Juniper SonicWall Redundancy – How to Connect High-Availability Routers to Firewalls

Architecture, juniper, redundancy, sonicwall

I have two Juniper routers (a SRX340 and a SRX320), each with a leased line, on the same IP range. They are designed to be connected together on specific network ports so that the SRX320 takes over if the SRX340 fails.

I also have two SonicWALL TZ600 firewalls, currently configured in "Active / Standby" high availability mode.

I want to connect the routers to the firewalls in such a way that any one device can fail without the whole system losing internet access. What options do I have, please?

EDIT:
I have this working now. I connected the LAN ports from the two routers into a single switch, and then from there into the X1 port on the two firewalls. Each device can be switched off and internet access is maintained (after a minute or so of downtime). All I need to know now is how to eliminate the single switch as a potential single point of failure.

Best Answer

High availability is a big and sometimes tricky topic, depending on what you actually want to achieve. If you want to maintain running TCP connections, for example, with sub-100 ms retransmission, you've got some work to do.

On the other hand, a typical business who wants to maintain internet connectivity might have simpler targets: no single cable, box, or fuse should prevent a new browser connection after a 30 second outage. ("Hmm, that's slow, maybe try refresh, ah ... there it is.") That is good enough for most business continuity purposes.

Usually the hardest parts to achieve are "divergent path" internet connections which don't actually diverge very much. I've had single trucks hitting single street furniture cause supposedly divergent multiple links to fail. Power supply can be another issue: in most organisations UPS is the only realistic approach. (Two small UPS per rack is what I normally try to use; big UPS can be very inflexible.)

In your case, I'm guessing your ISP has delivered something like VRRP (Virtual Router Redundancy Protocol), which delivers a new virtual router with a new IP address. One router from the configured pool is elected to operate as this virtual router; if it dies, another takes over. It may have something better, to take into account link state.

SonicWall, on the other hand, operates as an active/passive pair, and the hardware swaps if one becomes defective.

Your layout might look like the following diagram. Note I've drawn servers as multiply connected, perhaps with two IP addresses or with an Ethernet card which takes part in spanning tree. User PCs I've shown in two teams, one of which might go out at a time. (Or use wifi with multiple access points to address this.)

[Diagram: layout]

With spanning tree throughout your switches, and considering the Juniper devices as a router with a switch, you might implement that like this:

[Diagram: showing switches]

Hope that's helpful.
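As an added illustration (not part of the question or the answer above), the following script models the two cablings discussed here as a graph and checks the "no single cable, box, or fuse" target by knocking out each device and each cable in turn. The single-switch layout from the question's EDIT and a hypothetical two-switch layout (sw1/sw2 are assumed names) are constructed inline.

```python
from collections import defaultdict, deque

def build(edges):
    """Undirected adjacency map from a list of (device, device) cables."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return dict(adj)

def connected(adj, src, dst, dead_node=None, dead_link=None):
    """BFS from src to dst, ignoring one failed device or one cut cable."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj[node]:
            if nxt == dead_node or nxt in seen:
                continue
            if dead_link and {node, nxt} == set(dead_link):
                continue
            seen.add(nxt)
            queue.append(nxt)
    return False

def single_points_of_failure(adj, src="lan", dst="isp"):
    """Return (devices, cables) whose sole loss cuts src off from dst."""
    nodes = {n for n in adj if n not in (src, dst)
             and not connected(adj, src, dst, dead_node=n)}
    links = {tuple(sorted((a, b))) for a in adj for b in adj[a]
             if not connected(adj, src, dst, dead_link=(a, b))}
    return nodes, links

# Constructed topologies. "isp" stands in for both leased lines' upstream,
# "lan" for the inside network behind the SonicWall pair.
HA_LINK = ("srx340", "srx320")                       # routers' failover interconnect
UPLINKS = [("isp", "srx340"), ("isp", "srx320")]     # one leased line per router

ONE_SWITCH = build(UPLINKS + [HA_LINK,               # layout from the question's EDIT
    ("srx340", "switch"), ("srx320", "switch"),
    ("switch", "tz600a"), ("switch", "tz600b"),      # X1 on each firewall
    ("tz600a", "lan"), ("tz600b", "lan")])

TWO_SWITCHES = build(UPLINKS + [HA_LINK, ("sw1", "sw2"),   # hypothetical sw1/sw2, cross-linked
    ("srx340", "sw1"), ("srx340", "sw2"), ("srx320", "sw1"), ("srx320", "sw2"),
    ("sw1", "tz600a"), ("sw2", "tz600a"), ("sw1", "tz600b"), ("sw2", "tz600b"),
    ("tz600a", "lan"), ("tz600b", "lan")])

if __name__ == "__main__":
    for name, topo in (("single switch", ONE_SWITCH), ("two switches", TWO_SWITCHES)):
        nodes, links = single_points_of_failure(topo)
        print(f"{name}: SPOF devices={sorted(nodes) or 'none'}, cables={sorted(links) or 'none'}")
```

The check is purely topological: it tells you whether a path still exists after a failure, not how quickly spanning tree, VRRP or the SonicWall pair converge onto it.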