[j-nsp] Using SRX's for BGP and Firewalling

Keegan Holley keegan.holley at sungard.com
Mon Nov 8 22:17:56 EST 2010


On Mon, Nov 8, 2010 at 7:47 PM, Julien Goodwin <jgoodwin at studio442.com.au> wrote:

> On 09/11/10 02:38, Maqbool Hashim wrote:
> > Hi,
> >
> > I'm looking at doing a multihomed BGP setup using two upstream Internet
> > providers.  We are obtaining PI space and would like to announce our PI
> > space via BGP to our upstreams.    I'm looking at using one of the SRX range
> > from Juniper to handle the BGP and firewalling requirement for us.  We don't
> > need a full routing table.  Is it a realistic proposal to do the BGP and
> > firewalling on one device (an SRX) ?  Or am I creating a rod for my own back
> > by not using separate BGP routers and using separate devices to do the
> > firewalling for me.  I'd be interested in hearing if other people are using
> > the SRX's in a similar way.
>
> Thunderbird just ate my response, grr.
>
> BGP full feed on an SRX650 is fine, if you disable flow mode (as much as
> you can, don't forget the ALG's).
>

What's the point of doing BGP on a firewall with firewalling turned off?

>
> BGP with a default inbound and advertising a few routes is fine with
> firewalling.
>
> You could probably do this with openwrt if you found the right platform.


> Combining a full feed with firewalling is a bad idea, at least on the
> branch kit, and probably the SRX1k and 3k.
>
> --
> Julien Goodwin
> Studio442
> "Blue Sky Solutioneering"
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

