[j-nsp] SRX RVI MPLS facing
Hi,

I am trying to use SRX240B as a VLAN capable switch and also VPLS endpoint. VPLS works "well" for me with a standard routed port, but when I tried to use the uplink port as a "switch port" and use RVI (routed vlan interface) to connect to the MPLS core, VPLS stops working: OSPF, BGP and RSVP work well, VPLS instances also go UP, but VPLS instances cannot learn remote MAC addresses. The remote VPLS instance (MX series) learns MACs from the SRX side, but VPLS on the SRX with RVI cannot learn MACs from the MX side. L2 looks like it works well; for example, VRRP (on lt interface) was established (because the SRX master uses the VRRP well known dst MAC).

It is Junos 12.1X46-D35.

My working uplink config:

    interfaces {
        ge-0/0/1 {
            vlan-tagging;
            mtu 1590;
            unit 500 {
                vlan-id 500;
                family inet {
                    mtu 1500;
                    address 31.31.176.193/30;
                }
                family mpls;
            }
        }
    }

And not working RVI configuration:

    interfaces {
        ge-0/0/1 {
            mtu 1590;
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ 500 520 ];
                    }
                }
            }
        }
        vlan {
            mtu 1590;
            unit 500 {
                family inet {
                    mtu 1500;
                    address 31.31.176.193/30;
                }
                family mpls;
            }
        }
    }
    vlans {
        vl500 {
            vlan-id 500;
            l3-interface vlan.500;
        }
        vl520 {
            vlan-id 520;
        }
    }

It looks like a Junos bug to me (or maybe an SRX L2 limitation). Has anyone run into the same problem?

Thanks a lot,
Daniel

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX for MPLS
Interesting/disappointing to read that the top end SRXs don't support MPLS as it is clearly the intention to deploy MPLS to the edge with the smaller SRXs. So what is Juniper's solution for concentration points in the network e.g. head offices etc? Do the large SRXs have no support for Family mpls in any fashion? Is it on the roadmap (the statement below would suggest it is)? And if so when can it be expected?

Thanks,
Tim.

-Original Message-
Message: 1
Date: Fri, 22 Oct 2010 08:54:36 +0530
From: Jai Chandra Gundapaneni jaichan...@juniper.net
To: EXT - xmi...@gmail.com xmi...@gmail.com
Cc: 'juniper-nsp@puck.nether.net' juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SRX for MPLS
Message-ID: 33e45efc4b29ee4195b9440b22f885ea584a8...@embx02-bng.jnpr.net
Content-Type: text/plain; charset=iso-8859-1

Sorry for the confusion. The top end SRX don't yet support the MPLS feature as yet. The top end SRX don't work in packet mode.
Re: [j-nsp] SRX for MPLS
I tested everything from mpls, ldp, rsvp, l2vpns, l3vpns, vpls and other routing protocols. There are some limitations for mtu, encapsulations, fragmentation and other small but pain in the ass things. Best thing is to get some (2 or more srx210 or better) and to do your tests. After that you will consider buying them.

About security things - if you still need them you can separate the box in 2 virtual-routers or something else.

On 10/22/2010 05:54 PM, Paul Stewart wrote:

Has anyone done much l2vpn on them? I know that's related for sure..;)

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Miroslav Georgiev
Sent: Friday, October 22, 2010 10:05 AM
To: Will McLendon
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SRX for MPLS

Unfortunately there are some vpls limitations on SRX and J-series routers. You should check them first. Besides that everything works.

On 10/22/2010 04:28 PM, Will McLendon wrote:

You can definitely do MPLS on J-series and SRX gateways. It even says so on the datasheet -- however, as was mentioned, you must put the device in packet-based mode, and thus lose ALL security features (everything that is configured under [edit security] -- so Zones, Stateful Policies, NAT, etc. are all not available).

To add on to Tim's comment, you will want to use the command 'delete security' to wipe out that hierarchy, and then enable the packet-based mode:

    set security forwarding-options family mpls mode packet-based

There are other statements in that hierarchy to enable packet-based for inet6 etc, but I've never turned that on...just the MPLS statement will turn it into a regular router..

My main fear for your deployment would be the environmental conditions. I don't believe the SRX is specifically hardened for that kind of environment (that isn't to say it wouldn't work, though). Also, you aren't planning to put an entire BGP table into them are you? I'm not sure how well that would work on the smaller boxes. I think I've heard of it being done, but never done it myself so I can't speak to the stability of such a scenario.

Good luck,
Will

--
Regards,,,
Miroslav Georgiev
SpectrumNet Jsc.
+(359 2)4890604
+(359 2)4890619
Re: [j-nsp] SRX for MPLS
On Fri, Oct 22, 2010 at 9:46 AM, Chris Evans chrisccnpsp...@gmail.com wrote:

My question is what is the purpose of using a security device for pure routing purposes??? Why not just buy a router?

It seems like the point was for it to be both a router and a security device. They can boast about an ethernet based routing platform cheaper than the MX80 in some cases as well as a security platform that runs JunOS. Most of the security features do not run in the routing mode and vice versa, so you decide what you want it to do before you deploy. It seems the extra abilities would only come in handy if you were looking to repurpose the box from one function to another.

I suppose there's also a certain wow factor as well. I remember all the buzz before they came out about the MPLS enabled firewall. Things like being able to bring in connections over ethernet and IPSEC all on the same box while doing stateful packet inspection and such.
Re: [j-nsp] SRX for MPLS
You can definitely do MPLS on J-series and SRX gateways. It even says so on the datasheet -- however, as was mentioned, you must put the device in packet-based mode, and thus lose ALL security features (everything that is configured under [edit security] -- so Zones, Stateful Policies, NAT, etc. are all not available).

To add on to Tim's comment, you will want to use the command 'delete security' to wipe out that hierarchy, and then enable the packet-based mode:

    set security forwarding-options family mpls mode packet-based

There are other statements in that hierarchy to enable packet-based for inet6 etc, but I've never turned that on...just the MPLS statement will turn it into a regular router..

My main fear for your deployment would be the environmental conditions. I don't believe the SRX is specifically hardened for that kind of environment (that isn't to say it wouldn't work, though). Also, you aren't planning to put an entire BGP table into them are you? I'm not sure how well that would work on the smaller boxes. I think I've heard of it being done, but never done it myself so I can't speak to the stability of such a scenario.

Good luck,
Will
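An added example, not part of any message in this thread and not Juniper code: a configuration audit for the trade-off described above, where `family mpls mode packet-based` turns the box into a router without its [edit security] features. The function names, finding codes and sample configurations are assumptions constructed for illustration, and the mixed (selective packet services) mode mentioned elsewhere in the thread is not modelled.

```python
import re

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')


def parse_junos(text):
    """Parse brace-style Junos configuration into nested dicts.
    Containers map to dicts, leaf statements map to None."""
    text = re.sub(r"/\*.*?\*/|#[^\n]*", "", text, flags=re.S)  # drop comments
    root = {}
    stack, words = [root], []
    for tok in TOKEN.findall(text):
        if tok == "{":
            key = " ".join(words)
            child = stack[-1].get(key)
            if not isinstance(child, dict):
                child = stack[-1][key] = {}
            stack.append(child)
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            words = []
        elif tok == ";":
            if words:
                stack[-1].setdefault(" ".join(words), None)
            words = []
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


def dig(tree, *path):
    """Follow container names down the tree; None if a step is missing."""
    for key in path:
        if not isinstance(tree, dict) or not isinstance(tree.get(key), dict):
            return None
        tree = tree[key]
    return tree


def forwarding_modes(cfg):
    """Map each family under security forwarding-options to its mode."""
    modes = {}
    families = dig(cfg, "security", "forwarding-options", "family") or {}
    for family, body in families.items():
        for stmt in body or {}:
            if stmt.startswith("mode "):
                modes[family] = stmt.split()[1]
    return modes


def mpls_interfaces(cfg):
    """Logical interfaces (name.unit) that carry 'family mpls'."""
    found = []
    for ifname, body in (dig(cfg, "interfaces") or {}).items():
        for stmt, unit in (body or {}).items():
            if stmt.startswith("unit ") and isinstance(unit, dict) \
                    and "family mpls" in unit:
                found.append(f"{ifname}.{stmt.split()[1]}")
    return found


STATEFUL = ("zones", "policies", "nat")  # stanzas the thread says are lost


def audit(text):
    """Return (code, detail) findings for one device configuration."""
    cfg = parse_junos(text)
    findings = []
    if forwarding_modes(cfg).get("mpls") == "packet-based":
        findings.append(("PACKET_MODE",
                         "family mpls is packet-based: no flow processing"))
        stale = [s for s in STATEFUL if s in (cfg.get("security") or {})]
        if stale:
            findings.append(("STALE_SECURITY",
                             "security stanzas still configured: "
                             + ", ".join(stale)))
    elif mpls_interfaces(cfg):
        findings.append(("MPLS_WITHOUT_PACKET_MODE",
                         "family mpls on " + ", ".join(mpls_interfaces(cfg))
                         + " but no packet-based forwarding statement"))
    return findings


# Constructed sample configurations (addresses are documentation values).
ROUTER = """
security { forwarding-options { family { mpls { mode packet-based; } } } }
interfaces { ge-0/0/1 { vlan-tagging; unit 500 { vlan-id 500;
    family inet { address 192.0.2.1/30; } family mpls; } } }
"""
STALE = """
security {
    forwarding-options { family { mpls { mode packet-based; } } }
    zones { security-zone untrust { interfaces { ge-0/0/1.500; } } }
    nat { source { rule-set out { from zone trust; } } }
}
interfaces { ge-0/0/1 { unit 500 { family mpls; } } }
"""
FIREWALL = """
security { zones { security-zone untrust { interfaces { ge-0/0/1.500; } } } }
interfaces { ge-0/0/1 { unit 500 { family inet; family mpls; } } }
"""

if __name__ == "__main__":
    for name, sample in (("ROUTER", ROUTER), ("STALE", STALE),
                         ("FIREWALL", FIREWALL)):
        for code, detail in audit(sample):
            print(f"{name}: {code}: {detail}")
```

A STALE_SECURITY finding marks a configuration that still reads as if zones or NAT were in force after the device was switched to packet mode, which is the case the 'delete security' advice above avoids.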
Re: [j-nsp] SRX for MPLS
My question is what is the purpose of using a security device for pure routing purposes??? Why not just buy a router?

On Oct 22, 2010 9:34 AM, Will McLendon wimcl...@gmail.com wrote:

You can definitely do MPLS on J-series and SRX gateways. It even says so on the datasheet -- however, as was mentioned, you must put the device in packet-based mode, and thus lose ALL security features (everything that is configured under [edit security] -- so Zones, Stateful Policies, NAT, etc. are all not available).

To add on to Tim's comment, you will want to use the command 'delete security' to wipe out that hierarchy, and then enable the packet-based mode:

    set security forwarding-options family mpls mode packet-based

There are other statements in that hierarchy to enable packet-based for inet6 etc, but I've never turned that on...just the MPLS statement will turn it into a regular router..

My main fear for your deployment would be the environmental conditions. I don't believe the SRX is specifically hardened for that kind of environment (that isn't to say it wouldn't work, though). Also, you aren't planning to put an entire BGP table into them are you? I'm not sure how well that would work on the smaller boxes. I think I've heard of it being done, but never done it myself so I can't speak to the stability of such a scenario.

Good luck,
Will
Re: [j-nsp] SRX for MPLS
Unfortunately there are some vpls limitations on SRX and J-series routers. You should check them first. Besides that everything works.

On 10/22/2010 04:28 PM, Will McLendon wrote:

You can definitely do MPLS on J-series and SRX gateways. It even says so on the datasheet -- however, as was mentioned, you must put the device in packet-based mode, and thus lose ALL security features (everything that is configured under [edit security] -- so Zones, Stateful Policies, NAT, etc. are all not available).

To add on to Tim's comment, you will want to use the command 'delete security' to wipe out that hierarchy, and then enable the packet-based mode:

    set security forwarding-options family mpls mode packet-based

There are other statements in that hierarchy to enable packet-based for inet6 etc, but I've never turned that on...just the MPLS statement will turn it into a regular router..

My main fear for your deployment would be the environmental conditions. I don't believe the SRX is specifically hardened for that kind of environment (that isn't to say it wouldn't work, though). Also, you aren't planning to put an entire BGP table into them are you? I'm not sure how well that would work on the smaller boxes. I think I've heard of it being done, but never done it myself so I can't speak to the stability of such a scenario.

Good luck,
Will

--
Regards,,,
Miroslav Georgiev
SpectrumNet Jsc.
+(359 2)4890604
+(359 2)4890619
Re: [j-nsp] SRX for MPLS
Simple Answer. Cost.

The SRX650 can handle about as much traffic as an M7i, at less than half the price. There's no equivalent J-series at that level. (J6350 would top out at 2Gbps). Likewise, J-series runs virtually the same code now as the SRX series (in terms of security), which begs an answer to the question: Why not just buy a router?

Answer: What router? There's only security devices below the M7.

- CK.

P.S. there was a huge previous discussion regarding J-series only-flow-based earlier, which I'm sure you remember. =)

On 2010-10-23, at 12:46 AM, Chris Evans wrote:

My question is what is the purpose of using a security device for pure routing purposes??? Why not just buy a router?
Re: [j-nsp] SRX for MPLS
We are studying it:

* J Series or SRX Series devices do not support aggregated Ethernet interfaces. Therefore, aggregated Ethernet interfaces between CE devices and PE routers are not supported for VPLS routing instances on J Series or SRX Series devices.
* VPLS routing instances on J Series or SRX Series devices use BGP to send signals to other PE routers. LDP signaling is not supported.
* VPLS multihoming, which allows connecting a CE device to multiple PE routers to provide redundant connectivity, is not supported on J Series or SRX Series devices.
* J Series or SRX Series devices do not support BGP mesh groups.
* J Series or SRX Series devices support only the following encapsulation types on VPLS interfaces that face CE devices: extended VLAN VPLS, Ethernet VPLS, and VLAN VPLS. Ethernet VPLS over ATM LLC encapsulation is not supported.
* Virtual ports are generated dynamically on a Tunnel Services PIC on some Juniper Networks routing platforms. J Series or SRX Series devices do not support Tunnel Services modules or virtual ports.
* The VPLS implementation on J Series or SRX Series devices does not support dual-tagged frames. Therefore, VLAN rewrite operations are not supported on dual-tagged frames. VLAN rewrite operations such as pop-pop, pop-swap, push-push, swap-push, and swap-swap, which are supported on M Series and T Series routing platforms, are not supported on J Series or SRX Series devices.
* Firewall filters for VPLS are not supported.

BGP Signaling must be a big limitation, because of address space of these boxes.
Re: [j-nsp] SRX for MPLS
Has anyone done much l2vpn on them? I know that's related for sure..;)

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Miroslav Georgiev
Sent: Friday, October 22, 2010 10:05 AM
To: Will McLendon
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SRX for MPLS

Unfortunately there are some vpls limitations on SRX and J-series routers. You should check them first. Besides that everything works.

On 10/22/2010 04:28 PM, Will McLendon wrote:

You can definitely do MPLS on J-series and SRX gateways. It even says so on the datasheet -- however, as was mentioned, you must put the device in packet-based mode, and thus lose ALL security features (everything that is configured under [edit security] -- so Zones, Stateful Policies, NAT, etc. are all not available).

To add on to Tim's comment, you will want to use the command 'delete security' to wipe out that hierarchy, and then enable the packet-based mode:

    set security forwarding-options family mpls mode packet-based

There are other statements in that hierarchy to enable packet-based for inet6 etc, but I've never turned that on...just the MPLS statement will turn it into a regular router..

My main fear for your deployment would be the environmental conditions. I don't believe the SRX is specifically hardened for that kind of environment (that isn't to say it wouldn't work, though). Also, you aren't planning to put an entire BGP table into them are you? I'm not sure how well that would work on the smaller boxes. I think I've heard of it being done, but never done it myself so I can't speak to the stability of such a scenario.

Good luck,
Will

--
Regards,,,
Miroslav Georgiev
SpectrumNet Jsc.
+(359 2)4890604
+(359 2)4890619
Re: [j-nsp] SRX for MPLS
On 22/10/2010 11:46, Chris Evans wrote:

My question is what is the purpose of using a security device for pure routing purposes??? Why not just buy a router?
On Oct 22, 2010 9:34 AM, Will McLendon wimcl...@gmail.com wrote:

Price and size of the box.
Re: [j-nsp] SRX for MPLS
Ahhh the cost reason. That is a huge reason we aren't buying much juniper gear at this point in time. We only use m or mx devices along with the full Cisco product catalog. Every solution we are doing lately costs 2 to 5 times using juniper versus cisco.. I just can't justify juniper at this point in time for most contexts due to cost alone. This is something I've been yelling at my account team about.

On Oct 22, 2010 11:22 AM, Giuliano Cardozo Medalha giulian...@uol.com.br wrote:

On 22/10/2010 11:46, Chris Evans wrote:

My question is what is the purpose of using a security device for pure routing purposes??? Why not just buy a router?
On Oct 22, 2010 9:34 AM, Will McLendon wimcl...@gmail.com wrote:

Price and size of the box.
Re: [j-nsp] SRX for MPLS
Now we need to understand the limits for L2 VPNs and how can we use it integrated with JUNOS Space and Network Activator.

Ahhh the cost reason. That is a huge reason we aren't buying much juniper gear at this point in time. We only use m or mx devices along with the full Cisco product catalog. Every solution we are doing lately costs 2 to 5 times using juniper versus cisco.. I just can't justify juniper at this point in time for most contexts due to cost alone. This is something I've been yelling at my account team about.

On Oct 22, 2010 11:22 AM, Giuliano Cardozo Medalha giulian...@uol.com.br wrote:

On 22/10/2010 11:46, Chris Evans wrote:

My question is what is the purpose of using a security device for pure routing purposes??? Why not just buy a router?
On Oct 22, 2010 9:34 AM, Will McLendon wimcl...@gmail.com wrote:

Price and size of the box.
[j-nsp] SRX for MPLS
People,

Does anyone use SRX routers for MPLS (VPLS) Transport?

We are thinking about the use of SRX220 under some conditions:

- Use it in a not good environment without air conditioning and a lot of dust ... external box temperature rises from 35 to 42 Celsius.
- Be the point to interconnect POPs using point to point radios (100~1000 Mbps)
- Using it to provide a VPLS infrastructure for L2 transport and client isolation until the start of the backbone (M7i and MX80 Routers)
- SRX220 to provide OSPFv2 and OSPFv3 L3 gateway for some routed clients.

The figure shown at the following link tries to resume it at all: http://www.wztech.com.br/JUNIPER/Topology.png

Is it possible to use this box in such a project? Do you have any experience using it to do this type of topology?

Is it possible that SRX220 can work fine under so strength environment conditions? Could it blow up or go down?

If someone has implemented this kind of environment can please share the experiences?

Thanks a lot,
Giuliano
Re: [j-nsp] SRX for MPLS
Hi Giuliano,

We do not support MPLS on SRX platforms.

Thanks Regards,
Jai

- Original Message -
From: juniper-nsp-boun...@puck.nether.net juniper-nsp-boun...@puck.nether.net
To: juniper-nsp@puck.nether.net juniper-nsp@puck.nether.net
Sent: Thu Oct 21 19:48:46 2010
Subject: [j-nsp] SRX for MPLS

People,

Does anyone use SRX routers for MPLS (VPLS) Transport?

We are thinking about the use of SRX220 under some conditions:

- Use it in a not good environment without air conditioning and a lot of dust ... external box temperature rises from 35 to 42 Celsius.
- Be the point to interconnect POPs using point to point radios (100~1000 Mbps)
- Using it to provide a VPLS infrastructure for L2 transport and client isolation until the start of the backbone (M7i and MX80 Routers)
- SRX220 to provide OSPFv2 and OSPFv3 L3 gateway for some routed clients.

The figure shown at the following link tries to resume it at all: http://www.wztech.com.br/JUNIPER/Topology.png

Is it possible to use this box in such a project? Do you have any experience using it to do this type of topology?

Is it possible that SRX220 can work fine under so strength environment conditions? Could it blow up or go down?

If someone has implemented this kind of environment can please share the experiences?

Thanks a lot,
Giuliano
Re: [j-nsp] SRX for MPLS
I don't believe that's the case. You can do MPLS (I can't say I've ever done it, but I know the config is possible) the major catch with that is the SRX will be switched to packet mode (vs flow) and you lose the flow capabilities of the SRX platform. Basically you can turn the SRX into a branch router and do MPLS but the MPLS router+firewall isn't possible.

    security {
        forwarding-options {
            family {
                mpls {
                    mode packet-based;
                }
            }
        }
    }

Hope this clears things up,
-Tim Eberhard

On Thu, Oct 21, 2010 at 9:59 PM, Jai Chandra Gundapaneni jaichan...@juniper.net wrote:

At least not yet I should say.

Thanks Regards,
Jai

- Original Message -
From: Jai Chandra Gundapaneni
To: 'giulian...@uol.com.br' giulian...@uol.com.br; 'juniper-nsp@puck.nether.net' juniper-nsp@puck.nether.net
Sent: Thu Oct 21 19:57:52 2010
Subject: Re: [j-nsp] SRX for MPLS

Hi Giuliano,

We do not support MPLS on SRX platforms.

Thanks Regards,
Jai

- Original Message -
From: juniper-nsp-boun...@puck.nether.net juniper-nsp-boun...@puck.nether.net
To: juniper-nsp@puck.nether.net juniper-nsp@puck.nether.net
Sent: Thu Oct 21 19:48:46 2010
Subject: [j-nsp] SRX for MPLS

People,

Does anyone use SRX routers for MPLS (VPLS) Transport?

We are thinking about the use of SRX220 under some conditions:

- Use it in a not good environment without air conditioning and a lot of dust ... external box temperature rises from 35 to 42 Celsius.
- Be the point to interconnect POPs using point to point radios (100~1000 Mbps)
- Using it to provide a VPLS infrastructure for L2 transport and client isolation until the start of the backbone (M7i and MX80 Routers)
- SRX220 to provide OSPFv2 and OSPFv3 L3 gateway for some routed clients.

The figure shown at the following link tries to resume it at all: http://www.wztech.com.br/JUNIPER/Topology.png

Is it possible to use this box in such a project? Do you have any experience using it to do this type of topology?

Is it possible that SRX220 can work fine under so strength environment conditions? Could it blow up or go down?

If someone has implemented this kind of environment can please share the experiences?

Thanks a lot,
Giuliano
Re: [j-nsp] SRX for MPLS
Sorry for the confusion. The top end SRX don't yet support the MPLS feature as yet. The top end SRX don't work in packet mode.

--Original Message--
From: EXT - xmi...@gmail.com
To: Jai Chandra Gundapaneni
Cc: giulian...@uol.com.br
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SRX for MPLS
Sent: Oct 22, 2010 08:43

I don't believe that's the case. You can do MPLS (I can't say I've ever done it, but I know the config is possible) the major catch with that is the SRX will be switched to packet mode (vs flow) and you lose the flow capabilities of the SRX platform. Basically you can turn the SRX into a branch router and do MPLS but the MPLS router+firewall isn't possible.

    security {
        forwarding-options {
            family {
                mpls {
                    mode packet-based;
                }
            }
        }
    }

Hope this clears things up,
-Tim Eberhard

On Thu, Oct 21, 2010 at 9:59 PM, Jai Chandra Gundapaneni jaichan...@juniper.net wrote:

At least not yet I should say.

Thanks Regards,
Jai

- Original Message -
From: Jai Chandra Gundapaneni
To: 'giulian...@uol.com.br' giulian...@uol.com.br; 'juniper-nsp@puck.nether.net' juniper-nsp@puck.nether.net
Sent: Thu Oct 21 19:57:52 2010
Subject: Re: [j-nsp] SRX for MPLS

Hi Giuliano,

We do not support MPLS on SRX platforms.

Thanks Regards,
Jai

- Original Message -
From: juniper-nsp-boun...@puck.nether.net juniper-nsp-boun...@puck.nether.net
To: juniper-nsp@puck.nether.net juniper-nsp@puck.nether.net
Sent: Thu Oct 21 19:48:46 2010
Subject: [j-nsp] SRX for MPLS

People,

Does anyone use SRX routers for MPLS (VPLS) Transport?

We are thinking about the use of SRX220 under some conditions:

- Use it in a not good environment without air conditioning and a lot of dust ... external box temperature rises from 35 to 42 Celsius.
- Be the point to interconnect POPs using point to point radios (100~1000 Mbps)
- Using it to provide a VPLS infrastructure for L2 transport and client isolation until the start of the backbone (M7i and MX80 Routers)
- SRX220 to provide OSPFv2 and OSPFv3 L3 gateway for some routed clients.

The figure shown at the following link tries to resume it at all: http://www.wztech.com.br/JUNIPER/Topology.png

Is it possible to use this box in such a project? Do you have any experience using it to do this type of topology?

Is it possible that SRX220 can work fine under so strength environment conditions? Could it blow up or go down?

If someone has implemented this kind of environment can please share the experiences?

Thanks a lot,
Giuliano

Thanks Regards,
Jai
Re: [j-nsp] SRX for MPLS
High-end SRXs (SRX3000s and SRX5000s) do not support packet-based only processing. Branch SRX (SRX100s, SRX200s, SRX650s) support either packet-based only, flow-based only or mixed mode (selective packet services).

Please refer to the following app note for some great examples: https://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf

Thanks,
Barny Sanchez
Sr. Consulting Engineer, Security Products Solutions
Juniper Networks

On Oct 21, 2010, at 9:13 PM, Tim Eberhard wrote:

I don't believe that's the case. You can do MPLS (I can't say I've ever done it, but I know the config is possible) the major catch with that is the SRX will be switched to packet mode (vs flow) and you lose the flow capabilities of the SRX platform. Basically you can turn the SRX into a branch router and do MPLS but the MPLS router+firewall isn't possible.

    security {
        forwarding-options {
            family {
                mpls {
                    mode packet-based;
                }
            }
        }
    }

Hope this clears things up,
-Tim Eberhard

On Thu, Oct 21, 2010 at 9:59 PM, Jai Chandra Gundapaneni jaichan...@juniper.net wrote:

At least not yet I should say.

Thanks Regards,
Jai

- Original Message -
From: Jai Chandra Gundapaneni
To: 'giulian...@uol.com.br' giulian...@uol.com.br; 'juniper-nsp@puck.nether.net' juniper-nsp@puck.nether.net
Sent: Thu Oct 21 19:57:52 2010
Subject: Re: [j-nsp] SRX for MPLS

Hi Giuliano,

We do not support MPLS on SRX platforms.

Thanks Regards,
Jai

- Original Message -
From: juniper-nsp-boun...@puck.nether.net juniper-nsp-boun...@puck.nether.net
To: juniper-nsp@puck.nether.net juniper-nsp@puck.nether.net
Sent: Thu Oct 21 19:48:46 2010
Subject: [j-nsp] SRX for MPLS

People,

Does anyone use SRX routers for MPLS (VPLS) Transport?

We are thinking about the use of SRX220 under some conditions:

- Use it in a not good environment without air conditioning and a lot of dust ... external box temperature rises from 35 to 42 Celsius.
- Be the point to interconnect POPs using point to point radios (100~1000 Mbps)
- Using it to provide a VPLS infrastructure for L2 transport and client isolation until the start of the backbone (M7i and MX80 Routers)
- SRX220 to provide OSPFv2 and OSPFv3 L3 gateway for some routed clients.

The figure shown at the following link tries to resume it at all: http://www.wztech.com.br/JUNIPER/Topology.png

Is it possible to use this box in such a project? Do you have any experience using it to do this type of topology?

Is it possible that SRX220 can work fine under so strength environment conditions? Could it blow up or go down?

If someone has implemented this kind of environment can please share the experiences?

Thanks a lot,
Giuliano