05-16-2012 03:49 AM
We run an SRX 3600 cluster as our gateway firewall, with a Cisco core and distribution. I'm investigating the best way to link the VRFs (lite) on the core routers to the SRX cluster. We want to maintain a pure L3 topology, so no VLANs etc. The VRFs need to remain separate, so that they have to traverse the firewall from different zones.
I don't have much experience with MPLS, but it seems that there are issues with running MPLS proper on the SRXs anyway, due to flow vs. packet processing. From what I've read, the selective processing available on some of the SRXs isn't available on the 3600s. I expect it would be more complicated than we need anyway.
I am wondering if GRE (or similar) tunnels would be the way to go.
05-17-2012 05:22 AM
We do something similar with VLAN-tagged sub-interfaces on the SRX to link to the core switches. These VLAN-tagged sub-interfaces are then placed into different security zones with appropriate policies written. You can either run a complementary routing protocol (OSPF perhaps) to advertise all routes between VRFs as reachable through the SRX, or just point default from all VRFs to the SRX if that will work in your topology.
05-17-2012 03:54 PM
Using MPLS on an SRX1400/3400/3600/5600/5800 is not an option. Instead you will have to provide a dedicated interface OR sub-interface (via VLAN tagging) for every VRF-lite instance you are running. Each sub-interface (or unit in Junos) will have to have its own VLAN ID and can be bound separately to a virtual-router type routing-instance (VRF-lite) and also associated with a security zone.
Hope this helps.
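As an added illustration, not posted by anyone in this thread, here is a Junos configuration sketch of the layout the two replies above describe: one VLAN-tagged unit per VRF-lite instance on the trunk to the core, each unit bound to its own virtual-router routing-instance and its own security zone, OSPF run inside each instance to learn the core's routes, and rib-groups used to leak each instance's routes into the other so that traffic between the two VRFs is routed across the SRX and therefore hits a zone-to-zone policy. Interface, VLAN IDs, instance and zone names, addresses and the OSPF area are all assumptions for the example.

```junos
interfaces {
    ge-0/0/0 {
        description "802.1Q trunk to Cisco core; one unit per VRF-lite instance (assumed port)";
        vlan-tagging;
        unit 100 {
            description "Leg into VRF-A (assumed VLAN/addressing)";
            vlan-id 100;
            family inet { address 10.100.0.1/30; }
        }
        unit 200 {
            description "Leg into VRF-B (assumed VLAN/addressing)";
            vlan-id 200;
            family inet { address 10.200.0.1/30; }
        }
    }
}
routing-options {
    /* First import-rib must be the instance's own table; the second receives the leaked copy */
    rib-groups {
        LEAK-A-TO-B { import-rib [ VRF-A.inet.0 VRF-B.inet.0 ]; }
        LEAK-B-TO-A { import-rib [ VRF-B.inet.0 VRF-A.inet.0 ]; }
    }
}
routing-instances {
    VRF-A {
        instance-type virtual-router;
        interface ge-0/0/0.100;
        routing-options {
            /* Leak the connected /30 so VRF-B has a return route toward VRF-A's core router */
            interface-routes { rib-group { inet LEAK-A-TO-B; } }
        }
        protocols {
            ospf {
                /* Routes learned from VRF-A's core router are also copied into VRF-B.inet.0 */
                rib-group LEAK-A-TO-B;
                area 0.0.0.0 { interface ge-0/0/0.100; }
            }
        }
    }
    VRF-B {
        instance-type virtual-router;
        interface ge-0/0/0.200;
        routing-options {
            interface-routes { rib-group { inet LEAK-B-TO-A; } }
        }
        protocols {
            ospf {
                rib-group LEAK-B-TO-A;
                area 0.0.0.0 { interface ge-0/0/0.200; }
            }
        }
    }
}
security {
    zones {
        security-zone ZONE-A {
            /* OSPF hellos are terminated on the SRX itself, so the zone must admit them */
            host-inbound-traffic {
                system-services { ping; }
                protocols { ospf; }
            }
            interfaces { ge-0/0/0.100; }
        }
        security-zone ZONE-B {
            host-inbound-traffic {
                system-services { ping; }
                protocols { ospf; }
            }
            interfaces { ge-0/0/0.200; }
        }
    }
    policies {
        /* Inter-VRF traffic is only what these policies permit; there is no implicit any/any */
        from-zone ZONE-A to-zone ZONE-B {
            policy A-TO-B-WEB {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then { permit; }
            }
        }
        from-zone ZONE-B to-zone ZONE-A {
            policy B-TO-A-DENY {
                match { source-address any; destination-address any; application any; }
                then { deny; log { session-init; } }
            }
        }
    }
}
```

Two things to check once this is committed: `show route table VRF-B.inet.0` should list VRF-A's connected and OSPF routes (and vice versa), otherwise the rib-group leak is not taking effect; and `show ospf neighbor instance VRF-A` should reach Full, which fails silently if `protocols ospf` is missing from the zone's host-inbound-traffic. The rib-group approach is used here rather than a pair of `next-table` static routes because each instance needs the other's prefixes and the leak must work in both directions; whichever method is used, the separation between the VRFs is enforced by the zone policies, not by the routing tables, so the `from-zone`/`to-zone` pairs are where to look when something is reachable that should not be.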
05-18-2012 01:53 AM
Thanks for the suggestions.
I've had some advice from other sources that agrees with everything that's been said. Although I wanted to avoid it, I think a simpler vlan based layout is probably the way to go.