ScreenOS Firewalls (NOT SRX)

SSG and VLAN routing

07-31-2008 01:25 PM



First a little background info:

My network is comprised of 40ish HP Procurve switches with an SSG-550M at the front.  The edge switches are Procurve 2524s and Procurve 2650s.  I have 3 core switches (fiber distribution mostly), 2 of which are HP Procurve 5304s, and an Extreme Summit x450a.  I have 6 VLANs configured and currently VLAN routing is done on the Extreme switch using switch policies for VLAN security.


The Extreme switch, while it is a monster of a switch, leaves much to be desired in terms of VLAN policy administration.  I'm thinking of moving my VLAN routing onto the SSG-550, which is a MUCH easier solution for VLAN policy management.  Is this a bad idea, a good idea, or maybe?




Re: SSG and VLAN routing

07-31-2008 04:57 PM

Depends on your requirements, i.e. how much traffic is passing between VLANs?


If you have say, a server vlan and a client vlan, I would not have the SSG route that traffic.  Let your firewall be a firewall, and the switch be a switch.


Re: SSG and VLAN routing

08-04-2008 06:43 AM

Unfortunately, I did separate my servers onto a separate VLAN.  I think had I known then what I know now, I would not have done so.

I have the following VLANS:

networking (for device management)
I wish I'd have combined the servers and employee VLANs, because pretty much all of the employees need access to most servers.  The other VLANs should have very limited activity with each other.


And I think it worth noting, I don't think I've ever seen Processor Utilization above 3%, or more than 600 sessions active on the Juniper :)

Message Edited by JerryE on 08-04-2008 06:46 AM
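For readers weighing the same move, here is what "VLAN routing on the SSG" looks like in ScreenOS terms, covering both the original question (subinterfaces per VLAN with zone-to-zone policies instead of switch ACLs) and the capacity point raised above (the CPU and session checks you would watch after cutting over). This is an added editorial example, not configuration from JerryE or from Juniper documentation. Assumptions: the 802.1Q trunk from the core lands on ethernet0/2 of the SSG-550M, and the VLAN IDs, zone names, subnets and address-object names are made up for illustration. Lines beginning with # are annotations, not ScreenOS commands, and must be stripped before pasting into the CLI.

```screenos
# Added example (not from the thread). Assumed: trunk on ethernet0/2,
# VLAN IDs 20/30/40, and the subnets below are all illustrative.
# Lines starting with # are annotations, not ScreenOS syntax.

# One custom zone per VLAN so every policy is written zone-to-zone.
# Traffic between custom zones is denied until a policy permits it.
set zone name "employees"
set zone name "servers"
set zone name "students"

# 802.1Q subinterfaces on the trunk; the SSG becomes the default gateway
# for each VLAN. "route" selects route mode (no NAT between internal zones).
set interface ethernet0/2.20 tag 20 zone "employees"
set interface ethernet0/2.20 ip 10.20.0.1/24
set interface ethernet0/2.20 route
set interface ethernet0/2.30 tag 30 zone "servers"
set interface ethernet0/2.30 ip 10.30.0.1/24
set interface ethernet0/2.30 route
set interface ethernet0/2.40 tag 40 zone "students"
set interface ethernet0/2.40 ip 10.40.0.1/24
set interface ethernet0/2.40 route

# Address objects referenced by the policies (names are assumed).
set address "employees" "employee-net" 10.20.0.0 255.255.255.0
set address "servers"   "server-net"   10.30.0.0 255.255.255.0
set address "students"  "student-net"  10.40.0.0 255.255.255.0

# Employees need most servers (the thread's own case): broad permit, logged.
set policy from "employees" to "servers" "employee-net" "server-net" "ANY" permit log

# Students get only the named services; anything else falls to the
# implicit inter-zone deny. Explicit deny+log on the last line makes the
# blocked attempts visible in the event log instead of silently dropping.
set policy from "students" to "servers" "student-net" "server-net" "HTTP" permit log
set policy from "students" to "servers" "student-net" "server-net" "DNS" permit
set policy from "students" to "employees" "Any" "Any" "ANY" deny log

save

# Capacity checks for the concern raised in the replies: watch these
# during a busy period after cutting VLAN routing over to the firewall.
get performance cpu
get session info
get counter statistics interface ethernet0/2
```

The design point is that once the trunk terminates on the firewall, every inter-VLAN flow becomes a policy lookup and a session-table entry, which is exactly what makes the policy management easier and exactly what the replies warn about: the session count and the single trunk interface become the ceiling, so the three `get` commands at the end are the numbers to compare against the 3% CPU and 600-session baseline before deciding the move is safe.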

Re: SSG and VLAN routing

08-05-2008 11:58 PM
That's a reasonable architecture.  I've seen mixed results when trying to use the firewall in this manner.  Mainly session counts and the bottleneck that the interface creates.   Good luck.