SRX Services Gateway

SRX connectivity to 2 core switches

05-28-2011 05:36 PM

Hi,

I would like to connect 2 core switches (VRRP mode) to an SRX 650 firewall on two physical interfaces as uplinks, so this will provide redundancy for the core switches. Presently I don't have a 2nd firewall, so I'm looking for this option.

Can we do this, or will it form a loop? If possible, how?

Raj

Re: SRX connectivity to 2 core switches

05-29-2011 12:53 AM

Hello, it will certainly form a loop, and therefore you'd better configure the same *STP protocol on your SRX as on the core switches; this way one of your ports will be blocked. All you'll have to keep in mind is to have the VRRP master configured on the same switch which is the *STP root bridge.

This may also lead to some non-optimal traffic forwarding in case of VRRP switchover to the slave VRRP speaker, while the port to this switch is blocked by *STP, but it may happen very rarely or may not happen at all.

Regards,
Dumitru Papana

Re: SRX connectivity to 2 core switches

05-29-2011 03:04 PM

I am running MSTP in the core switches and sharing the VLANs between the two.

Is it possible in this scenario?

Raj

Solution accepted by topic author raj_bjs77 on 08-26-2015 01:27 AM

Re: SRX connectivity to 2 core switches

05-29-2011 08:13 PM

Hi Raj,

If you have the same VLANs on both uplinks going to the SRX, then you can simply enable MSTP/RSTP on the SRX and this will stop loops forming.

Make sure that you set the bridge priorities across your devices so that your core switches are the spanning-tree root for each of the VLANs (you probably don't want the SRX to be root) and that one of the links to the SRX is blocking (not the link between core switches).

Mixing both Layer-2 (xSTP) and Layer-3 (VRRP) redundancy always comes with caveats. In a triangle configuration such as this, VRRP requires that spanning-tree has converged before it can fail over correctly. Also, you will require all VLANs trunked between both switches so that the VRRP master can still send heartbeats to the backup, without relying on the SRX to be up.

Hope this helps

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
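As an added illustration of the accepted answer (example configuration written for this thread, not posted by Ben or taken from Juniper documentation), here is a Junos set-format sketch of the SRX side: two trunk uplinks, MSTP in the same region as the core switches, and the SRX's bridge priority pushed to the maximum so it can never win the root election. Interface names ge-0/0/0 and ge-0/0/1, VLAN IDs 10 and 20, the region name CORE-REGION and the suggested core-switch priorities are all assumptions; the `#` lines are comments and are not part of the set commands.

```junos
# Constructed example for the thread scenario: SRX 650 with two uplinks,
# ge-0/0/0 towards core switch 1 (VRRP master) and ge-0/0/1 towards core switch 2.
# Interface names, VLAN IDs and region name are assumptions, not values from the thread.
set vlans data vlan-id 10
set vlans voice vlan-id 20
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ data voice ]
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [ data voice ]

# MSTP region identity must match the core switches exactly (name, revision and
# VLAN-to-MSTI mapping); otherwise the SRX sits in its own region and only the CIST
# is shared across the boundary.
set protocols mstp configuration-name CORE-REGION
set protocols mstp revision-level 1

# 61440 is the highest (least preferred) bridge priority, so the SRX cannot become root.
# Give the core switches lower values (e.g. 4096 on the VRRP master, 8192 on the backup)
# so the spanning-tree root and the VRRP master are the same box, as advised above.
set protocols mstp bridge-priority 61440
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 bridge-priority 61440

# Both uplinks are full-duplex point-to-point links, which lets RSTP/MSTP converge quickly.
set protocols mstp interface ge-0/0/0 mode point-to-point
set protocols mstp interface ge-0/0/1 mode point-to-point
```

After committing, `show spanning-tree interface` on the SRX should list one of the two uplinks as BLK (the one towards the non-root core switch) and `show spanning-tree bridge` should show the core switch's bridge ID as root, not the SRX's own.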