> -----Original Message----- > From: Julien Goodwin [mailto:jgood...@studio442.com.au] > Sent: Thursday, February 03, 2011 11:50 PM
> On 04/02/11 16:12, Ryan Goldberg wrote: > > watchguard a) is the outbound nat box for about 70 small offices (we are a > small ISP too, these are fiber-connected customers). it also handles some > amount of inbound nat for those customer's various servers, which may be > in the customers office, or a virtual host in our racks. and maybe a half > dozen ssl-vpn road-warrior types. There's also a dozen or so lan-to-lan ipsec > tunnels on it. sustained 2-20 inbound. light outbound. > > That's an odd setup. Yes it is odd in a number of ways. It grew that way, was not designed that way. It started out that we had a 20Mbit internet connection and ran copper throughout our largish office building to other tenants. We handled the whole of their IT needs, and it was seemingly simpler to just hang their vlan off our firewall. In the meantime, we bought a small ISP (I came along with that purchase), started running fiber, etc. We still offer this as a service though, and customers find value: they have nothing in their office but a switch. Their server(s) are at our shop, and we handle their internet traffic too. I personally very much prefer to just hand customers public IP and walk away, but I can't deny we make money from this. > > watchguard b) is for internet facing windows boxes. lotsa inbound nat. > sustained 2-20Mbit outbound > > watchguard c) is for our office, 55ish users. some inbound nat too. 0- > 50Mbit inbound, widely varying > > watchguard d) is for one particular hosting customer where stability is > paramount. The other firewalls get touched a lot (and as of late, have been > puking when they feel like it). 2-15Mbit of sustained web traffic, with the > odd spike or lull. > > These three are fairly trivial. > > > a 2821) terminates a bunch of lan-to-lan ipsec tunnels (VTI style) to 1841s > all over the place. box is completely VRFed, no global table, all the tunnels > land in the INTERNET vrf and pop out in customer vlans, each their own vrf. > 10-30Mbit > > > > So - goal is to collapse all this onto a single pair of boxes running in an > > HA > config. Watchguard a, b, and c are problematic, and are becoming more > problematic. watchguard d is pretty quiet, but we are contractually > obligated to remove all SPOF from that clients setup. the 2821 is very quiet, > no troubles. I assume that cisco VTI style tunnels do not interoperate with an analog on JunOS? > > My main question revolves around number of virtual routers. We can't ... > You only need instances (on SRX) for two things: > * Overlapping IP's need forwarding instances > * Multiple protocol instances (eg, seperate OSPF on either side) take > non-forwarding instances I think you are correct. > > My other question involves HA stability. I've seen instances with other kit > where introducing "HA" actually reduced availability. SRX boxes like > running in HA, or are they fussy? > > I don't run SRX's in HA, the only issues I've had in production are > firmware related (note that you can't do an online firmware upgrade of a > HA cluster, there's still a hit). That's a little maddening, but oh well. > I would suggest an SRX650 over the SRX240, would be far more confident > in that handling your traffic load (on the services side, forwarding > should be trivial for even an SRX100). Noted. Thanks- Ryan _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
