[j-nsp] J-series stateful firewall / NAT architecture
Amos Rosenboim
amos at oasis-tech.net
Sat Apr 19 09:28:26 EDT 2008
Hello,
Regarding the number of boxes, you can consolidate the 4 switches to
just two by using vlans.
I would use ospf for managing the failover with the external routers
and keep VRRP for the static elements (servers I guess) inside.
I'm not very familiar with the stateful filters feature of Junos -
does it include state synchronization between two or more network
elements?
If not, then I would seriously consider a ScreenOS-based device.
Regards
Amos
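An added illustration of the split Amos suggests (OSPF toward the border routers, VRRP toward the servers), written for this thread and not taken from either poster's setup; the interface names, addresses, VRRP group and priorities are assumptions. The VRRP group tracks the external interface so that a firewall which loses its upstream link also gives up the inside gateway address instead of black-holing traffic.

```junos
/* Assumed: ge-0/0/0 faces the border routers, ge-0/0/1 faces the servers. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 198.51.100.2/24;   /* external side, reachability via OSPF */
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.0.2.2/24 {
                    vrrp-group 1 {
                        virtual-address 192.0.2.1;   /* servers' default gateway */
                        priority 200;                /* peer firewall configured lower, e.g. 100 */
                        preempt;
                        accept-data;
                        track {
                            /* losing the external link drops us below the peer's priority */
                            interface ge-0/0/0 {
                                priority-cost 150;
                            }
                        }
                    }
                }
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface ge-0/0/1.0 {
                passive;   /* advertise the server subnet upstream, no adjacency inside */
            }
        }
    }
}
```

Failover moves the gateway address and the route, not the sessions: without state synchronization between the two boxes, existing stateful and NAT sessions are lost and have to be re-established by the clients after a switchover.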
On Apr 16, 2008, at 9:52 AM, Campbell, Alex wrote:
> We currently have two J4350s running as border routers for our hosting
> network (multihomed to various ISPs and IXs).
>
> Because of the inevitable asymmetry in the traffic going through our
> border routers, we can't run stateful firewall filters on our border
> routers. For this reason I am looking to put two more J4350s as
> stateful firewalls behind our border routers.
>
> My first question is whether this is a terrible idea. I've looked at
> SSGs but I would prefer to stick with JunOS for a couple of reasons. We
> don't need much fancy firewall functionality as we're only running in a
> pretty simple web hosting environment.
>
> My second question is what the architecture for this looks like. As I
> understand we need it to look like this:
> http://www.choppingblock.com.au/assets/firewalls.jpg (i.e. 4 x J4350s
> and 4 x switches). Have I understood this right? Are there any tricks
> to this that I'm missing?
>
> I'm not too sure how we achieve failover for the firewalls. Do we run
> VRRP on both the external-facing and internal-facing interfaces? Or do
> we run VRRP on the internal-facing interfaces and OSPF on the
> external-facing interfaces?
>
> I'm also a little confused about what will happen to NATed traffic if
> the primary firewall fails and causes the secondary firewall to take
> over.
>
> Any guidance would be most appreciated.
>
> Thanks,
>
> Alex