[j-nsp] One router/two firewalls config question

John Center john.center at villanova.edu
Fri Mar 7 16:16:12 EST 2008


To reply to my own message, the PIX standby interfaces have to be on the 
same subnet as their corresponding primary interfaces.

	-John


John Center wrote:
> Hi Chuck,
> 
> The only problem with using a switch is it's a single point of failure.
>   I'm not sure how failover would work with each PIX on a separate
> routed subnet.  I'm looking into this now.
> 
> Thanks.
> 
>         -John
> 
> 
> Chuck Anderson wrote:
>> On Fri, Mar 07, 2008 at 10:33:42AM -0500, John Center wrote:
>>> interface Vlan376
>>>   description "GE connection to DMZ"
>>>   ip address 192.168.1.254 255.255.255.240
>>> ...
>>>
>>> This way, either firewall can talk to the other & has a common address
>>> to talk to the router.  Failover is easy & quick.  How does one do
>>> something similar in JUNOS v9?  VLANs can't have addresses assigned to
>>> them in JUNOS & there doesn't appear to be any support for IRB for the
>>> M120.  Any help would be greatly appreciated!
>> You are correct that the M-series cannot do IRB (except MX).  If you
>> can live with an external switch, you can create an Aggregated
>> Ethernet (802.3ad-type trunk) to that switch, plug both firewalls into
>> the switch, and use a configuration like this:
>>
>>> show configuration | find interfaces
>> interfaces {
>>     ge-2/0/0 {
>>         description "GE to switch port 1";
>>         gigether-options {
>>             802.3ad ae0;
>>         }
>>     }
>>     ge-2/0/1 {
>>         description "GE to switch port 2";
>>         gigether-options {
>>             802.3ad ae0;
>>         }
>>     }
>>     ae0 {
>>         description "GE Connection to DMZ";
>>         vlan-tagging;
>>         aggregated-ether-options {
>>             link-speed 1g;
>>         }
>>         unit 376 {
>>             description "VLAN 376 to DMZ";
>>             vlan-id 376;
>>             family inet {
>>                 address 192.168.1.254/28;
>>             }
>>         }
>>     }
>> }
>>
>> Or if you can live with a routed configuration rather than bridged,
>> you could put an IP on the lo0 loopback interface and run a routing
>> protocol to each firewall.
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
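As an added check, not part of this thread or of anyone's posted config, the Python below validates the design Chuck describes (two physical links in one AE bundle, a tagged unit with the DMZ address) together with the PIX rule John found (primary and standby interfaces must share the router's subnet). It assumes the router config is fed in Junos "display set" form and uses constructed PIX addresses, since the thread gives none.

```python
import ipaddress

# Constructed sample: the thread's router config rewritten in Junos
# "show configuration | display set" form, one statement per line.
SET_CONFIG = """\
set interfaces ge-2/0/0 gigether-options 802.3ad ae0
set interfaces ge-2/0/1 gigether-options 802.3ad ae0
set interfaces ae0 vlan-tagging
set interfaces ae0 aggregated-ether-options link-speed 1g
set interfaces ae0 unit 376 vlan-id 376
set interfaces ae0 unit 376 family inet address 192.168.1.254/28
"""

# Constructed PIX DMZ addresses (not given in the thread).
PIX_PRIMARY = "192.168.1.241"
PIX_STANDBY = "192.168.1.242"


def parse_set_config(text):
    """One token list per 'set ...' statement, with the leading 'set' dropped."""
    return [line.split()[1:] for line in text.splitlines() if line.startswith("set ")]


def check_dmz_design(text, bundle, vlan, fw_addrs):
    """Validate the AE + VLAN design and the PIX rule that primary and
    standby interfaces share the router's subnet. Returns problem strings."""
    stmts = parse_set_config(text)
    unit = ["interfaces", bundle, "unit", str(vlan)]
    problems = []
    # Physical links bound to the bundle via 'gigether-options 802.3ad <ae>'.
    members = sorted({s[1] for s in stmts if len(s) == 5
                      and s[0] == "interfaces" and s[2:] == ["gigether-options", "802.3ad", bundle]})
    if len(members) < 2:
        problems.append(f"{bundle} has {len(members)} member link(s); two are needed to survive a link failure")
    if ["interfaces", bundle, "vlan-tagging"] not in stmts:
        problems.append(f"{bundle} lacks vlan-tagging, so unit {vlan} cannot carry a tagged VLAN")
    if unit + ["vlan-id", str(vlan)] not in stmts:
        problems.append(f"unit {vlan} on {bundle} is not tagged with vlan-id {vlan}")
    addrs = [s[7] for s in stmts if len(s) == 8
             and s[:4] == unit and s[4:7] == ["family", "inet", "address"]]
    if not addrs:
        problems.append(f"unit {vlan} on {bundle} has no inet address")
        return problems
    net = ipaddress.ip_interface(addrs[0]).network
    for fw in fw_addrs:
        if ipaddress.ip_address(fw) not in net:
            problems.append(f"firewall address {fw} is outside {net}; PIX failover needs it in the router's subnet")
    return problems
```

The switch itself remains the single point of failure John raised; this check only catches a config that would break the bundle or the PIX failover pair.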
