Screen OS

  • 1.  Single ISG 1000 with failover to two core switches

    Posted 07-18-2010 07:29

    I have a situation where a single ISG 1000 is part of the security solution. This needs to be connected to two of the core switches to split the security zones: trust, un_trust, DMZ. I am looking for redundant interface failover in which one interface connects to coreswitch1 and the second to coreswitch2; basically, a single point of device failure in the firewall, but in case a switch fails I still need to have the ISG securing the zones.

    I know it is not a very good design, but at present we are limited to one firewall. I am looking for the best design with a single firewall. Can anyone help me with the best possible design in this scenario?

    Thanks for all your valuable suggestions.

    Aji



  • 2.  RE: Single ISG 1000 with failover to two core switches

    Posted 07-18-2010 14:49

    I don't understand your topology from the post.  You have two core switches and the firewall.  Are the core switches existing and already interconnected?  And you are adding a firewall to the mix?



  • 3.  RE: Single ISG 1000 with failover to two core switches

    Posted 07-19-2010 07:48

    The core switches are interconnected and there is no firewall at present.

    A single ISG 1000 will be added to the environment for protecting different zones (VLANs) in the core switches: one VLAN for the internal users (trust), a second VLAN in which 2 servers will be connected (DMZ), and a third VLAN towards the internet (un_trust). In the case of two firewalls I would have connected the respective interfaces from the ISG to each core switch and run NSRP for HA.

    How can this be achieved with one firewall? Can I connect one interface to coreswitch1 and another interface to coreswitch2 for interface redundancy, so that a switch failure or link failure to coreswitch1 will not have an impact on the security solution?

    Attaching the diagram with two firewalls; what will be the best in terms of connectivity and configuration?

    I am OK having a single point of failure in the firewall for now.

    My apologies, I am not good at explaining the situation.

    Attachment(s): Test.pdf (50 KB)


  • 4.  RE: Single ISG 1000 with failover to two core switches

    Posted 07-20-2010 00:13

    The attached design in the last post is with two firewalls, but what will be the best design and config in case we have only one firewall?

    Rgds,
    Aji NC


  • 5.  RE: Single ISG 1000 with failover to two core switches

    Posted 07-20-2010 04:58

    Thanks for the overview.  I see two major design considerations in this scenario.

    First, you need to ensure that your core switching no longer operates at layer three for these two security zones.  Right now there is a routed VLAN interface that allows those two zones and their associated VLANs to communicate with each other.  Once you install the firewall you need to ensure that the only route between the affected VLANs will transit the switch.

    You will trunk all the affected VLANs to the firewall.

    Assign the affected VLAN network segments to the correct zones on the firewall.

    Create your rules for the control of the traffic.

    Second is the consideration for your interface failover between the two core switches.  You say you want redundancy between the two cores.  So you will need to set up redundant interfaces on the firewall with one going to each switch.  Then configure them so that the failover between them occurs and no loops are created in the Ethernet fabric.

    You can review your options for this in Volume 11, Chapter 2, "Interface Redundancy", of the Concepts and Examples guide, page 49 and following.



  • 6.  RE: Single ISG 1000 with failover to two core switches

    Posted 07-21-2010 05:50

    In this case, can I create one bridge group, add the interfaces to the bridge group, and assign the IP address to the bridge group? Are bridge groups supported on the ISG 1000? This is because I want to route the traffic from the core switch to a single IP only.

    In the case of redundant interfaces, should I assign IPs to both interfaces? Am I right?

    Is there a possibility of creating a VLAN interface other than vlan1, or is it the same as a bridge group?

    Thx

    Aji



  • 7.  RE: Single ISG 1000 with failover to two core switches
    Best Answer

    Posted 07-21-2010 14:52

    Since you have three VLANs I was assuming you would:

    Create the three VLANs on the firewall with the appropriate IP addresses

    Connect a trunk port to the firewall with all three VLANs

    Create the policies for inter-VLAN communications on the firewall

    The bgroup is really just a mini switch with whatever interfaces you put into it.  You can think of the bgroup as essentially an alternative to the VLAN.  This is not a method of interface redundancy.  All members of the bgroup are active all the time and are access ports.  So if you created a bgroup with two interfaces connected to the two core switches you would likely be setting up a loop.

    You'll need to review the interface redundancy options in the Concepts guide listed above and determine which fits your existing setup best.
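
    Editor's note: the following ScreenOS CLI fragment is an added illustration of the design described in posts 5 and 7 (trunk the three VLANs to the firewall over a redundant interface, bind each VLAN to its zone, control traffic with explicit policies). It is not configuration from the thread, from the original poster, or from Juniper documentation. Interface names (ethernet1/1, ethernet1/2, redundant1), VLAN tags, addresses, server names and the choice of the trust zone for the untagged parent interface are assumptions for illustration; the exact options for redundant interfaces and subinterfaces on the ISG 1000 should be checked against the "Interface Redundancy" chapter cited above before use.

```screenos
## Added example, not from the thread. Names, VLAN IDs and addresses are assumed.
##
## Prerequisite on both core switches (vendor-specific, not shown): remove the
## routed VLAN interfaces (SVIs) for VLANs 10, 20 and 30 so the firewall is the
## only path between those VLANs, and configure the port to the firewall on
## each core as an 802.1Q trunk carrying VLANs 10, 20 and 30 with no untagged
## (native) VLAN traffic.

## 1. One redundant interface with one member to each core switch.
##    Only the primary member forwards; the other member takes over when the
##    primary link goes down. This is why a redundant interface, and not a
##    bgroup (all ports active at once), is the right tool here: no loop is
##    formed through the two interconnected cores.
set interface redundant1 zone trust
set interface ethernet1/1 group redundant1
set interface ethernet1/2 group redundant1
set interface redundant1 primary ethernet1/1

## 2. One tagged subinterface per VLAN on the redundant interface, each bound
##    to its zone and carrying the default gateway address that used to live
##    on the core switch SVI. Only the subinterfaces get IP addresses; the
##    member ports ethernet1/1 and ethernet1/2 carry none.
set interface redundant1.1 tag 10 zone trust
set interface redundant1.1 ip 10.1.10.1/24
set interface redundant1.2 tag 20 zone dmz
set interface redundant1.2 ip 10.1.20.1/24
set interface redundant1.3 tag 30 zone untrust
set interface redundant1.3 ip 203.0.113.2/30
set route 0.0.0.0/0 interface redundant1.3 gateway 203.0.113.1

## 3. Address objects for the two DMZ servers and explicit inter-zone policies.
##    Policies are evaluated in order; keep the DMZ-to-trust deny explicit and
##    logged so attempts from a compromised server are visible.
set address dmz "srv1" 10.1.20.10/32
set address dmz "srv2" 10.1.20.11/32
set policy id 1 from trust to dmz any "srv1" HTTP permit log
set policy id 2 from trust to dmz any "srv2" HTTP permit log
set policy id 3 from trust to untrust any any any permit log
set policy id 4 from untrust to dmz any "srv1" HTTP permit log
set policy id 5 from dmz to trust any any any deny log
set policy id 6 from dmz to untrust any any any deny log
```

    With this layout the core switches only need a default route (or their users' default gateway) pointing at the firewall's address in each VLAN; the same IP is reachable whichever core currently holds the active member link, which is what the poster was trying to get from a bgroup. To test the failover, pull the link on ethernet1/1 and confirm with `get interface redundant1` that ethernet1/2 has become active and that sessions across the zones continue.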