Cheap Juniper Gear for Lab

Carlos Martinez-Cagnazzo carlosm3011 at gmail.com
Thu Apr 12 15:14:41 UTC 2012


I was bitten by a similar issue when I deployed a couple of J2350s at
our edge.

On 4/11/12 2:33 PM, Carl Rosevear wrote:
> Yeah, I have to apply the term "awful" and "annoying" to the packet
> mode implementation on SRX/J-series. Anyway, I spent *hours* with JTAC
> on the phone trying to get the thing to just pass packets.  Best part
> was, I didn't know how to do it and nor did they!  I escalated, worked
> with many engineers.  My key statement was "I just want my router to
> route.  Make it do what it is supposed to do.  No session tracking!
> This is not a firewall."  So, now it doesn't require valid sessions to
> pass packets but it does still appear to *track* sessions in some
> tables and I am, of course, very curious when some attack vector will
> fill up some table.
>
> Anyway, not the best devices for an edge router that is for sure.
> Which is too bad...  for very small DC edge applications, the J6350
> was a pretty cool router in earlier versions of JunOS that didn't
> decide to re-engineer your network and transit for you.
>
> Anyway I digress.  But this had, in the past, been a frustrating
> enough issue for me that I had to share.
>
>
> --Carl
>
>
>
> On Tue, Apr 10, 2012 at 6:30 PM, Owen DeLong <owen at delong.com> wrote:
>> On Apr 10, 2012, at 6:02 PM, Mark Kamichoff wrote:
>>
>>> On Tue, Apr 10, 2012 at 11:57:31AM -0700, Owen DeLong wrote:
>>>>> The fact that you can't put it into flow mode.
>>>> s/flow/packet/
>>>> (oops, wasn't awake yet)
>>> Actually, this is possible:
>>>
>>> prox at asgard> show configuration security
>>> forwarding-options {
>>>    family {
>>>        inet6 {
>>>            mode packet-based;
>>>        }
>>>        mpls {
>>>            mode packet-based;
>>>        }
>>>    }
>>> }
>>>
>>> The above is from an SRX210B, but the same configuration will work on
>>> any J-series or /branch/ SRX-series platform.
>>>
>> Right, sort of. To the extent that it works. It doesn't actually do everything you
>> think it should, and, it's somewhat dependent on the version of JunOS as to
>> how well it does or doesn't work.
>>
>>> Don't let the "mpls" keyword throw you off.  This actually causes the
>>> box to run the inet /and/ mpls address families in packet mode.
>>>
>> I'm not unfamiliar or uninitiated in this regard. I had tickets with Juniper for
>> over a year and it escalated quite high up their escalation chain before they
>> finally admitted "Yeah, Services JunOS is different and it behaves differently
>> and if you need to do what you're trying to do, you should buy an M or MX
>> series."
>>
>> It's quite unfortunate. I'd really like for the SRX series to not be so crippled for
>> my purposes.
>>
>> Owen
>>
>>
>
>