[j-nsp] One router/two firewalls config question

John Center john.center at villanova.edu
Tue Mar 11 10:30:19 EDT 2008 

Hi Chuck,

Our M120 has multiple REs, FEBs, FPCs, etc. just to avoid that scenario. 
  ;-)  It is the most redundant piece of equipment we have.  It's funny, 
but it looks like it might have been better to have 2 separate boxes! 
Then, we could have done VRRP, etc.

Thanks.

	-John


Chuck Anderson wrote:
> The switch would have a single VLAN/subnet for both interfaces to be
> on.
> 
> Yes, there would be a single point-of-failure for the switch, but the
> links themselves would still be redundant.  Simple switches are
> usually less prone to failure than a complex router.  I think most of
> the failures we have are human error or software-related (bugs),
> rather than actual hardware failures.  If the switch had a very low
> churn of changes, this would be mitigated.
> 
> You can think of IRB as being just an integrated switch inside the
> router--you still have only a single router/switch.  So in your
> original scenario, there was a single point-of-failure of the router
> itself.
> 
> On Fri, Mar 07, 2008 at 04:16:12PM -0500, John Center wrote:
>> To reply to my own message, the PIX standby interfaces have to be on the
>> same subnet as their corresponding primary interfaces.
>>
>>       -John
>>
>>
>> John Center wrote:
>>> Hi Chuck,
>>>
>>> The only problem with using a switch is it's a single point of failure.
>>>   I'm not sure how failover would work with each PIX on separate routed
>>> subnet.  I'm looking into this now.
>>>
>>> Thanks.
>>>
>>>         -John
>>>
>>>
>>> Chuck Anderson wrote:
>>>> On Fri, Mar 07, 2008 at 10:33:42AM -0500, John Center wrote:
>>>>> interface Vlan376
>>>>>   description "GE connection to DMZ"
>>>>>   ip address 192.168.1.254 255.255.255.240
>>>>> ...
>>>>>
>>>>> This way, either firewall can talk to the other & has a common address
>>>>> to talk to the router.  Failover is easy & quick.  How does one do
>>>>> something similar in JUNOSv9?  VLANs can't have addresses assigned to
>>>>> them in JUNOS & there doesn't appear to be any support for IRB for the
>>>>> M120.  Any help would be greatly appreciated!
>>>> You are correct that the M-series cannot do IRB (except MX).  If you
>>>> can live with an external switch, you can create an Aggregated
>>>> Ethernet (802.3ad-type trunk) to that switch, plug both firewalls into
>>>> the switch, and use a configuration like this:
>>>>
>>>>> show configuration | find interfaces
>>>> interfaces {
>>>>     ge-2/0/0 {
>>>>         description "GE to switch port 1";
>>>>         gigether-options {
>>>>             802.3ad ae0;
>>>>         }
>>>>     }
>>>>     ge-2/0/1 {
>>>>         description "GE to switch port 2";
>>>>         gigether-options {
>>>>             802.3ad ae0;
>>>>         }
>>>>     }
>>>>     ae0 {
>>>>         description "GE Connection to DMZ";
>>>>         vlan-tagging;
>>>>         aggregated-ether-options {
>>>>             link-speed 1g;
>>>>         }
>>>>         unit 376 {
>>>>             description "VLAN 376 to DMZ";
>>>>             vlan-id 376;
>>>>             family inet {
>>>>                 address 192.168.1.254/28;
>>>>             }
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> Or if you can live with a routed configuration rather than bridged,
>>>> you could put an IP on the lo0 loopback interface and run a routing
>>>> protocol to each firewall.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list