Re: [j-nsp] srx advice

2011-07-24 Thread Chen Jiang
- From: Ben Dale [bd...@comlinx.com.au] Sent: 22.07.2011 22:11 ZE10 To: Richard Zheng rzh...@gmail.com Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] srx advice Hi Richard, Depending on your topology you can scale this out by having a common Untrust zone for all customers

[j-nsp] srx advice

2011-07-22 Thread Richard Zheng
Hi, I am trying to compare different models of SRX. The application is to set up virtual firewalls for several customers. The virtual router instance should do it. The maximum number of security zones seems to be the limitation of SRX. For example, SRX220 has maximum 24 zones and 15 virtual

Re: [j-nsp] srx advice

2011-07-22 Thread Kurt Bales
Hello Richard, I would hazard a guess that because not every virtual router needs to be running in flow-based mode (i.e. run some in packet-mode a la http://datainter.cz/doc/3500192-en.pdf ), that it may be possible to not require 2x Zones per VR. Just a thought. Kurt (@networkjanitor) On Fri,

Re: [j-nsp] srx advice

2011-07-22 Thread Ben Dale
Hi Richard, Depending on your topology you can scale this out by having a common Untrust zone for all customers (which has interfaces in the inet.0 instance) and simply leaking routes (interface(s), default or otherwise) into specific customer VRs. Cheers, Ben On 22/07/2011, at 5:54 PM,
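
A sketch of the layout Ben describes, added here as an editorial example and not configuration posted by Ben, Juniper or anyone else in the thread. The interface names, the customer prefix 10.1.0.0/24, the upstream addresses, the zone names and the rib-group name are all assumptions. One customer VR (CUST-A) gets a single zone; the Untrust zone and its interface stay in inet.0 and are shared by every customer.

```junos
/* Assumed example configuration, not from the thread. */
interfaces {
    /* Upstream interface, lives in inet.0 and in the shared untrust zone. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 203.0.113.2/30;
            }
        }
    }
    /* Customer A hand-off on a tagged sub-interface. */
    ge-0/0/1 {
        vlan-tagging;
        unit 100 {
            vlan-id 100;
            family inet {
                address 10.1.0.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 203.0.113.1;
    }
    /* Rib-group that copies CUST-A's interface (direct) routes into inet.0,
       so return traffic arriving on the shared untrust side can reach the
       customer prefix. Primary table first, then the table(s) to import into. */
    rib-groups {
        CUST-A-to-inet0 {
            import-rib [ CUST-A.inet.0 inet.0 ];
        }
    }
}
routing-instances {
    CUST-A {
        instance-type virtual-router;
        interface ge-0/0/1.100;
        routing-options {
            interface-routes {
                rib-group inet CUST-A-to-inet0;
            }
            /* Customer default route: hand off to the global table, where
               the shared untrust interface and the real default live. */
            static {
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
}
security {
    zones {
        /* One untrust zone for all customers. */
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        /* One zone per customer VR. */
        security-zone CUST-A {
            interfaces {
                ge-0/0/1.100;
            }
        }
    }
    policies {
        from-zone CUST-A to-zone untrust {
            policy CUST-A-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* No untrust-to-CUST-A policy is defined, so inbound traffic falls
           to the default deny until a specific policy (and, for public
           services, destination NAT) is added. */
    }
}
```

The two directions are leaked differently on purpose: the customer VR uses next-table to reach inet.0, while inet.0 learns the customer prefix through the rib-group. Junos will not accept next-table pointing in both directions between the same pair of tables, so one side has to use a rib-group (or a logical tunnel interface). Each additional customer repeats the CUST-B block, zone and rib-group, which is how the per-VR zone count drops to one plus the shared untrust zone.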

Re: [j-nsp] srx advice

2011-07-22 Thread Stefan Fouant
On 7/22/2011 1:51 AM, Kurt Bales wrote: Hello Richard, I would hazard a guess that because not every virtual router needs to be running in flow-based mode (i.e. run some in packet-mode a la http://datainter.cz/doc/3500192-en.pdf ), that it may be possible to not require 2x Zones per VR. In a

Re: [j-nsp] srx advice

2011-07-22 Thread Farid Bouzemarene
Just as a reminder: LSYS (ScreenOS vsys equivalent) are arriving in 11.2 on SRX - Original message - From: Ben Dale [bd...@comlinx.com.au] Sent: 22.07.2011 22:11 ZE10 To: Richard Zheng rzh...@gmail.com Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] srx advice Hi

Re: [j-nsp] SRX advice

2011-02-04 Thread Paul Zugnoni
a 2821) terminates a bunch of LAN-to-LAN IPsec tunnels (VTI style) to 1841s all over the place. Box is completely VRFed, no global table, all the tunnels land in the INTERNET VRF and pop out in customer VLANs, each their own VRF. 10-30 Mbit One of the large drawbacks on SRX has been lack of

Re: [j-nsp] SRX advice

2011-02-04 Thread Doug Hanks
: Re: [j-nsp] SRX advice I've implemented two pairs of clustered SRX240s for one of my networks. HA is fairly simple to set up, and seems to work fairly well. Session tables are replicated between the cluster, but active routing is not, so you're going to be using an active/standby scenario

Re: [j-nsp] SRX advice

2011-02-04 Thread Ryan Goldberg
, 2011 11:13 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] SRX advice Hi- Totally new here, and I mainly lurk on other lists, so be gentle if possible. We are in a situation we need to get out of. I am considering a pair of juniper SRX boxes (240s are in the budget) to do

Re: [j-nsp] SRX advice

2011-02-04 Thread Doug Hanks
Goldberg Sent: Friday, February 04, 2011 10:36 AM To: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] SRX advice Thanks everyone for the replies - After some deliberation, we are leaning towards a single SRX650 to replace WatchGuards a, b and c, and a pair of SRX100 for WatchGuard d. The 2821

Re: [j-nsp] SRX advice

2011-02-04 Thread Ryan Goldberg
Regarding the odd setup: Can SRX boxes do (for lack of a better term) NAT loopback? In other words, say you have private net x src-NATted to public address y. And you have private network a src-NATted to public address b. Additionally you have some dst NAT going the other direction for

Re: [j-nsp] SRX advice

2011-02-04 Thread Doug Hanks
-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Ryan Goldberg Sent: Friday, February 04, 2011 4:29 PM To: Julien Goodwin Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] SRX advice Regarding the odd setup: Can SRX boxes do (for lack of a better term) NAT

Re: [j-nsp] SRX advice

2011-02-04 Thread Ryan Goldberg
PM To: Ryan Goldberg; Julien Goodwin Cc: juniper-nsp@puck.nether.net Subject: RE: [j-nsp] SRX advice I'm not quite understanding your NAT requirement. On the other hand I can tell you from personal experience that SRX has some of the best NAT support I've used. Here are some common

Re: [j-nsp] SRX advice

2011-02-04 Thread Doug Hanks
traffic bypasses the SRX, so it's really not usable. Doug -Original Message- From: Ryan Goldberg [mailto:rgoldb...@compudyne.net] Sent: Friday, February 04, 2011 6:34 PM To: Doug Hanks; Julien Goodwin Cc: juniper-nsp@puck.nether.net Subject: RE: [j-nsp] SRX advice I apologize

Re: [j-nsp] SRX advice

2011-02-04 Thread Doug Hanks
To: Doug Hanks Cc: Julien Goodwin; juniper-nsp@puck.nether.net Subject: Re: [j-nsp] SRX advice Excellent info. Thanks. Scenario 1, while admittedly silly, can occur when the public IP is what's in DNS and rather than playing DNS tricks (because perhaps in a given situation DNS tricks

Re: [j-nsp] SRX advice

2011-02-04 Thread Ryan Goldberg
@puck.nether.net Subject: Re: [j-nsp] SRX advice Excellent info. Thanks. Scenario 1, while admittedly silly, can occur when the public IP is what's in DNS and rather than playing DNS tricks (because perhaps in a given situation DNS tricks are not available or are onerous). Very happy

[j-nsp] SRX advice

2011-02-03 Thread Ryan Goldberg
Hi- Totally new here, and I mainly lurk on other lists, so be gentle if possible. We are in a situation we need to get out of. I am considering a pair of Juniper SRX boxes (240s are in the budget) to do that. This is what we have: WatchGuard a) is the outbound NAT box for about 70 small

Re: [j-nsp] SRX advice

2011-02-03 Thread Julien Goodwin
On 04/02/11 16:12, Ryan Goldberg wrote: WatchGuard a) is the outbound NAT box for about 70 small offices (we are a small ISP too, these are fiber-connected customers). It also handles some amount of inbound NAT for those customers' various servers, which may be in the customer's office, or

Re: [j-nsp] SRX advice

2011-02-03 Thread Ryan Goldberg
-Original Message- From: Julien Goodwin [mailto:jgood...@studio442.com.au] Sent: Thursday, February 03, 2011 11:50 PM On 04/02/11 16:12, Ryan Goldberg wrote: WatchGuard a) is the outbound NAT box for about 70 small offices (we are a small ISP too, these are fiber-connected

Re: [j-nsp] SRX advice

2011-02-03 Thread Doug Hanks
-nsp-boun...@puck.nether.net] On Behalf Of Ryan Goldberg Sent: Thursday, February 03, 2011 9:13 PM To: juniper-nsp@puck.nether.net Subject: [j-nsp] SRX advice Hi- Totally new here, and I mainly lurk on other lists, so be gentle if possible. We are in a situation we need to get out of. I am

Re: [j-nsp] SRX advice

2011-02-03 Thread OBrien, Will
I've implemented two pairs of clustered SRX240s for one of my networks. HA is fairly simple to set up, and seems to work fairly well. Session tables are replicated between the cluster, but active routing is not, so you're going to be using an active/standby scenario with them for now. I'm