ScreenOS Firewalls (NOT SRX)


11-24-2008 08:04 PM

Dear Sir,


Can you please help to verify if the below design is good? Thanks.

1. There are two links (Link1 and Link2) between SiteA and SiteB.
2. For each site, a pair of SSG140s with active/active resilience is configured. Each SSG140 has one link.
3. IPSec VPN (3DES) is built on Link1 and Link2 with the SSG140s.
4. On each site, there are two segments (segmentA & segmentB). We need to extend the two segments from SiteA to SiteB.
5. SegmentA will use Link1 as primary and Link2 as backup link. SegmentB will use Link2 as primary and Link1 as backup link.
6. On each site, a pair of 3560s (for resilience) will route the traffic to one of the SSG140s for each segment. Thus, there are four 3560s on each site.


As described in the attachment, I am also thinking of the below setup...


SiteA-SegmentA will select linkA, which is connected to SSG140A to access SiteB-SegmentA as primary, SSG140B is used as backup with static route.

SiteA-SegmentB will select LinkB, which is connected to SSG140B to access SiteB-SegmentB as primary, SSG140A is used as backup with static route.

Thus, though SSG140A and SSG140B are configured independently, the static routes on the switches will switch the traffic from the primary to the secondary link in case of primary link failure.

Compared with configuring the SSG140s in active/active, is it more reliable? As people have told me, active/active is seldom employed in real-life cases.

What do you think?
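The switch-side failover in the design above, as an added example that is not part of the original post: a Cisco IOS configuration for one SiteA 3560, sending segmentA's traffic toward the remote segmentA via SSG140A (primary, Link1) with a floating static route via SSG140B (backup, Link2). All addresses are constructed, and the IP SLA probe is an assumption added here because a plain static route pointing at an SSG on the LAN stays in the routing table even when that SSG's WAN link or VPN tunnel is down.

```ios
! Added example (not from the thread): SiteA 3560, segmentA routing.
! Constructed addressing (assumptions):
!   SiteA segmentA            10.1.10.0/24  (Vlan10 on this 3560)
!   SiteB segmentA            10.2.10.0/24  (remote 3560 SVI = 10.2.10.1)
!   SSG140A trust-side IP     10.1.1.254    (Link1, primary for segmentA)
!   SSG140B trust-side IP     10.1.1.253    (Link2, backup for segmentA)
ip routing
!
! Probe the remote segmentA gateway every 5 s through the Link1 VPN.
! The probe fails when Link1, SSG140A, or the Link1 tunnel is down.
ip sla 1
 icmp-echo 10.2.10.1 source-interface Vlan10
 threshold 1000
 timeout 2000
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Pin the probe target to the primary next hop with an untracked host
! route, so the probe can never succeed over the backup path and flap
! the primary route back into the table. Trade-off: 10.2.10.1 itself is
! unreachable from this switch while Link1 is down; the rest of
! 10.2.10.0/24 fails over normally.
ip route 10.2.10.1 255.255.255.255 10.1.1.254
!
! Primary path: AD 1, withdrawn from the table when track 1 goes down.
ip route 10.2.10.0 255.255.255.0 10.1.1.254 track 1
! Backup path (floating static): AD 250, installed only once the
! primary route is gone.
ip route 10.2.10.0 255.255.255.0 10.1.1.253 250
```

The matching SiteA 3560 for segmentB uses the same pattern with the next hops swapped, and the VPN proxy IDs on both SSG140 pairs must cover both segments for the backup path to carry the traffic.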



Re: SSG 140 VPN

11-26-2008 09:34 AM

I would not use active/active; it tends to be problematic. Use active/passive. Also, I would use one link as primary and the other as backup, such as a primary DS3 with a shadow backup. You might be over-engineering this and making it more complex than it has to be, my two cents.





Re: SSG 140 VPN

11-27-2008 07:35 PM

Thanks for your idea, and I have another idea.


1. For each leased line, configure two point-to-point VPNs (one for segmentA and the other for segmentB).

2. Use static routes in the switches to choose which line to go over and achieve load balancing. The two lines will back each other up in case of failure.

3. Each SSG140 has static routes pointing to both segmentA and B.

4. On each site, the pair of SSG140s are configured independently, neither A/A nor A/S.


What do you think of this design?





Re: SSG 140 VPN

11-28-2008 08:07 PM

1. When you say leased lines, do you mean a T1 to the INET or private frame-relay?


2. Is this two sites or four sites? If this is just two sites, then you can build a trunk to the switch and just VLAN tag segmentA and B.







Re: SSG 140 VPN

12-05-2008 07:21 AM

The leased line is 100M fast ethernet.


We want to build the VPN on layer three routing.