[j-nsp] J-series stateful firewall / NAT architecture

Doug Marschke Doug at ietraining.net
Mon Apr 21 14:06:39 EDT 2008


I believe a lot of ScreenOS has already been mapped to JUNOS in the new J-series routers. I am not sure if the synchronization features are there yet.

http://www.juniper.net/training/technical_education/courses/EDU-JUN-OESJ.html



Doug Marschke
Principal Technologist
Strategic Networks Training
JNCIE-ER #3, JNCIE-M/T #41, JNCIS-FW, JNCI
www.ietraining.net
(415)902-5702


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Campbell, Alex
Sent: Sunday, April 20, 2008 2:57 PM
To: Amos Rosenboim; Florian Weimer
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] J-series stateful firewall / NAT architecture

We will definitely run separate pairs of switches. The only clean way to avoid the 4 x switch requirement is to use Routed Edge Resiliency, which doesn't seem ideal as it uses OSPF for failover.

State sync is a requirement so it looks like we will be going with a pair of SSG-550s. Hopefully all the firewall features from ScreenOS will one day be moved to mainstream JUNOS.


-----Original Message-----
From: Amos Rosenboim [mailto:amos at oasis-tech.net]
Sent: Monday, 21 April 2008 7:16 AM
To: Florian Weimer
Cc: Campbell, Alex; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] J-series stateful firewall / NAT architecture

I indeed mean using VLAN separation. Although this is not considered good practice for this scenario, mainly because of VLAN hopping and other L2 attacks, considering that there are L3 devices connected to this switch from all directions it does not look like too big of a risk.

Of course the 4 switches option is preferred if the budget allows it.

Amos

On Apr 19, 2008, at 7:56 PM, Florian Weimer wrote:

> * Amos Rosenboim:
>
>>
>> Regarding the number of boxes, you can consolidate the 4 switches to 
>> just two by using vlans.
>
> Huh?  You either lose redundancy, or you heavily rely on VLAN 
> separation on those switches.  Neither seems to be a good idea.
>
> -- 
> Florian Weimer                <fweimer at bfk.de>
> BFK edv-consulting GmbH       http://www.bfk.de/
> Kriegsstraße 100              tel: +49-721-96201-1
> D-76133 Karlsruhe             fax: +49-721-96201-99
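The two-switch layout Amos describes, as an added example that is not part of the thread: one of the two switches, configured so that the firewall pair's outside and inside legs share the box but are kept in separate VLANs. The switch model, interface numbers, VLAN names and IDs are assumptions; the syntax is pre-ELS Junos for EX series, chosen because the list is about Juniper gear. The point of the example is the shape that limits the VLAN hopping exposure Amos mentions: every port facing an L3 device is an access port, the only trunk (the inter-switch link) carries an explicit VLAN list and has no native VLAN, so untagged frames on it are dropped and a double-tagged frame has no untagged outer VLAN to ride in, and unused ports are administratively down.

```junos
## Assumed VLAN names and IDs; one VLAN per security zone.
set vlans outside vlan-id 10
set vlans inside vlan-id 20

## Firewall A: one access port per zone, no trunking toward the firewall.
set interfaces ge-0/0/0 description "FW-A outside"
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members outside
set interfaces ge-0/0/1 description "FW-A inside"
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members inside

## Firewall B: same pattern, so a failover does not depend on this switch.
set interfaces ge-0/0/2 description "FW-B outside"
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members outside
set interfaces ge-0/0/3 description "FW-B inside"
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members inside

## Upstream router and internal core, again plain access ports.
set interfaces ge-0/0/4 description "edge router (outside)"
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members outside
set interfaces ge-0/0/5 description "core switch (inside)"
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members inside

## Inter-switch link to the second switch: the only trunk on the box.
## Explicit member list, and deliberately NO native-vlan-id, so untagged
## frames arriving here are discarded rather than placed in a VLAN.
set interfaces ge-0/0/23 description "ISL to switch-2"
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members [ outside inside ]

## Everything not cabled stays administratively down.
set interfaces ge-0/0/6 disable
set interfaces ge-0/0/7 disable
```

This narrows the L2 attack surface but does not remove the reason Florian and Amos prefer four switches: both zones still share one control plane and one configuration, so a single typo that adds a port to the wrong VLAN, or a compromise of the switch itself, joins outside and inside with no firewall in the path. Separate switch pairs make that failure physically impossible rather than merely unlikely.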

