Background: I have two datacenters, located 300 km apart, each with a Juniper MX240 router, connected over a DWDM 10GE link. The latency is in the range of 5 ms RTT.
In each datacenter, I have one firewall from a third-party vendor, configured in an active/standby fashion. Each firewall is connected to one router, and only one firewall is globally active between both locations, meaning I could have traffic entering from DC1, moving to the firewall in DC2 and ending up back in DC1.
I will configure two VPLS or L2circuits between my Juniper MXs, so the firewalls can exchange and synchronize across the network; that is absolutely fine.
However, if one firewall fails, the other should take over, but they will have absolutely the same settings, so I need to have the same IP address on both sides and on my two Juniper MX240s. I assume my option is VRRP, but this needs to happen in a VLAN. Unless I am missing something, as my Juniper is doing the transport, it cannot be part of the L2 domain.
Is there a way to configure VRRP with an IRB, or am I looking at this issue the wrong way? Any idea, any feedback or any constructive remark would be greatly appreciated.
I am attaching a visual representation of my network.
You can probably configure VPLS between the two MX240s and call the IRB as a routing-interface inside that VPLS instance. You can then configure two IRBs (one per MX240) and a reth (IRB) interface on the firewall in the same LAN segment, and run any IGP for route exchange. The interface going towards the firewall can be an L2 interface which will be part of the VPLS instance.
This way, even if one MX goes down, the firewall will have IGP reachability over the IRB to the other MX and continue to forward traffic.
Hi and thank you for replying.
I would agree with your suggestion, but if I configure an IRB within the VPLS instance as a routing-interface, this would affect only one MX router; the other would not have an IRB. If I configured both sides with the same IRB, how would this work, and how would the firewall know which IRB it should talk to? I assume both will reply to ARP.
You can configure the IRB as a routing-interface on both MX routers. You can use different IPs but put all the IRBs in the same subnet.
Something like this (only a fragment of the diagram survived; it shows the firewall side as reth with 10.10.10.3/24):
| \ ____ reth(10.10.10.3/24) Firewall
You can then configure the IGP between the routers and the firewall and play with the metric to prefer one MX.
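A Junos configuration sketch of what the two answers above describe, added here as an illustration and not taken from either poster: an LDP-signalled VPLS between the two MX240s, an IRB on each MX in the same /24 as the firewall's reth, and OSPF running over the IRBs. Everything not in the thread is an assumption: the instance name VPLS-FW, VLAN 100, the interface names, the loopback and link addresses (192.0.2.x, 198.51.100.0/30), the choice of OSPF and the metric values. The IRB addressing follows the reply above (10.10.10.1 and .2 on the MXs, .3 on the firewall's reth). Because the two IRBs carry different IPs inside one L2 domain, each answers ARP only for its own address, so the firewall sees two ordinary OSPF neighbours on one LAN rather than a duplicate gateway.

```junos
/* MX1 (DC1). MX2 mirrors this with the other loopback (192.0.2.2), */
/* neighbor 192.0.2.1, irb.100 address 10.10.10.2/24 and a higher    */
/* OSPF metric on irb.100. All names and addresses are assumed.      */
interfaces {
    xe-0/0/0 {
        description "to firewall (L2 only, member of the VPLS)";
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 100 {
            encapsulation vlan-vpls;
            vlan-id 100;
        }
    }
    xe-0/1/0 {
        description "DWDM link to MX2 (MPLS transport for the VPLS)";
        unit 0 {
            family inet {
                address 198.51.100.1/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.0.2.1/32;
            }
        }
    }
    irb {
        unit 100 {
            description "L3 gateway inside the firewall VPLS";
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
}
protocols {
    mpls {
        interface xe-0/1/0.0;
    }
    ldp {
        interface xe-0/1/0.0;
        interface lo0.0;
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface xe-0/1/0.0;
            /* MX2 sets a higher metric (e.g. 100) on its irb.100 */
            interface irb.100 {
                metric 10;
            }
        }
    }
}
routing-instances {
    VPLS-FW {
        instance-type vpls;
        interface xe-0/0/0.100;
        routing-interface irb.100;
        protocols {
            vpls {
                no-tunnel-services;
                vpls-id 100;
                neighbor 192.0.2.2;
            }
        }
    }
}
```

After committing on both routers, check that the pseudowire is up with `show vpls connections`, that the firewall's MAC is learned on the local attachment circuit or over the pseudowire with `show vpls mac-table instance VPLS-FW`, and that both MXs see the firewall (and each other) as OSPF neighbours over irb.100 with `show ospf neighbor`. Which MX the firewall actually prefers for a given prefix is decided by the cost the firewall computes, which depends on the third-party vendor's OSPF implementation and on how the MXs advertise their routes, so verify the result in the firewall's own routing table rather than only on the MXs. A failed MX takes its IRB with it; the firewall then keeps its adjacency to the surviving IRB across the VPLS, which is the failure mode the first answer describes.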