[j-nsp] MX Firewall Capabilities

Stefan Fouant sfouant at shortestpathfirst.net
Tue Jul 12 13:36:27 EDT 2011


Brendan,

It really depends on what you are trying to accomplish.  The SRX is 
going to scale to much greater levels when it comes to Stateful 
Firewalling capability - it basically operates on a flow forwarding 
paradigm where it's designed from the ground up to handle sessions 
statefully.

On the other hand, the MX with the DPC will give you some of this 
capability, but remember the underlying paradigm is quite a bit 
different.  These are packet forwarding devices, so any traffic that you 
want to handle statefully will have to be routed through the DPC.  As 
such, there are finite limitations to what you can put through a single 
DPC, and it therefore wouldn't be appropriate if you want all your 
traffic to be handled statefully.

Plus, on the MX with the DPC it is basically configured using 
interface-style and next-hop style service-sets which is quite a bit 
different from the configuration syntax used on the SRX.  The SRX is a 
lot more straightforward and simpler to configure when it comes to this 
type of functionality.  Of course, I am not trying to dissuade you from 
using the MX in this scenario, it's perfectly valid if you only want to 
handle a subset of the traffic statefully.

Stefan Fouant
JNCIE-ER #70, JNCIE-M #513, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant

On 7/12/2011 1:19 PM, Brendan Mannella wrote:
> Nice, and if I decided I want stateful firewalling and IPS, I see I can use the DPC card...
>
> Are there any pros/cons to this vs just buying a separate SRX?
>
>
>
> -----Original Message-----
> From: OBrien, Will [mailto:ObrienH at missouri.edu]
> Sent: Tuesday, July 12, 2011 1:04 PM
> To: sthaug at nethelp.no
> Cc: Brendan Mannella; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] MX Firewall Capabilities
>
> Yup. That is correct. Border filters are no problem without the ms-dpc.
>
> Sent from my iPad
>
> On Jul 12, 2011, at 12:56 PM, "sthaug at nethelp.no"<sthaug at nethelp.no>  wrote:
>
>>> Just wondering what the firewalling capabilities are with the MX series vs the SRX. We just would like to have a basic firewall (block all incoming ports, allow specifics). Would we need the MS-DPC to achieve this? The new router will be all Trio cards.
>>
>> As long as you don't need *state* tracking but simply basic filtering
>> on ports, IP addresses etc your standard MX cards work just fine - no
>> need for MS-DPC.
>>
>> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
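The kind of stateless "block all incoming, allow specifics" filter that Steinar and Will describe as working on standard MX Trio cards without an MS-DPC, written out as an added example (this is not configuration from any of the posters). The filter name, interface, counter name and the 192.0.2.0/24 and 203.0.113.0/30 addresses are assumptions chosen for illustration; substitute your own.

```junos
firewall {
    family inet {
        filter BORDER-IN {
            /* Return traffic for TCP sessions initiated from inside.
               This is stateless: tcp-established only checks that the
               ACK or RST flag is set, it does not prove a session exists. */
            term tcp-return {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* The "allow specifics" part: only the listed services on
               the listed host are reachable from the outside. */
            term allow-inbound-services {
                from {
                    destination-address {
                        192.0.2.10/32;    /* assumed public web host */
                    }
                    protocol tcp;
                    destination-port [ 80 443 ];
                }
                then accept;
            }
            /* Enough ICMP for path MTU discovery and troubleshooting. */
            term allow-icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then accept;
            }
            /* UDP has no flags to key on, so replies from outside DNS
               resolvers can only be admitted by source port. Anything
               sourced from port 53 gets through this term. */
            term dns-replies {
                from {
                    protocol udp;
                    source-port 53;
                }
                then accept;
            }
            /* Everything else is dropped; count it so you can see what
               is hitting the border and log a sample to the PFE buffer. */
            term deny-rest {
                then {
                    count border-in-denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input BORDER-IN;
                }
                address 203.0.113.2/30;   /* assumed upstream link */
            }
        }
    }
}
```

The two comments on tcp-return and dns-replies are the security caveat that separates this from what the SRX does: a stateless filter accepts any packet that merely looks like return traffic (ACK set, or UDP source port 53), so a scanner or attacker who crafts packets that way reaches hosts behind the filter. That is the "state tracking" Steinar refers to, and it is exactly what the SRX flow engine, or the MS-DPC for a subset of traffic, adds. Check hit counts with `show firewall filter BORDER-IN` and the sampled drops with `show firewall log`.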
