I have been working with a platform design for a customer and came across a situation I had not encountered before and thought it might be worth making some notes, this has been boiled down to the essential bits to make life easier

It’s a VMware backed infrastructure with Juniper SRX firewalls; fine

The customer wants servers running on both sites and needs internal communication; no problem

They need to be able to fail a site and it be brought online and the other site and retain the above requirements; that’s a bit different, typically there would be a live site and a DR site, if the live site fails, everything is brought up in the DR site with SRM, which is easy enough

This is what it should look like, Site 1 has the Application servers, and site 2 has the Development servers.

The question now is how do we do the DR bit?

We will be using SRM to protect all VM’s on both sides to their counterpart. How do we do the networking?

As I see it there are two ways to do it:

  1. Have a redundant pair of firewalls at either side
  • Cost, additional firewalls required at each site, more power, more connectivity, more rack space, cost etc. etc.
  • Extra complexity when any rules are added to the firewall as they must be also added to the firewall in the DR site.
  • We can’t just mirror the firewall config because the connecting interfaces will need different addresses otherwise they wouldn’t be able to route traffic between the servers which are already operational at which ever site didn’t fail.
  • Messy
  1. Use the firewalls already in place
  • No additional hardware required
  • Still have that extra step of creating new firewall rules in two places and can’t use a mirror configuration for the same reason, change control to the rescue
  • If the firewall has a directly connected network with the same subnet as a remote network how do we get the two sites communicating during normal two site operation, hmm……

I know that in the Juniper world a static route has a preference of 5 and a directly connected network has a preference of 0, meaning when I configure the network as needed, I will lose access to anything over a static route for a network the firewall “knows” is directly connected, ooh dear

As obvious as this now seems I couldn’t think of the best way to do this. Is there a built in way to do this on the Juniper firewalls? (Short answer, I couldn’t find one) or disable the interfaces until needed (add them as the “now do this” reminder steps in SRM). I also wondered if it would be possible to change the default preference of a directly connected network to a value higher than that of a static route but disregarded that as just plain stupid.

Without any modification our routing table on Site 2 looks like this:

192.168.1.0/24 *[Direct/0] 02:56:17
> via ge-0/0/3.0

At this point we are using the subnet which is directly connected, when we add a static route for the live subnet but over on Site 1, the routing table now looks like this

192.168.1.0/24 *[Direct/0] 02:56:17
> via ge-0/0/3.0
[Static/5] 00:01:10
> to 192.168.168.2 via ge-0/0/1.0

We can see the two routes and that the static route has it’s default value off 5 and the direct route is preferred, as designated by the “*” because of its default value of 0

When the Site 2 interface ge-0/0/3 is disabled, the routing table is updated to this:

192.168.1.0/24 *[Static/5] 00:07:24
> to 192.168.168.2 via ge-0/0/1.0
192.168.1.1/32 *[Local/0] 03:04:01
Reject

Hurrah, the route still exists in the table but only for the statically entered entry, when the interface was disabled it was automatically dropped from the routing table. The firewall’s IP address on the disable interface has been set to reject which I didn’t anticipate but I can’t think of any issue it might introduce.

Leave a Reply

Be the First to Comment!

Notify of
avatar
wpDiscuz