Contributor
jyokoyama
Posts: 13
Registered: 10-01-2010

2x SRX, 2x ISP links- design suggestions?

Hey guys,

Attached is a proposed network diagram. We currently have one SRX with one ISP, so things are pretty straightforward. We will be moving our internet connection to a new datacenter and will be connecting to a fully-meshed ISP that can hand us 2 links. They have various options for redundancy such as HSRP (VRRP), full BGP table, partial BGP table, or BGP default route. We are leaning towards either going the BGP default route or VRRP method.

1) In the network diagram, a couple of the links are dashed. Because of the way these will be setup, are the dashed links necessary?

2) We will be hosting certain services on servers behind the firewalls. To avoid policy/session mismatching and asymmetric routing, is going to an active/passive situation better? (We might even have to go A/P anyway.) Is VRRP or a default BGP route more preferable?

3) I was just planning on keeping both firewalls separate, each with their own [relatively identical] config. I've played around with HA on J-series routers, and it seemed kind of clunky. Would doing high-availability really prove to be that beneficial?

4) Any other suggestions, warnings, or red-flags?

Thanks in advance!

Trusted Contributor
SapphireNET
Posts: 154
Registered: 03-27-2008

Re: 2x SRX, 2x ISP links- design suggestions?

1) In the network diagram, a couple of the links are dashed. Because of the way these will be setup, are the dashed links necessary?

If you are going to be doing an HA cluster, then these would be clustered links. If you are going to make the intermediate line between the SRXs an L3 link, that is also OK, but I would steer away from an L2 link.

2) We will be hosting certain services on servers behind the firewalls. To avoid policy/session mismatching and asymmetric routing, is going to an active/passive situation better? (We might even have to go A/P anyway.) Is VRRP or a default BGP route more preferable?

If you are going to be doing a very basic active/passive setup with static default routing, then the failover is very fast.

If you stick L3 on top, like routing protocols, then failover takes substantially longer, as the protocols essentially start from scratch and have to peer up and converge.

3) I was just planning on keeping both firewalls separate, each with their own [relatively identical] config. I've played around with HA on J-series routers, and it seemed kind of clunky. Would doing high-availability really prove to be that beneficial?

You end up with one config that is mirrored onto the passive node; as long as your performance and port requirements are met, it is a good backup solution.

4) Any other suggestions, warnings, or red-flags?

Be careful with the SRX software version, as it does tend to be flaky; go with the recommended version unless you have a specific requirement.

JNCIS-M, JNCIS-SEC
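The active/passive design SapphireNET describes (HA cluster, one ISP link per node, static default route towards the ISP's VRRP address), written out as a minimal Junos chassis-cluster configuration. This is an added example, not a config from either poster; it assumes an SRX240 pair (node 1 ports are ge-5/0/x, and in cluster mode ge-x/0/0 becomes fxp0 and ge-x/0/1 the control port), that both ISP links land on the same VRRP segment, and all addresses are constructed documentation ranges. Comment lines are annotations to strip before loading.

```junos
# Added example (not from the thread): SRX chassis cluster, active/passive,
# static default route. Assumes an SRX240 pair (node 1 ports are ge-5/0/x;
# in cluster mode ge-x/0/0 becomes fxp0 and ge-x/0/1 the control port,
# so revenue ports start at ge-x/0/2). All addresses are constructed.
# Cluster membership is set from operational mode before loading this:
#   set chassis cluster cluster-id 1 node 0 reboot   (run on node 0)
#   set chassis cluster cluster-id 1 node 1 reboot   (run on node 1)

# Fabric (data) link between the chassis, one port per node
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2

# Per-node hostname and management address, applied via node groups
set groups node0 system host-name srx-node0
set groups node0 interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set groups node1 system host-name srx-node1
set groups node1 interfaces fxp0 unit 0 family inet address 192.0.2.11/24
set apply-groups "${node}"

# RG0 = routing engine, RG1 = data plane; node 0 is primary for both.
# No preempt on RG1, so a recovered node does not flap traffic back.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
# Fail RG1 over if the active node loses its ISP-facing or LAN-facing port
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 255

# reth0: one ISP link per node; both land on the ISP's shared VRRP segment
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.2/29

# reth1: inside LAN, one port per node towards the core switches
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-5/0/4 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.10.0.1/24

# Static default to the ISP VRRP VIP: nothing has to re-peer on failover
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0
```

After commit, `show chassis cluster status` and `show chassis cluster interfaces` confirm which node holds RG1 and that the monitored ports are up; a security policy from trust to untrust is still needed before traffic flows.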
Contributor
jyokoyama
Posts: 13
Registered: 10-01-2010

Re: 2x SRX, 2x ISP links- design suggestions?

Thanks for the response, Sapphire!

I guess I am leaning towards going the HA route. I'll play around with HA and BGP with some of the routers lying around here and see how I like it.
