[j-nsp] Using SRX's for BGP and Firewalling

Maqbool Hashim mhashim at ntsuk.co.uk
Tue Nov 9 04:30:47 EST 2010

Thanks, taking the responses on board:

I think 2 x SRX210s in HA Active Passive mode connected into 2 x EX2200-24T should work for us. I want to take a default and partial routing table from the ISPs. Partial as in just the routes for that ISP. I think that should be well within the capabilities of the SRX210s. In addition to that, firewalling and maybe some VPNs in the future.

Shame about not being able to do hitless upgrades due to having to do upgrades on the HA pair at the same time, as Keegan Holley said. However, we will just have to bear this in mind and plan upgrades accordingly.

From: Keegan Holley [mailto:keegan.holley at sungard.com]
Sent: 09 November 2010 03:18
To: Julien Goodwin
Cc: Maqbool Hashim; juniper-nsp
Subject: Re: [j-nsp] Using SRX's for BGP and Firewalling

On Mon, Nov 8, 2010 at 7:47 PM, Julien Goodwin <jgoodwin at studio442.com.au> wrote:
On 09/11/10 02:38, Maqbool Hashim wrote:
> Hi,
> I'm looking at doing a multihomed BGP setup using two upstream Internet providers. We are obtaining PI space and would like to announce our PI space via BGP to our upstreams. I'm looking at using one of the SRX range from Juniper to handle the BGP and firewalling requirement for us. We don't need a full routing table. Is it a realistic proposal to do the BGP and firewalling on one device (an SRX)? Or am I creating a rod for my own back by not using separate BGP routers and using separate devices to do the firewalling for me? I'd be interested in hearing if other people are using the SRX's in a similar way.
Thunderbird just ate my response, grr.

BGP full feed on an SRX650 is fine, if you disable flow mode (as much as
you can, don't forget the ALG's).

What's the point of doing BGP on a firewall with firewalling turned off?

BGP with a default inbound and advertising a few routes is fine with
You could probably do this with openwrt if you found the right platform.

Combining a full feed with firewalling is a bad idea, at least on the
branch kit, and probably the SRX1k and 3k.

Julien Goodwin
"Blue Sky Solutioneering"
