Re: Cheap Juniper Gear for Lab
On 4/12/2012 2:47 AM, Robert E. Seastrom wrote:
We tried running on 9.3 but - surprise - 9.3 won't do 32 bit ASNs.
That came in 10.1 or something.
Hi,
we are running
Model: j2350
JUNOS Software Release [9.3R4.4]
and
had:
neighbor 41.188.165.50 {
description AfNOG_Whitesands;
peer-as 327686;
}
with success.
(and several on this list used it ~10months ago)
so, a 32-bit AS as neighbor works, not sure if you meant router's own AS
to be 32-bit.
Regards,
Frank
Re: Cheap Juniper Gear for Lab
On 12/04/12 09:47, Robert E. Seastrom wrote: We tried running on 9.3 but - surprise - 9.3 won't do 32 bit ASNs. That came in 10.1 or something. As a member of the ARIN Advisory Council, I felt compelled to eat the same dog food that I was selling, and we found ourselves at an impasse. Er, I think you're probably meaning 8.3 and 9.1. (32-bit ASN's were introduced in 9.1, and I don't remember seeing anything in the release notes for 10.x about them)
Re: Cheap Juniper Gear for Lab
I was bitten by a similar issue when I deployed a couple of J2350s at
our edge.
On 4/11/12 2:33 PM, Carl Rosevear wrote:
Yeah, I have to apply the term awful and annoying to the packet
mode implementation on SRX/J-series. Anyway, I spent *hours* with JTAC
on the phone trying to get the thing to just pass packets. Best part
was, I didn't know how to do it and nor did they! I escalated, worked
with many engineers. My key statement was I just want my router to
route. Make it do what it is supposed to do. No session tracking!
This is not a firewall. So, now it doesn't require valid sessions to
pass packets but it does still appear to *track* sessions in some
tables and I am, of course, very curious when some attack vector will
fill up some table.
Anyway, not the best devices for an edge router that is for sure.
Which is too bad... for very small DC edge applications, the J6350
was a pretty cool router in earlier versions of JunOS that didn't
decide to re-engineer your network and transit for you.
Anyway I digress. But this had, in the past, been a frustrating
enough issue for me that I had to share.
--Carl
On Tue, Apr 10, 2012 at 6:30 PM, Owen DeLong o...@delong.com wrote:
On Apr 10, 2012, at 6:02 PM, Mark Kamichoff wrote:
On Tue, Apr 10, 2012 at 11:57:31AM -0700, Owen DeLong wrote:
The fact that you can't put it into flow mode.
s/flow/packet/
(oops, wasn't awake yet)
Actually, this is possible:
prox@asgard show configuration security
forwarding-options {
family {
inet6 {
mode packet-based;
}
mpls {
mode packet-based;
}
}
}
The above is from an SRX210B, but the same configuration will work on
any J-series or /branch/ SRX-series platform.
Right, sort of. To the extent that it works. It doesn't actually do
everything you
think it should, and, it's somewhat dependent on the version of JunOS as to
how well it does or doesn't work.
Don't let the mpls keyword throw you off. This actually causes the
box to run the inet /and/ mpls address families in packet mode.
I'm not unfamiliar or uninitiated in this regard. I had tickets with Juniper
for
over a year and it escalated quite high up their escalation chain before they
finally admitted Yeah, Services JunOS is different and it behaves
differently
and if you need to do what you're trying to do, you should buy an M or MX
series.
It's quite unfortunate. I'd really like for the SRX series to not be so
crippled for
my purposes.
Owen
Re: Cheap Juniper Gear for Lab
On 11 Apr 2012, at 02:34, Owen DeLong o...@delong.com wrote:. Don't let the mpls keyword throw you off. This actually causes the box to run the inet /and/ mpls address families in packet mode. I'm not unfamiliar or uninitiated in this regard. I had tickets with Juniper for over a year and it escalated quite high up their escalation chain before they finally admitted Yeah, Services JunOS is different and it behaves differently and if you need to do what you're trying to do, you should buy an M or MX series. It's quite unfortunate. I'd really like for the SRX series to not be so crippled for my purposes. Do you have an example of this crippledness? -- Leigh __ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com __
RE: Cheap Juniper Gear for Lab
-Original Message- From: Owen DeLong [mailto:o...@delong.com] Sent: Tuesday, April 10, 2012 9:31 PM To: Mark Kamichoff Cc: jgood...@studio442.com.au; nanog@nanog.org Subject: Re: Cheap Juniper Gear for Lab It's quite unfortunate. I'd really like for the SRX series to not be so crippled for my purposes. Owen While it may not forward packets exactly like an M-series or MX, for the OP's purpose of simply learning JUNOS in a home lab, it will work just fine. I learned quite a bit using Olives (which don't exist), with the understanding that there were a lot of limitations. To the OP, I would also suggest checking out Juniper's website, specifically the 'Education' section. There are a ton of excellent learning tools on there - Learning Bytes, Web-Based Training, Day One books, etc.: http://www.juniper.net/us/en/training/jnbooks/ https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=5853 https://learningportal.juniper.net/juniper/user_courses.aspx -evt
Re: Cheap Juniper Gear for Lab
In a message written on Tue, Apr 10, 2012 at 08:31:04PM -0500, Tim Eberhard
wrote:
While I know you are a smart engineer and obviously have been working
with this gear for a long time you're really not adding anything or
backing up your argument besides saying yet again the packet
forwarding is different. While this maybe true..It's my understanding
that enabling packet mode does turn it into a normal packet based
junos.
I honestly don't remember what caused the problem when I ran into
it, but the first time I configured IPv6 on a SRX I used per-packet
and I had all sorts of problems. After contacting Juniper support
and some friends who ran them they all told me to configure flow-based
for IPv6, and it started working properly. Juniper support basically
said IPv6 didn't work at all unless it was in flow mode.
My vague memory at least was OSPFv3 would not come up in IPv6
per-packet mode no matter what changes were made, but with flow
mode it came right up.
In any event, I will back up Owen on this one. Any JunOS box with
a security {} section (which I think means of Netscreen lineage)
does a number of weird things when you're used to the JunOS boxes
without a security section. For instance they basically default
to a stateful firewall, so when I used a pair for redundancy and
had asymmetrical paths it took way too many lines of config (4-5
features that had to be turned off) to make it not-stateful. That's
a big surprise when you come from working on M-series.
Still, they are very nice boxes, particularly for the capabilities
you get at the price point. It's just that darn security {} section
that seems to be quite poorly thought out, even all the working
parts are just laid out in a way that's not intuitive to me and
don't seem to match the rest of JunOS well. Want to list a netblock,
you have to put it in an address book. Want to list two, it has
to be in an address-book group, you can't just list them between
brackets, and so on. It may be the only router platform where I turn to
the web gui from time to time to configure things, otherwise it's an
exercise in frustration trying to get the syntax right.
--
Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
pgpiuZJqUZnvh.pgp
Description: PGP signature
Re: Cheap Juniper Gear for Lab
Yeah, I have to apply the term awful and annoying to the packet
mode implementation on SRX/J-series. Anyway, I spent *hours* with JTAC
on the phone trying to get the thing to just pass packets. Best part
was, I didn't know how to do it and nor did they! I escalated, worked
with many engineers. My key statement was I just want my router to
route. Make it do what it is supposed to do. No session tracking!
This is not a firewall. So, now it doesn't require valid sessions to
pass packets but it does still appear to *track* sessions in some
tables and I am, of course, very curious when some attack vector will
fill up some table.
Anyway, not the best devices for an edge router that is for sure.
Which is too bad... for very small DC edge applications, the J6350
was a pretty cool router in earlier versions of JunOS that didn't
decide to re-engineer your network and transit for you.
Anyway I digress. But this had, in the past, been a frustrating
enough issue for me that I had to share.
--Carl
On Tue, Apr 10, 2012 at 6:30 PM, Owen DeLong o...@delong.com wrote:
On Apr 10, 2012, at 6:02 PM, Mark Kamichoff wrote:
On Tue, Apr 10, 2012 at 11:57:31AM -0700, Owen DeLong wrote:
The fact that you can't put it into flow mode.
s/flow/packet/
(oops, wasn't awake yet)
Actually, this is possible:
prox@asgard show configuration security
forwarding-options {
family {
inet6 {
mode packet-based;
}
mpls {
mode packet-based;
}
}
}
The above is from an SRX210B, but the same configuration will work on
any J-series or /branch/ SRX-series platform.
Right, sort of. To the extent that it works. It doesn't actually do
everything you
think it should, and, it's somewhat dependent on the version of JunOS as to
how well it does or doesn't work.
Don't let the mpls keyword throw you off. This actually causes the
box to run the inet /and/ mpls address families in packet mode.
I'm not unfamiliar or uninitiated in this regard. I had tickets with Juniper
for
over a year and it escalated quite high up their escalation chain before they
finally admitted Yeah, Services JunOS is different and it behaves differently
and if you need to do what you're trying to do, you should buy an M or MX
series.
It's quite unfortunate. I'd really like for the SRX series to not be so
crippled for
my purposes.
Owen
--
Carl Rosevear
Manager of Operations
Skytap, Inc.
direct (206) 588-8899
Re: Cheap Juniper Gear for Lab
Anyway, not the best devices for an edge router that is for sure. Which is too bad... for very small DC edge applications, the J6350 was a pretty cool router in earlier versions of JunOS that didn't decide to re-engineer your network and transit for you. We have 3 J2320s in the lab, all running 9.3R3.8. That's the last *real* JunOS (no session/flow tracking) for these boxes. They'll stay in the lab, and they'll never be upgraded to anything newer. Which is too bad, I had great hopes for the J series. But at least they're nice boxes to teach the JunOS CLI and things like that... Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: Cheap Juniper Gear for Lab
We have 3 J2320s in the lab, all running 9.3R3.8. That's the last *real* JunOS (no session/flow tracking) for these boxes. +1 on that. We have a number of 2300s in our lab for the same purpose running 8.x code. We also use Junosphere extensively, but nothing beats real hardware. j2300s are cheap. Jay
RE: Cheap Juniper Gear for Lab
-Original Message- From: Jay Hanke [mailto:jay.ha...@mankatonetworks.com] Sent: Wednesday, April 11, 2012 1:03 PM To: sth...@nethelp.no Cc: nanog@nanog.org .Subject: Re: Cheap Juniper Gear for Lab We have 3 J2320s in the lab, all running 9.3R3.8. That's the last *real* JunOS (no session/flow tracking) for these boxes. +1 on that. We have a number of 2300s in our lab for the same purpose running 8.x code. We also use Junosphere extensively, but nothing beats real hardware. j2300s are cheap. Jay So, I have a question, then. For the purposes of learning JUNOS, is 8.3 code sufficient? Would you be missing a lot of features that are in newer code? I would assume IPv6 features are different between 8.3 and the latest code, is that right? Tom - Tom Ammon Network Engineer M: (801)674-9273 tom.am...@utah.edu Center for High Performance Computing University of Utah http://www.chpc.utah.edu ---L-O---
Re: Cheap Juniper Gear for Lab
On 11 Apr 2012, at 18:36, Carl Rosevear crosev...@skytap.com wrote: Yeah, I have to apply the term awful and annoying to the packet mode implementation on SRX/J-series. Anyway, I spent *hours* with JTAC on the phone trying to get the thing to just pass packets. Best part was, I didn't know how to do it and nor did they! I escalated, worked with many engineers. My key statement was I just want my router to route. Make it do what it is supposed to do. No session tracking! This is not a firewall. So, now it doesn't require valid sessions to pass packets but it does still appear to *track* sessions in some tables and I am, of course, very curious when some attack vector will fill up some table. I have had some rather odd issues with the SRX boxes but JTAC were pretty good at turning around fixes for me for my specific issues. Since then I have had quite a lot of SRX boxes across the range running various MPLS services including MPLS over GRE with fragmentation/reassembly which has been working very well. Since 11.1R3 I've had no issues at all with them. So yeah the new flow mode stuff had its issues, but as a *small* MPLS box it is very functional. Of course in MPLS mode, you turn the flow stuff off.. -- Leigh Porter __ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com __
Re: Cheap Juniper Gear for Lab
FWIW, when I took my JNCIE, I used all J-series running flow code (disabled) for my study pod and never had any issues. I have 9 physical routers plus a bunch of VRs on them. I agree there can be issues depending on what you are trying to do, but I am not sure why this is such a big deal if this is just a lab setup. I wouldn't test something on a J-series and expect to deploy it on M/MX/T in production or something, but that wasn't what the OP was asking to do. For a home lab I can't think of any reason not to use some J-series boxes. -Jeff On Apr 11, 2012, at 1:29 PM, Leigh Porter wrote: On 11 Apr 2012, at 18:36, Carl Rosevear crosev...@skytap.com wrote: Yeah, I have to apply the term awful and annoying to the packet mode implementation on SRX/J-series. Anyway, I spent *hours* with JTAC on the phone trying to get the thing to just pass packets. Best part was, I didn't know how to do it and nor did they! I escalated, worked with many engineers. My key statement was I just want my router to route. Make it do what it is supposed to do. No session tracking! This is not a firewall. So, now it doesn't require valid sessions to pass packets but it does still appear to *track* sessions in some tables and I am, of course, very curious when some attack vector will fill up some table. I have had some rather odd issues with the SRX boxes but JTAC were pretty good at turning around fixes for me for my specific issues. Since then I have had quite a lot of SRX boxes across the range running various MPLS services including MPLS over GRE with fragmentation/reassembly which has been working very well. Since 11.1R3 I've had no issues at all with them. So yeah the new flow mode stuff had its issues, but as a *small* MPLS box it is very functional. Of course in MPLS mode, you turn the flow stuff off.. -- Leigh Porter __ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com __
Re: Cheap Juniper Gear for Lab
sth...@nethelp.no writes:
Anyway, not the best devices for an edge router that is for sure.
Which is too bad... for very small DC edge applications, the J6350
was a pretty cool router in earlier versions of JunOS that didn't
decide to re-engineer your network and transit for you.
We have 3 J2320s in the lab, all running 9.3R3.8. That's the last
*real* JunOS (no session/flow tracking) for these boxes.
They'll stay in the lab, and they'll never be upgraded to anything
newer. Which is too bad, I had great hopes for the J series.
Got a pair of J2350s in the previous job to run as part of a command
and control network. Had the same I just want this stuff to route!
experience that others have mentioned and griped about.
We tried running on 9.3 but - surprise - 9.3 won't do 32 bit ASNs.
That came in 10.1 or something. As a member of the ARIN Advisory
Council, I felt compelled to eat the same dog food that I was selling,
and we found ourselves at an impasse.
We ended up putting the CC network in VRFs on a couple of MX80s that
were already there. With a few contemptuous comments on the side we
sent the 2350s back to the VAR.
I think my successors ended up undoing the VRFs and putting Cisco
2951s in their place.
I've heard it hypothesized that this change was related to the costs
of maintaining two different packet forwarding paths (remember that
the J series used, in 9.3 and before, an emulation of the ASIC in the
hardware based routers) and that, having decided to cancel one, they
decided to cancel the less featureful one. This is a reasonable
decision to make even if we don't like it as techies.
None of the difficulties we had, however, would have gotten in the way
of the OP's apparent goal of getting comfortable typing things like
show chassis environment, request system software add, show
config | display set, and show version and haiku.
Unlike Owen I'm not going to say useless due to security { ... },
I'm going to say useful with caveats, and you might want to think
twice about what you're trying to do before moving it out of the lab.
-r
Re: Cheap Juniper Gear for Lab
On 04/10/2012 12:31 AM, Steven King wrote: Hello All, I am tasked with replacing an old linux router setup with Juniper gear in the near future. Though I am a Cisco guy myself. Does anyone know of any older cheap Juniper gear I might find on Ebay so that I may build a home lab without going broke? Thanks! http://www.ebay.com/sch/Networking-Communications-/11176/i.html?_from=R40_nkw=juniper http://www.ebay.com/sch/Networking-Communications-/11176/i.html?_from=R40_nkw=juniper
Re: Cheap Juniper Gear for Lab
On 10/04/12 14:31, Steven King wrote: I am tasked with replacing an old linux router setup with Juniper gear in the near future. Though I am a Cisco guy myself. Does anyone know of any older cheap Juniper gear I might find on Ebay so that I may build a home lab without going broke? A slightly more useful way of answering this then just pointing to eBay is to give some candidates. Routing/switching *config*, firewalling - Branch SRX / J The lower end SRX, and J series devices are nice as they take nearly all the config (except MX-type bridging, and some EX bits), including MPLS. Switching - EX [34]200 The 4200 3200 are essentially the flagship, and if you can only buy one switch for a lab make it one of those Routing - M5/10/7i/10i/20 A bunch of the smaller and older M series kit is now fairly cheaply available. These are still quite nice boxes, and support SONET and ATM unlike the platforms above should you need them. MX Routing - MX 80 (new) The MX80 (or as locked 5/10/40 variants) is by far the cheapest way to test the MX-specific ethernet services, as long as you don't want BRAS functionality. Juniper do have a bunch more lines, but those are the most common (there's also the E/ERX BRAS boxes and ScreenOS firewalls, but both are not long for this world). If you just want one box to get to know the OS an SRX2X0 (or possibly a 100) is by far the most flexible way, and can be had for $500 used).
Re: Cheap Juniper Gear for Lab
I think GNS3 can emulate Juniper devices. http://www.gns3.net/ -dan Dan Brisson Network Engineer University of Vermont (Ph) 802.656.8111 dbris...@uvm.edu On 4/10/12 12:31 AM, Steven King wrote: Hello All, I am tasked with replacing an old linux router setup with Juniper gear in the near future. Though I am a Cisco guy myself. Does anyone know of any older cheap Juniper gear I might find on Ebay so that I may build a home lab without going broke? Thanks!
Re: Cheap Juniper Gear for Lab
On Apr 10, 2012, at 5:58 AM, Julien Goodwin wrote: On 10/04/12 14:31, Steven King wrote: I am tasked with replacing an old linux router setup with Juniper gear in the near future. Though I am a Cisco guy myself. Does anyone know of any older cheap Juniper gear I might find on Ebay so that I may build a home lab without going broke? A slightly more useful way of answering this then just pointing to eBay is to give some candidates. Routing/switching *config*, firewalling - Branch SRX / J The lower end SRX, and J series devices are nice as they take nearly all the config (except MX-type bridging, and some EX bits), including MPLS. But not so nice in that they run Services JunOS instead of real JunOS meaning that they behave like Netscreens with a JunOS style configuration file instead of behaving like Junipers. If you're wanting to model Services JunOS, then, yes, the SRX-100 is a good candidate and dirt cheap. If you want real JunOS, avoid SRX or J series at all costs. Juniper do have a bunch more lines, but those are the most common (there's also the E/ERX BRAS boxes and ScreenOS firewalls, but both are not long for this world). Don't forget their SSL VPN boxes which are an acquired doesn't behave at all like a Juniper device line of products. If you just want one box to get to know the OS an SRX2X0 (or possibly a 100) is by far the most flexible way, and can be had for $500 used). With the caveat about Services JunOS above. Owen
Re: Cheap Juniper Gear for Lab
I find it humorous that you think J/SRX junos isn't real junos. So what makes it not real junos? The fact it has a flowd process? Lets technically talk about this for a moment. Realistically one of the only differences between flow based junos and the legacy packet based junos is the flowd process. Which can be easily bypassed by issuing a couple of configuration commands. So what exactly makes this platform/code so horrible and not real junos? If anything to me it's a better platform to deploy and learn on. It's more flexible as it comes with more advanced flow based features but they are optional. There are certain limitations as mentioned previously around the switching and class of service however these same feature limitations were also in the real junos low end devices. If there are other differences that I am unaware of then by all means feel free to educate me. I am well aware that branch devices don't have the capabilities of the MX/M series in regards to ATM and other such specific platforms, but you called this not real junos. So lets keep any responses limited to that aspect. -Tim Eberhard On Tue, Apr 10, 2012 at 1:33 PM, Owen DeLong o...@delong.com wrote: If you want real JunOS, avoid SRX or J series at all costs. Juniper do have a bunch more lines, but those are the most common (there's also the E/ERX BRAS boxes and ScreenOS firewalls, but both are not long for this world). Don't forget their SSL VPN boxes which are an acquired doesn't behave at all like a Juniper device line of products. If you just want one box to get to know the OS an SRX2X0 (or possibly a 100) is by far the most flexible way, and can be had for $500 used). With the caveat about Services JunOS above. Owen
Re: Cheap Juniper Gear for Lab
On 4/10/2012 5:31 AM, Steven King wrote: Hello All, I am tasked with replacing an old linux router setup with Juniper gear in the near future. Though I am a Cisco guy myself. Does anyone know of any older cheap Juniper gear I might find on Ebay so that I may build a home lab without going broke? Thanks! Have you considered this http://www.juniper.net/us/en/products-services/software/junos-platform/junosphere/lab/ Regards, N.
Re: Cheap Juniper Gear for Lab
On Apr 10, 2012, at 7:24 AM, Tim Eberhard wrote: I find it humorous that you think J/SRX junos isn't real junos. So what makes it not real junos? The fact it has a flowd process? Lets technically talk about this for a moment. The fact that you can't put it into flow mode. Realistically one of the only differences between flow based junos and the legacy packet based junos is the flowd process. Which can be easily bypassed by issuing a couple of configuration commands. So what exactly makes this platform/code so horrible and not real junos? Actually, not. Try again. It can be partially bypassed. There are real and serious differences in how forwarding works in flow-based JunOS and how it behaves under many circumstances. If anything to me it's a better platform to deploy and learn on. It's more flexible as it comes with more advanced flow based features but they are optional. There are certain limitations as mentioned previously around the switching and class of service however these same feature limitations were also in the real junos low end devices. They aren't entirely optional and that is the problem. You can't actually completely bypass them and they do sometimes get in the way. If there are other differences that I am unaware of then by all means feel free to educate me. I am well aware that branch devices don't have the capabilities of the MX/M series in regards to ATM and other such specific platforms, but you called this not real junos. So lets keep any responses limited to that aspect. I believe that the flow-based routing goes quite a bit deeper than just having a flowd. It causes a number of problems with tunnel recursion among other things. Sure, if you want a firewall, flow-based JunOS is a pretty nice set of firewall features. However, if you just want to forward packets, it can really suck to have to work around it's flow-based features. Owen -Tim Eberhard On Tue, Apr 10, 2012 at 1:33 PM, Owen DeLong o...@delong.com wrote: If you want real JunOS, avoid SRX or J series at all costs. Juniper do have a bunch more lines, but those are the most common (there's also the E/ERX BRAS boxes and ScreenOS firewalls, but both are not long for this world). Don't forget their SSL VPN boxes which are an acquired doesn't behave at all like a Juniper device line of products. If you just want one box to get to know the OS an SRX2X0 (or possibly a 100) is by far the most flexible way, and can be had for $500 used). With the caveat about Services JunOS above. Owen
Re: Cheap Juniper Gear for Lab
http://www.juniper.net/us/en/products-services/software/junos-platform/junosphere/lab/ On Mon, Apr 9, 2012 at 10:31 PM, Steven King sk...@kingrst.com wrote: Hello All, I am tasked with replacing an old linux router setup with Juniper gear in the near future. Though I am a Cisco guy myself. Does anyone know of any older cheap Juniper gear I might find on Ebay so that I may build a home lab without going broke? Thanks! -- Steve King Network/Linux Engineer - AdSafe Media Cisco Certified Network Professional CompTIA Linux+ Certified Professional CompTIA A+ Certified Professional -- -B
Re: Cheap Juniper Gear for Lab
Does anyone know of any older cheap Juniper gear I might find on Ebay so that I may build a home lab without going broke? I got my J series cheap off of ebay because it wouldn't power on. Turns out getting a replacement power supply was very difficult from Juniper or the manufacturer of the power supply. I ended up rebuilding a PC supply to do the job. Now to find rack ears and a module slot cover. Juniper quoted $150+ for the rack ears. If I can find a set, I think I might look to make a bunch of them.
Re: Cheap Juniper Gear for Lab
There is no olives. ;-) -- Eduardo Schoedler Em 10 de abril de 2012 10:03, Dan Brisson dbris...@uvm.edu escreveu: I think GNS3 can emulate Juniper devices. http://www.gns3.net/ -dan Dan Brisson Network Engineer University of Vermont (Ph) 802.656.8111 dbris...@uvm.edu On 4/10/12 12:31 AM, Steven King wrote: Hello All, I am tasked with replacing an old linux router setup with Juniper gear in the near future. Though I am a Cisco guy myself. Does anyone know of any older cheap Juniper gear I might find on Ebay so that I may build a home lab without going broke? Thanks! -- Eduardo Schoedler ESDS Consultoria de TI
Re: Cheap Juniper Gear for Lab
On Apr 10, 2012, at 7:58 AM, Owen DeLong wrote: On Apr 10, 2012, at 7:24 AM, Tim Eberhard wrote: I find it humorous that you think J/SRX junos isn't real junos. So what makes it not real junos? The fact it has a flowd process? Lets technically talk about this for a moment. The fact that you can't put it into flow mode. s/flow/packet/ (oops, wasn't awake yet) Realistically one of the only differences between flow based junos and the legacy packet based junos is the flowd process. Which can be easily bypassed by issuing a couple of configuration commands. So what exactly makes this platform/code so horrible and not real junos? Actually, not. Try again. It can be partially bypassed. There are real and serious differences in how forwarding works in flow-based JunOS and how it behaves under many circumstances. If anything to me it's a better platform to deploy and learn on. It's more flexible as it comes with more advanced flow based features but they are optional. There are certain limitations as mentioned previously around the switching and class of service however these same feature limitations were also in the real junos low end devices. They aren't entirely optional and that is the problem. You can't actually completely bypass them and they do sometimes get in the way. If there are other differences that I am unaware of then by all means feel free to educate me. I am well aware that branch devices don't have the capabilities of the MX/M series in regards to ATM and other such specific platforms, but you called this not real junos. So lets keep any responses limited to that aspect. I believe that the flow-based routing goes quite a bit deeper than just having a flowd. It causes a number of problems with tunnel recursion among other things. Sure, if you want a firewall, flow-based JunOS is a pretty nice set of firewall features. However, if you just want to forward packets, it can really suck to have to work around it's flow-based features. Owen -Tim Eberhard On Tue, Apr 10, 2012 at 1:33 PM, Owen DeLong o...@delong.com wrote: If you want real JunOS, avoid SRX or J series at all costs. Juniper do have a bunch more lines, but those are the most common (there's also the E/ERX BRAS boxes and ScreenOS firewalls, but both are not long for this world). Don't forget their SSL VPN boxes which are an acquired doesn't behave at all like a Juniper device line of products. If you just want one box to get to know the OS an SRX2X0 (or possibly a 100) is by far the most flexible way, and can be had for $500 used). With the caveat about Services JunOS above. Owen
Re: Cheap Juniper Gear for Lab
On Tue, Apr 10, 2012 at 9:24 AM, Tim Eberhard xmi...@gmail.com wrote: I find it humorous that you think J/SRX junos isn't real junos. If it runs JunOS, then yeah, it's real JunOS. It might not have the feature you're looking for, but that's something different. The Juniper ERX edge routers are what isn't real JunOS. It's as if they were trying to make a clone of the IOS CLI: http://www.juniper.net/techpubs/en_US/junose10.2/information-products/topic-collections/swconfig-system-basics/id-21972.html#jd0e9955 -- -JH
Re: Cheap Juniper Gear for Lab
http://www.juniper.net/us/en/products-services/software/junos-platform/junosphere/lab/ use. like. randy
Re: Cheap Juniper Gear for Lab
On Tue, Apr 10, 2012 at 11:57:31AM -0700, Owen DeLong wrote:
The fact that you can't put it into flow mode.
s/flow/packet/
(oops, wasn't awake yet)
Actually, this is possible:
prox@asgard show configuration security
forwarding-options {
family {
inet6 {
mode packet-based;
}
mpls {
mode packet-based;
}
}
}
The above is from an SRX210B, but the same configuration will work on
any J-series or /branch/ SRX-series platform.
Don't let the mpls keyword throw you off. This actually causes the
box to run the inet /and/ mpls address families in packet mode.
- Mark
--
Mark Kamichoff
p...@prolixium.com
http://www.prolixium.com/
signature.asc
Description: Digital signature
Re: Cheap Juniper Gear for Lab
On Apr 10, 2012, at 4:05 PM, Jimmy Hess wrote: On Tue, Apr 10, 2012 at 9:24 AM, Tim Eberhard xmi...@gmail.com wrote: I find it humorous that you think J/SRX junos isn't real junos. If it runs JunOS, then yeah, it's real JunOS. It might not have the feature you're looking for, but that's something different. No, it's not. Flow mode is NOT packet mode and it doesn't really ever run packet mode in the current version. This has fundamental and significant impacts on the way packets are handled when being forwarded through the box which come with side-effects that cannot be overcome by mere configuration changes. The Juniper ERX edge routers are what isn't real JunOS. It's as if they were trying to make a clone of the IOS CLI: Those are not JunOS at all. They don't really try to pretend to be. The SRX and J-Series Services routers, OTOH, are most definitely pretending to be JunOS while not behaving like JunOS at certain fundamental levels. Owen
Re: Cheap Juniper Gear for Lab
Owen, While I know you are a smart engineer and obviously have been working with this gear for a long time you're really not adding anything or backing up your argument besides saying yet again the packet forwarding is different. While this maybe true..It's my understanding that enabling packet mode does turn it into a normal packet based junos. Admittedly I have limited experience with turning these branch devices into pure packet mode so instead of repeating the same thing over and over why not provide links and other documentation showing the difference? On Tue, Apr 10, 2012 at 8:23 PM, Owen DeLong o...@delong.com wrote: On Apr 10, 2012, at 4:05 PM, Jimmy Hess wrote: On Tue, Apr 10, 2012 at 9:24 AM, Tim Eberhard xmi...@gmail.com wrote: I find it humorous that you think J/SRX junos isn't real junos. If it runs JunOS, then yeah, it's real JunOS. It might not have the feature you're looking for, but that's something different. No, it's not. Flow mode is NOT packet mode and it doesn't really ever run packet mode in the current version. This has fundamental and significant impacts on the way packets are handled when being forwarded through the box which come with side-effects that cannot be overcome by mere configuration changes. The Juniper ERX edge routers are what isn't real JunOS. It's as if they were trying to make a clone of the IOS CLI: Those are not JunOS at all. They don't really try to pretend to be. The SRX and J-Series Services routers, OTOH, are most definitely pretending to be JunOS while not behaving like JunOS at certain fundamental levels. Owen
Re: Cheap Juniper Gear for Lab
On Apr 10, 2012, at 6:02 PM, Mark Kamichoff wrote:
On Tue, Apr 10, 2012 at 11:57:31AM -0700, Owen DeLong wrote:
The fact that you can't put it into flow mode.
s/flow/packet/
(oops, wasn't awake yet)
Actually, this is possible:
prox@asgard show configuration security
forwarding-options {
family {
inet6 {
mode packet-based;
}
mpls {
mode packet-based;
}
}
}
The above is from an SRX210B, but the same configuration will work on
any J-series or /branch/ SRX-series platform.
Right, sort of. To the extent that it works. It doesn't actually do everything
you
think it should, and, it's somewhat dependent on the version of JunOS as to
how well it does or doesn't work.
Don't let the mpls keyword throw you off. This actually causes the
box to run the inet /and/ mpls address families in packet mode.
I'm not unfamiliar or uninitiated in this regard. I had tickets with Juniper for
over a year and it escalated quite high up their escalation chain before they
finally admitted Yeah, Services JunOS is different and it behaves differently
and if you need to do what you're trying to do, you should buy an M or MX
series.
It's quite unfortunate. I'd really like for the SRX series to not be so
crippled for
my purposes.
Owen
Re: Cheap Juniper Gear for Lab
--- mysi...@gmail.com wrote: From: Jimmy Hess mysi...@gmail.com The Juniper ERX edge routers are what isn't real JunOS. It's as if they were trying to make a clone of the IOS CLI: http://www.juniper.net/techpubs/en_US/junose10.2/information-products/topic-collections/swconfig-system-basics/id-21972.html#jd0e9955 -- That's because Juniper bought the ERX series from Unisphere. It's not a real JunOS. My suggestion: if you make a lot of changes stay away from the ERXs, but if you don't do much to them they will mostly purr along just fine. I was running them fairly hard, with 30K plus ATM/DSL subs per router... scott
Cheap Juniper Gear for Lab
Hello All, I am tasked with replacing an old linux router setup with Juniper gear in the near future. Though I am a Cisco guy myself. Does anyone know of any older cheap Juniper gear I might find on Ebay so that I may build a home lab without going broke? Thanks! -- Steve King Network/Linux Engineer - AdSafe Media Cisco Certified Network Professional CompTIA Linux+ Certified Professional CompTIA A+ Certified Professional
