NSRP, two SSG350Ms, and unmanaged switches in the Untrust Zone
I've implemented the attached topology as a temporary measure whilst we decide the future architecture of our changing environment - only upstream interfaces are shown.
So far this works exactly as expected, the active firewall broadcasts a PADI, the concentrator responds and thereafter I only see unicast traffic between the peers on the unmanaged switches - between the active node and two ISPs.
During failover, the PPPoE sessions are picked up seamlessly. I've also snooped the upstream interfaces of the passive node and haven't yet seen any PPPoE packets to cause concern; well, I've seen some PADIs and PADTs which do need some investigation.
Anyway, 'it's working' aside, can anyone see any fundamental issues with this temporary implementation? Again, this is a temporary fix.
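The discovery exchange described in the post (broadcast PADI, PADO/PADR/PADS unicast between the host and the concentrator, PADT to tear down) is simple enough to decode by hand from a snoop of the upstream ports. The following is an added example, not part of the original post or of ScreenOS: a small RFC 2516 frame parser plus a session tracker that walks a capture, records each PPPoE session's lifecycle, and reports the frames that neither a well-behaved client nor an AC would send (a unicast PADI, a PADT for a session that was never set up, session data with no live session). Because an unmanaged switch floods broadcast frames to every port, a broadcast PADI from the active node is expected to show up on the passive node's port; the tracker therefore only flags PADIs that are not broadcast. The MAC addresses and the capture are constructed for illustration.

```python
"""Decode PPPoE discovery/session frames and track session state over a capture.

Added example, not from the original post. Frame layout follows RFC 2516; the
MACs and the sample capture below are constructed for illustration."""
import struct

ETH_PPPOE_DISCOVERY = 0x8863
ETH_PPPOE_SESSION = 0x8864
BROADCAST = b"\xff" * 6
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}
TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_tags(payload):
    """Parse the TLV tag list of a discovery frame; stop at End-Of-List (0x0000)."""
    tags, off = {}, 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        value = payload[off:off + tlen]
        if len(value) != tlen:
            raise ValueError("truncated PPPoE tag")
        off += tlen
        if ttype == 0x0000:
            break
        tags[TAGS.get(ttype, f"0x{ttype:04x}")] = value
    return tags


def parse_frame(frame):
    """Decode Ethernet + PPPoE headers; reject malformed input rather than guess."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE header")
    dst, src = frame[:6], frame[6:12]
    ethertype, ver_type, code, session_id, length = struct.unpack("!HBBHH", frame[12:20])
    if ethertype not in (ETH_PPPOE_DISCOVERY, ETH_PPPOE_SESSION):
        raise ValueError(f"not PPPoE: ethertype 0x{ethertype:04x}")
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    if (code == 0x00) != (ethertype == ETH_PPPOE_SESSION):
        raise ValueError("code 0x00 is only valid with ethertype 0x8864, and vice versa")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds captured bytes")
    return {"dst": mac_str(dst), "src": mac_str(src), "broadcast": dst == BROADCAST,
            "code": CODES.get(code, f"0x{code:02x}"), "session_id": session_id,
            "tags": parse_tags(payload) if ethertype == ETH_PPPOE_DISCOVERY else {}}


def track_sessions(frames):
    """Follow PADI/PADO/PADR/PADS/PADT across a capture; return (sessions, anomalies).

    Suspicious frames are reported rather than raised so a whole capture can be
    reviewed in one pass. A broadcast PADI is normal and is not flagged."""
    sessions, anomalies = {}, []
    for raw in frames:
        p = parse_frame(raw)
        code, sid = p["code"], p["session_id"]
        if code == "PADI" and not p["broadcast"]:
            anomalies.append(f"unicast PADI from {p['src']} to {p['dst']}")
        elif code == "PADS":
            if sid == 0:  # RFC 2516: SESSION_ID 0 in a PADS means the AC refused
                anomalies.append(f"PADS with session 0 (refused) from {p['src']}")
            else:
                sessions[sid] = {"host": p["dst"], "ac": p["src"],
                                 "state": "established", "terminated_by": None}
        elif code == "PADT":
            s = sessions.get(sid)
            if s is None:
                anomalies.append(f"PADT for unknown session {sid:#06x} from {p['src']}")
            else:
                s["state"] = "terminated"
                s["terminated_by"] = "host" if p["src"] == s["host"] else "ac"
        elif code == "SESSION":
            s = sessions.get(sid)
            if s is None or s["state"] != "established":
                anomalies.append(f"session data for {sid:#06x} with no live session")
    return sessions, anomalies


def build_frame(dst, src, code, session_id=0, tags=(), payload=b""):
    """Build a frame for the sample capture: discovery if code != 0, else session stage."""
    ethertype = ETH_PPPOE_SESSION if code == 0 else ETH_PPPOE_DISCOVERY
    if code != 0:
        payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return dst + src + struct.pack("!HBBHH", ethertype, 0x11, code, session_id, len(payload)) + payload


HOST = bytes.fromhex("020000000001")  # constructed: active firewall upstream MAC
AC = bytes.fromhex("0200000000aa")    # constructed: ISP access concentrator
SAMPLE_CAPTURE = [  # constructed capture: one clean handshake, then one stray PADT
    build_frame(BROADCAST, HOST, 0x09, tags=[(0x0101, b""), (0x0103, b"\x00\x01")]),
    build_frame(HOST, AC, 0x07, tags=[(0x0102, b"isp-bras-1"), (0x0101, b""),
                                       (0x0104, b"\xde\xad"), (0x0103, b"\x00\x01")]),
    build_frame(AC, HOST, 0x19, tags=[(0x0101, b""), (0x0104, b"\xde\xad"), (0x0103, b"\x00\x01")]),
    build_frame(HOST, AC, 0x65, session_id=0x0001, tags=[(0x0101, b"")]),
    build_frame(AC, HOST, 0x00, session_id=0x0001, payload=b"\xc0\x21\x01\x01\x00\x04"),  # LCP Configure-Request
    build_frame(AC, HOST, 0xA7, session_id=0x0001),  # host tears the session down
    build_frame(AC, HOST, 0xA7, session_id=0x0042),  # PADT for a session never set up
]

if __name__ == "__main__":
    for raw in SAMPLE_CAPTURE:
        p = parse_frame(raw)
        print(f"{p['code']:<7} {p['src']} -> {'broadcast' if p['broadcast'] else p['dst']}  sid={p['session_id']:#06x}")
    sessions, anomalies = track_sessions(SAMPLE_CAPTURE)
    print(sessions)
    print(anomalies)
```

To use it on a real snoop, read each captured frame as raw bytes (the Ethernet header must be included, since the destination MAC is what separates a flooded broadcast PADI from a unicast one) and pass the list to `track_sessions`; frames sourced from the passive node's own MAC, or PADTs for sessions the tracker never saw established, are the ones worth chasing.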