On Sat, Feb 19, 2011 at 04:13:25PM +0000, Giovanni Bellac wrote:
> Hello all
>
> I have now spent a lot of time to find out the optimal version of JunOS for
> our newly ordered 2x EX4200s.
>
> 1) We will run a 2x EX4200 Virtual Chassis.
> 2) We will run BGP default routes (NO full table) and announce our /21.
> 3) We will connect our rack-switches to the Virtual Chassis.
>
> So, we will do Layer2 and some (basic) Layer3.
>
> Should we use the latest service release of 10.0 (= 10.0s11 / 10.0s12) or use
> directly 10.4R2.6?

I'm the adventurous type, so I'm running 10.4R2.6 on a newly deployed edge switch now. I have 10.4R1 on a couple others that have been running for a while now without issues, and 10.3R1.9 on some EX2200s since before that. L2-only, though, no L3 or BGP. I am using lots of L2 security features such as filtering IPv6 frames (as a stop-gap until RA Guard is available), DHCP Snooping/ARP Inspection/IP Source Guard, MAC security, MAC limits, and BPDU Filtering.

On most of my EX4200s I still have 10.1S6.2 which I plan on upgrading to 10.4R2.6 soon. 10.1 has several issues related to PFEs disconnecting in a VC, some issues with storm-control, and issues with online uplink module switching from 1g -> 10g mode (reboot right after making this change or you may find your switches hung up a day later). 10.1S6.2 seems to have fixed some of these issues--a few remain but they are rare enough in occurrence that it isn't a big problem.

I went with 10.1 over 10.0 originally due to the IPv6 filtering features and online insertion/removal of the uplink modules.

Everyone who runs untrusted edge LANs needs L2 IPv6 filtering features today, whether or not they are deploying IPv6 today. Otherwise rogue RAs (mainly from Windows ICS boxes) will cause issues for your users trying to connect to parts of the Internet that have IPv6 reachability. I hope Juniper implements RA Guard soon, because the trick of dropping ethertype 0x86dd frames won't work once we start enabling native IPv6 on our local subnets.

Everything here is converging on 10.4, which I think will be a good place to be given its E-EOL status.
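
The two filtering approaches contrasted in the message above (dropping every ethertype 0x86dd frame versus an RA Guard style filter), as an added example that is not part of the original post and is not Juniper code. The frames are constructed samples, and the `trusted_port` flag and all function names are assumptions made for illustration.

```python
import struct

ETH_IPV6, ETH_VLAN = 0x86DD, 0x8100   # ethertypes: IPv6, 802.1Q tag
NH_ICMPV6, ICMPV6_RA = 58, 134        # IPv6 next-header, Router Advertisement

def classify(frame: bytes):
    """Return (ethertype, ICMPv6 type or None) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == ETH_VLAN and len(frame) >= 18:   # skip one 802.1Q tag
        ethertype, off = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype != ETH_IPV6 or len(frame) < off + 41:
        return ethertype, None
    # Simplification: only ICMPv6 directly after the fixed header is seen.
    # Extension-header chains are not walked here.
    if frame[off + 6] != NH_ICMPV6:
        return ethertype, None
    return ethertype, frame[off + 40]

def drop_all_ipv6(frame: bytes) -> bool:
    """Stop-gap from the message: drop every 0x86dd frame."""
    return classify(frame)[0] == ETH_IPV6

def drop_ra_only(frame: bytes, trusted_port: bool = False) -> bool:
    """RA Guard style: drop only RAs arriving on untrusted ports."""
    return not trusted_port and classify(frame)[1] == ICMPV6_RA

# --- constructed sample frames (not captured traffic) ---
def eth(ethertype, payload, vlan=None):
    hdr = bytes.fromhex("333300000001" "020000000001")  # dst, src MAC
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_VLAN, vlan)
    return hdr + struct.pack("!H", ethertype) + payload

def ipv6(next_header, body):
    fixed = struct.pack("!IHBB", 6 << 28, len(body), next_header, 255)
    return fixed + bytes(32) + body   # zeroed src/dst addresses

RA = eth(ETH_IPV6, ipv6(NH_ICMPV6, bytes([134, 0]) + bytes(14)))
RA_VLAN = eth(ETH_IPV6, ipv6(NH_ICMPV6, bytes([134, 0]) + bytes(14)), vlan=10)
ECHO = eth(ETH_IPV6, ipv6(NH_ICMPV6, bytes([128, 0]) + bytes(6)))
TCP6 = eth(ETH_IPV6, ipv6(6, bytes(20)))
ARP = eth(0x0806, bytes(28))

if __name__ == "__main__":
    for name, f in [("RA", RA), ("RA_VLAN", RA_VLAN), ("ECHO", ECHO),
                    ("TCP6", TCP6), ("ARP", ARP)]:
        print(f"{name:8} all_ipv6={drop_all_ipv6(f)} ra_only={drop_ra_only(f)}")
```

The blanket ethertype filter also discards the echo request and the TCP segment, which is why it stops being usable once native IPv6 is enabled on the subnet; the RA-only policy leaves that traffic alone.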

