You wrote:
What we are now doing [emphasis added] is the ISP will set up a single managed router that will sit in front of the SRXes and both internet uplinks will terminate into the router
So I thought this had moved from a suggestion to a decision. If it's not yet a decision, then it's just another "IF" because it affects how you'd approach this.
A couple of notes:
- With independent firewalls and /30 IP assignments on the two links, full mesh connectivity does NOT give you any automatic failover benefit because there are not enough IP addresses for both your firewalls. If the ISP1 link is connected to both firewalls you'd need 3 IP addresses to use it from both firewalls (one for each firewall, plus one for the ISP router), and you only have two. So yes, you can have everything cabled up, but you'd have to manually do configuration in the event of a failure.
- If you can do BGP with your ISP for the purposes of receiving a 0.0.0.0/0 route, that will save you from having to implement health checks, so yes, BGP with the ISP would be nice.
- If you can then go iBGP with your QFX, and then set up ECMP on the switch, that would probably be easier than my original idea of interconnecting the two SRX firewalls and balancing there. As long as the QFX can do per-flow ECMP load balancing, it will be easier.
- IF you go ahead with an ISP managed router, then A) you have a single point of failure, and B) you need to find out exactly how they're going to do the load-balancing (that's to ensure they won't set you up with only failover without load balancing).
My original suggestion for doing ECMP on each firewall and VRRP on the LAN side, while possible, would actually be more cumbersome than doing ECMP on the QFX if it can handle it.
I still maintain, though, that an SRX cluster makes things even simpler:
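Added example (editor's illustration, not the reply author's text or a configuration from the thread) of the iBGP-to-the-QFX plus ECMP-on-the-switch arrangement described in the notes above. Everything in it is assumed: internal AS 65000, placeholder ISP AS 64500 and ISP peer address, a shared transit VLAN with QFX 10.0.0.1, SRX1 10.0.0.2 and SRX2 10.0.0.3, and the /30 ISP links as described in the reply.

```junos
## --- QFX: learn 0.0.0.0/0 from both SRXes over iBGP, install both next hops ---
set routing-options autonomous-system 65000
# "per-packet" is the historical Junos keyword; the resulting behaviour is per-flow hashing,
# which is the load balancing the reply asks the QFX to do
set policy-options policy-statement ecmp-per-flow then load-balance per-packet
set routing-options forwarding-table export ecmp-per-flow
# Accept only the default route from the firewalls
set policy-options policy-statement only-default term d from route-filter 0.0.0.0/0 exact
set policy-options policy-statement only-default term d then accept
set policy-options policy-statement only-default then reject
set protocols bgp group srx-ibgp type internal
set protocols bgp group srx-ibgp local-address 10.0.0.1
set protocols bgp group srx-ibgp import only-default
set protocols bgp group srx-ibgp multipath
set protocols bgp group srx-ibgp neighbor 10.0.0.2
set protocols bgp group srx-ibgp neighbor 10.0.0.3

## --- SRX1 (SRX2 is identical apart from its addresses and its ISP peer) ---
set routing-options autonomous-system 65000
set policy-options policy-statement only-default term d from route-filter 0.0.0.0/0 exact
set policy-options policy-statement only-default term d then accept
set policy-options policy-statement only-default then reject
set policy-options policy-statement reject-all then reject
# Re-advertise the ISP's default to the QFX with next-hop self, so the QFX's
# next hop is this firewall and the route disappears when the ISP session drops
set policy-options policy-statement to-qfx term d from protocol bgp
set policy-options policy-statement to-qfx term d from route-filter 0.0.0.0/0 exact
set policy-options policy-statement to-qfx term d then next-hop self
set policy-options policy-statement to-qfx term d then accept
set policy-options policy-statement to-qfx then reject
# eBGP to ISP1 (placeholder AS and peer address): take only 0.0.0.0/0, announce nothing
set protocols bgp group isp1 type external
set protocols bgp group isp1 peer-as 64500
set protocols bgp group isp1 neighbor 198.51.100.1
set protocols bgp group isp1 import only-default
set protocols bgp group isp1 export reject-all
set protocols bgp group qfx-ibgp type internal
set protocols bgp group qfx-ibgp local-address 10.0.0.2
set protocols bgp group qfx-ibgp export to-qfx
set protocols bgp group qfx-ibgp neighbor 10.0.0.1
# The SRX must permit BGP inbound on the zones facing the ISP and the QFX
set security zones security-zone untrust host-inbound-traffic protocols bgp
set security zones security-zone trust host-inbound-traffic protocols bgp
```

Verify with `show route 0.0.0.0/0` on the QFX (both SRX next hops listed) and `show bgp summary` on each SRX; when one ISP session drops, that SRX withdraws the default and the QFX is left with a single next hop, which is the health check the reply says BGP lets you skip.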