Screen OS

  • 1.  Routing from router cisco to active/active cluster ssg

    Posted 08-09-2008 04:31
    We have an A/A cluster (2 SSG520 firewalls) with VSD 0 and VSD 1, and we have 2 redundant interfaces (red1 and red1:1). The untrust zone is connected to our remote site and the trust zone is local. In the trust zone we have a Cisco router that is the gateway for my local network, so on that gateway we must set a route to my remote site across the firewall. There are 2 red interfaces; how can I define the next hop for my route?


  • 2.  RE: Routing from router cisco to active/active cluster ssg

    Posted 08-09-2008 23:17

    Hi,

    When SSG firewalls are deployed in Active/Active, each has its own IP address rather than a floating address. This allows you to split the traffic across the 2 firewalls, but you need to either use some form of load balancing or statically set which traffic goes over which firewall.

    For example:

                 SSG 1                        SSG 2
              10.1.1.1                     10.1.1.2
                    |                            |
                    |                            |
                    ------------------------------
                                  |
                                  |
                            Cisco Router

    The Cisco router would set a route for a network via SSG1 10.1.1.1; this would fail over to SSG 2 if there is a failure, otherwise it will always flow over SSG1. To get the traffic to flow over both firewalls you would need to do something like ECMP (equal cost multipath) on the Cisco, where you can set 2 routes to the same network, one with a hop of 10.1.1.1 and one with a hop of 10.1.1.2. This will get traffic flowing over both firewalls. I don't know what this is called on a Cisco router; ECMP is something that I know you can do with the firewalls.

    Hope this helps. Let me know if this isn't what you are trying to do or if you want me to explain more.

    Regards

    Andy

     



  • 3.  RE: Routing from router cisco to active/active cluster ssg

    Posted 08-11-2008 01:55

    Thanks. Following your advice, can I understand that there must be a unique IP address for each VSI and we must have a separate route for each VSD in an A/A SSG cluster? All that I must do is set up something like ECMP in the Cisco router?

    I still have a small point to discuss. I think that the Redundant Interface is only useful if we only have 1 SSG device; otherwise it is useless if we have 2 SSG devices running a cluster (HSRP), because we can create VSI interfaces based on the necessary physical interface of each device instead of creating a Redundant interface based on the physical interfaces of each device and then creating a VSI based on it. If we want to run active/active mode, just create more VSD groups and go on. Is that right? Can you explain more clearly the difference between Red and VSI in that case? Thank you so much!



  • 4.  RE: Routing from router cisco to active/active cluster ssg
    Best Answer

    Posted 08-11-2008 03:25

    Hi,

    You are correct in that you must have a unique IP for each VSI when using active/active NSRP, and then a separate route from the Cisco router to each VSI IP.

    A VSI interface is created to have a floating IP address between the firewalls.

    For example:

    SSG1
    Eth 0/1:1   10.1.1.1 (active IP)
    Eth 0/1:2   10.1.1.2 (backup IP)
    Eth 0/2:1   2.2.2.1 (active IP)
    Eth 0/2:2   2.2.2.2 (backup IP)

    SSG2
    Eth 0/1:1   10.1.1.1 (backup IP)
    Eth 0/1:2   10.1.1.2 (active IP)
    Eth 0/2:1   2.2.2.1 (backup IP)
    Eth 0/2:2   2.2.2.2 (active IP)

    If SSG1 fails then SSG2 will take over the active IP addresses on SSG1:

    SSG1 (down)
    Eth 0/1:1   10.1.1.1
    Eth 0/1:2   10.1.1.2
    Eth 0/2:1   2.2.2.1
    Eth 0/2:2   2.2.2.2

    SSG2
    Eth 0/1:1   10.1.1.1 (active IP)
    Eth 0/1:2   10.1.1.2 (active IP)
    Eth 0/2:1   2.2.2.1 (active IP)
    Eth 0/2:2   2.2.2.2 (active IP)

    A redundant interface is where you have two interfaces on an SSG plugging into the same network and you want to have failover between those before failing over to another firewall, creating a full-mesh scenario.

    SSG1
    Red.1 eth0/1 (active)
    Red.1 eth0/2 (backup)
    Red.1 IP 10.1.1.1

    If eth0/1 fails then eth0/2 will take over. If you have a pair of SSGs, then only if both eth0/1 and eth0/2 fail will the SSG fail over to the other SSG.

    Have a look in the Concepts and Examples guide under High Availability and look at the Active/Active full-mesh configuration for more information.

    It depends on how you have your firewalls cabled up and how you want them to act, as to whether you need to use just VSI interfaces for device failover or whether you use VSI and redundant interfaces for a full-mesh scenario.

    I hope this explains a bit more.

    Regards

    Andy
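As an added example that is not part of the thread, this is the Cisco IOS side of what Andy describes in posts 2 and 4: one static route per trust-side VSI address, either as equal-cost routes (ECMP) or as primary and floating backup. The interface name, the router's own address and the remote-site prefix are assumptions; the VSI addresses follow the thread's example.

```cisco
! Added example (not from the thread): Cisco IOS static routing towards the
! two trust-side VSI addresses of an Active/Active SSG cluster.
! Assumed/constructed values: router LAN address 10.1.1.254/24 and
! remote-site prefix 192.168.100.0/24. VSI addresses 10.1.1.1 (VSD 0) and
! 10.1.1.2 (VSD 1) are taken from the example in the thread.
!
interface GigabitEthernet0/0
 description Trust LAN facing the SSG cluster
 ip address 10.1.1.254 255.255.255.0
!
! Option A: ECMP. Two static routes to the same prefix with the same (default)
! administrative distance are both installed, and IOS load-shares across them
! (per destination by default with CEF).
ip route 192.168.100.0 255.255.255.0 10.1.1.1
ip route 192.168.100.0 255.255.255.0 10.1.1.2
!
! Option B: primary/backup instead of load-sharing (remove Option A first).
! The second route is a floating static with a higher administrative distance
! and is installed only if the first one leaves the routing table.
! ip route 192.168.100.0 255.255.255.0 10.1.1.1
! ip route 192.168.100.0 255.255.255.0 10.1.1.2 10
!
! Caveat: a static route whose next hop is on a connected LAN stays in the
! routing table for as long as GigabitEthernet0/0 is up, even if the SSG that
! currently owns that next-hop address is down. Device failover is handled by
! NSRP moving the VSI address to the surviving SSG, so the router keeps using
! the same next hop; Option B by itself does not detect a dead firewall.
```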



  • 5.  RE: Routing from router cisco to active/active cluster ssg

    Posted 08-11-2008 09:11
    I'm clear now. Thank you so much!