Hello,

Regarding the number of boxes, you can consolidate the 4 switches to just two by using VLANs.

I would use OSPF for managing the failover with the external routers and keep VRRP for the static elements (servers I guess) inside.

I'm not very familiar with the stateful filters feature of Junos - does it include state synchronization between two or more network elements? If not then I would seriously consider a ScreenOS based device.
Regards,
Amos

On Apr 16, 2008, at 9:52 AM, Campbell, Alex wrote:

> We currently have two J4350s running as border routers for our hosting network (multihomed to various ISPs and IXs).
>
> Because of the inevitable asymmetry in the traffic going through our border routers, we can't run stateful firewall filters on our border routers. For this reason I am looking to put two more J4350s as stateful firewalls behind our border routers.
>
> My first question is whether this is a terrible idea. I've looked at SSGs but I would prefer to stick with JunOS for a couple of reasons. We don't need much fancy firewall functionality as we're only running in a pretty simple web hosting environment.
>
> My second question is what the architecture for this looks like. As I understand we need it to look like this: http://www.choppingblock.com.au/assets/firewalls.jpg (i.e. 4 x J4350s and 4 x switches). Have I understood this right? Are there any tricks to this that I'm missing?
>
> I'm not too sure how we achieve failover for the firewalls. Do we run VRRP on both the external-facing and internal-facing interfaces? Or do we run VRRP on the internal-facing interfaces and OSPF on the external-facing interfaces?
>
> I'm also a little confused about what will happen to NATed traffic if the primary firewall fails and causes the secondary firewall to take over.
>
> Any guidance would be most appreciated.
>
> Thanks,
>
> Alex

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
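As an added illustration of the split Amos suggests (OSPF towards the border routers, VRRP towards the servers, VLANs on a shared pair of switches instead of four separate ones), here is a Junos configuration fragment for one of the two firewalls. This is example configuration written for this page, not from either poster or from Juniper; the interface names, VLAN IDs, addresses, priorities and the OSPF area are all assumptions, and the second firewall would mirror it with its own addresses and a lower VRRP priority.

```junos
## Example only: firewall A. Firewall B uses 192.0.2.3 / 198.51.100.3 and priority 100.
interfaces {
    ge-0/0/0 {
        description "Outside (assumed): towards border routers, OSPF";
        vlan-tagging;
        unit 10 {
            vlan-id 10;
            family inet {
                address 192.0.2.2/24;
            }
        }
    }
    ge-0/0/1 {
        description "Inside (assumed): server VLAN, VRRP gateway";
        vlan-tagging;
        unit 20 {
            vlan-id 20;
            family inet {
                address 198.51.100.2/24 {
                    vrrp-group 1 {
                        virtual-address 198.51.100.1;   /* servers' default gateway */
                        priority 200;
                        preempt;
                        accept-data;
                        track {
                            /* if the outside link dies, drop below B's priority
                               so B becomes master on the inside as well */
                            interface ge-0/0/0.10 {
                                priority-cost 150;
                            }
                        }
                    }
                }
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.10;
            /* advertise the server subnet without forming adjacencies on the server VLAN */
            interface ge-0/0/1.20 {
                passive;
            }
        }
    }
}
```

Both VLANs can be trunked over the same two switches, which is the consolidation Amos describes. The interface tracking ties the two halves together: when firewall A loses its outside link, OSPF on the border routers withdraws the path through A, and the priority-cost pushes A's VRRP priority to 50, below B's 100, so B takes the inside gateway at the same time. Note that VRRP only moves the gateway address; it carries no NAT or flow state, so what happens to existing NATed sessions on failover depends entirely on whether the platform synchronises that state, which is exactly the question Amos raises.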