ScreenOS Firewalls (NOT SRX)

MIPs, VIPs and Interface failovers

01-17-2012 10:21 AM

I have an SSG with two providers on them ProviderA and ProviderB. On ProviderA, I have MIPs defined and on ProviderB VIPs are defined. (I inherited this mess)

I am looking to know if I can mirror policies on each interface so that if any Provider goes down, the other picks up and routes out.

I am unsure if I need to configure the mirrored policies and routes with preferences.

ProviderA has the most bandwidth but is a cable provider (20Mb down, 5Mb up) while the other is a 10Gb connection. ProviderB handles VPN tunnels while ProviderA handles incoming connections to webservers, mailservers, etc.

Unsure if I make similar rules will the SSG understand what I am trying to do:

e.g. (existing)
ProviderA (external) --> VIP --> (http)
ProviderA (external) --> VIP --> (smtp)
ProviderA (external) --> VIP --> (POP3)

ProviderB (external) --> MIP -->

What I would like to do:
ProviderA (external) --> VIP --> (http) [preferred]
ProviderA (external) --> VIP --> (smtp) [preferred]
ProviderA (external) --> VIP --> (POP3) [preferred]

ProviderB (external) --> VIP --> (http) [only on a ProviderA failure]
ProviderB (external) --> VIP --> (smtp) [only on a ProviderA failure]
ProviderB (external) --> VIP --> (POP3) [only on a ProviderA failure]

ProviderB (external) --> MIP -->
ProviderB (external) --> MIP -->  [only on a ProviderB failure]


Re: MIPs, VIPs and Interface failovers

01-18-2012 05:48 PM

You really cannot point two different public ip addresses to the same internal ip address.

What you can do is add a second internal ip address to each of your servers, then use this as the destination for the second MIP/VIP you configure.

In terms of preferences, your inbound traffic will be what selects the interface used.

So for your mail systems you can configure your MX records with preferences for the larger pipe.

With the web traffic and the pop connections you don't get any control like this. So your choices are to round robin or manual failover.

Configure two DNS records for round robin. This means that every other connection goes to each line. Both lines are used all the time and the load inbound is spread.

Or you can manually change the record on failure. For this you configure the primary line and a very low TTL like 10 minutes on DNS. In the event of a failure you would have to change the ip address on the DNS record. Ten minutes after the change most clients would be updated and using the alternate link.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
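Added illustration of the layout the reply describes, written for this thread and not taken from the original post or from Juniper documentation: each server gets a second internal address, ProviderA's interface maps its public address to the first, ProviderB's interface maps a different public address to the second, and the policies are duplicated per provider zone. Interface names (ethernet0/0, ethernet0/1), zone names (untrust-A, untrust-B, trust), the documentation-range addresses and the virtual router name are all assumptions; the `#` lines are explanatory comments, not ScreenOS syntax. The VIP addresses are assumed to sit on the subnet of the interface that owns them, which ScreenOS requires.

```screenos
# Added example, not from the thread. Names and addresses are assumed.
# Web/mail server answers on 10.1.1.10 and on a second address 10.1.1.11;
# the second address exists only so ProviderB can have its own VIP target.

# ProviderA (ethernet0/0, zone untrust-A): one VIP per service, first address
set interface ethernet0/0 vip 203.0.113.10 80 HTTP 10.1.1.10
set interface ethernet0/0 vip 203.0.113.10 25 SMTP 10.1.1.10
set interface ethernet0/0 vip 203.0.113.10 110 POP3 10.1.1.10

# ProviderB (ethernet0/1, zone untrust-B): same services, second address
set interface ethernet0/1 vip 198.51.100.10 80 HTTP 10.1.1.11
set interface ethernet0/1 vip 198.51.100.10 25 SMTP 10.1.1.11
set interface ethernet0/1 vip 198.51.100.10 110 POP3 10.1.1.11

# A host that needs every port forwarded gets a MIP on each provider,
# again pointing at two different internal addresses (10.1.1.20 / 10.1.1.21)
set interface ethernet0/0 mip 203.0.113.20 host 10.1.1.20 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/1 mip 198.51.100.20 host 10.1.1.21 netmask 255.255.255.255 vr trust-vr

# Policies: identical per provider, differing only in source zone and VIP/MIP
set policy from untrust-A to trust any vip(203.0.113.10) HTTP permit
set policy from untrust-A to trust any vip(203.0.113.10) SMTP permit
set policy from untrust-A to trust any vip(203.0.113.10) POP3 permit
set policy from untrust-B to trust any vip(198.51.100.10) HTTP permit
set policy from untrust-B to trust any vip(198.51.100.10) SMTP permit
set policy from untrust-B to trust any vip(198.51.100.10) POP3 permit
set policy from untrust-A to trust any mip(203.0.113.20) any permit
set policy from untrust-B to trust any mip(198.51.100.20) any permit
```

Nothing in this configuration chooses a provider; which public address a client connects to (MX preference, round-robin A records, or a low-TTL record you change by hand, as the reply lays out) decides which interface carries the session. After applying it, `get session` on the SSG shows which interface and VIP/MIP each inbound session landed on, which is the quick way to confirm that traffic arriving via ProviderB is really using the second internal address rather than the first.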