Cheap Juniper Gear for Lab
Leo Bicknell
bicknell at ufp.org
Wed Apr 11 14:02:58 UTC 2012
In a message written on Tue, Apr 10, 2012 at 08:31:04PM -0500, Tim Eberhard wrote:
> While I know you are a smart engineer and obviously have been working
> with this gear for a long time you're really not adding anything or
> backing up your argument besides saying yet again the packet
> forwarding is different. While this maybe true..It's my understanding
> that enabling packet mode does turn it into a normal packet based
> junos.
I honestly don't remember what caused the problem when I ran into
it, but the first time I configured IPv6 on a SRX I used per-packet
and I had all sorts of problems. After contacting Juniper support
and some friends who ran them they all told me to configure flow-based
for IPv6, and it started working properly. Juniper support basically
said IPv6 didn't work at all unless it was in flow mode.
My vague memory at least was OSPFv3 would not come up in IPv6
per-packet mode no matter what changes were made, but with flow
mode it came right up.
In any event, I will back up Owen on this one. Any JunOS box with
a security {} section (which I think means of Netscreen lineage)
does a number of weird things when you're used to the JunOS boxes
without a security section. For instance they basically default
to a stateful firewall, so when I used a pair for redundancy and
had asymmetrical paths it took way too many lines of config (4-5
features that had to be turned off) to make it not-stateful. That's
a big surprise when you come from working on M-series.
Still, they are very nice boxes, particularly for the capabilities
you get at the price point. It's just that darn security {} section
that seems to be quite poorly thought out, even all the working
parts are just laid out in a way that's not intuitive to me and
don't seem to match the rest of JunOS well. Want to list a netblock,
you have to put it in an "address book". Want to list two, it has
to be in an "address-book group", you can't just list them between
brackets, and so on. It may be the only router platform where I turn to
the web gui from time to time to configure things, otherwise it's an
exercise in frustration trying to get the syntax right.
--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20120411/17373d93/attachment.sig>
More information about the NANOG
mailing list