[j-nsp] SRX deployment / issues

Julien Goodwin jgoodwin at studio442.com.au
Mon Mar 22 20:45:22 EDT 2010

On 23/03/10 04:05, Hoogen wrote:
> I think the EX thread was really good and the feedback was awesome. I would
> like to hear about similar experiences while deploying SRX Series gateways, I
> am assuming I would hear a lot on the branch boxes SRX 210,240,650 I would
> also love to hear feedback on SRX 3000/5000 if people have been using it in
> their setup, problems that they're facing, improvements and general deployment
> scenarios that have been used.

So the big gotcha with the SRX line is the lack of IPv6 support. I've
been assured by a Juniper tech rep that over 10.2-10.4 it should get
closer to parity.

From my big evil list:
* SRX650 allowed me to configure {{family ethernet-switching}} on the
internal ports, which isn't supported
* SRX650 only supports LACP on {{family ethernet-switching}} ports,
which excludes the internal ports, EX4200 doesn't have this problem

From the firewall section (many of these are feature reqs):
* Allow to change the default policy per {{from-zone a to-zone d}}
* Allow to do {{from-zone any ...}} or perhaps just {{from-zone [ a b c
] to-zone d}}, this would be a *major* PITA in a hosting environment
with a zone per customer.
* Allow to have {{from-zone ... to-zone ...}} with no rules, I know the
default is implied with it not there
* Allow to have {{address-set}} inside {{address-set}} (i.e., group of
groups), this is a *huge* PITA for us now
* The warning on {{show}} for an undefined application is {{Warning:
application or application-set must be defined}} which sucks when
multiple apps are defined, {{commit check}} is fine
* Documentation is unclear re NAT pool IP addresses. I had to add the
pool address to a loopback to get things working, until then the route
was never offered.

Julien Goodwin
"Blue Sky Solutioneering"
