failover is easy & quick.  How does one do
>> something similar in JUNOSv9?  VLANs can't have addresses assigned to
>> them in JUNOS & there doesn't appear to be any support for IRB for the
>> M120.  Any help would be greatly appreciated!
> 
> You are correct that the M-series cannot do IRB (except MX).  If you
> can live with an external switch, you can create an Aggregated
> Ethernet (802.3ad-type trunk) to that switch, plug both firewalls into
> the switch, and use a configuration like this:
> 
>> show configuration | find interfaces
> interfaces {
>     ge-2/0/0 {
>         description "GE to switch port 1";
>         gigether-options {
>             802.3ad ae0;
>         }
>     }
>     ge-2/0/1 {
>         description "GE to switch port 2";
>         gigether-options {
>             802.3ad ae0;
>         }
>     }
>     ae0 {
>         description "GE Connection to DMZ";
>         vlan-tagging;
>         aggregated-ether-options {
>             link-speed 1g;
>         }
>         unit 376 {
>             description "VLAN 376 to DMZ";
>             vlan-id 376;
>             family inet {
>                 address 192.168.1.254/28;
>             }
>         }
>     }
> }
> 
> Or if you can live with a routed configuration rather than bridged,
> you could put an IP on the lo0 loopback interface and run a routing
> protocol to each firewall.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
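As an added illustration of the routed alternative Chuck mentions at the end of his reply (this is not configuration from either poster), here is a Junos sketch: the router's DMZ address lives on lo0 so it is not tied to any one physical link, each firewall gets its own point-to-point /30, and OSPF announces the loopback to both firewalls. The interface names, the /30 link addresses, the OSPF area, the re-use of 192.168.1.254 as the loopback address and the MD5 key are all assumptions; the firewall side of each OSPF adjacency is not shown. One caveat on Chuck's bridged example as well: an ae interface only exists once an aggregated-devices count is set under the `chassis` stanza, which sits before `interfaces` in the configuration and so would not have shown up in a `show configuration | find interfaces` listing.

```junos
/* Added example, not from the thread. Interface names, addresses, the
   OSPF area and the key are assumed; adjust them to the real topology. */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* Router's DMZ address: on the loopback, not on a physical
                   link, so it stays reachable while either firewall link is up */
                address 192.168.1.254/32;
            }
        }
    }
    ge-2/0/0 {
        description "GE point-to-point to firewall A";
        unit 0 {
            family inet {
                address 192.168.2.1/30;
            }
        }
    }
    ge-2/0/1 {
        description "GE point-to-point to firewall B";
        unit 0 {
            family inet {
                address 192.168.2.5/30;
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            /* Advertise the loopback without forming an adjacency on it */
            interface lo0.0 {
                passive;
            }
            /* One adjacency per firewall. Each link faces the DMZ, so
               authenticate the adjacency rather than accepting routes
               from anything that can speak OSPF on that segment.
               The key below is a placeholder. */
            interface ge-2/0/0.0 {
                interface-type p2p;
                authentication {
                    md5 1 key "replace-with-real-key";
                }
            }
            interface ge-2/0/1.0 {
                interface-type p2p;
                authentication {
                    md5 1 key "replace-with-real-key";
                }
            }
        }
    }
}
```

Run `commit check` before committing, then confirm with `show ospf neighbor` that both firewalls reach Full state and with `show route 192.168.1.254` on each firewall that the loopback is learned via its own /30. What this does not settle is the question John raises above, namely how the PIX failover pair behaves when the two units sit on different routed subnets; that depends on the firewall side and is outside what this router-side fragment shows.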
