[j-nsp] 2x EX4200 Virtual Chassis Layer2/3 - Which JunOS Version ?

Chuck Anderson cra at WPI.EDU
Sat Feb 19 13:03:30 EST 2011


On Sat, Feb 19, 2011 at 04:13:25PM +0000, Giovanni Bellac wrote:
> Hello all
> 
> I have now spent a lot of time to find out the optimal version of JunOS for our 
> newly ordered 2x EX4200s.
> 
> 1) We will run a 2x EX4200 Virtual Chassis.
> 2) We will run BGP default routes (NO full table) and announce our /21.
> 3) We will connect our rack-switches to the Virtual Chassis.
> 
> So, we will do Layer2 and some (basic) Layer3.
> 
> Should we use the latest service release of 10.0 (= 10.0s11 / 10.0s12) or use 
> directly 10.4R2.6 ?

I'm the adventurous type, so I'm running 10.4R2.6 on a newly deployed 
edge switch now.  I have 10.4R1 on a couple others that have been 
running for a while now without issues, and 10.3R1.9 on some EX2200s 
since before that.  L2-only, though, no L3 or BGP.  I am using lots of 
L2 security features such as filtering IPv6 frames (as a stop-gap 
until RA Guard is available), DHCP Snooping/ARP Inspection/IP Source 
Guard, MAC security, MAC limits, and BPDU Filtering.

On most of my EX4200s I still have 10.1S6.2 which I plan on upgrading 
to 10.4R2.6 soon.  10.1 has several issues related to PFEs 
disconnecting in a VC, some issues with storm-control, and issues with 
online uplink module switching from 1g -> 10g mode (reboot right after 
making this change or you may find your switches hung up a day later).  
10.1S6.2 seems to have fixed some of these issues--a few remain but 
they are rare enough in occurrence that it isn't a big problem.

I went with 10.1 over 10.0 originally due to the IPv6 filtering 
features and online insertion/removal of the uplink modules.  Everyone 
who runs untrusted edge LANs needs L2 IPv6 filtering features today, 
whether or not they are deploying IPv6 today.  Otherwise rogue RAs 
(mainly from Windows ICS boxes) will cause issues for your users 
trying to connect to parts of the Internet that have IPv6 
reachability.  I hope Juniper implements RA Guard soon, because the 
trick of dropping ethertype 0x86dd frames won't work once we start 
enabling native IPv6 on our local subnets.

Everything here is converging on 10.4, which I think will be a good 
place to be given its E-EOL status.
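
The trade-off described above, as an added example that is not part of the original post: a blanket drop of ethertype 0x86dd stops rogue RAs but also every native IPv6 frame, while an RA Guard-style check drops only ICMPv6 Router Advertisements. The `trusted_port` flag, the function names and the sample frames are assumptions constructed for illustration.

```python
import struct

ETH_IPV6, ETH_VLAN = 0x86DD, 0x8100   # IPv6 ethertype, 802.1Q tag
ICMPV6, RA_TYPE = 58, 134             # IPv6 next-header value, ICMPv6 Router Advertisement

def classify(frame: bytes):
    """Return (ethertype, is_router_advertisement) for a raw Ethernet frame."""
    off = 12                                      # skip dst + src MAC
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype == ETH_VLAN:                      # step over 802.1Q tags
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    off += 2                                      # start of the L3 header
    if etype != ETH_IPV6 or len(frame) < off + 40:
        return etype, False
    # Simplification: extension headers are not walked; a production RA Guard
    # has to handle them.
    icmp = off + 40                               # fixed IPv6 header is 40 bytes
    is_ra = frame[off + 6] == ICMPV6 and len(frame) > icmp and frame[icmp] == RA_TYPE
    return etype, is_ra

def ethertype_filter(frame: bytes, trusted_port: bool) -> str:
    """Stop-gap from the post: drop every 0x86dd frame on an untrusted port."""
    etype, _ = classify(frame)
    return "drop" if etype == ETH_IPV6 and not trusted_port else "forward"

def ra_guard(frame: bytes, trusted_port: bool) -> str:
    """RA Guard-style decision: drop only Router Advertisements on untrusted ports."""
    _, is_ra = classify(frame)
    return "drop" if is_ra and not trusted_port else "forward"

# Constructed sample frames (not captured traffic).
def eth(etype, payload, vlan=None):
    hdr = bytes.fromhex("333300000001") + bytes.fromhex("020000000001")
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_VLAN, vlan)
    return hdr + struct.pack("!H", etype) + payload

def ipv6(next_hdr, payload):
    # version 6, payload length, next header, hop limit 255, zeroed addresses
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 255) + bytes(32) + payload

ROGUE_RA = eth(ETH_IPV6, ipv6(ICMPV6, bytes([RA_TYPE]) + bytes(15)), vlan=10)
NATIVE_TCP6 = eth(ETH_IPV6, ipv6(6, bytes(20)))
IPV4 = eth(0x0800, bytes(20))

if __name__ == "__main__":
    for name, f in [("rogue RA", ROGUE_RA), ("native IPv6 TCP", NATIVE_TCP6), ("IPv4", IPV4)]:
        print(f"{name:16} ethertype-filter={ethertype_filter(f, False):8} ra-guard={ra_guard(f, False)}")
```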

