[j-nsp] SRX240 - ready for prime time?

Per Westerlund p1 at westerlund.se
Tue Mar 6 03:06:04 EST 2012
On 6 Mar 2012, at 02:20, TCIS List Acct wrote:

> Thanks for all of the responses.
> 
> A few more questions:
> 
> - Can the L2 switch "feature" on the SRX240 be used when I have a pair of appliances in HA mode?  The docs seem to be conflicting on this -- it appears that it may be supported in 11.x?
> 

Switching with a pair of 240s (and 650s) is supported in 11.1R3 and later, but it does not work with the smaller branch boxes. You need (at least) one extra cable between the boxes dedicated to switch traffic. Have not tried it myself, but it is in the release notes.

> -  Can the SRX be used as a multi-tenant firewall to provide distinct L3 public IP subnets on VLAN interfaces, with their own set of unique firewall rules, and the possibility of overlapping Untrust IP networks (e.g. multiple customers have 192.168.1.0/24), AND the ability to terminate IPSEC VPN tunnels on these VLAN interfaces?  (I'm looking for something to provide multi-tenant firewall services to a small Cloud hosting infrastructure)

Most of these things I have done extensively without problems, but for one item, which I have not been able to verify. In 10.2 it was not possible to terminate an IPsec VPN tunnel on an RVI (Routed VLAN interface), only on normal interfaces. I do not know if that limitation has been lifted.

In current 11.1 there is no problem terminating a static IPsec VPN in a non-default routing instance. There is still only support for Dynamic IPsec VPN in the default router instance.

With router instances and security zones (note that a security zone cannot span routing instances) there is no problem having unique rules for each customer, just place them in their own security zones, and for maximum simplicity, also their own routing instances, if you don't need more than 20 or so.

/Per

> 
> --Mike
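The following is an added example, not a configuration from this thread or from Juniper. It shows the layout Per describes for a multi-tenant SRX: two tenants that both use 192.168.1.0/24 inside, each isolated in its own virtual-router routing instance with its own routed VLAN interfaces and its own pair of security zones (no zone spans two instances). VLAN ids, interface units, addresses, instance, zone, policy and NAT names are all constructed for illustration and need to be adapted to a real deployment.

```junos
## Added example (not from this thread). Two tenants, cust-a and cust-b, both
## using 192.168.1.0/24 inside, each kept in its own virtual-router routing
## instance and its own security zones. All names, VLAN ids and addresses are
## constructed for illustration.
vlans {
    cust-a-lan    { vlan-id 101; l3-interface vlan.101; }
    cust-a-public { vlan-id 201; l3-interface vlan.201; }
    cust-b-lan    { vlan-id 102; l3-interface vlan.102; }
    cust-b-public { vlan-id 202; l3-interface vlan.202; }
}
interfaces {
    vlan {
        unit 101 { family inet { address 192.168.1.1/24; } }   ## cust-a inside (RVI)
        unit 201 { family inet { address 203.0.113.10/29; } }  ## cust-a public subnet
        unit 102 { family inet { address 192.168.1.1/24; } }   ## cust-b inside, same prefix as cust-a
        unit 202 { family inet { address 203.0.113.18/29; } }  ## cust-b public subnet
    }
}
routing-instances {
    ## one virtual router per tenant, so the overlapping 192.168.1.0/24 routes never meet
    cust-a {
        instance-type virtual-router;
        interface vlan.101;
        interface vlan.201;
        routing-options { static { route 0.0.0.0/0 next-hop 203.0.113.9; } }
    }
    cust-b {
        instance-type virtual-router;
        interface vlan.102;
        interface vlan.202;
        routing-options { static { route 0.0.0.0/0 next-hop 203.0.113.17; } }
    }
}
security {
    zones {
        ## every zone contains interfaces from exactly one routing instance;
        ## ike is only opened on the public RVIs, where a VPN would terminate
        security-zone cust-a-trust   { interfaces { vlan.101 { host-inbound-traffic { system-services { ping; } } } } }
        security-zone cust-a-untrust { interfaces { vlan.201 { host-inbound-traffic { system-services { ike; ping; } } } } }
        security-zone cust-b-trust   { interfaces { vlan.102 { host-inbound-traffic { system-services { ping; } } } } }
        security-zone cust-b-untrust { interfaces { vlan.202 { host-inbound-traffic { system-services { ike; ping; } } } } }
    }
    policies {
        ## per-tenant rules only; no policy exists between cust-a and cust-b zones,
        ## so the SRX default deny keeps the tenants apart
        from-zone cust-a-trust to-zone cust-a-untrust {
            policy cust-a-outbound {
                match { source-address any; destination-address any; application any; }
                then { permit; log { session-close; } }
            }
        }
        from-zone cust-b-trust to-zone cust-b-untrust {
            policy cust-b-outbound {
                match { source-address any; destination-address any; application junos-http; }
                then { permit; log { session-close; } }
            }
        }
    }
    nat {
        source {
            ## each tenant hides its private prefix behind its own public RVI address
            rule-set cust-a-snat {
                from zone cust-a-trust;
                to zone cust-a-untrust;
                rule cust-a-hide { match { source-address 192.168.1.0/24; } then { source-nat { interface; } } }
            }
            rule-set cust-b-snat {
                from zone cust-b-trust;
                to zone cust-b-untrust;
                rule cust-b-hide { match { source-address 192.168.1.0/24; } then { source-nat { interface; } } }
            }
        }
    }
}
```

Because the two 192.168.1.0/24 subnets live in different virtual routers, each tenant's table only ever contains its own copy of the prefix, and a flow can only cross tenants if an explicit from-zone/to-zone policy is written for it. The `ike` entry on each public RVI is what a static IPsec VPN terminating there would require; Per's caveat above applies, as on 10.2 a VPN could not be terminated on an RVI and he had not verified whether later releases lifted that.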
