ScreenOS Firewalls (NOT SRX)
Contributor
JerryE
Posts: 16
Registered: 07-31-2008
0

SSG and VLAN routing

Greetings,

First a little background info:

My network is comprised of 40-ish HP ProCurve switches with an SSG-550M at the front.  The edge switches are ProCurve 2524s and ProCurve 2650s.  I have 3 core switches (fiber distribution mostly), 2 of which are HP ProCurve 5304s, and an Extreme Summit X450a.  I have 6 VLANs configured and currently VLAN routing is done on the Extreme switch using switch policies for VLAN security.

The Extreme switch, while it is a monster of a switch, leaves much to be desired in terms of VLAN policy administration.  I'm thinking of moving my VLAN routing onto the SSG-550, which is a MUCH easier solution for VLAN policy management.  Is this a bad idea, a good idea, or maybe?

Thanks!

Contributor
privatepile
Posts: 42
Registered: 05-15-2008
0

Re: SSG and VLAN routing

Depends on your requirements, i.e. how much traffic is passing between VLANs?

If you have, say, a server VLAN and a client VLAN, I would not have the SSG route that traffic.  Let your firewall be a firewall, and the switch be a switch.

Contributor
JerryE
Posts: 16
Registered: 07-31-2008
0

Re: SSG and VLAN routing

Unfortunately, I did separate my servers onto a separate VLAN.  I think had I known then what I know now, I would not have done so.

I have the following VLANs:

networking (for device management)
servers
employees
students (lab computers)
wireless

I wish I'd have combined the servers and employee VLANs, because pretty much all of the employees need access to most servers.  The other VLANs should have very limited activity with each other.

And I think it worth noting, I don't think I've ever seen processor utilization above 3%, or more than 600 sessions active on the Juniper :)

Message Edited by JerryE on 08-04-2008 06:46 AM
Contributor
privatepile
Posts: 42
Registered: 05-15-2008
0

Re: SSG and VLAN routing

That's a reasonable architecture.  I've seen mixed results when trying to use the firewall in this manner, mainly session counts and the bottleneck that the interface creates.  Good luck.
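To make concrete what "VLAN routing with policy management on the SSG" looks like for the VLANs JerryE listed, here is an added ScreenOS configuration sketch; it is not from this thread or from Juniper's documentation. The trunk interface name ethernet0/2, the VLAN tags, the 10.0.x.0/24 addressing and the particular permit/deny rules are assumptions for illustration.

```screenos
## Added example (not from the thread). Interface ethernet0/2, the VLAN
## tags, the 10.0.x.0/24 addresses and the rules below are assumptions.

## One security zone per VLAN, so every inter-VLAN flow crosses a zone
## boundary and is subject to an explicit policy (interzone default is deny).
set zone name "networking"
set zone name "servers"
set zone name "employees"
set zone name "students"
set zone name "wireless"

## Intrazone traffic is allowed by default; block it on the untrusted
## user VLANs so lab and wireless hosts cannot reach each other unchecked.
set zone "students" block
set zone "wireless" block

## Router-on-a-stick: one 802.1Q subinterface per VLAN on the trunk port,
## each in route mode (no NAT between internal VLANs).
set interface ethernet0/2.10 tag 10 zone "networking"
set interface ethernet0/2.10 ip 10.0.10.1/24
set interface ethernet0/2.10 route
set interface ethernet0/2.20 tag 20 zone "servers"
set interface ethernet0/2.20 ip 10.0.20.1/24
set interface ethernet0/2.20 route
set interface ethernet0/2.30 tag 30 zone "employees"
set interface ethernet0/2.30 ip 10.0.30.1/24
set interface ethernet0/2.30 route
set interface ethernet0/2.40 tag 40 zone "students"
set interface ethernet0/2.40 ip 10.0.40.1/24
set interface ethernet0/2.40 route
set interface ethernet0/2.50 tag 50 zone "wireless"
set interface ethernet0/2.50 ip 10.0.50.1/24
set interface ethernet0/2.50 route

## Only the management VLAN may administer the firewall itself.
set interface ethernet0/2.10 manage ssh
set interface ethernet0/2.10 manage ping

## Employees need most servers: permit and log. Lab and wireless users get
## explicit logged denies toward servers and employees, so the attempts show
## up in the traffic log instead of silently hitting the implicit deny.
set policy from "employees" to "servers" "Any" "Any" "ANY" permit log
set policy from "students" to "servers" "Any" "Any" "ANY" deny log
set policy from "students" to "employees" "Any" "Any" "ANY" deny log
set policy from "wireless" to "servers" "Any" "Any" "ANY" deny log
set policy from "wireless" to "employees" "Any" "Any" "ANY" deny log
save
```

With this layout every employee-to-server packet enters and leaves the SSG on the same physical trunk port, which is the interface bottleneck privatepile mentions; at 3% CPU and 600 sessions that is not a concern yet, but it is the number to watch if the server and employee VLANs stay separate.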
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.