[j-nsp] SRX vs. SSG

Scott T. Cameron routehero at gmail.com
Sat May 8 20:52:24 EDT 2010


I have an SSG320, 2x ISG1000s and 4x SRX3400s.

I can say that the more mature ScreenOS platform is going to be a better fit
for anyone craving stability.

The complete lack of IPv6 support on the SRX series is a serious flaw in a
product that's been on the market for a year already.  The routing
performance of the SRX, i.e., taking a full route table via BGP, is
horrendous.

On the plus for the SRX is the ease of jumbo frames.  Unfortunately, if you
do enable jumbo frames in an existing configuration, it will blow away your
source nat config. :)

I would say the SRX series is not quite ready for a 99.99999% environment.
If you can afford some hiccups, then it is a more forward-looking device,
assuming the IPv6 support arrives soon.

Scott

On Sat, May 8, 2010 at 5:57 PM, Pavel Lunin <plunin at senetsy.ru> wrote:

> Hi Eric,
>
> SSG should be available for another couple of years. Juniper likes to say
> ScreenOS's roadmap is full of things to be done till the end of the next
> year.
>
> However I wouldn't say SSG has so much better featureset.
>
> In routing SRX is far far beyond. You can even have packet-mode instances
> with MPLS, reachable through an internal tunnel. Just like mature routers.
> From a security point of view — embedded IPS, NAT pools not linked to any
> direct networks, very granular per zone or interface stateful filters for
> control plane destined traffic, some more FW things.
>
> And of course increased performance/price ratio.
>
> JUNOS itself.
>
> As for me, the major weaknesses are:
> — NHRP, which allows auto-connect IPSec VPNs, is not supported. A
> workaround is possible here if you want an SRX to be a hub for SSG spokes.
> — IP tracking is not supported for very basic dual-homing. Sure,
> workarounds are possible.
> — Reverse path next-hop is always chosen with reverse route lookup. Not
> too important. An ER exists for this, though no idea whether someone cares
> about it.
>
> --
> Pavel
>
> 2010/5/8 Eric Helm <helmwork at ruraltel.net>
>
> > Hi,
> >
> > Has anyone heard what Juniper's plan is moving forward with the SSG
> > platform? The SSG still has a much better feature set than the SRX, but
> > it seems that marketing is pushing people to the SRX. I am looking to
> > roll out approximately 200-300 VPN tunnels and trying to decide what
> > platform to go with between the two. SSG is more appealing because of
> > some of its feature set and proven stability. I just don't want to be
> > buying equipment that is slated to be phased out sometime in the future.
> >
> > Thanks in advance,
> >
> > /Eric
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >