Juniper Routers

Started by routerdork, April 01, 2016, 04:48:09 PM

routerdork

Anyone using Junipers for routing? If so what are you using? I am looking at the Cisco ISR 4K's for some 100M circuits and when I asked Juniper for their comparable model they suggested the SRX 300 series. I'm not really up on Juniper's smaller boxes but it seems weird to be comparing an SRX340 from their firewall lineup to an ISR 4K in Cisco's router lineup.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

wintermute000

SRX is all in one and are as good routers as Cisco ISRs. Every routing nerd knob is there except EIGRP of course. If you turn off firewall then they even run full MPLS. With firewall vs ISR it's not even in the same ballpark. Not sure about NGFW vs Sourcefire as this is a new software release with massive changes.

If I were building a network from scratch and skill set was not an issue then SRX would likely be my WAN router of choice whether internet facing or traditional WAN.
Taking aside staff skillset, integration into existing ecosystem and the IWAN related stuff, the only major factor it loses against ISR is DMVPN/FlexVPN. Even in automation it runs rings around Cisco, e.g. native Ansible plugin, Python API, actually working web UI, etc.

Reggle

Managed some MX'es here with full BGP tables. Pretty solid stuff.

wintermute000

MXes are everywhere in ISP land.

icecream-guy

...and no Cisco Vulnerabilities.
:joy:
:professorcat:

My Moral Fibers have been cut.

routerdork

Quote from: wintermute000 on April 01, 2016, 05:53:01 PM
SRX is all in one and are as good routers as Cisco ISRs. Every routing nerd knob is there except EIGRP of course. If you turn off firewall then they even run full MPLS. With firewall vs ISR it's not even in the same ballpark. Not sure about NGFW vs Sourcefire as this is a new software release with massive changes.

If I were building a network from scratch and skill set was not an issue then SRX would likely be my WAN router of choice whether internet facing or traditional WAN.
Taking aside staff skillset, integration into existing ecosystem and the IWAN related stuff, the only major factor it loses against ISR is DMVPN/FlexVPN. Even in automation it runs rings around Cisco, e.g. native Ansible plugin, Python API, actually working web UI, etc.

Good information. Have not run across them in the wild ever but I have an SRX 100b in my lab. Throughput kills the ISRs and no need for license upgrade. Plus way cheaper. Skill set was my main concern originally but we are a small shop and only two of us will ever be in them.

deanwebb

Juniper's syntax requires a little memorization at first, but it quickly becomes second nature with use.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

It's one of my technical regrets in life that I never got the chance (or tried to get a chance) to become a proper Juniper guy.

As it is I know enough to get by, but despite doing the study/homelab up to Specialist level, nothing beats the tens of thousands of hours of IOS console time LOL. I have to look stuff up every time I need to touch a Juniper for real (which is about once every 6-12 months). It's not helped by the fact that SRX firewall deployments are usually handled by our security specialists, + Cisco rules Australian Enterprise (and there is a perception that SRX = firewall, not SRX = ASA AND ISR in same box).


JunOS syntax/CLI is so good, Cisco bloody ripped it off wholesale for IOS-XR.

routerdork

I've had some experience on the EX series switches and really liked the commit options. Boss really liked the idea of the cost when I brought it up today.
I also really liked how IOS-XR worked but yeah very much a Juniper copy.

GeorgeS

Small experience also here, have worked with a few SRX240s and some small boxes, I even studied the JNCIA but just that :) . The more I was working and studying the more I liked them. Commit was a great feature, commit and restore previous config if I do not log in in 10 minutes was also pretty amazing.
If it was up to me I would be giving them a try at least at some small sites for the beginning. Even though I know from a friend who works on the core of one of the biggest ISPs, if not the biggest in the world, that they are using almost only Junipers and they are replacing the Cisco ones with Juniper.

scottsee

Junos is solid. SRX had a couple nasty exploits recently, just keep up on the firmware. Having the ability to "roll" a configure change back and "compare" configure changes is per'd rad!
scott see

SimonV

Quote from: scottsee on April 09, 2016, 12:23:20 AM
Junos is solid. SRX had a couple nasty exploits recently, just keep up on the firmware.

Something specific to SRX? Have some links for that?

scottsee

This one specifically. Looks like it was actually the NetScreen.

Released late December 2015.

http://www.securityweek.com/backdoor-juniper-firewalls-enables-remote-access
https://www.cvedetails.com/cve/CVE-2015-7755/

deanwebb

Quote from: SimonV on April 09, 2016, 03:54:22 AM
Quote from: scottsee on April 09, 2016, 12:23:20 AM
Junos is solid. SRX had a couple nasty exploits recently, just keep up on the firmware.

Something specific to SRX? Have some links for that?
There was the EC encryption thing recently, but it's out of the code in the latest version.

flipmode

Can you guys recommend a "cheap" (sub $125) SRX that I can use at home to learn on?