SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Can the SRX do this?

    Posted 02-26-2014 05:57

    I'm proposing migrating to the SRX210s but I need to know if it can be configured to do the following. I know it can do HA as well as WAN failover. But can 2 SRXs in an HA configuration do the following?

    WAN1 - Primarily for core services, high quality and expensive

    WAN2 - Primarily for user internet, modest quality, faster and less expensive

    LAN1 - Core network

    LAN2 - User network

    LAN1 uses WAN1 as primary gateway. LAN1 fails over to WAN2 as needed.

    LAN2 uses WAN2 as primary gateway. LAN2 fails over to WAN1 as needed.

    The SRXs will be in an HA configuration for both LAN1 and LAN2.

    Right now we are having to use 2 pairs of firewalls to do this since they do not support this configuration with a single pair and/or the devices are EOL. If it can do what I want, can you let me know what the OS/license requirements would be? I don't want to propose this and end up needing twice the hardware and licensing to accomplish the same goal.

    Thanks,

    Ty



  • 2.  RE: Can the SRX do this?

    Posted 02-26-2014 08:04

    You can use VRRP for this. Unfortunately I don't think you can use VRRP in combination with clustering.

    On your first device VRRP can act as primary for the Core network (VRRP group) and as secondary for the User network.

    On the other device VRRP can act as primary for the User network and secondary for the Core network.

    You can then monitor your internet-facing interfaces to control who will have the master role and backup role, i.e. if WAN1 fails, you could force all traffic to be routed to your other device and thus through WAN2.

    No additional license is required for this VRRP feature.

    You can also HA cluster your devices and let them both have access to the two internal as well as external networks. You can then, in a similar manner to the VRRP, monitor / track the state of your interfaces and control who will be the active node for your LANs. If you want traffic from specific sources routed towards a specific ISP, you can use filter-based forwarding (policy-based routing) to control this.

    No additional license is required for this either.



  • 3.  RE: Can the SRX do this?

    Posted 02-27-2014 05:55

    I confirmed that VRRP and chassis clusters cannot be used simultaneously.  I appreciate your help.



  • 4.  RE: Can the SRX do this?

    Posted 02-27-2014 14:39

    With a chassis cluster you should not need VRRP. The cluster will maintain the virtual gateway address for all your configured VLANs and fail them over between the hardware as needed.



  • 5.  RE: Can the SRX do this?
    Best Answer

    Posted 02-26-2014 18:53

    I would see your basic design as a chassis cluster in Active/Passive mode for hardware redundancy. You will need some external layer 2 VLANs set up with 3 ports to support the failover scenarios: one port for the ISP and one for each of the two SRXs. With chassis redundancy both devices need to be able to reach both ISP lines this way.

    In the cluster you would create two virtual routers, one for each of your ISP/LAN combinations.

    You would create the ISP failover with some routing policies to provide the alternate path out when the primary ISP fails.

    You also need to research the limits on traffic, policies and the like to ensure that the particular model SRX210 has the capacity you need for the flows. You can find these specs on the product sheet.



  • 6.  RE: Can the SRX do this?

    Posted 02-27-2014 11:35

    Again, I appreciate everyone's contributions. These devices appear to be exactly what I need and then some.

    Ty



  • 7.  RE: Can the SRX do this?

    Posted 02-26-2014 19:17

    Yes. SRX 210 will support your requirements. Use routing instances of type forwarding. You would create a static default route in both routing instances. So for instance CORE, the default route would have a next-hop to primary ISP 1 and a qualified-next-hop to secondary ISP 2 with a higher preference, say 8. And for instance NETWORK, the default route would have a next-hop to secondary ISP 2 and a qualified-next-hop to primary ISP 1 with a higher preference, say 8.

    No additional license is required to use the routing instances. The routing instances will take care of the failover. LAN 1 will direct traffic to the CORE routing instance and LAN 2 will direct traffic to the NETWORK routing instance.

    Use a firewall filter to direct relevant traffic to the respective routing instances. Use instance-import to share interface routes with both routing instances.
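
    The design in this reply, written out as an added example in Junos set-style configuration (this is not configuration posted in the thread). Interface names, addresses and the policy and filter names are assumptions: reth0 faces ISP 1 (gateway 203.0.113.1), reth3 faces ISP 2 (gateway 198.51.100.1), reth1 is LAN 1 (10.1.0.0/24) and reth2 is LAN 2 (10.2.0.0/24).

```junos
## Constructed example: two forwarding-type routing instances, each with a
## primary default route and a lower-priority (preference 8) backup via the
## other ISP. Addresses and interface names are assumed, not from the thread.
set routing-instances CORE instance-type forwarding
set routing-instances CORE routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-instances CORE routing-options static route 0.0.0.0/0 qualified-next-hop 198.51.100.1 preference 8
set routing-instances NETWORK instance-type forwarding
set routing-instances NETWORK routing-options static route 0.0.0.0/0 next-hop 198.51.100.1
set routing-instances NETWORK routing-options static route 0.0.0.0/0 qualified-next-hop 203.0.113.1 preference 8

## Leak the directly connected (interface) routes from the master instance into
## both forwarding instances with instance-import, so each instance can resolve
## both ISP next-hops and still reach the other LAN subnet.
set policy-options policy-statement SHARE-DIRECT term direct from instance master
set policy-options policy-statement SHARE-DIRECT term direct from protocol direct
set policy-options policy-statement SHARE-DIRECT term direct then accept
set policy-options policy-statement SHARE-DIRECT term other then reject
set routing-instances CORE routing-options instance-import SHARE-DIRECT
set routing-instances NETWORK routing-options instance-import SHARE-DIRECT

## Filter-based forwarding: packets arriving from LAN 1 are looked up in
## CORE, packets arriving from LAN 2 in NETWORK. The filters are applied as
## input filters on the LAN-side reth interfaces of the cluster.
set firewall family inet filter FBF-LAN1 term to-core then routing-instance CORE
set firewall family inet filter FBF-LAN2 term to-network then routing-instance NETWORK
set interfaces reth1 unit 0 family inet filter input FBF-LAN1
set interfaces reth2 unit 0 family inet filter input FBF-LAN2

## Operational-mode checks for the resulting per-instance default routes:
## show route table CORE.inet.0 0.0.0.0/0
## show route table NETWORK.inet.0 0.0.0.0/0
```

    The static default routes only fail over when the SRX sees the ISP-facing interface itself go down; if the circuit stays up while upstream connectivity is lost, combine them with RPM probes and ip-monitoring (the interface monitoring mentioned earlier in the thread) so the primary next-hop is withdrawn.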