[152062] in North American Network Operators' Group


Re: Cheap Juniper Gear for Lab

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Wed Apr 11 10:05:11 2012

Date: Wed, 11 Apr 2012 07:02:58 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: "nanog@nanog.org" <nanog@nanog.org>
Mail-Followup-To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <CAHoW-RnwO-5FPJ5C=zGakQ9ic08P3d3Cu_BQCZsW1_5Sma63Fw@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



In a message written on Tue, Apr 10, 2012 at 08:31:04PM -0500, Tim Eberhard wrote:
> While I know you are a smart engineer and obviously have been working
> with this gear for a long time you're really not adding anything or
> backing up your argument besides saying yet again the packet
> forwarding is different. While this may be true... It's my understanding
> that enabling packet mode does turn it into a normal packet based
> junos.

I honestly don't remember what caused the problem when I ran into
it, but the first time I configured IPv6 on an SRX I used per-packet
and I had all sorts of problems.  After contacting Juniper support
and some friends who ran them they all told me to configure flow-based
for IPv6, and it started working properly.  Juniper support basically
said IPv6 didn't work at all unless it was in flow mode.

My vague memory at least was OSPFv3 would not come up in IPv6
per-packet mode no matter what changes were made, but with flow
mode it came right up.

In any event, I will back up Owen on this one.  Any JunOS box with
a security {} section (which I think means of Netscreen lineage)
does a number of weird things when you're used to the JunOS boxes
without a security section.  For instance they basically default
to a stateful firewall, so when I used a pair for redundancy and
had asymmetrical paths it took way too many lines of config (4-5
features that had to be turned off) to make it not-stateful.  That's
a big surprise when you come from working on M-series.

Still, they are very nice boxes, particularly for the capabilities
you get at the price point.  It's just that darn security {} section
that seems to be quite poorly thought out, even all the working
parts are just laid out in a way that's not intuitive to me and
don't seem to match the rest of JunOS well.  Want to list a netblock,
you have to put it in an "address book".  Want to list two, it has
to be in an "address-book group", you can't just list them between
brackets, and so on.  It may be the only router platform where I turn to
the web gui from time to time to configure things, otherwise it's an
exercise in frustration trying to get the syntax right.

--
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
