Friday, March 12, 2010

Juniper SRX 240's

Well, we got a pair of these bad boys at work... We clustered them and have them configured for stateful failover. I am happy to say that for about 3 months I have been immersed in Junos. All in all, it is a pretty decent operating system. Coming from Cisco, the information is kind of similar, but not really (if that makes any sense). I did learn through the process that a firm understanding of the technology is needed to be successful. For a while, I was approaching these guys from a "Cisco" perspective, but I finally accepted the Juniper way of doing things, and it all seemed to work out. They fail over nicely. The one HUGE complaint I have is their misrepresented "dynamic" VPN. First off, every user needs their own IKE gateway, IPsec policy, dynamic-vpn gateway, and VPN ACL. It is A LOT of administrative overhead to get someone configured. They say this all will be fixed with version 11 next year... we are on 10.1. Anywho... in order for the "dynamic" IPsec VPN to work, you have to have HTTPS enabled on the external interface they are coming in on... ridiculous... it makes it impossible to NAT anything through 443 on that same IP. Yet I digress. They are now working, and will probably be implemented in 2 months after we do VSS on our core switches next month. Back out to transfer my homebrew into the fermenter :)
