[j-nsp] SRX advice

Paul Zugnoni paul.zugnoni at onlive.com
Fri Feb 4 02:24:18 EST 2011

> a 2821) terminates a bunch of LAN-to-LAN IPsec tunnels (VTI style) to 1841s
> all over the place. Box is completely VRFed, no global table, all the tunnels
> land in the INTERNET VRF and pop out in customer VLANs, each their own VRF.
> 10-30 Mbit

One of the large drawbacks on SRX has been lack of support for putting the IKE endpoint IPs in different VRFs - they all had to be placed in the default routing table, whereas Juniper's prior firewall platform - ScreenOS - supported IKE gateways in any VRF. This, however, should be fixed in the latest code. In your situation, it might not matter, since all of your endpoints are in the same VRF. On SRX, you can put the tunnel interfaces in any routing-instance you want.


> So - goal is to collapse all this onto a single pair of boxes running in an HA
> config. Watchguard a, b, and c are problematic, and are becoming more
> problematic. Watchguard d is pretty quiet, but we are contractually
> obligated to remove all SPOF from that client's setup. The 2821 is very quiet,
> no troubles.

While code upgrades on SRX are not hitless, have you considered using two non-clustered boxes for your VPN traffic, where you ignore the state of the connections?


> I assume that Cisco VTI style tunnels do not interoperate with an analog on JunOS?

I would second that assumption.

> I don't know what a bunch of routing-instances really buys us, if anything (aside from the psychological aspect).

The psychological aspect carries a lot of weight with some people. Unless you're profiting from that configuration, it's just weight on your shoulders. If you're unfamiliar with zone-based firewall configs, you'll probably find more comfort with zones than routing configs to provide good-looking firewall policy w/o the complications of multiple VRFs. However, if you have a need to separate OSPF routing domains, on a Cisco, you might do this with diff OSPF processes (router ospf 1, router ospf 2) w/in the same routing table; but on Juniper, you would need multiple routing-instances for the same thing.

An SRX240 pair should cover you fine if you're not doing IDP, but a 650 pair has significantly more power. Note that both are CPU-based. Good luck.

Paul Z
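As an added illustration of the point Paul makes above (not a config from the thread or from either poster), here is a Junos route-based VPN where the st0 tunnel interface and the customer VLAN sit in their own routing-instance while the IKE gateway's external interface stays in the master instance. All addresses, interface names, instance and policy names, and the pre-shared key are constructed placeholders.

```junos
/* Added example, not from the thread. Every address, name and the PSK below
   is a constructed placeholder. ge-0/0/0 is the WAN link in the master
   instance; st0.0 and the customer VLAN go into routing-instance CUST-A. */
interfaces {
    ge-0/0/0 { unit 0 { family inet { address 192.0.2.1/30; } } }
    ge-0/0/1 { vlan-tagging; unit 100 { vlan-id 100; family inet { address 10.100.0.1/24; } } }
    st0 { unit 0 { family inet; } }   /* unnumbered tunnel interface */
}
security {
    ike {
        proposal IKE-PROP {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy IKE-POL { mode main; proposals IKE-PROP; pre-shared-key ascii-text "PLACEHOLDER-PSK"; }
        gateway CUST-A-GW {
            ike-policy IKE-POL;
            address 198.51.100.10;            /* remote peer, e.g. a branch router */
            external-interface ge-0/0/0.0;    /* IKE endpoint lives in the master instance */
        }
    }
    ipsec {
        proposal IPSEC-PROP { protocol esp; authentication-algorithm hmac-sha-256-128; encryption-algorithm aes-256-cbc; }
        policy IPSEC-POL { proposals IPSEC-PROP; }
        vpn CUST-A-VPN {
            bind-interface st0.0;             /* route-based: traffic is steered by routes, not proxy-IDs */
            ike { gateway CUST-A-GW; ipsec-policy IPSEC-POL; }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone untrust { interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { ike; } } } } }
        security-zone CUST-A { interfaces { st0.0; ge-0/0/1.100; } }
    }
    policies {
        from-zone CUST-A to-zone CUST-A {
            policy permit-intra { match { source-address any; destination-address any; application any; } then { permit; } }
        }
    }
}
routing-instances {
    CUST-A {
        instance-type virtual-router;
        interface st0.0;           /* tunnel lands in the customer VRF */
        interface ge-0/0/1.100;    /* customer VLAN in the same VRF */
        routing-options { static { route 10.1.0.0/16 next-hop st0.0; } }
    }
}
```

Only the remote customer prefix routed via st0.0 inside CUST-A ever enters the tunnel, so the master instance never needs a route for customer space and the customer VRF never sees the WAN.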
