Force 10 is fine. I do suggest he go with the dual cam cards over the regular cards. I am not sure what Chris is talking about but I have used Force 10 for a long time, E, C and S series and have found it very stable. It will do everything you want and then some. The E300 is a good bang for the buck. Sure Foundry might be cheaper but I hear more complaining about Foundry than any other platform.
Chris, you want to share what issues you have seen with Force 10?
Keith
----- Original Message -----
From: "Chris Marlatt" <cmarlatt@rxsec.com>
To: "Joe Abley" <jabley@ca.afilias.info>
Cc: "nanog" <nanog@merit.edu>
Sent: Friday, July 18, 2008 7:43:33 AM (GMT-0500) America/New_York
Subject: Re: Force10 E300 vs. Juniper MX480
Joe Abley wrote:
Hi all,
An acquaintance who runs an ISP with an M7i on its border is looking to upgrade, because the M7i is starting to creak from all the flesh-tone MPEGs his customers are sharing. (How times have changed. Back when I was chasing packets, it was flesh-tone JPEGs.)
He's looking at the MX480 and the E300.
The MX480 is attractive because the M7i has been stable as a rock, and he's familiar with JUNOS.
The E300 is attractive because it's half the price of the MX480, and has the potential to hold layer-2 cards as well as layer-3 ports which makes the price per port much more reasonable than the MX480. But he has no experience with Force10 at any ISO layer higher than 2.
He doesn't have any exotic requirements beyond OSPF, OSPFv3, BGP, IP and IPv6. There's no MPLS in the picture, for example. However, he's going to want four or five full tables plus a moderate load of peering routes in there. And maybe VRRP.
Thoughts from people who have tried one or the other, or both? Or who have faced this kind of problem, and came up with a different answer?
Feel free to send mail off-list; I can summarise if there is interest.
Joe
I would avoid Force10 if at all possible. In the network I managed I've had some fairly surprising stability problems with their S series switches and feature problems (or lack thereof) on their E series. Things you kind of scratch your head at and wonder what they were thinking. Juniper on the other hand is indeed a bit pricier but quite a stable platform. If he has to look at alternatives I would suggest Foundry, either the RX-8, MLX-8, or XMR-8000 (depending on requirements) for comparable models to the MX480.
Regards,
Chris
Keith O'neill wrote:
Force 10 is fine. I do suggest he go with the dual cam cards over the regular cards. I am not sure what Chris is talking about but I have used Force 10 for a long time, E, C and S series and have found it very stable. It will do everything you want and then some. The E300 is a good bang for the buck. Sure Foundry might be cheaper but I hear more complaining about Foundry than any other platform.
Chris, you want to share what issues you have seen with Force 10?
Keith
----- Original Message -----
From: "Chris Marlatt" <cmarlatt@rxsec.com>
To: "Joe Abley" <jabley@ca.afilias.info>
Cc: "nanog" <nanog@merit.edu>
Sent: Friday, July 18, 2008 7:43:33 AM (GMT-0500) America/New_York
Subject: Re: Force10 E300 vs. Juniper MX480
Joe Abley wrote:
Hi all,
An acquaintance who runs an ISP with an M7i on its border is looking to upgrade, because the M7i is starting to creak from all the flesh-tone MPEGs his customers are sharing. (How times have changed. Back when I was chasing packets, it was flesh-tone JPEGs.)
He's looking at the MX480 and the E300.
The MX480 is attractive because the M7i has been stable as a rock, and he's familiar with JUNOS.
The E300 is attractive because it's half the price of the MX480, and has the potential to hold layer-2 cards as well as layer-3 ports which makes the price per port much more reasonable than the MX480. But he has no experience with Force10 at any ISO layer higher than 2.
He doesn't have any exotic requirements beyond OSPF, OSPFv3, BGP, IP and IPv6. There's no MPLS in the picture, for example. However, he's going to want four or five full tables plus a moderate load of peering routes in there. And maybe VRRP.
Thoughts from people who have tried one or the other, or both? Or who have faced this kind of problem, and came up with a different answer?
Feel free to send mail off-list; I can summarise if there is interest.
Joe
I would avoid Force10 if at all possible. In the network I managed I've had some fairly surprising stability problems with their S series switches and feature problems (or lack thereof) on their E series. Things you kind of scratch your head at and wonder what they were thinking. Juniper on the other hand is indeed a bit pricier but quite a stable platform. If he has to look at alternatives I would suggest Foundry, either the RX-8, MLX-8, or XMR-8000 (depending on requirements) for comparable models to the MX480.
Regards,
Chris
Considering I just had another issue pop up, sure - I'd be glad to at this point.
As provided to another member who contacted me off list:
==========================================================
The S series problems were the worst - customer facing issues. <--snip-->. The list is noted in SFTOS and FTOS. Our design required layer 3 code on the S50N which "caused" some of these errors to present themselves:
- SFTOS: Limit of 8 ACL's (total ACL line count). Secondary assignments on the switch were "unprotected".
- SFTOS: OSPF required a specific ACL to form an adjacency even with a "default allow".
- SFTOS: If an uplink went down with OSPF running (ECMP), when the link was brought back up the OSPF adjacency would only form half way but would add a route. A 50/50 chance of success was the result.
- SFTOS: A "Transient Parity Error" crashed one of the S50's in production. No known cause.
- FTOS: The switch would lock during certain ARP operations (i.e. port flap). A hard reboot was necessary to recover the switch. <--snip-->
- FTOS: Random reboots preceded by "Low memory" errors. Our design would not / could not have consumed all the switch memory.
- FTOS: An upgrade from SFTOS to FTOS changes all the SNMP interface indexes, causing lots of internal software to no longer be able to poll switch ports or monitor accurately.
- FTOS: Hard lock of the switch after an STP root change. The root change was not seen on any other switches (i.e. another bug in the S50 code) and there were no events that should have caused a change in the topology.
The E series has been more stable but, like I said, lacking some features. The most notable is the inability to do "normal" PBR. Pretty much any BGP attribute can't be used to build a policy. We were forced to dedicate vlans to certain policies as they could only match the traffic via an interface.
A minor annoyance is the timing for the management cpu causing ping times to look as though there is something wrong with the router. There's a paper out there somewhere explaining the cause for this and it has to do with the polling cycles of the board.
A snippet of a ping to a routing interface:
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=4 ttl=252 time=0.640 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=5 ttl=252 time=5.376 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=6 ttl=252 time=12.170 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=7 ttl=252 time=1.106 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=8 ttl=252 time=8.089 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=9 ttl=252 time=0.715 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=10 ttl=252 time=3.758 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=11 ttl=252 time=10.636 ms
The only other problem we've had with the E series is a BGP failure. The device failed over to its standby management module so the impact was limited. I don't hold that too much against them as I realize that no vendor is perfect. However the vast problems we've had with the S series and minor problems with the E bring into question the stability and unseen bugs with other software. <--snip-->
Hopefully the above is helpful. I'm sure my experience isn't unique or the norm. If everyone was having issues similar to mine they'd be out of business.
==========================================================
The most recent problem occurring today:
%FIB6-2-FIB6_HW_WRITE_ERROR: Failed to write entry into Host table.
Had to clear the fib in order to get communication with that host back up.
Of all the vendors I've worked with this is by _far_ the longest list of issues I've ever come across. I'm glad that you're having better success than I am. Believe me I wish I was in the same boat.
We've been using Foundry for a much longer period of time than we have Force10 and in comparison I personally no longer consider them comparable products.
Regards,
Chris
I worked with many Foundry models for more than 4 years in the past and never had any real serious issues. They used to be a bit loud but other than that they are very easy to manage, solid devices. Another great thing with Foundry (again in my experience) is the support. Any time I ever had a real issue one of their SE's would be on site quickly and with the knowledge needed to fix the problem.
_Chris
On Fri, Jul 18, 2008 at 9:52 AM, Chris Marlatt <cmarlatt@rxsec.com> wrote:
Considering I just had another issue pop up sure - I'd be glad to at this point.
As provided to another member who contacted me off list:
==========================================================
The S series problems were the worst - customer facing issues. <--snip-->. The list is noted in SFTOS and FTOS. Our design required layer 3 code on the S50N which "caused" some of these errors to present themselves:
- SFTOS: Limit of 8 ACL's (total ACL line count). Secondary assignments on the switch were "unprotected".
- SFTOS: OSPF required a specific ACL to form an adjacency even with a "default allow".
- SFTOS: If an uplink went down with OSPF running (ECMP) when the link was brought back up the OSPF adjacency would only form half way but would add a route. A 50/50 chance of success was the result.
- SFTOS: A "Transient Parity Error" crashed one of the S50's in production. No known cause.
- FTOS: The switch would lock during certain ARP operations (i.e. port flap). A hard reboot was necessary to recover the switch. <--snip-->
- FTOS: Random reboots preceded by "Low memory" errors. Our design would not / could not have consumed all the switch memory.
- FTOS: An upgrade from SFTOS to FTOS changes all the SNMP interface indexes causing lots of internal software to no longer be able to poll switch ports or monitor accurately.
- FTOS: Hard lock of the switch after an STP root change. The root change was not seen on any other switches (i.e. another bug in the S50 code) and there were no events that should have caused a change in the topology.
The E series has been more stable but, like I said, lacking some features. The most notable is the inability to do "normal" PBR. Pretty much any BGP attribute can't be used to build a policy. We were forced to dedicate vlans to certain policies as they could only match the traffic via an interface.
A minor annoyance is the timing for the management cpu causing ping times to look as though there is something wrong with the router. There's a paper out there somewhere explaining the cause for this and it has to do with the polling cycles of the board.
A snippet of a ping to a routing interface:
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=4 ttl=252 time=0.640 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=5 ttl=252 time=5.376 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=6 ttl=252 time=12.170 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=7 ttl=252 time=1.106 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=8 ttl=252 time=8.089 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=9 ttl=252 time=0.715 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=10 ttl=252 time=3.758 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=11 ttl=252 time=10.636 ms
The only other problem we've had with the E series is a BGP failure. The device failed over to its standby management module so the impact was limited. I don't hold that too much against them as I realize that no vendor is perfect. However the vast problems we've had with the S series and minor problems with the E bring into question the stability and unseen bugs with other software. <--snip-->
Hopefully the above is helpful. I'm sure my experience isn't unique or the norm. If everyone was having issues similar to mine they'd be out of business.
==========================================================
The most recent problem occurring today:
%FIB6-2-FIB6_HW_WRITE_ERROR: Failed to write entry into Host table.
Had to clear the fib in order to get communication with that host back up.
Of all the vendors I've worked with this is by _far_ the longest list of issues I've ever come across. I'm glad that you're having better success than I am. Believe me I wish I was in the same boat.
We've been using Foundry for a much longer period of time than we have Force10 and in comparison I personally no longer consider them comparable products.
Regards,
Chris
Hi there..
I'm looking for some constructive feedback on **real world** experiences please...
We're primarily a Cisco shop today - our core and distribution are all Cisco driven and will continue to be (won't change that so not worth discussing today).
My question is oriented towards two other markets primarily:
Security Devices
Remote Office/Customer Site Devices
Let me elaborate a bit more...
Security - today, we've been deploying Cisco ASA boxes (was PIX before that) with pretty good success. However, in comparison to Juniper the Cisco boxes are *really* expensive - at least to us anyways. Juniper has nice products so I'm looking at proposing a solution internally to move towards the Juniper security appliances. Feedback from folks on them vs Cisco ASA??
Remote Office/Customer Site Devices - today, we do a lot of "managed routers" to customer sites. Again, cost driven, I'm being pushed towards looking at Adtran devices for customer sites that we maintain. I have nothing against Adtran but haven't viewed them to date as being in the same "arena" as Cisco/Juniper etc.. These routers are mainly providing basic firewalling/NAT and some very small VPN activity at times.
To take this one step further, some of our voice folks are really enjoying the Adtran boxes as they offer an "all in one solution" which is a router, firewall, "voice" box (many options - PRI handoff, T1, FXS/FXO) and in some of their boxes 24 POE switch ports as well. This is kinda cool I'll admit but the approach in the past has been to drop in a Cisco router, Adtran for voice applications, and then Cisco POE switches if required. This is very costly compared to Adtran's all in one approach.... so am I being stubborn on this or are the Adtran products in this case in the same league?? I had some terrible track record with Adtran a number of years ago so my back gets up when their name is mentioned...;)
Any feedback would be very appreciated - we're going to have meetings internally in the next while to decide which product lines fit with which service offerings the best....
Thanks,
Paul
----------------------------------------------------------------------------
"The information transmitted is intended only for the person or entity to which it is addressed and contains confidential and/or privileged material. If you received this in error, please contact the sender immediately and then destroy this transmission, including all attachments, without copying, distributing or disclosing same. Thank you."
On your last note, Cisco also offers an all-in-one with all the features you talked about and more. They are called UC500's.
_Chris
On Fri, Jul 18, 2008 at 10:18 AM, Paul Stewart <pstewart@nexicomgroup.net> wrote:
Hi there..
I'm looking for some constructive feedback on **real world** experiences please...
We're primarily a Cisco shop today - our core and distribution are all Cisco driven and will continue to be (won't change that so not worth discussing today).
My question is oriented towards two other markets primarily:
Security Devices
Remote Office/Customer Site Devices
Let me elaborate a bit more...
Security - today, we've been deploying Cisco ASA boxes (was PIX before that) with pretty good success. However, in comparison to Juniper the Cisco boxes are *really* expensive - at least to us anyways. Juniper has nice products so I'm looking at proposing a solution internally to move towards the Juniper security appliances. Feedback from folks on them vs Cisco ASA??
Remote Office/Customer Site Devices - today, we do a lot of "managed routers" to customer sites. Again, cost driven, I'm being pushed towards looking at Adtran devices for customer sites that we maintain. I have nothing against Adtran but haven't viewed them to date as being in the same "arena" as Cisco/Juniper etc.. These routers are mainly providing basic firewalling/NAT and some very small VPN activity at times.
To take this one step further, some of our voice folks are really enjoying the Adtran boxes as they offer an "all in one solution" which is a router, firewall, "voice" box (many options - PRI handoff, T1, FXS/FXO) and in some of their boxes 24 POE switch ports as well. This is kinda cool I'll admit but the approach in the past has been to drop in a Cisco router, Adtran for voice applications, and then Cisco POE switches if required. This is very costly compared to Adtran's all in one approach.... so am I being stubborn on this or are the Adtran products in this case in the same league?? I had some terrible track record with Adtran a number of years ago so my back gets up when their name is mentioned...;)
Any feedback would be very appreciated - we're going to have meetings internally in the next while to decide which product lines fit with which service offerings the best....
Thanks,
Paul
-----Original Message-----
From: Paul Stewart [mailto:pstewart@nexicomgroup.net]
Sent: Friday, July 18, 2008 11:18 AM
To: nanog
Subject: Cisco vs Adtran vs Juniper
Hi there..
I'm looking for some constructive feedback on **real world** experiences please...
We use all three, so hopefully my experience can help.
We're primarily a Cisco shop today - our core and distribution are all Cisco driven and will continue to be (won't change that so not worth discussing today).
My question is oriented towards two other markets primarily:
Security Devices
Remote Office/Customer Site Devices
Let me elaborate a bit more...
Security - today, we've been deploying Cisco ASA boxes (was PIX before that) with pretty good success. However, in comparison to Juniper the Cisco boxes are *really* expensive - at least to us anyways. Juniper has nice products so I'm looking at proposing a solution internally to move towards the Juniper security appliances. Feedback from folks on them vs Cisco ASA??
They both have their pros and cons, obviously. The ASA is a big step in the right direction from the PIX. SSL VPN capabilities, antivirus, and minimal IDS. Juniper SSGs don't do SSL VPN, but do antivirus, antispam, expandable ports (on the SSG-20) for T1/ADSL/ISDN, etc. We use more PIX and Juniper than ASA, but from what I've seen, the ASA is pretty decent. VPN upgrades are expensive, as are other various licenses. The Juniper SSG is also nice and reliable, but the web GUI sucks. It works on some computers and not others and it's all dependent upon stupid Java, so you'll have to learn the CLI in order to reliably do anything with them. Also, they charge you for their IPSec VPN client, which is nickel-and-diming, if you ask me. When you do install it, you can't have it co-exist with the Cisco VPN client, at least not a couple years ago when I tried it. We're split pretty evenly between Cisco and Juniper boxes and are happy with both. It all really depends on the services you want to sell or support for your customers, as each box can do different things.
Remote Office/Customer Site Devices - today, we do a lot of "managed routers" to customer sites. Again, cost driven, I'm being pushed towards looking at Adtran devices for customer sites that we maintain. I have nothing against Adtran but haven't viewed them to date as being in the same "arena" as Cisco/Juniper etc.. These routers are mainly providing basic firewalling/NAT and some very small VPN activity at times.
Both Cisco and Juniper offer great options for this. CPE from both is typically very solid. Juniper has the added benefit of being able to convert their J-series boxes to Netscreen SSG firewalls and the cards are interchangeable between the security/J-series platforms. Of course, this does cost you in license fees. NAT on the J-series is a pain to set up and unfortunately, the default 256M flash on them is just too small to support an easy JUNOS upgrade. The Adtran routers are very Cisco-like. Haven't done VPN and last time (years ago) we used the firewall, it continually crashed the router. I'm sure things have improved. Main reason to use Adtran is price. I'm personally more biased towards Juniper because JUNOS blows IOS out of the water, but Cisco CPE in our experience is very reliable. Believe it or not, we still have 2500s out in the field!
To take this one step further, some of our voice folks are really enjoying the Adtran boxes as they offer an "all in one solution" which is a router, firewall, "voice" box (many options - PRI handoff, T1, FXS/FXO) and in some of their boxes 24 POE switch ports as well. This is kinda cool I'll admit but the approach in the past has been to drop in a Cisco router, Adtran for voice applications, and then Cisco POE switches if required. This is very costly compared to Adtran's all in one approach.... so am I being stubborn on this or are the Adtran products in this case in the same league?? I had some terrible track record with Adtran a number of years ago so my back gets up when their name is mentioned...;)
Adtran makes *decent* products. We have hundreds of 900s and 600s deployed and physical/network stability is excellent. With VoIP, they are reliable and depending on what type of signalling you're using them with, along with what type of softswitch, you might see some bugs and have to provide their support with debug info. The SNMP support on them is pretty horrible, though. We use the TotalAccess 600s and 900s, but I've tested the NetVanta switch before. It's a decent switch, but I couldn't attest to its voice capabilities as we were only testing PoE and basic layer-2 and layer-3 capabilities at the time. One awesome thing about Adtran is their support - they do have a good support team and have 10-year warranties on their products. And one more annoying thing about them - console access is done by proprietary DB-9 connectors and cables which they don't actually ship with the boxes. As for the Cisco VoIP solution, I can tell you that we investigated Cisco a couple years ago and their solutions were so cost-prohibitive that it was an impossibility for our customer base. They also required a certified CVP on-staff just to be able to order certain equipment. Not sure if that's changed over the years, but it was not an option for us at all at the time.
-evt
On Jul 18, 2008, at 10:49 AM, Eric Van Tol wrote:
I'm looking for some constructive feedback on **real world** experiences please...
We're split pretty evenly between Cisco and Juniper boxes and are happy with both. It all really depends on the services you want to sell or support for your customers, as each box can do different things.
I've been using both these boxes for a while, the SSGs in particular, so I'll chime in. Eric is right, the WebUI for ScreenOS is not very good, but it's far better than any of the interfaces I've seen on any other security devices. It has its quirks, but it does get the job done. I have no complaints about the SSG hardware, you get decent port density across the line and 90% of the functionality you will want is there out of the box with no additional licensing required (stateful firewall, IPSec, all routing protocols, etc). Don't bother with the Antivirus and Antispam on ScreenOS, it sucks and Juniper knows it. The web filtering works pretty well, though. They're very flexible with regards to interoperability with other vendors (even Cisco). I've connected one to just about every vendor imaginable and there is always a way to make it work. If you're looking for a cheap router/firewall/VPN box, then the SSGs from Juniper are the way to go right now. JunOS Enhanced Services could make our lives even better too...
Both Cisco and Juniper offer great options for this. CPE from both is typically very solid. Juniper has the added benefit of being able to convert their J-series boxes to Netscreen SSG firewalls and the cards are interchangeable between the security/J-series platforms. Of course, this does cost you in license fees. NAT on the J-series is a pain to set up and unfortunately, the default 256M flash on them is just too small to support an easy JUNOS upgrade.
What he said -- with the J series you get JunOS and now JunOS Enhanced Services, so you get a full-fledged firewall as well. No need to convert them to ScreenOS (unless you need a feature that hasn't been ported from ScreenOS to JunOS ES yet). The only thing I really don't like in the J series is the lack of a non rack mount form factor. A lot of small and branch offices don't necessarily have racks and it can be cumbersome to convince someone they need a 19" wide noisebox to be their router.
More on JunOS ES: http://www.juniper.net/techpubs/software/junos-es/
Regards,
M
Thanks very much.... we're looking at a series of models currently and all the feedback I've received so far has been extremely helpful...
Best regards!
Paul
-----Original Message-----
From: Matthew Elmore [mailto:nanog@mattelmore.com]
Sent: Monday, July 21, 2008 9:19 AM
To: nanog
Subject: Re: Cisco vs Adtran vs Juniper
On Jul 18, 2008, at 10:49 AM, Eric Van Tol wrote:
I'm looking for some constructive feedback on **real world** experiences please...
We're split pretty evenly between Cisco and Juniper boxes and are happy with both. It all really depends on the services you want to sell or support for your customers, as each box can do different things.
I've been using both these boxes for a while, the SSGs in particular, so I'll chime in. Eric is right, the WebUI for ScreenOS is not very good, but it's far better than any of the interfaces I've seen on any other security devices. It has its quirks, but it does get the job done. I have no complaints about the SSG hardware, you get decent port density across the line and 90% of the functionality you will want is there out of the box with no additional licensing required (stateful firewall, IPSec, all routing protocols, etc). Don't bother with the Antivirus and Antispam on ScreenOS, it sucks and Juniper knows it. The web filtering works pretty well, though. They're very flexible with regards to interoperability with other vendors (even Cisco). I've connected one to just about every vendor imaginable and there is always a way to make it work. If you're looking for a cheap router/firewall/VPN box, then the SSGs from Juniper are the way to go right now. JunOS Enhanced Services could make our lives even better too...
Both Cisco and Juniper offer great options for this. CPE from both is typically very solid. Juniper has the added benefit of being able to convert their J-series boxes to Netscreen SSG firewalls and the cards are interchangeable between the security/J-series platforms. Of course, this does cost you in license fees. NAT on the J-series is a pain to set up and unfortunately, the default 256M flash on them is just too small to support an easy JUNOS upgrade.
What he said -- with the J series you get JunOS and now JunOS Enhanced Services, so you get a full-fledged firewall as well. No need to convert them to ScreenOS (unless you need a feature that hasn't been ported from ScreenOS to JunOS ES yet). The only thing I really don't like in the J series is the lack of a non rack mount form factor. A lot of small and branch offices don't necessarily have racks and it can be cumbersome to convince someone they need a 19" wide noisebox to be their router.
More on JunOS ES: http://www.juniper.net/techpubs/software/junos-es/
Regards,
M
-----Original Message-----
From: Keith O'neill [mailto:keith@pando.com]
Sent: Friday, July 18, 2008 10:35 AM
To: Chris Marlatt
Cc: nanog
Subject: Re: Force10 E300 vs. Juniper MX480
... Sure Foundry might be cheaper but I hear more complaining about Foundry than any other platform.
I'd like to hear about the complaints regarding Foundry. Off-list is fine, as I believe this may be off-topic for NANOG. We've been considering using Foundry and during testing they seemed to work just fine, but as everyone knows, a lab environment rarely mimics real life. I found a few highly annoying quirks, most of them with the CLI (why are my config mode commands shown in my operational mode command history, including partial question-marked commands? argh!), but interoperability with both Juniper and Cisco in an MPLS lab environment didn't present any showstoppers.
-evt
-----Original Message-----
From: Eric Van Tol [mailto:eric@atlantech.net]
Sent: Friday, July 18, 2008 11:03 AM
To: 'Keith O'neill'
Cc: nanog
Subject: RE: Force10 E300 vs. Juniper MX480
-----Original Message-----
From: Keith O'neill [mailto:keith@pando.com]
Sent: Friday, July 18, 2008 10:35 AM
To: Chris Marlatt
Cc: nanog
Subject: Re: Force10 E300 vs. Juniper MX480
... Sure Foundry might be cheaper but I hear more complaining about Foundry than any other platform.
I'd like to hear about the complaints regarding Foundry. Off-list is fine, as I believe this may be off-topic for NANOG. We've been considering using Foundry and during testing they seemed to work just fine, but as everyone knows, a lab environment rarely mimics real life. I found a few highly annoying quirks, most of them with the CLI (why are my config mode commands shown in my operational mode command history, including partial question-marked commands? argh!), but interoperability with both Juniper and Cisco in an MPLS lab environment didn't present any showstoppers.
The CLI quirks are much lower on the totem pole than cost or performance.
Best Regards,
-M<