[afnog] J-uniper setup
Mark Tinka
mtinka at globaltransit.net
Wed Jun 30 15:57:50 UTC 2010
On Wednesday 30 June 2010 10:03:53 pm Frank Habicht wrote:
> I just unpacked the first router from the J-vendor in my
> life. It's a J-series and greeting me with "version
> 9.2R1.10". Is that a good one?
Really old version of JUNOS this, riddled with bugs on other
platforms, which I suspect may also be present on the
J-series routers.
Having said that, JUNOS on this platform is a little
complicated recently. With Juniper's entry into the
enterprise, the J-series platform can be morphed into a
firewall with a new branch of JUNOS called JUNOS-ES
(Enhanced Services).
JUNOS-ES basically makes the J-series router a stateful
firewall with routing capabilities. If you're familiar with
the SSG (Secure Services Gateway), migrating the SSG's
native ScreenOS to JUNOS-ES turns those boxes into J-series
routers.
The default mode the router operates in with JUNOS-ES is
'flow' mode. If you're a network (and not a security) guy,
and you're looking for a router, you need to change that to
'packet' mode, otherwise regular routing stuff that works in
regular JUNOS won't work (or will work weirdly).
That said, both JUNOS and JUNOS-ES are available up to
release 9.3R4.4. After this, i.e., 9.4 and later, the only
branch available for the J-series is JUNOS-ES. I haven't run
JUNOS-ES, so if you asked me, unless you require certain
features that are only available in 9.4 or later, JUNOS
9.3R4.4 (non-ES) is decent. If you would like something more
recent, 9.5R4.3 is pretty stable (ES-based). I haven't yet
tested 9.6, and I'd stay away from 10.x for now.
> For starting things up, are
> http://www.cymru.com/gillsr/documents/junos-template.pdf
> and
> http://www.cymru.com/gillsr/documents/junos-bgp-template.pdf
> from
> http://www.team-cymru.org/ReadingRoom/Templates/ still
> state of the art?
>
> Is http://tnt.aufbix.org/juniper/routerconfiguration
> good? better? Yes, I admit I haven't read them yet....
There's much to implement re: BCP's in JUNOS, and the links
above build on that. I'd recommend taking a look at this so
you have a basic understanding of the router's capabilities:
http://www.juniper.net/techpubs/software/junos/junos93/swconfig-system-basics/frameset.html
> purpose of the box will be more packet-forwarding than
> security features...
So run pre-JUNOS-ES or enable 'packet' mode on JUNOS-ES.
> ok, going through it and doing things...
> it seems like source routing is now disabled by default
> and there's a way to enable it by
> "routing-options source-routing ip" ?
Yes, Juniper disable source routing by default, both for v4
and v6.
Why do you want source routing? It's generally disabled as a
best practice in IP networks. I wish it were disabled by
default in Cisco IOS.
Hope this helps.
Cheers,
Mark.