ScreenOS Firewalls (NOT SRX)
ScreenOS Firewalls (NOT SRX)

NSRP, two SSG350Ms, and unmanaged switches in the Untrust Zone

‎08-05-2019 01:00 PM
Hi Guys, I've implemented the attached toplogy as a temporary measure whilst we decide the future architecture of our changing environment - only upstream interfaces are shown. So far this works exactly as expected, the active firewall broadcasts a PADI, the concentrator responds and thereafter I only see unicast traffic between the peers on the unmanaged switches - between the active node and two ISPs. During failover, the PPPoE sessions are picked up seemlessly. I've also snoop'd the upstream interfaces of the passive node and haven't yet seen any PPPoE packets to cause concern; well, I've seen some PADI's and PADT's which do need some investigation. Anyway, 'its working' aside, can anyone see any fundamental issues with this temporary implementation? Again, this is temporary fix. Cheers M


ScreenOS Firewalls (NOT SRX)

Re: NSRP, two SSG350Ms, and unmanaged switches in the Untrust Zone

‎08-05-2019 10:03 PM

Hi Mark,


The Active/Passive setup looks fine and is as per the concept of NSRP. Your statement that the failover works seemlessly actually confirms it too.

Regarding few packets seen on the snoop of passive device interfaces, PADI's being broadcast, they are expected to be seem.