topic VRRP Design Question in Firewall and Security Management

VRRP Design Question

subrun_jamil — Wed, 19 Jan 2022 21:23:33 GMT

Hello,

Looking for some design suggestion.

Here is the diagram should explain the scenario. In each FW I have 3 Interfaces, one is WAN and another 2 customer routes or Interfaces configured.

P1 Interface has Multiple Sub interface. Each of them is /30 subnet and Over /30 remote IP , customer subnets are routed.

Subnets Configured at P2 Port Sub Interface , is Connected Network. VRRP is configured on this Interfaces. It does not work but I am refreshing these 2 Current Firewall here I am Planning this VRRP to make it work.

I hope I am able to explain my scenario. In this scenario when some subnets are routed over P2P network and some are directly connected can I do Clustering ?

or I guess Clustering Considers Full Device right ? But wondering we can do clustering for Subinterfaces connected at P2 ONLY not for the Interfaces where over P2P Interface we routed some subnets. I do not think so still asking.

Or else If I want to keep it same setup as Some are VRRP and Some are Routed and Redistributed to OSPF , with the connectivity shown will it work ?

Re: VRRP Design Question

Timothy_Hall — Thu, 20 Jan 2022 14:41:47 GMT

If you are employing VRRP to to perform Load Sharing (not balancing) between the members I'd say you'd be better off using the new Active-Active (NOT Load Sharing Unicast/Multicast) mode of ClusterXL introduced in R80.40.

Re: VRRP Design Question

subrun_jamil — Tue, 25 Jan 2022 13:50:37 GMT

@Timothy_Hall Thanks for your reply.

My question is if you look at P1 Interface ( Bigger Subnet routed over P2P Sub Interfaces ) and P2 Has Connected Subnets.

In this scenario, Can I do Clustering ?

If it does not I can only try VRRP for connected subnets.

What's the difference between Load Sharing and balancing ?

Are you able to see the diagram i attached. ?

Re: VRRP Design Question

Chris_Atkinson — Tue, 25 Jan 2022 14:33:08 GMT

If not all interfaces are clusterable I would move VRRP to the switches instead and use dynamic routing.

Routers / L3-switches likely have better integration between VRRP and dynamic routing protocols for particular route advertisement & failure scenarios.

Re: VRRP Design Question

subrun_jamil — Wed, 26 Jan 2022 19:58:15 GMT

If I move Networks to switch firewall filtering will not be possible right. thats why did not wanted to move vrrp to switches. What you think ?

Re: VRRP Design Question

subrun_jamil — Wed, 26 Jan 2022 20:11:46 GMT

And I should clarify that 2 FW are not at same site at 2 diff site in that case clustering does make sense ? on a shared WAN circuit ?

Re: VRRP Design Question

Chris_Atkinson — Wed, 26 Jan 2022 23:15:55 GMT

Apologies for not explaining fully.

You would likely also need to leverage VRFs here to seperate the VLANs at Layer-3 and force traffic via a transit interface to the FW to enforce inter-vlan segmentation, this may require a different/new license on some switch platforms.