xdxml12

join:2012-10-26

FW STP?

Hi All,

I had a quick question I wanted to run by you. I have the attached picture for clarification. I have 2 firewalls that will both be on but in transparent mode. If that is the case, from my understanding they will be in layer 2 mode. (These are ISG 1000 FWs.) Am I correct that the topology attached will not work if I want both firewalls to be on, because spanning tree will block one connection to the firewall? Or is this a wrong deduction? The plan is being able to use both firewalls to "load balance" the in/out connections to the server. The routing will happen at the core.

Any help will be appreciated.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

transparent mode creates 'bump in the wire' firewalls.
all normal "stp bits" will be done per usual -- so if you're layer-2 to your switch -- you're going to create a blocked stp port.

while i can't speak to other fw vendors in transparent mode -- cisco asa best practices for transparent firewalls are to use a dedicated context per vlan. in this instance -- you achieve 'active/active' based on a per-vlan basis (i.e. you'll have even vlans active on one, odds on the other -- completely based on stp).
if you're running a mcec-capable device, you can achieve a completely active design.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to xdxml12

FYI, the context concept in Cisco firewall is like virtual system or virtual router in Juniper ScreenOS lingo.



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by aryoba:

FYI, the context concept in Cisco firewall is like virtual system or virtual router in Juniper ScreenOS lingo.

but if i recall correctly -- in a 'transparent' mode -- juniper (at least the srx) can have multiple 'bridge-groups' inside of a logical system, yes? in this instance, you could do everything inside of a single logical system and just take inside-outside vlan pairs and bridge them using unique group numbers -- rather than cisco asa where you can only specify an inside-outside pair globally per context.

q.

aryoba
Premium,MVM
join:2002-08-22
kudos:4

In Juniper SRX running JUNOS, you can have multiple routing instances (similar to multiple contexts in ASA) which comprise multiple virtual routers/switches/firewalls within a single physical box, where each individual interface (either logical or physical) belongs to a specific routing instance.



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by aryoba:

In Juniper SRX running JUNOS, you can have multiple routing instances (similar to multiple contexts in ASA) which comprise multiple virtual routers/switches/firewalls within a single physical box, where each individual interface (either logical or physical) belongs to a specific routing instance.

i grasp the concepts, aryoba. ;-)
in juniper-speak -- routing-instance is similar to a vrf. unified control-plane with different tables for each instance. logical-systems are complete partitions of the router/firewall into multiple "virtual" boxen (similar to the nexus vdc concept). these systems, while falling under the same umbrella -- have unique control planes that must be switched back and forth to.

using this comparison -- while juniper srx may be able to handle unique bridge groups within the same logical-system and creating routing-instances for each vlan -- i feel that a more 'complete' comparison with an asa's context is a logical system. in this comparison, you must switch to a unique control-plane prior to changing any relevant config;
set cli logical-system (foo)
in juniper-land,
changeto context (foo)
in asa-speak. however -- regardless of method of attack -- the principle (and question) remain the same that juniper can create multiple bridge-groups without having to resort to the hackery that cisco provides?

in fact -- digging deeper -- it looks to be the case -- and even to the point where vlan translations aren't required to work. in this case -- as i see it -- the default routing-instance and logical-system can be used to provide a large number of transparent firewalls -- one for each vlan -- without any trickery.

q.

aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by tubbynet:

said by aryoba:

In Juniper SRX running JUNOS, you can have multiple routing instances (similar to multiple contexts in ASA) which comprise multiple virtual routers/switches/firewalls within a single physical box, where each individual interface (either logical or physical) belongs to a specific routing instance.

i grasp the concepts, aryoba.
in juniper-speak -- routing-instance is similar to a vrf.

Not quite, since you can set routing instances as various systems such as virtual router, virtual switch, VRF, VPLS, and L2VPN. It is kind of a different animal.

But why do you need a bridge group anyway in the 1st place? You can simply create multiple Layer-3 VLANs (SVIs in Cisco world) to support both routing and switching.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to tubbynet

I recalled I found it interesting when one guy with a Cisco background (limited to no background on JUNOS) met another guy with a Juniper background (limited to no background on Cisco). The conversation between them was like each person using their own language, and it did not match up; not until they spoke of protocols and networking logic.



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to aryoba

said by aryoba:

Not quite, since you can set routing instances as various systems such as virtual router, virtual switch, VRF, VPLS, and L2VPN. It is kind of a different animal.

hence the word similar -- it's not quite the same thing -- but it's the closest approximation that exists. ;-P

But why do you need a bridge group anyway in the 1st place? You can simply create multiple Layer-3 VLANs (SVIs in Cisco world) to support both routing and switching.

this is in regards to transparent mode firewalls -- not routers, nor switches.

in the op's case -- for a cisco asa to work as required -- you must set up each vlan as its own context. this context has an 'inside' and an 'outside'. the 'outside' has its own vlan tag, which is then re-written post-filtering and vice-versa.
as such -- you'd create something similar to the following:

context_10
• outside_vlan = 10
• inside_vlan = 1010

context_20
• outside_vlan = 20
• inside_vlan = 1020

and so forth. as you can see -- you have to create a separate context for each bridge pair.

in j-land -- you can set up unique bridge groups to filter pairs of vlans without having to use a different routing-instance or logical systems (at least this is how i understand things to work).

q.

aryoba
Premium,MVM
join:2002-08-22
kudos:4

This is one way of doing it in SRX (pardon the simplicity):


vlans {
    FW1_Outside {
        vlan-id 10;
        l3-interface vlan.10;
    }
    FW1_Inside {
        vlan-id 1010;
        l3-interface vlan.1010;
    }
    FW2_Outside {
        vlan-id 20;
        l3-interface vlan.20;
    }
    FW2_Inside {
        vlan-id 1020;
        l3-interface vlan.1020;
    }
}

security {
    zones {
        security-zone FW1-trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1010;
            }
        }
        security-zone FW1-untrust {
            screen untrust-screen;
            interfaces {
                vlan.10;
            }
        }
        security-zone FW2-trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1020;
            }
        }
        security-zone FW2-untrust {
            screen untrust-screen;
            interfaces {
                vlan.20;
            }
        }
    }
}

routing-instances {
    FW1 {
        instance-type virtual-router;
        interface vlan.10;
        interface vlan.1010;
    }
    FW2 {
        instance-type virtual-router;
        interface vlan.20;
        interface vlan.1020;
    }
}

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to tubbynet

said by tubbynet:

in j-land -- you can set up unique bridge groups to filter pairs of vlans without having to use a different routing-instance or logical systems (at least this is how i understand things to work).

I think you referred to ScreenOS instead of JUNOS on SRX. With that in mind, you could do some bridge-group approach, but I still prefer to set up multiple virtual systems.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by aryoba:

said by tubbynet:

in j-land -- you can set up unique bridge groups to filter pairs of vlans without having to use a different routing-instance or logical systems (at least this is how i understand things to work).

I think you referred to ScreenOS instead of JUNOS on SRX. With that in mind, you could do some bridge-group approach, but I still prefer to set up multiple virtual systems.

thanks.
when looking at a problem and all you have is a hammer -- you begin to think the problem can be handled like a nail.

in c-land -- bridge-groups are all we've got -- hence my insistence on them. also -- when you have no idea what you're looking for -- juniper docs are incredibly difficult to parse/grep.

q.

aryoba
Premium,MVM
join:2002-08-22
kudos:4

Well, the Cisco solution does have a multiple-context approach on firewalls and VRF on switches/routers; so you still have some choices.

I agree though that Juniper online documentation is not as well organized compared to Cisco online documentation. In fact, I think Cisco online documentation is the most organized one out there.

From a different perspective: I'm sure as a consultant you are used to dealing with network gear that has limited to no documentation, which sometimes forces you to work your way through to get things done. So I'm sure you use ? a lot in the field on the CLI prompt.



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by aryoba:

Well, Cisco solution does have multiple context approach on firewalls and VRF on switches/routers; so you still have some choices.

the point was to not have to burn a context for every vlan pair to be filtered in transparent mode -- so yes -- we do have multiple contexts -- but we have to use one for each vlan pair (in/out).

q.
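As an added example (not posted by anyone in this thread), this is what the "one bridged VLAN pair per zone pair, no extra context" layout tubbynet describes would look like on an SRX in Layer 2 transparent mode, written from memory of the bridge-domains / family bridge hierarchy of Junos releases of that era; the interface names, VLAN IDs, zone names and policies are constructed. Both VLAN pairs are shown on one box for brevity; in the OP's per-VLAN active/active design one firewall would carry the even VLANs and the other the odd ones.

```junos
/* Constructed example: two VLAN pairs as two bridge domains in one SRX, */
/* default logical system, no routing-instance per VLAN.                 */
interfaces {
    /* VLAN 10: ge-0/0/0 faces the core, ge-0/0/1 faces the server switch */
    ge-0/0/0 { unit 0 { family bridge { interface-mode access; vlan-id 10; } } }
    ge-0/0/1 { unit 0 { family bridge { interface-mode access; vlan-id 10; } } }
    /* VLAN 20: same pattern on the next two ports */
    ge-0/0/2 { unit 0 { family bridge { interface-mode access; vlan-id 20; } } }
    ge-0/0/3 { unit 0 { family bridge { interface-mode access; vlan-id 20; } } }
}
bridge-domains {
    /* Access interfaces join the bridge domain whose vlan-id matches theirs, */
    /* so VLAN 10 frames are bridged core<->server through the firewall.    */
    BD-VLAN10 { domain-type bridge; vlan-id 10; }
    BD-VLAN20 { domain-type bridge; vlan-id 20; }
}
security {
    zones {
        /* One zone pair per bridged VLAN: this is where the filtering lives. */
        security-zone untrust-10 { interfaces { ge-0/0/0.0; } }
        security-zone trust-10   { interfaces { ge-0/0/1.0; } }
        security-zone untrust-20 { interfaces { ge-0/0/2.0; } }
        security-zone trust-20   { interfaces { ge-0/0/3.0; } }
    }
    policies {
        from-zone untrust-10 to-zone trust-10 {
            policy web-in {
                match { source-address any; destination-address any; application junos-http; }
                then { permit; }
            }
        }
        from-zone untrust-20 to-zone trust-20 {
            policy ssh-in {
                match { source-address any; destination-address any; application junos-ssh; }
                then { permit; }
            }
        }
        /* Anything not explicitly permitted above (including server-initiated */
        /* traffic toward the core) is dropped.                                */
        default-policy { deny-all; }
    }
}
```

Note that the switches on either side still see one bridged segment per VLAN, so the STP blocking the OP asks about is decided on the switches, not by anything in this configuration.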