
Mailing List Archive: nsp: juniper

SRX vs. SSG



helmwork at ruraltel

May 7, 2010, 1:38 PM

Post #1 of 8 (7547 views)
SRX vs. SSG

Hi,

Has anyone heard what Juniper's plan is moving forward with the SSG
platform? The SSG still has a much better feature set than the SRX, but
it seems that marketing is pushing people to the SRX. I am looking to
roll out approximately 200-300 VPN tunnels and trying to decide what
platform to go with between the two. SSG is more appealing because of
some of its feature set and proven stability. I just don't want to be
buying equipment that is slated to be phased out sometime in the future.

Thanks in advance,

/Eric
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp


cburwell at gmail

May 7, 2010, 7:48 PM

Post #2 of 8 (7448 views)
Re: SRX vs. SSG [In reply to]

A few months back when we were looking at the SSG & SRX we were told
that there were no "Immediate" plans to phase out the SSG. Juniper
projects their product lifelines about 18 months in advance, and at
that point the SSG was still in the picture (Note: I believe 18 months
was the number given, but I'm not 100% sure).

IMO it appears that Juniper is building up the SRX line to replace the
SSG line, particularly since the SSG is running ScreenOS.

- Chris



plunin at senetsy

May 8, 2010, 2:57 PM

Post #3 of 8 (7444 views)
Re: SRX vs. SSG [In reply to]

Hi Eric,

SSG should be available for another couple of years. Juniper likes to say
ScreenOS's roadmap is full of things to be done till the end of the next
year.

However I wouldn't say SSG has so much better featureset.

In routing SRX is far far beyond. You can even have packet-mode instances
with MPLS, reachable through an internal tunnel. Just like mature routers.
From security point of view embedded IPS, NAT pools not linked to any
direct networks, very granular per zone or interface stateful filters for
control plane destined traffic, some more FW things.

And of course increased performance/price ratio.

JUNOS itself.

As for me, the major weaknesses are:
NHRP, which allows auto-connect IPSec VPNs, is not supported. A workaround
is possible here if you want an SRX to be a hub for SSG spokes.
IP tracking is not supported for very basic dual-homing. Sure, workarounds
are possible.
Reverse path next-hop is always chosen with reverse route lookup. Not too
important. An ER exists for this though no idea whether someone cares
about it.

--
Pavel



routehero at gmail

May 8, 2010, 5:52 PM

Post #4 of 8 (7457 views)
Re: SRX vs. SSG [In reply to]

I have an SSG320, 2x ISG1000s and 4x SRX3400s.

I can say that the more mature ScreenOS platform is going to be a better fit
for anyone craving stability.

The complete lack of IPv6 support on the SRX series is a serious flaw in a
product that's been on the market for a year already. The routing
performance of the SRX, ie, taking a full route table via BGP, is
horrendous.

On the plus for the SRX is the ease of jumbo frames. Unfortunately, if you
do enable jumbo frames in an existing configuration, it will blow away your
source nat config. :)

I would say the SRX series is not quite ready for a 99.99999% environment.
If you can afford some hiccups, then it is a more forward looking device,
assuming the IPv6 support arrives soon.

Scott



fahad.khan at gmail

May 8, 2010, 11:00 PM

Post #5 of 8 (7450 views)
Re: SRX vs. SSG [In reply to]

Which workaround for IP tracking are you talking about?

thanks
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fahad [at] pk
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd




plunin at senetsy

May 10, 2010, 12:25 AM

Post #6 of 8 (7434 views)
Re: SRX vs. SSG [In reply to]

Hi,

Mainly I agree that ScreenOS is more predictable and less buggy than JUNOS
Voyager. Although I remember the times of 5.1-5.3 when loads of new features
were added and we ran into issues each new release. Especially when ISG had
just been released.

But from the features point of view, I really see SRX is at least not worse
even though some drawbacks exist like stateful processing for IPv6 or some
things we already mentioned. It is well compensated with things ScreenOS has
not ever had.

In my experience, JUNOS CLI itself gives lots of benefits for
high-performance environments. Though for ScreenOS people it can be hard to
believe this, what they are used to doing with a single command now requires
five :) I myself have been using all sorts of NetScreen/SSG/ISG since 2003,
and think it's one of the best products ever. Especially the old NetScreen
line. I even have a 5gt at home :) But unfortunately it is the previous
epoch. So I would recommend buying them only if you really know why you are
doing so.

Moreover SRX3/5k is quite a different story. ScreenOS products anyway can
not compete against them.

Sorry, I didn't mean to kindle a holy war :) Just my opinion. Well, maybe
not too humble.

> I have an SSG320, 2x ISG1000s and 4x SRX3400s.
>

[]


> The routing
> performance of the SRX, ie, taking a full route table via BGP, is
> horrendous.
>
>
Interesting. Did you try to load full BGP into SRX3k? Could you please share
the experience. Any issues or something?

--
Regards,
Pavel


routehero at gmail

May 10, 2010, 5:13 AM

Post #7 of 8 (7432 views)
Re: SRX vs. SSG [In reply to]

On Mon, May 10, 2010 at 3:25 AM, Pavel Lunin <plunin [at] senetsy> wrote:

>
>
> Moreover SRX3/5k is quite a different story. ScreenOS products anyway can
> not compete against them.
>

Are you speaking from experience? Because my old ISG1000 firewalls are
superior to my SRX3400 firewalls. Not only do they support IPv6 in
"route" mode, they support it in flow-based packet filtering mode. The
SRX3400s do not support IPv6 at all.

ISG1000s on ScreenOS, on the other hand, support IPv6 no problem.


> Sorry, I didn't mean to kindle a holy war :) Just my opinion. Well, maybe
> not too humble.
>
> I have an SSG320, 2x ISG1000s and 4x SRX3400s.
>>
>
> []
>
>
>> The routing
>> performance of the SRX, ie, taking a full route table via BGP, is
>> horrendous.
>>
>>
> Interesting. Did you try to load full BGP into SRX3k? Could you please
> share the experience. Any issues or something?
>

Yes, that is precisely the problem. 2x SRX3400s in chassis cluster mode,
receiving full route table from 2 providers, it takes approximately 5
minutes for the route process to finish injecting routes into the kernel
routing table.

The overall process of a chassis cluster failover, when BGP is enabled, is
extremely slow. We're talking minutes of downtime. Chassis cluster
failover when upstream is configured via static route is < 10 seconds. It's
still slower than the ScreenOS failover.

Scott


plunin at senetsy

May 10, 2010, 6:16 AM

Post #8 of 8 (7444 views)
Re: SRX vs. SSG [In reply to]

2010/5/10 Scott T. Cameron <routehero [at] gmail>

> On Mon, May 10, 2010 at 3:25 AM, Pavel Lunin <plunin [at] senetsy> wrote:
>
> > Moreover SRX3/5k is quite a different story. ScreenOS products anyway can
> > not compete against them.
> >
>
> Are you speaking from experience?


Yeah. All ScreenOS products have CPU-based first packet processing. Same CPU
which does control plane. So ISG can only do 23k new sessions per second,
NS5k w/MGT3 26.5k. At close to 20k new cps those boxes can not do anything
else at all.

I deployed an SRX3400 with 3 SPC which did 40k new cps having ~50% SPU load
at all SPC. More than real-world experience.

And only NS5400 can do 2M simultaneous sessions, when SRX3400 w/3SPC can do
2.25M (it is real, I saw it myself). SRX5k can do up to 10M.

And for sure, NetScreen performance/price ratio is by far much higher.

--
Regards,
Pavel