  1. #1 (Join Date: May 2005, Location: Bay Area, Posts: 1,211)

    Network security question...inter-vlan routing and firewalling.

    So as of now I run two clustered Juniper SRX650s and two Juniper EX8200 switches together meshed via OSPF. The SRX cluster handles our BGP, IPsec, NAT and other firewall duties, and the EX switches are handling inter-VLAN routing for internal traffic to the datacenter.

    The issue that has come up is I need to have network segregation between a certain subset of machines within our prod network and everything else. It needs to scale, so I can't be hanging switches directly off of the SRXs. Right now, since the EXs handle inter-VLAN routing, traffic doesn't pass through the firewall unless it is leaving the datacenter. I will have dedicated internal firewalls for this purpose later, but until then...

    How do I do it? One way I thought of, which would be relatively easy, is to create a virtual routing instance on the EXs and run the isolated VLANs under it. I would then not allow the native instance and the virtual instance to share routes, and I would give the virtual instance another sub-interface on the connections that run OSPF up to the SRX cluster. So basically the virtual instance would see routes advertised via OSPF from the SRX cluster, which would force traffic to go up to the firewalls and fall under my policies.

    Does anybody see any immediate problems with this idea? Or a better solution that is relatively painless? Eventually our pods will each have their own internal firewall cluster, but for now I have to use what I've got.

    As a side note, I realize firewall filters can be created on the EX, but we didn't buy it for security. The SRX is much more flexible for what we need.

    Thanks,
    Morgan
    Last edited by DataCentric; 06-02-2011 at 04:05 AM.
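The virtual-router design proposed above, written out as an added Junos configuration sketch (constructed for this thread, not from the original post or from Juniper). Instance, zone, VLAN and interface names, the addresses, and the assumption that the EX-to-SRX uplink is already a vlan-tagged LAG (ae0 / reth0, with unit 100 carrying the global instance's existing OSPF adjacency in a zone named prod) are all assumptions.

```junos
# ---- EX8200: isolated VLAN, its RVI, and a separate virtual-router ----
# VLAN 200 is the segregated subset; its L3 interface exists only inside ISOLATED
set vlans isolated-prod vlan-id 200
set vlans isolated-prod l3-interface vlan.200
set interfaces vlan unit 200 family inet address 10.200.0.1/24

# Second tagged unit on the existing uplink LAG to the SRX cluster (ae0 assumed
# already vlan-tagged; ae0.100 is the global instance's OSPF link)
set interfaces ae0 unit 201 vlan-id 201
set interfaces ae0 unit 201 family inet address 10.255.201.2/30

# virtual-router = its own ISOLATED.inet.0 table; nothing is shared with inet.0
# unless a rib-group or instance-import policy is deliberately added (none here).
# A distinct router-id is required because both instances peer with the SRX in area 0.
set routing-instances ISOLATED instance-type virtual-router
set routing-instances ISOLATED routing-options router-id 10.255.201.2
set routing-instances ISOLATED interface vlan.200
set routing-instances ISOLATED interface ae0.201
set routing-instances ISOLATED protocols ospf area 0.0.0.0 interface ae0.201
set routing-instances ISOLATED protocols ospf area 0.0.0.0 interface vlan.200 passive

# ---- SRX650 cluster: terminate ae0.201 in its own security zone ----
set interfaces reth0 unit 201 vlan-id 201
set interfaces reth0 unit 201 family inet address 10.255.201.1/30
set security zones security-zone isolated interfaces reth0.201
set security zones security-zone isolated host-inbound-traffic protocols ospf
set protocols ospf area 0.0.0.0 interface reth0.201

# Only explicitly permitted flows cross between prod and isolated; the SRX
# default policy denies everything else, which is the point of the hairpin
set security policies from-zone prod to-zone isolated policy allow-mgmt match source-address any
set security policies from-zone prod to-zone isolated policy allow-mgmt match destination-address any
set security policies from-zone prod to-zone isolated policy allow-mgmt match application junos-ssh
set security policies from-zone prod to-zone isolated policy allow-mgmt then permit
set security policies from-zone prod to-zone isolated policy allow-mgmt then log session-init

# ---- Verification on the EX (operational mode) ----
# ISOLATED.inet.0 should hold prod prefixes only via 10.255.201.1 (the SRX), and
# inet.0 should hold 10.200.0.0/24 only via the SRX, never directly via vlan.200
# > show ospf neighbor instance ISOLATED
# > show route table ISOLATED.inet.0
# > show route 10.200.0.0/24 table inet.0
```

The SRX learns 10.200.0.0/24 over reth0.201 and re-advertises it to the global instance over reth0.100, so both directions of inter-VLAN traffic for that subnet are forced through the firewall policy without any EX firewall filter.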

  2. #2 (Join Date: Mar 2006, Location: Reston, VA, Posts: 3,132)
    Quote Originally Posted by RackPoint-Morgan (original post, quoted in full)
    You can't without a filter, per Juniper KB12021 http://kb.juniper.net/InfoCenter/ind...=1307015600257

    That help?

  3. #3 (Join Date: May 2005, Location: Bay Area, Posts: 1,211)
    Quote Originally Posted by Spudstr
    You can't without a filter, per juniper KB12021 http://kb.juniper.net/InfoCenter/ind...=1307015600257

    That help?
    As I mentioned in my original post, I don't want to use the firewall filters on the EX -- they don't do everything I need. Does my solution make sense to anybody else? Having a separate routing instance on the switch should work, I think.

    I would test all of this myself, but the lab equipment isn't here yet. :[

    Morgan

  4. #4 (Join Date: Oct 2002, Location: Vancouver, B.C., Posts: 2,656)
    Quote Originally Posted by RackPoint-Morgan
    Does anybody see any immediate problems with this idea? Or a better solution that is relatively painless? Eventually our pod's will each have their own internal firewall cluster, but for now I have to use what I've got.
    Why not just have the EX8200s do layer 2 only for the isolated VLAN and have the SRX650s act as the gateways?

  5. #5 (Join Date: May 2005, Location: Bay Area, Posts: 1,211)
    I was thinking about that, but then I thought how it might be counter-intuitive. Each switch has two connections to each firewall, so if I did that I would be undermining the redundancies I already have in place. It is a possibility though, I suppose.
