[j-nsp] J-series stateful firewall / NAT architecture

Campbell, Alex Alex.Campbell at dtdigital.com.au
Wed Apr 16 02:52:10 EDT 2008


We currently have two J4350s running as border routers for our hosting
network (multihomed to various ISPs and IXs).

Because of the inevitable asymmetry in the traffic going through our
border routers, we can't run stateful firewall filters on our border
routers.  For this reason I am looking to put two more J4350s as
stateful firewalls behind our border routers.

My first question is whether this is a terrible idea.  I've looked at
SSGs but I would prefer to stick with JunOS for a couple of reasons.  We
don't need much fancy firewall functionality as we're only running in a
pretty simple web hosting environment. 

My second question is what the architecture for this looks like.  As I
understand we need it to look like this:
http://www.choppingblock.com.au/assets/firewalls.jpg (i.e. 4 x J4350s
and 4 x switches).  Have I understood this right?  Are there any tricks
to this that I'm missing?

I'm not too sure how we achieve failover for the firewalls.  Do we run
VRRP on both the external-facing and internal-facing interfaces?  Or do
we run VRRP on the internal-facing interfaces and OSPF on the
external-facing interfaces?

I'm also a little confused about what will happen to NATed traffic if
the primary firewall fails and causes the secondary firewall to take
over.

Any guidance would be most appreciated.

Thanks,

Alex
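The configuration below is an added illustration of the firewall layer Alex describes (it is not part of his post or of any reply): one of a pair of standalone J4350s sitting behind the border routers, running VRRP on both the outside- and inside-facing interfaces with cross-interface tracking, and a Junos stateful-firewall/NAT service set applied on the outside interface. Hostnames, the RFC 5737/RFC 1918 addresses, the interface names (including the sp-0/0/0 services interface), the VRRP group numbers and the rule and pool names are all assumptions chosen for the example; the second firewall would carry the same configuration with its own physical addresses and a lower VRRP priority.

```junos
## Added example, not the original poster's configuration.
## Firewall "fw-a" (VRRP master). Addresses, interface and rule names are assumed.
interfaces {
    ge-0/0/0 {
        description "outside: VLAN towards the two border routers";
        unit 0 {
            family inet {
                service {
                    input  { service-set hosting-fw; }
                    output { service-set hosting-fw; }
                }
                address 203.0.113.2/24 {
                    vrrp-group 10 {
                        virtual-address 203.0.113.1;   # next hop the border routers use
                        priority 200;                  # fw-b would use e.g. 100
                        accept-data;
                        track {
                            ## if the inside link dies, drop priority so fw-b takes both sides
                            interface ge-0/0/1.0 {
                                priority-cost 150;
                            }
                        }
                    }
                }
            }
        }
    }
    ge-0/0/1 {
        description "inside: hosting VLAN";
        unit 0 {
            family inet {
                address 10.10.0.2/24 {
                    vrrp-group 20 {
                        virtual-address 10.10.0.1;     # default gateway for the hosts
                        priority 200;
                        accept-data;
                        track {
                            interface ge-0/0/0.0 {
                                priority-cost 150;
                            }
                        }
                    }
                }
            }
        }
    }
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop [ 203.0.113.11 203.0.113.12 ];  # the two border routers
    }
}
services {
    stateful-firewall {
        rule hosting-out {
            match-direction output;                    # traffic leaving ge-0/0/0 towards the ISPs
            term permit-hosts {
                from {
                    source-address 10.10.0.0/24;
                }
                then {
                    accept;                            # return packets are allowed by flow state
                }
            }
        }
    }
    nat {
        pool hosting-snat {
            address 203.0.113.10/32;                   # NOT a physical interface address
            port automatic;
        }
        rule hosting-snat {
            match-direction output;
            term hosts {
                from {
                    source-address 10.10.0.0/24;
                }
                then {
                    translated {
                        source-pool hosting-snat;
                        translation-type source dynamic;
                    }
                }
            }
        }
    }
    service-set hosting-fw {
        stateful-firewall-rules hosting-out;
        nat-rules hosting-snat;
        interface-service {
            service-interface sp-0/0/0;
        }
    }
}
```

Two points the layout depends on. First, the stateful rules only work because VRRP forces both directions of every flow through whichever box currently holds both virtual addresses; that is why the tracking on each group is cross-wired to the other interface, so a single link failure moves the outside and inside roles together rather than splitting them. Second, the NAT pool is a dedicated /32 rather than a physical interface address, so it is valid on either firewall; the border routers need a route for 203.0.113.10/32 via the outside virtual address 203.0.113.1 (or the firewalls must advertise it). What VRRP cannot do for you is carry the session table: two standalone J4350s do not synchronise stateful-firewall or NAT state, so on failover the new master starts with an empty flow table, existing translated connections are dropped, and only new sessions are built through it.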


