HA without a dedicated port for HA

buntit

Newbie

Posts: 2

« on: September 29, 2009, 09:49:30 PM »

Hi to all! I am just a newbie w/ Juniper Netscreen. I came here to seek advice and correct my understanding if I am wrong. Thanks in advance.

SCENARIO: I got 2 Netscreen SSG 320M. 4 of the ports are being used by customer for trust zone, untrust zone, DMZ and user-define DMZ. Now, our requirement is to configure it for HA Active/Active. I read on the technical files on the internet that for us to obtain or goal, we should have atleast 1 dedicated port for HA. My questions are:

1. Is it possible for us to set up the 2 x SSG 320 for HA even without a dedicated port?

2. In case this will be possible, what are the drawbacks/disadvantages/implications/issues that may arise for this set up?

Set up is below

R1==>untrust[FW1]trust===>[switch]<==trust[FW2]untrust<===R2

=] between R1 and R1 we're running VRRP
=] switch is Cisco 2900 series w/ 4 VLANs

Please advise and many thanks.

Lily


	Logged

signal15

Administrator
Sr. Member

Posts: 480

Re: HA without a dedicated port for HA

« Reply #1 on: September 30, 2009, 01:12:47 AM »

No, you need a dedicated port. You can free up a port by doing a trunk from your switches to the firewall and then using 802.1q tagging on subinterfaces.

Why are you doing active/active? If you exceed 50% capacity on the firewalls, and one dies, you are down. You no longer would have redundancy. Plus, the increased complexity is not worth it. More chance for configuration errors both on the firewall and the surrounding network equipment that could take it down, and more chance of problems. Troubleshooting is going to take you longer also if there is a problem.

Active/passive is a more solid solution. I've done a lot of both. Most customers that insist on active/active change their minds either during implementation or shortly thereafter. Juniper also recommends active/passive.


	Logged

buntit

Newbie

Posts: 2

Re: HA without a dedicated port for HA

« Reply #2 on: October 01, 2009, 07:47:36 PM »

Hi Signal! Appreciate the reply from you. I do have additional question if you don't mind regarding your reply below:

[No, you need a dedicated port. You can free up a port by doing a trunk from your switches to the firewall and then using 802.1q tagging on subinterfaces.]

=] Where will I put the current IP address of that interface that I need to free up and be used for HA?
=] If I my understanding is correct [which you can correct if I am wrong], you want me to do the set up below, right?

[FW1]<==dedicated port==>[switch1 w/ vlan]<== trunk connection==>[switch2 w/ vlan]<==dedicated port==>[FW2]

=] if the one above will be my set up, I have to configure my trunk port to allow the vlan I configured for the dedicated port connection of my FW right?
=] as for the A/A set up, I agree with you on it. So the set up will be the A/P. Just bothered now where will I put the IP address of the existing port on the FW that I'll be needing to free up to become a dedicated port for HA.

Many thanks.

Lily=]


	Logged

Pages: [1]

JuniperForum.com > Security > NSRP > Topic: HA without a dedicated port for HA

« previous next »

Latest Knowledgebase Articles

Navigation

Donate

Tools

Recent

Stats

Members

Stats

Users Online