Hi!
I need some help figuring out the best configuration scenario for my network. Please have a look at the attached image as I’ll refer to it.
I have a two-ISP setup with BGP to both peers. Both nodes of my SRX router cluster are connected to each ISP. Right after the routers I've placed my firewalls. As you can see in the picture, each router is connected to only one firewall through the 'reth2' interface. This is only one physical interface.
And after the firewalls the core switch and the rest of the equipment is located.
So, my problem is the redundancy between the router and the firewall cluster. From the beginning I used Interface Monitor to trigger the failover in case of a breakdown. But this solution was either misconfigured by me or did not solve it the way I wanted. During a reboot of both the primary nodes in each cluster, it all got stuck in a loop arguing which node should be primary/secondary, interfaces going wild, and so on.
Now I only have a weight difference on the redundancy groups on each node, but I realize that if node0 on the router side should fail, node0 in the firewall cluster will still try to use this path, since it does not care about interface status.
What’s my best option here? Should I put a switch in between the two clusters? Connecting all reth2 interfaces to one switch? Or can I trim the configuration to work with my topology?
All feedback appreciated!
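For reference, here is what the interface-monitoring setup discussed above looks like on the firewall cluster when the physical child links of reth2 are monitored and the upstream router is probed as well; this is an added example, not the poster's configuration, and the redundancy-group number, child interface names and addresses are assumed.

```junos
# Assumed: reth2 belongs to redundancy-group 1; its child links are
# ge-0/0/2 on node0 and ge-5/0/2 on node1 (interface names are assumed).
set chassis cluster reth-count 4
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# interface-monitor watches the physical child links, not reth2 itself.
# Weight 255 reaches the RG threshold on its own, so losing the link to
# the router fails RG1 over immediately instead of keeping the dead path.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/2 weight 255

# ip-monitoring covers the case where the link stays up but the router
# behind it stops answering (assumed router address 192.0.2.1; the
# secondary-ip-address is the one the backup node probes from).
set chassis cluster redundancy-group 1 ip-monitoring global-weight 255
set chassis cluster redundancy-group 1 ip-monitoring global-threshold 100
set chassis cluster redundancy-group 1 ip-monitoring retry-interval 3
set chassis cluster redundancy-group 1 ip-monitoring retry-count 5
set chassis cluster redundancy-group 1 ip-monitoring family inet 192.0.2.1 weight 100 interface reth2.0 secondary-ip-address 192.0.2.3

# Bind the child links to reth2 and reth2 to RG1 (assumed addressing).
set interfaces ge-0/0/2 gigether-options redundant-parent reth2
set interfaces ge-5/0/2 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 192.0.2.2/29
```

After committing, `show chassis cluster interfaces` lists the monitored links with their weights and `show chassis cluster status` shows the RG1 priority on each node, which is the first thing to check when a failover does not happen as expected.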