[j-nsp] SRX vs. SSG
Scott T. Cameron
routehero at gmail.com
Mon May 10 08:13:22 EDT 2010
On Mon, May 10, 2010 at 3:25 AM, Pavel Lunin <plunin at senetsy.ru> wrote:
>
>
> Moreover SRX3/5k is quite a different story. ScreenOS products anyway
> cannot compete against them.
>
Are you speaking from experience? Because my old ISG1000 firewalls are
superior to my SRX3400 firewalls. Not only do they support IPv6 in
"route" mode, they support it in flow-based packet filtering mode. The
SRX3400s do not support IPv6 at all.
ISG1000s on ScreenOS, on the other hand, support IPv6 no problem.
> Sorry, I didn't mean to kindle a holy war :) Just my opinion. Well, maybe
> not too humble.
>
> I have an SSG320, 2x ISG1000s and 4x SRX3400s.
>>
>
> […]
>
>
>> The routing
>> performance of the SRX, i.e., taking a full route table via BGP, is
>> horrendous.
>>
>>
> Interesting. Did you try to load full BGP into SRX3k? Could you please
> share the experience. Any issues or something?
>
Yes, that is precisely the problem. 2x SRX3400s in chassis cluster mode,
receiving full route table from 2 providers, it takes approximately 5
minutes for the route process to finish injecting routes into the kernel
routing table.
The overall process of a chassis cluster failover, when BGP is enabled, is
extremely slow. We're talking minutes of downtime. Chassis cluster
failover when upstream is configured via static route is < 10 seconds. It's
still slower than the ScreenOS failover.
Scott