We currently have two J4350s running as border routers for our hosting network (multihomed to various ISPs and IXs).
Because of the inevitable asymmetry in the traffic going through our border routers, we can't run stateful firewall filters on our border routers. For this reason I am looking to put two more J4350s as stateful firewalls behind our border routers.

My first question is whether this is a terrible idea. I've looked at SSGs but I would prefer to stick with JunOS for a couple of reasons. We don't need much fancy firewall functionality as we're only running in a pretty simple web hosting environment.

My second question is what the architecture for this looks like. As I understand it, we need it to look like this: http://www.choppingblock.com.au/assets/firewalls.jpg (i.e. 4 x J4350s and 4 x switches). Have I understood this right? Are there any tricks to this that I'm missing?

I'm not too sure how we achieve failover for the firewalls. Do we run VRRP on both the external-facing and internal-facing interfaces? Or do we run VRRP on the internal-facing interfaces and OSPF on the external-facing interfaces? I'm also a little confused about what will happen to NATed traffic if the primary firewall fails and causes the secondary firewall to take over.

Any guidance would be most appreciated.

Thanks,
Alex

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
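As an added illustration of the "VRRP on both sides" variant asked about above (this is editor-supplied example configuration, not from the poster or from Juniper documentation), the fragment below sketches one of the two standalone J4350 firewalls. It assumes: a J-series running a services-era Junos with the built-in sp-0/0/0 service interface; ge-0/0/0 facing the border routers and ge-0/0/1 facing the hosting switches; a public hosting subnet 192.0.2.0/24 behind the firewall plus a private backend range 10.0.0.0/24 that is source-NATed; and a NAT pool address taken from a block (198.51.100.0/24) that the border routers route to the outside VIP, so no proxy-ARP is needed. All addresses are documentation ranges and the interface names, group numbers and rule names are placeholders. The second box carries the same configuration with its own real addresses and a lower priority. Interface tracking ties the two VRRP groups together so both VIPs fail over to the same box; because the two boxes are independent and the example assumes no session-state synchronisation between them, in-flight NATed sessions are dropped at failover, while new connections work immediately since both boxes use the same pool address.

```junos
## fw1: intended VRRP master (fw2 is identical except for its own
## addresses and priority 100).  Example configuration, not the poster's.
interfaces {
    ge-0/0/0 {
        description "outside: towards the border routers";
        unit 0 {
            family inet {
                ## stateful firewall + NAT are applied per interface via a service set
                service {
                    input  { service-set edge; }
                    output { service-set edge; }
                }
                address 203.0.113.2/29 {
                    vrrp-group 1 {
                        virtual-address 203.0.113.1;   ## next hop used by the border routers
                        priority 200;
                        preempt;
                        accept-data;                   ## let the master answer on the VIP
                        track {
                            ## inside link down -> drop below fw2 so both VIPs move together
                            interface ge-0/0/1.0 { priority-cost 150; }
                        }
                    }
                }
            }
        }
    }
    ge-0/0/1 {
        description "inside: towards the hosting switches";
        unit 0 {
            family inet {
                address 192.0.2.2/24 {
                    vrrp-group 2 {
                        virtual-address 192.0.2.1;     ## default gateway for the hosts
                        priority 200;
                        preempt;
                        accept-data;
                        track {
                            interface ge-0/0/0.0 { priority-cost 150; }
                        }
                    }
                }
            }
        }
    }
}
routing-options {
    ## assumed: private backend range sits behind a switch on the inside segment
    static { route 10.0.0.0/24 next-hop 192.0.2.254; }
}
services {
    stateful-firewall {
        rule inbound-web {
            match-direction input;          ## packets arriving from the outside
            term web {
                from {
                    destination-address 192.0.2.0/24;
                    applications [ junos-http junos-https ];
                }
                then accept;
            }
            term deny-rest {
                then {
                    discard;
                    syslog;                 ## log what the firewall drops
                }
            }
        }
    }
    nat {
        pool outside-pool {
            ## same address on fw1 and fw2; routed by the border routers to 203.0.113.1
            address 198.51.100.10/32;
            port automatic;
        }
        rule backend-out {
            match-direction output;         ## backend hosts initiating outbound
            term t1 {
                from { source-address 10.0.0.0/24; }
                then {
                    translated {
                        source-pool outside-pool;
                        translation-type source dynamic;
                    }
                }
            }
        }
    }
    service-set edge {
        stateful-firewall-rules inbound-web;
        nat-rules backend-out;
        interface-service { service-interface sp-0/0/0; }
    }
}
```

Before relying on this, check on a lab pair that both VIPs actually move together when either link is pulled (`show vrrp summary` on each box) and that a long-lived session through the NAT pool is re-established rather than resumed after the master is rebooted; that second observation is what the question about NATed traffic comes down to with two independent boxes.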