[j-nsp] Very disappointed with Juniper

Mon Apr 17 18:22:10 EDT 2006

--On April 8, 2006 12:09:56 PM -0500 "W. Kevin Hunt" 
<khunt at huntbrothers.com> wrote:

> Hmm...
> I've been lurking for 3 weeks trying to decide if our next border router
>   should be another Cisco 12k or a Juniper.  We acquired a Juniper M20
> during the acquisition of a defunct carrier's assets, so I'd like to use
> it but I'm not "comfortable" enough with it yet to put it on the border
> and "learn it" while it's there.
>
> I manage 2 - 12012's right now and am somewhat disappointed in the
> feature set available on them.
> I have a few questions regarding Juniper as I've never had the pleasure
> of sitting at the console of one :
>
> 1.) JUNOS seems steeped in BSD, one of my favorite OS's, is it true you
> can run FreeBSD compiled binaries on JUNOS ?

Up to 7.5 -- they went/are going to signed bins.

> 2.) How is "controller redundancy" handled on the Juniper platform?

Ahh, I'll leave that to others as I'm not 100% clear.  The Juni has an RE 
(Routing Engine), one or more FEBs or CFEBs(M7i, M10i) (either in a load 
sharing or redundant config).

>
> 3.) Anyone here had to deal with 6-8 mpps ddos attacks on a Juniper, and
>   if so, was the juniper cli responsive during the attacks, and what
> mitigation abilities did the Juniper give you?  I'm accustomed to just
> plain ios acl's for mitigation which is tough when there are 8-9 hundred
> sources.

Yes.  It works fine.  Because there's a REAL CONTROL PLANE.  Unlike Cisco. 
One of my three main filters for all inbound and outbound traffic is 800 
lines by itself.  I've others of something like 200-500 each, probably 2k 
entries total.  'ACLs' (prefix-lists, or firewall rules in juniland) are 
done in hardware when applied as a filter.  There's almost no practical 
limit.  There are individuals who've reduced an entire 165k BGP table to 
firewall terms.  There isn't really a concept of a 'software switched' 
packet in JunOS.  Everything is done "in hardware" (actually micro engines 
or FPGA in some cases) either on the PICs, or FEBs, or ASM.

You still have to have a clear pipe to the Routing Engine (control plane) 
either IB or OOB, but even if it's being directly attacked all incoming 
traffic can easily be rate limited, and in fact is by default, in the 
hardware at the packet forwarding plane.  You can go take a look at the 
Secure JunOS template at Cymru 
http://www.cymru.com/gillsr/documents/junos-template.pdf -- any filter 
applied to lo0 applies to the whole RE, but is done *in hardware*.

General packet flow in a Juniper M series is documented at juniper 
clue....can't remember URL right now but I'm sure someone will.  Thing of 
any M series as a really fully distributed 7k or 12k ish chassis.  Packets 
can't get punted to the RE unless they're destined for the RE...OK well 
that's not 100% true, 99%, but they're rate limited to such an extent that 
you won't experience performance issues.  Also the REs are generally a LOT 
faster than the CPUs in the Cisco gear, and, they're ONLY there to handle 
control plane.  Heck, an RE can go deadlock and the FEBs will keep routing 
packets.  You lose all your control plane though in a situation like that.

> 4.) What are the support and upgrade options on equipment that one did
> not purchase "new".  i.e. we acquired this M40, it seems to have JUNOS
> 4.1 on it.  What kind of expense am I looking at to get the latest JUNOS
> on it and basic telephone support for it?

There won't be any unsual upgrade costs, a support license includes 
software.