[j-nsp] SRX vs. SSG

Pavel Lunin plunin at senetsy.ru
Sat May 8 17:57:53 EDT 2010


Hi Eric,

SSG should be available for another couple of years. Juniper likes to say
ScreenOS's roadmap is full of things to be done till the end of the next
year.

However, I wouldn't say SSG has that much better a feature set.

In routing SRX is far far beyond. You can even have packet-mode instances
with MPLS, reachable through an internal tunnel. Just like mature routers.
From a security point of view — embedded IPS, NAT pools not linked to any
direct networks, very granular per zone or interface stateful filters for
control plane destined traffic, some more FW things.

And of course increased performance/price ratio.

JUNOS itself.

As for me, the major weaknesses are:
— NHRP, which allows auto-connect IPSec VPNs, is not supported. A workaround
is possible here if you want an SRX to be a hub for SSG spokes.
— IP tracking is not supported for very basic dual-homing. Sure, workarounds
are possible.
— Reverse path next-hop is always chosen with reverse route lookup. Not too
important. An ER exists for this, though no idea whether anyone cares
about it.

--
Pavel

2010/5/8 Eric Helm <helmwork at ruraltel.net>

> Hi,
>
> Has anyone heard what Juniper's plan is moving forward with the SSG
> platform? The SSG still has a much better feature set than the SRX, but
> it seems that marketing is pushing people to the SRX. I am looking to
> roll out approximately 200-300 VPN tunnels and trying to decide what
> platform to go with between the two. SSG is more appealing because of
> some of its feature set and proven stability. I just don't want to be
> buying equipment that is slated to be phased out sometime in the future.
>
> Thanks in advance,
>
> /Eric