Security & Mobility Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements

All I want for Christmas is a Juniper Networks SRX 100

by Ben Ward (crouchingbadger) on ‎12-21-2011 03:48 AM

This is a guest blog post. Views expressed in this post are original thoughts posted by Ben Ward, Network Design Engineer at MLL Telecom. These views are his own and in no way do they represent the views of the company he works for.

 

Early on in my first career (i.e. childhood), I learnt about features. I would pore over the Argos catalogue with a biro - “got! got! want! want! got!” - choosing the toys I was going to ask for at Christmas. I had a budget (roughly based on how good I’d been that year) and a deadline (Christmas shopping), and I then had to put forward a business case (Christmas list). I’d embellish this business case with facts about the toys I most wanted. This was made easier by Argos because they’d listed the features from the side of the toy’s box: “With realistic laser cannon sounds”, “operating tipper wagons”, “TV AM’s resident rodent superstar” and so on. So, I was glad to discover that choosing and justifying a Juniper SRX is nearly as easy.

 

Usually if a network device has its features written on the side of the box, you’d only ever want it on your broadband at home. But what if someone made an affordable device which could service your home or small office, runs Junos, and has a stateful firewall, switchports and most of the protocols you’ve grown up with? Wouldn’t you put that on your Christmas list? “SRX100 - want!”

 

Juniper SRX100 Services Gateway

 

Over the past year we’ve rolled out over 700 SRX210s, and I’ve grown to like them. MLL Telecom are technology agnostic, meaning the SRX210 was chosen for its combination of features, extendibility and price. The SRX210 has 8 switchports, a gigabit uplink, a WIC-style expansion slot called a PIM (for an ADSL/3G card), and all the features listed above. Because of this versatility we can use the same device with any of our uplink technologies (EAD, MPF, ADSL, even 3G). The SRX100 is similar, but with a fast Ethernet uplink port and no ADSL (you’ll need an SRX110 for that).

 

Admittedly you’d need to have been pretty well behaved this year to get an SRX210 for Christmas (they’re more of a small branch office spec), but if you were building a home lab then a couple of SRX100s would be a lot easier to get past the wife than an M160 off eBay.

 

With the SRX branch devices you still get a separate routing engine and forwarding engine, but the forwarding engine is running in software using a real-time thread. This enables a number of things to happen including Junos RPM (Real-time Performance Monitoring) with hardware time stamping (more on that in another blog post).


The SRX Series’ origins lie in taking the best design elements of the ScreenOS platform and merging them into Junos, and taking the features from the J-Series routers and adding some extras. Several years ago the J-Series was given flow-mode operation, which at the time was unpopular due to memory utilisation issues alongside BGP. Flow mode can be turned off if you wish, and the SRX will operate as a standard packet mode device, but that might not be the best use of this hardware. Rather than have either-or, however, you can also configure an SRX to filter off packet mode traffic from the default flow mode processing path, giving you the best of both worlds.

 

What flow mode does give you is a stateful firewall, Intrusion Detection and Prevention (IDP), Application-Layer Gateway (ALG), antivirus, anti-spam and web filtering. That’s most of the firewall features you previously had to do in a separate device. It can also terminate IPSEC VPNs. We’ve terminated nearly 200 IPSEC VPNs into two SRX650s (SRX210s on the remote end, naturally) for our off-net customers.

 

Traffic segregation can be enabled per-interface by using VLANs, but it can do better than that. Zones allow you to segregate interfaces into groups, e.g. Trusted, Untrusted, DMZ, and apply policy on the transit of data between those zones. You can also segregate routing information using routing instances. Even on an SRX100. This is ideal for RPM, where a probe can be configured in each VPN while the SRX only carries a default route for each, effectively turning one box into several.
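The zone, policy and routing-instance segregation described above, as a Junos set-command sketch added here (it is not from the original post). Zone, policy and instance names, interface numbers and the documentation-range addresses are hypothetical, and the interfaces are assumed to be routed ports rather than members of a switching VLAN.

```junos
# Added example: all names, interfaces and addresses are hypothetical.
# Routed interfaces, one per security domain.
set interfaces fe-0/0/0 unit 0 family inet address 203.0.113.2/30
set interfaces fe-0/0/1 unit 0 family inet address 192.168.10.1/24
set interfaces fe-0/0/2 unit 0 family inet address 192.0.2.1/28
set interfaces fe-0/0/3 unit 0 family inet address 198.51.100.2/30

# Zones group interfaces; policy is written between zones, not per interface.
set security zones security-zone untrust interfaces fe-0/0/0.0
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone dmz interfaces fe-0/0/2.0
set security zones security-zone cust-a interfaces fe-0/0/3.0
set security zones security-zone dmz address-book address dmz-web 192.0.2.10/32

# Trusted hosts may initiate sessions outbound.
set security policies from-zone trust to-zone untrust policy trust-out match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy trust-out then permit

# From outside, only HTTPS to the one DMZ host is permitted, and it is logged.
set security policies from-zone untrust to-zone dmz policy web-in match source-address any destination-address dmz-web application junos-https
set security policies from-zone untrust to-zone dmz policy web-in then permit
set security policies from-zone untrust to-zone dmz policy web-in then log session-close

# No untrust-to-trust or dmz-to-trust policy exists, so those flows hit the
# default deny. Stating it explicitly documents the intent.
set security policies default-policy deny-all

# A routing instance keeps one VPN's routes out of the main table;
# it carries only its own default route.
set routing-instances CUST-A instance-type virtual-router
set routing-instances CUST-A interface fe-0/0/3.0
set routing-instances CUST-A routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

# An RPM probe sourced from inside that instance.
set services rpm probe cust-a test gw-ping probe-type icmp-ping
set services rpm probe cust-a test gw-ping target address 198.51.100.1
set services rpm probe cust-a test gw-ping routing-instance CUST-A
```

After commit, `show security policies` lists the zone pairs that have a policy, and `show route table CUST-A.inet.0` confirms the instance holds only its own routes.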

 

Because the SRX runs Junos it can do BGP (table size permitting). The SRX650 has specific features to do BGP Route Reflection. Some caution has to be taken with the limits of both the forwarding and routing tables, but it’s certainly useful for experimentation in lab environments, and can provide BGP to remote sites over IPSEC.

 

The SRX100 might seem expensive when compared with a low-end Linksys E4200 or a Netgear FVS318G, but it packs in a full Junos device capable of many things you wouldn’t expect in a device this size. With full SNMP, Radius, NTP, OSPF, ISIS and of course IPv6, you have many of the features you’ve grown to know on the M-Series and MX-Series, but available on something you could stick on your home broadband. It fits in a stocking, too!

 

Although I’m starting to sound like an advert, I’m genuinely very happy with the SRX. I’d like to know your thoughts and experiences with the SRX series and would welcome your feedback, thanks.

 

Comments
by Tu Nguyen(anon) on ‎12-22-2011 09:09 AM

Very interesting article and thanks for sharing your knowledge and experiences you have with the product. I was thinking of the same thing in preparation for the lab exam, which is to put together a small little lab of SRXs. The low end SRX would definitely make perfect sense for a home situation. It's a little short of features on switching, but Juniper have the EX-2200-C (baby form factor) that probably goes nicely with the SRX-210. Especially if anyone is targeting the ENT exam, it has switching and routing and I think a combo of 210 (packet-based)/2200-C is a good match. SRX branch doesn't support logical systems, but routing-instances (virtualization) are working like a charm, especially if you have a need for supporting L2VPN/mBGP.

by kranthi(anon) on ‎12-28-2011 02:05 AM

SRX 100 with latest Junos should support 3G also. Please check once.

by Recognized Expert ‎02-28-2012 04:00 PM - edited ‎02-28-2012 04:03 PM

Hello, does anybody know if on an SRX210 it is possible to configure RSVP signalled LSPs from one virtual-router to another?

I am able to create LDP signaled LSP but RSVP seems not to be supported:

 

root@host# set routing-instances R1 protocols ?
Possible completions:
> amt                  AMT relay configuration
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> bgp                  BGP options
> esis                 ES-IS configuration
> igmp-snooping        IGMP snooping configuration
> isis                 IS-IS configuration
> l2vpn                Layer 2 VPN configuration
> ldp                  LDP configuration
> msdp                 MSDP configuration
> mvpn                 BGP-MVPN configuration
> ospf                 OSPF configuration
> ospf3                OSPF3 configuration
> pim                  PIM configuration
> rip                  RIP options
> ripng                RIPng options
> router-discovery     ICMP router discovery options
> vpls                 VPLS configuration

! I'm running 11.4R1.6.

 

Thanks in advance for your help!

by Terry Wade(anon) on ‎05-31-2012 02:29 PM
Awesome post, thanks man. I have managed to get my hands on a spare 210 and was looking to get an ADSL+ pim card for it. I would just like a little clarification if it will work with my O2 dal line at home. I have the premium service from them, before I cough up 300 quid for the pim. Any pointers welcome and gladly accepted
by on ‎12-17-2012 12:03 AM

I want a SRX solution which allows mobile devices to VPN (IPSEC, L2TP, PPTP) in, pls.

 

Thanks
