[j-nsp] One router/two firewalls config question

[Chuck Anderson]

The switch would have a single VLAN/subnet for both interfaces to be 
on.

Yes, there would be a single point-of-failure for the switch, but the 
links themselves would still be redundant.  Simple switches are 
usually less prone to failure than a complex router.  I think most of 
the failures we have are human error or software-related (bugs), 
rather than actual hardware failures.  If the switch had a very low 
churn of changes, this would be mitigated.

You can think of IRB as being just an integrated switch inside the 
router--you still have only a single router/switch.  So in your 
original scenario, there was a single point-of-failure of the router 
itself. 

On Fri, Mar 07, 2008 at 04:16:12PM -0500, John Center wrote:
> To reply to my own message, the PIX standby interfaces have to be on the 
> same subnet as their corresponding primary interfaces.
> 
> 	-John
> 
> 
> John Center wrote:
> > Hi Chuck,
> > 
> > The only problem with using a switch is it's a single point of failure.
> >   I'm not sure how failover would work with each PIX on separate routed
> > subnet.  I'm looking into this now.
> > 
> > Thanks.
> > 
> >         -John
> > 
> > 
> > Chuck Anderson wrote:
> >> On Fri, Mar 07, 2008 at 10:33:42AM -0500, John Center wrote:
> >>> interface Vlan376
> >>>   description "GE connection to DMZ"
> >>>   ip address 192.168.1.254 255.255.255.240
> >>> ...
> >>>
> >>> This way, either firewall can talk to the other & has a common address
> >>> to talk to the router.  Failover is easy & quick.  How does one do
> >>> something similar in JUNOSv9?  VLANs can't have addresses assigned to
> >>> them in JUNOS & there doesn't appear to be any support for IRB for the
> >>> M120.  Any help would be greatly appreciated!
> >> You are correct that the M-series cannot do IRB (except MX).  If you
> >> can live with an external switch, you can create an Aggregated
> >> Ethernet (802.3ad-type trunk) to that switch, plug both firewalls into
> >> the switch, and use a configuration like this:
> >>
> >>> show configuration | find interfaces
> >> interfaces {
> >>     ge-2/0/0 {
> >>         description "GE to switch port 1";
> >>         gigether-options {
> >>             802.3ad ae0;
> >>         }
> >>     }
> >>     ge-2/0/1 {
> >>         description "GE to switch port 2";
> >>         gigether-options {
> >>             802.3ad ae0;
> >>         }
> >>     }
> >>     ae0 {
> >>         description "GE Connection to DMZ";
> >>         vlan-tagging;
> >>         aggregated-ether-options {
> >>             link-speed 1g;
> >>         }
> >>         unit 376 {
> >>             description "VLAN 376 to DMZ";
> >>             vlan-id 376;
> >>             family inet {
> >>                 address 192.168.1.254/28;
> >>             }
> >>         }
> >>     }
> >> }
> >>
> >> Or if you can live with a routed configuration rather than bridged,
> >> you could put an IP on the lo0 loopback interface and run a routing
> >> protocol to each firewall.