Thanks everyone for the replies - After some deliberation, we are leaning towards a single SRX650 to replace watchguards a, b and c, and a pair of SRX100 for watchguard d. The 2821 will likely hang around, as it is not problematic in the least, and all the tunnels it terminates are cisco VTI-style tunnels (I suppose we could convert the far-ends to GRE/ipsec..) . Does this seem reasonable?
Thanks again- Ryan > -----Original Message----- > From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp- > boun...@puck.nether.net] On Behalf Of Ryan Goldberg > Sent: Thursday, February 03, 2011 11:13 PM > To: juniper-nsp@puck.nether.net > Subject: [j-nsp] SRX advice > > Hi- > > Totally new here, and I mainly lurk on other lists, so be gentle if possible. > > We are in a situation we need to get out of. I am considering a pair of > juniper SRX boxes (240s are in the budget) to do that. > > This is what we have: > > watchguard a) is the outbound nat box for about 70 small offices (we are a > small ISP too, these are fiber-connected customers). it also handles some > amount of inbound nat for those customer's various servers, which may be > in the customers office, or a virtual host in our racks. and maybe a half > dozen ssl-vpn road-warrior types. There's also a dozen or so lan-to-lan ipsec > tunnels on it. sustained 2-20 inbound. light outbound. > > watchguard b) is for internet facing windows boxes. lotsa inbound nat. > sustained 2-20Mbit outbound > > watchguard c) is for our office, 55ish users. some inbound nat too. 0-50Mbit > inbound, widely varying > > watchguard d) is for one particular hosting customer where stability is > paramount. The other firewalls get touched a lot (and as of late, have been > puking when they feel like it). 2-15Mbit of sustained web traffic, with the > odd spike or lull. > > a 2821) terminates a bunch of lan-to-lan ipsec tunnels (VTI style) to 1841s > all > over the place. box is completely VRFed, no global table, all the tunnels > land in the INTERNET vrf and pop out in customer vlans, each their own vrf. > 10-30Mbit > > So - goal is to collapse all this onto a single pair of boxes running in an HA > config. Watchguard a, b, and c are problematic, and are becoming more > problematic. watchguard d is pretty quiet, but we are contractually > obligated to remove all SPOF from that clients setup. the 2821 is very quiet, > no troubles. > > My main question revolves around number of virtual routers. We can't > afford a big enough box to stuff everything (as in, every customer network) > in its own vrf/routing-instance. I will admit that I've become hooked on > using vrfs in cisco land on ISRs (a lot of double-ISP configs, random dirty > hacks). But for our future firewall setup, I don't know what a bunch of > routing-instances really buys us, if anything (aside from the psychological > aspect). All we really need is for all the private networks behind this thing > to get natted to their corresponding public ip(s), and if something behind > the firewall needs to talk to something else behind the firewall, it should go > out and back in (getting source nattted, then dest natted). If the J-boxes > can > do that without separate routing-instances, then we're good. > > My other question involves HA stability. I've seen instances with other kit > where introducing "HA" actually reduced availability. SRX boxes like > running in HA, or are they fussy? > > I very much thank anyone who takes the time to reply to this. > > Ryan > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp