Screen OS

  • 1.  NSRP Active/Active VSD groups Question

    Posted 11-29-2011 02:41

    Hi Experts

    I have a requirement that both SSG550 firewalls should be in A/A such that:

    1- One ISP link should be active on FW1 and the other ISP link should be active on FW2

    2- LAN subnet 1 should be active on FW1 and LAN subnet 2 should be active on FW2

    My question is:

    1- For LAN subnets 1 and 2, I will create two VSD groups, 1 and 2 respectively, so that VSD1 is active on FW1 and VSD2 is active on FW2. I want the VSI interfaces of the two VSD groups to have different IPs (the gateway IPs of the two subnets). Is that a possible and valid configuration?

    2- For the WAN links, I can put ISP link 1 in VSD group 1 and link 2 in VSD group 2. But can I configure different VSD groups, like 3 and 4, for the two WAN links?

    Thanks in advance for the reply



  • 2.  RE: NSRP Active/Active VSD groups Question

    Posted 11-30-2011 02:13

    Create 2 virtual routers, each will have its own DG.

    Create 2 VSDs, one that includes LAN1 and ISP1, and uses Virtual Router1. The other that includes LAN2, ISP2 and uses VR2.

    Make node1 the master of the first VSD and node2 the master of the other VSD.

    Sam.



  • 3.  RE: NSRP Active/Active VSD groups Question

    Posted 12-04-2011 01:11

    Thanks for the reply. I'd just like to know why you mentioned virtual routers. Can we not do this without virtual routers? Also, just for my understanding of VSD groups: if I put the LAN interface of one firewall in one VSD group and the WAN interface in a second VSD group, and the default route points to the WAN interface, then when this firewall receives traffic on the LAN interface, can it forward the traffic towards the WAN interface or not? In other words, should the WAN and LAN interfaces be in one VSD?

    Thanks



  • 4.  RE: NSRP Active/Active VSD groups Question
    Best Answer

    Posted 12-06-2011 01:21

    Hi,

    I mentioned Virtual Routers so that traffic from LAN1 will be routed out over WAN1, and traffic from LAN2 will be routed out over WAN2. You could achieve the same thing with source based or policy based routing though.

    Sam.



  • 5.  RE: NSRP Active/Active VSD groups Question

    Posted 12-06-2011 21:25

    Hi Sam

    Thanks for the input. Just two questions:

    1- If we use neither VRs nor policy based routing, then which WAN interface will traffic coming in on LAN1 and LAN2 take, WAN1 or WAN2? I have default routes to both WAN1 and WAN2.

    2- If I put the LAN interface of one firewall in one VSD group and the WAN interface in a second VSD group, and the default route points to the WAN interface, then when this firewall receives traffic on the LAN interface, can it forward the traffic towards the WAN interface or not? In other words, should the WAN and LAN interfaces be in one VSD?

    Appreciate your input