Routing

  • 1.  Separating network using VLAN

    Posted 05-26-2014 10:30
    Hi,

    First of all some background on the current setup...
    The network is flat with trust being on 10.0.0.0/16, gateway 10.0.0.254 which is on an SRX240, and a few VLANs on /24 subnets which are on the HP 5412zl switch. The network is:

    2 node SRX240H2 cluster active/passive, the active node connected to a HP 5412zl and passive to a HP 4204vl, the 5412 and 4204 are both connected. Then there are 2 user access switches (HP 4104gl) connected to the 4204vl, as below:

    Active Passive
    SRX240-1 SRX240-2
    | |
    HP 5412zl <- -> HP 4204vl
    |
    HP 4104gl x2

    I will soon be replacing the user access switches with Juniper EX2200s in a 4 node virtual chassis or 2 separate ones. These will be connected to both the HP 5412zl and 4204vl switches.

    At the same time as doing this I'll be separating the network into VLANs:

    Servers: 10.0.0.0
    Users ground floor: 10.0.1.0
    Users first floor: 10.0.2.0
    Printers: 10.0.3.0
    Other network devices: 10.0.4.0

    I stuck with those for ease as the servers are on that range now and are static. The user ones will get their IP from a Windows DHCP server.

    Now finally the questions:
    1) Is this a good way to separate the network?

    2) If so is static routing the way to go with it being a small network?

    3) Is it best to create these VLANs on the SRX interfaces so it acts as the gateway for all the VLANs?

    Thanks
    Ross


  • 2.  RE: Separating network using VLAN
    Best Answer

    Posted 05-30-2014 08:34

    Hmmmm, if it were me I'd do one of two things if your network is as small as you say it is. 


    Choice 1:

    Terminate layer three for all vlans on your srx240 cluster, and put them in a security zone (trust), or if you want to segment them even further, put them into their own respective security zones and have policies between them.  Then trunk the cluster down to your EX VC stack as your aggregation layer 2 level, and then trunk any remaining HP switches to that if you need them.


    Choice 2:

    Terminate layer 3 for all vlans on your EX VC stack and do some static routing to send traffic up to the firewall for internet access.  Again then trunk any other HP switches to the VC stack if you need them.


    I basically run Choice 1 on my home lab with an srx220 and one ex3300 switch, I just don't have a clustered/VC setup. Layer 3 for all my vlans is on the SRXs and they are in their own respective security zones, then I have a layer 2 trunk carrying all vlan traffic over to an ex3300 where I have end devices plugged into.  Choice 1 gives you more of a locked down security approach by separating via vlan and security zone.  Personally I think it's cleaner and looks more organized.
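    Choice 1 written out as Junos set commands for the original poster's five subnets. This is an added example, not the answerer's or Juniper's configuration: it assumes the cluster's redundancy-group 1 already exists, that reth0 (members ge-0/0/2 and ge-5/0/2) and ge-0/0/47 on the EX VC are the trunk ends, that VLAN IDs 10-14 are free, and that 10.0.0.10 stands in for the Windows DHCP server.

```junos
## Added example, not the poster's config: Choice 1 on the SRX240 cluster.
## Assumed: reth0 (members ge-0/0/2 and ge-5/0/2) is the trunk to the EX VC,
## VLAN IDs 10-14 are made up, and 10.0.0.10 stands in for the Windows DHCP server.
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-5/0/2 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 vlan-tagging
set interfaces reth0 unit 10 vlan-id 10
set interfaces reth0 unit 10 family inet address 10.0.0.254/24
set interfaces reth0 unit 11 vlan-id 11
set interfaces reth0 unit 11 family inet address 10.0.1.254/24
set interfaces reth0 unit 12 vlan-id 12
set interfaces reth0 unit 12 family inet address 10.0.2.254/24
set interfaces reth0 unit 13 vlan-id 13
set interfaces reth0 unit 13 family inet address 10.0.3.254/24
set interfaces reth0 unit 14 vlan-id 14
set interfaces reth0 unit 14 family inet address 10.0.4.254/24
## One security zone per function; both user floors share a zone.
set security zones security-zone servers interfaces reth0.10
set security zones security-zone users interfaces reth0.11
set security zones security-zone users interfaces reth0.12
set security zones security-zone printers interfaces reth0.13
set security zones security-zone infra interfaces reth0.14
## Users may only talk DHCP and ping to the SRX itself; nothing else is host-inbound.
set security zones security-zone users host-inbound-traffic system-services dhcp
set security zones security-zone users host-inbound-traffic system-services ping
## L3 now lives on the SRX, so relay user DHCP to the Windows server.
set forwarding-options helpers bootp server 10.0.0.10
set forwarding-options helpers bootp interface reth0.11
set forwarding-options helpers bootp interface reth0.12
## Inter-zone policy: permit only what is needed and log it; default stays deny-all.
set security policies from-zone users to-zone servers policy users-to-servers match source-address any
set security policies from-zone users to-zone servers policy users-to-servers match destination-address any
set security policies from-zone users to-zone servers policy users-to-servers match application any
set security policies from-zone users to-zone servers policy users-to-servers then permit
set security policies from-zone users to-zone servers policy users-to-servers then log session-close
set security policies from-zone users to-zone printers policy users-to-printers match source-address any
set security policies from-zone users to-zone printers policy users-to-printers match destination-address any
set security policies from-zone users to-zone printers policy users-to-printers match application junos-printer
set security policies from-zone users to-zone printers policy users-to-printers then permit
set security policies default-policy deny-all
## EX VC side (assumed uplink ge-0/0/47): one trunk carrying the same five VLANs.
set vlans servers vlan-id 10
set vlans users-ground vlan-id 11
set vlans users-first vlan-id 12
set vlans printers vlan-id 13
set vlans infra vlan-id 14
set interfaces ge-0/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members [ servers users-ground users-first printers infra ]
```

    Traffic from servers or printers back toward users is only allowed as return traffic of sessions the users opened, because no policy permits those zones to initiate anything and the default is deny; add an untrust zone policy for the users' internet access in the same style.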



  • 3.  RE: Separating network using VLAN

    Posted 05-30-2014 13:00
    Thanks Peter, I'll decide which one to do.

    The network is only 130 users, 50 servers, 5 externally published web sites.

    Do you think the SRX will be a bottleneck for this?


  • 4.  RE: Separating network using VLAN

    Posted 05-30-2014 13:17

    Nah, I don't think it will be a bottleneck at all.  Real world throughput (IMIX) for a 240 is around 600 Mbps, so transit traffic should be fine.  Should you find that things aren't as fast as you'd like them, you can always come back here for help.



  • 5.  RE: Separating network using VLAN

    Posted 05-30-2014 13:42
    Ok thanks Peter