Screen OS

Hello Experts

We have mulitple zones in ISG-2000. We have multiple servers zone. One zone is storage/backup zone (5gig aggregate interface). When there is backup happen across the firewall between storage/backup zone and servers zone then there is huge latency and packet drop between each zones across firewall. 

Can any body point out what is the best practice to put backup/storage servers on firewall. I mean storage/backup servers should be in the same zone as servers zone? it should not cross the firewall but the problem is that we have multiple server zones.

Thanks

Generally backup operations push lots of data at the same time.  So it is best to avoid bandwidth restrictive devices like firewalls in this traffic path.

For the ISG2000 your bandwidth processing limit is between 2-4 gig according to the spec sheet.  In addition, lags can only put a single stream on a single link, so each flow would still be limited to the gig line.

http://www.juniper.net/us/en/local/pdf/datasheets/1100036-en.pdf

In a multizone datacenter, I would create a separate layer 2 only vlan for the backup traffic.  Then place a second nic card into the servers that attach just to the backup network.  Have the backups then run separate from the production traffic.  this way you are on line rate capable switching for the entire path.

Hi Spuluka

Thanks for the great idea. But one of my concern is that there are more than 150 physical servers and 400 virtual servers. On physical servers it would be a challenge to connect second nic to the network. The number is big and it would use 150 extra network ports. Do you have any other solution for that?

Hi,

Yes you are correct that there would be additional NIC and port required.

As I have experienced this earlier, the better way to do is as suggested above i.e. use second NIC.

Apart fromFirewall being the bottelneck, at time the NIC itself will be a bottelneck causing delay in production traffic.

Venkat

Hello 

Thanks for the reply. I was just thinking, if I would had SRX then I could use the selective packet mode for backup traffic. It will improve the situation althrough backup traffic is still passing through firewall but in packet mode?

Thanks

Not sure about the SRx. However I belive with single interface on the server at some point there would be some congestion

Venkat

Unless there have been feature updates recently, packet mode is either on or off for the box as a whole.  And even if a selective packet mode were available, I doubt you would see enough of a throughput difference to be measurable.

With a large number of servers there is even more reason to get the backup traffic path physically separated and onto full line rate hardware path.

Running the backups through the firewall is really for small installations where the traffic is not large enough or long running enough to become a problem.

Hello All

Thanks for the help. So from your side the final solution could be, connect the second NIC of servers and backup appliance in the same VLAN (L2 BACKUP VLAN)? If there is any other solution please let me know.