Re: Cheap Juniper Gear for Lab

[Carl Rosevear <crosevear () skytap com>]

Yeah, I have to apply the term "awful" and "annoying" to the packet
mode implementation on SRX/J-series. Anyway, I spent *hours* with JTAC
on the phone trying to get the thing to just pass packets.  Best part
was, I didn't know how to do it and nor did they!  I escalated, worked
with many engineers.  My key statement was "I just want my router to
route.  Make it do what it is supposed to do.  No session tracking!
This is not a firewall."  So, now it doesn't require valid sessions to
pass packets but it does still appear to *track* sessions in some
tables and I am, of course, very curious when some attack vector will
fill up some table.

Anyway, not the best devices for an edge router that is for sure.
Which is too bad...  for very small DC edge applications, the J6350
was a pretty cool router in earlier versions of JunOS that didn't
decide to re-engineer your network and transit for you.

Anyway I digress.  But this had, in the past, been a frustrating
enough issue for me that I had to share.


--Carl



On Tue, Apr 10, 2012 at 6:30 PM, Owen DeLong <owen () delong com> wrote:
> On Apr 10, 2012, at 6:02 PM, Mark Kamichoff wrote:
>
> > On Tue, Apr 10, 2012 at 11:57:31AM -0700, Owen DeLong wrote:
> > > > The fact that you can't put it into flow mode.
> > > s/flow/packet/
> > > (oops, wasn't awake yet)
> >
> > Actually, this is possible:
> >
> > prox@asgard> show configuration security
> > forwarding-options {
> >    family {
> >        inet6 {
> >            mode packet-based;
> >        }
> >        mpls {
> >            mode packet-based;
> >        }
> >    }
> > }
> >
> > The above is from an SRX210B, but the same configuration will work on
> > any J-series or /branch/ SRX-series platform.
>
> Right, sort of. To the extent that it works. It doesn't actually do everything you
> think it should, and, it's somewhat dependent on the version of JunOS as to
> how well it does or doesn't work.
>
> > Don't let the "mpls" keyword throw you off.  This actually causes the
> > box to run the inet /and/ mpls address families in packet mode.
>
> I'm not unfamiliar or uninitiated in this regard. I had tickets with Juniper for
> over a year and it escalated quite high up their escalation chain before they
> finally admitted "Yeah, Services JunOS is different and it behaves differently
> and if you need to do what you're trying to do, you should buy an M or MX
> series."
>
> It's quite unfortunate. I'd really like for the SRX series to not be so crippled for
> my purposes.
>
> Owen



-- 
Carl Rosevear
Manager of Operations
Skytap, Inc.
direct (206) 588-8899