[afnog] J-uniper setup
Frank Habicht
geier at geier.ne.tz
Thu Jul 1 08:44:15 UTC 2010
Hi Mark,
(I knew I would get a very good answer from the east!)
On 6/30/2010 6:57 PM, Mark Tinka wrote:
> On Wednesday 30 June 2010 10:03:53 pm Frank Habicht wrote:
>
>> I just unpacked the first router from the J-vendor. in my
>> life. It's a J-series and greeting me with "version
>> 9.2R1.10". Is that a good one?
>
> Really old version of JUNOS this, riddled with bugs on other
> platforms, which I suspect may also be present on the
> J-series routers.
Will upgrade. Not sure yet if ES or not.
Thanks for all your explanations!
> Having said that, JUNOS on this platform is a little
> complicated recently. With Juniper's entry into the
> enterprise, the J-series platform can be morphed into a
> firewall with a new branch of JUNOS called JUNOS-ES
> (Enhanced Services).
>
> JUNOS-ES basically makes the J-series router a stateful
> firewall with routing capabilities. If you're familiar with
> the SSG (Secure Services Gateway), migrating the SSG's
> native ScreenOS to JUNOS-ES turns those boxes into J-series
> routers.
>
> The default mode the router operates in with JUNOS-ES is
> 'flow' mode. If you're a network (and not a security) guy,
> and you're looking for a router, you need to change that to
> 'packet' mode, otherwise regular routing stuff that works in
> regular JUNOS won't work (or will work weirdly).
>
> That said, both JUNOS and JUNOS-ES are available up to
> release 9.3R4.4. After this, i.e., 9.4 and later, the only
> branch available for the J-series is JUNOS-ES. I haven't run
> JUNOS-ES, so if you asked me, unless you require certain
> features that are only available in 9.4 or later, JUNOS
> 9.3R4.4 (non-ES) is decent. If you would like something more
> recent, 9.5R4.3 is pretty stable (ES-based). I haven't yet
> tested 9.6, and I'd stay away from 10.x for now.
>
>> For starting things up, are
>> http://www.cymru.com/gillsr/documents/junos-template.pdf
>> and
>> http://www.cymru.com/gillsr/documents/junos-bgp-template.pdf
>> from
>> http://www.team-cymru.org/ReadingRoom/Templates/ still
>> state of the art?
>>
>> Is http://tnt.aufbix.org/juniper/routerconfiguration
>> good? better? Yes, I admit I haven't read them yet....
>
> There's much to implement re: BCP's in JUNOS, and the links
> above build on that. I'd recommend taking a look at this so
> you have a basic understanding of the router's capabilities:
>
> http://www.juniper.net/techpubs/software/junos/junos93/swconfig-system-basics/frameset.html
>
>> purpose of the box will be more packet-forwarding than
>> security features...
>
> So run pre-JUNOS-ES or enable 'packet' mode on JUNOS-ES.
ack.
[...]
> Yes, Juniper disable source routing by default, both for v4
> and v6.
>
> Why do you want source routing? It's generally disabled as a
> best practice in IP networks. I wish it were disabled by
> default in Cisco IOS.
Same here and I don't want to do it. Just stumbled over the statement on
cymru page and wanted a confirmation that it is off by default.
Thanks again,
Frank
PS: didn't see your mail via the list yet...