[j-nsp] SRX advice

Ryan Goldberg RGoldberg at compudyne.net
Fri Feb 4 13:36:03 EST 2011


Thanks everyone for the replies - 

After some deliberation, we are leaning towards a single SRX650 to replace watchguards a, b and c, and a pair of SRX100s for watchguard d.  The 2821 will likely hang around, as it is not problematic in the least, and all the tunnels it terminates are Cisco VTI-style tunnels (I suppose we could convert the far ends to GRE/IPsec).  Does this seem reasonable?

Thanks again-
Ryan

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Ryan Goldberg
> Sent: Thursday, February 03, 2011 11:13 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] SRX advice
> 
> Hi-
> 
> Totally new here, and I mainly lurk on other lists, so be gentle if possible.
> 
> We are in a situation we need to get out of.  I am considering a pair of
> juniper SRX boxes (240s are in the budget) to do that.
> 
> This is what we have:
> 
> watchguard a) is the outbound NAT box for about 70 small offices (we are a
> small ISP too; these are fiber-connected customers).  It also handles some
> amount of inbound NAT for those customers' various servers, which may be
> in the customer's office or a virtual host in our racks, and maybe a half
> dozen SSL-VPN road-warrior types.  There's also a dozen or so LAN-to-LAN IPsec
> tunnels on it.  Sustained 2-20 inbound.  Light outbound.
> 
> watchguard b) is for internet-facing Windows boxes.  Lots of inbound NAT.
> Sustained 2-20Mbit outbound.
> 
> watchguard c) is for our office, 55ish users.  Some inbound NAT too.  0-50Mbit
> inbound, widely varying.
> 
> watchguard d) is for one particular hosting customer where stability is
> paramount.  The other firewalls get touched a lot (and, as of late, have been
> puking when they feel like it).  2-15Mbit of sustained web traffic, with the
> odd spike or lull.
> 
> a 2821) terminates a bunch of LAN-to-LAN IPsec tunnels (VTI style) to 1841s all
> over the place.  The box is completely VRFed, no global table; all the tunnels
> land in the INTERNET VRF and pop out in customer VLANs, each in its own VRF.
> 10-30Mbit.
> 
> So the goal is to collapse all this onto a single pair of boxes running in an HA
> config.  Watchguards a, b, and c are problematic, and are becoming more
> problematic.  Watchguard d is pretty quiet, but we are contractually
> obligated to remove all SPOFs from that client's setup.  The 2821 is very quiet,
> no troubles.
> 
> My main question revolves around the number of virtual routers.  We can't
> afford a big enough box to stuff everything (as in, every customer network)
> into its own VRF/routing-instance.  I will admit that I've become hooked on
> using VRFs in Cisco land on ISRs (a lot of double-ISP configs, random dirty
> hacks).  But for our future firewall setup, I don't know what a bunch of
> routing-instances really buys us, if anything (aside from the psychological
> aspect).  All we really need is for all the private networks behind this thing
> to get NATted to their corresponding public IP(s), and if something behind
> the firewall needs to talk to something else behind the firewall, it should go
> out and back in (getting source NATted, then dest NATted).  If the J-boxes can
> do that without separate routing-instances, then we're good.
> 
> My other question involves HA stability.  I've seen instances with other kit
> where introducing "HA" actually reduced availability.  Do SRX boxes like
> running in HA, or are they fussy?
> 
> I very much thank anyone who takes the time to reply to this.
> 
> Ryan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
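As an added illustration of the "out and back in" NAT behaviour asked about in the quoted message (an inside host reaching another inside host through its public address, with the packet source-NATted and then destination-NATted, and no separate routing-instances), here is a Junos SRX configuration fragment in the hierarchy format. It is not from the thread or from Juniper's documentation; the zone and interface names, the public address 203.0.113.10, the internal server 10.10.20.5 and the inside range 10.10.0.0/16 are all assumed for the example, and the /* */ lines are annotations explaining each piece.

```junos
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            address-book {
                address web-internal 10.10.20.5/32;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
    nat {
        /* The public address is not the interface address, so the SRX
           must answer ARP for it on the outside interface. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    203.0.113.10/32;
                }
            }
        }
        /* Destination NAT is evaluated before the route lookup. Listing
           both zones in "from" makes the same public address work for
           outside clients and for inside hosts (the hairpin case). */
        destination {
            pool web-dnat {
                address 10.10.20.5/32;
            }
            rule-set dnat-web {
                from zone [ untrust trust ];
                rule web-in {
                    match {
                        destination-address 203.0.113.10/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat {
                            pool {
                                web-dnat;
                            }
                        }
                    }
                }
            }
        }
        /* Source NAT trust-to-trust rewrites the inside client's address
           to the SRX's inside interface address, so the server's reply
           returns through the firewall rather than straight to the
           client; without it the session is asymmetric and gets dropped. */
        source {
            rule-set snat-hairpin {
                from zone trust;
                to zone trust;
                rule hairpin {
                    match {
                        source-address 10.10.0.0/16;
                        destination-address 10.10.20.5/32;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Policy lookup uses the post-DNAT address, hence web-internal. */
        from-zone untrust to-zone trust {
            policy web-in {
                match {
                    source-address any;
                    destination-address web-internal;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
        }
        /* Intra-zone traffic is denied by default on the SRX, so the
           hairpinned flow needs its own trust-to-trust policy. */
        from-zone trust to-zone trust {
            policy web-hairpin {
                match {
                    source-address any;
                    destination-address web-internal;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

To confirm both translations are applied to a hairpinned connection, open a session from an inside host to 203.0.113.10 and check `show security flow session destination-port 443`: the In wing should show the original client address towards 203.0.113.10, and the Out wing should show 10.10.20.5 replying to the SRX's ge-0/0/1.0 address. `show security nat destination rule all` and `show security nat source rule all` show the per-rule hit counters, which is the quickest way to tell which of the two rules is not matching when the session never appears.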