I would like to connect 2 core switches (VRRP mode) to an SRX 650 firewall on two physical interfaces as uplinks, so this will provide redundancy for the core switches. Presently I don't have a 2nd firewall, so I'm looking for this option.
Can we do this, or will it form a loop? If possible, how?
Hello, it will certainly form a loop and therefore you'd better configure the same *STP protocol on your SRX as on the core switches; this way one of your ports will be blocked. All you'll have to keep in mind is to have the VRRP master configured on the same switch which is the *STP root bridge.
This may also lead to some non-optimal traffic forwarding in case of a VRRP switchover to the slave VRRP speaker while the port to this switch is blocked by *STP, but this may happen very rarely or may not happen at all.
If you have the same VLANs on both uplinks going to the SRX, then you can simply enable MSTP/RSTP on the SRX and this will stop loops from forming.
Make sure that you set the bridge priorities across your devices so that your core switches are the spanning-tree root for each of the VLANs (you probably don't want the SRX to be root) and that one of the links to the SRX is blocking (not the link between core switches).
Mixing both Layer-2 (xSTP) and Layer-3 (VRRP) redundancy always comes with caveats. In a triangle configuration such as this, VRRP requires that spanning-tree has converged before it can fail over correctly. Also, you will require all VLANs trunked between both switches so that the VRRP master can still send heartbeats to the backup, without relying on the SRX to be up.
Hope this helps.
Ben Dale, JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63, Juniper Ambassador. Follow me @labelswitcher
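The following Junos configuration is an added illustration of the design both replies describe, not configuration posted by either author: RSTP enabled on all three devices, bridge priorities set so that the core switch holding the VRRP master is the root bridge, the second core switch is the next-best root, and the SRX keeps the default (highest) priority so that one of its two uplinks, never the inter-switch trunk, ends up blocking. Interface names, VLAN 10, the 10.0.10.0/24 addressing and VRRP group 10 are constructed values, and the legacy (non-ELS) `family ethernet-switching` / `port-mode trunk` syntax is assumed, as found on the SRX 650 and same-era EX switches.

```junos
# ---- Core switch A: intended RSTP root AND VRRP master (constructed values) ----
# 4k is the lowest priority in this domain, so A wins the root election.
set protocols rstp bridge-priority 4k
set protocols rstp interface ge-0/0/0.0
set protocols rstp interface ge-0/0/1.0
# ge-0/0/0 = uplink to SRX, ge-0/0/1 = trunk to core B (carries VRRP hellos)
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members v10
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v10
set vlans v10 vlan-id 10
set vlans v10 l3-interface vlan.10
# Higher VRRP priority on the root bridge keeps master and root on the same box.
set interfaces vlan unit 10 family inet address 10.0.10.2/24 vrrp-group 10 virtual-address 10.0.10.1
set interfaces vlan unit 10 family inet address 10.0.10.2/24 vrrp-group 10 priority 250
set interfaces vlan unit 10 family inet address 10.0.10.2/24 vrrp-group 10 accept-data

# ---- Core switch B: secondary root, VRRP backup ----
set protocols rstp bridge-priority 8k
set protocols rstp interface ge-0/0/0.0
set protocols rstp interface ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members v10
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v10
set vlans v10 vlan-id 10
set vlans v10 l3-interface vlan.10
set interfaces vlan unit 10 family inet address 10.0.10.3/24 vrrp-group 10 virtual-address 10.0.10.1
set interfaces vlan unit 10 family inet address 10.0.10.3/24 vrrp-group 10 priority 100
set interfaces vlan unit 10 family inet address 10.0.10.3/24 vrrp-group 10 accept-data

# ---- SRX 650: two uplinks, one to each core switch; must never become root ----
# 32k is the default bridge priority; it is restated so the intent is explicit.
set protocols rstp bridge-priority 32k
set protocols rstp interface ge-0/0/0.0
set protocols rstp interface ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members v10
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v10
set vlans v10 vlan-id 10
set vlans v10 l3-interface vlan.10
# The SRX's own address on the VLAN; the core switches point their default
# route at it, and the SRX routes back via the VRRP virtual address 10.0.10.1.
set interfaces vlan unit 10 family inet address 10.0.10.254/24
set security zones security-zone trust interfaces vlan.10
```

After committing, `show spanning-tree bridge` on each device should report core A's bridge ID as the root, `show spanning-tree interface` on the SRX should show exactly one of ge-0/0/0.0 / ge-0/0/1.0 in the blocking (discarding) role, and `show vrrp` on core A should show the group as master. If the root and the VRRP master ever land on different switches, revisit the `bridge-priority` and `vrrp-group ... priority` values together rather than only one of them, since the second reply's caveat about sub-optimal forwarding applies precisely when those two roles diverge.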