to build a new 10GE network and have received offers from Juniper and Cisco distributors.
Juniper seems to be a bit more expensive. It was our first choice at the beginning untill we saw many big ISP's using cisco 6509 with SUP720-3BXL for routing.
Is there anyone with experience on both products? How about support for both of these?
I am considering buying a C6509-E and I wanted to get a feel for that which I am about to do is hopefully a good move, and not a bad one. My traffic patterns are similar to what I suspect many of you experience. My traffic levels hovers around 2 - 300 mbit, but we are about to start offering more colocation services.
I also do internet facing bgp routing.
I was thinking something like this:
1 x C6509-E Chassis
1 x VS-S720-10G-3CXL 720 with 2 ports 10GbE MSFC3 PFC3C XL
1 x MEM-C6K-CPTFL1GB Compact Flash Memory 1GB
1 x WS-X6724-SFP 24-port GigE
1 x WS-C6509-E-FAN Fan tray
2 x WS-CAC-3000W
I will probably add on the forwarding card to the 6724 once my traffic levels rises more.
Additionally I would probably be getting one more identical box a little later.
Could I get any feedback on this setup, is there anything I've missed?
Also, if you have bought a similar setup before I would love to to be given an idea of what I should expect for pricing?
I've been reading and searching on here as much as I can to try to help me in making a decision, unfortunately when I think I know what to do, I read something else and get confused again.
We are in the process of moving networks within our datacenter and will have 2 drops coming into our half-cabinet. We have about 7 servers in there, some for our own use and some for clients. In all cases, we manage the servers and are the only ones with root access (no need for VLANs for the purpose of protecting IPs etc).
We currently have a single drop and use an HP procurve 2524 layer2 switch that has been in there for over 6 years and never had a single hiccup. We also don't push much traffic at all though. Under 5mbps combined.
My question though is this: moving to the new network we will have 2 drops that are set up as HSRP on their end (upstream of me, I don't have to worry about having two switches). In order to use the dual feeds, we will need a Layer3 switch. One feed will be active, the other is not, both are connected to the switch via a VLAN and provide a gateway for VLAN2 to use. I have never used a layer3 switch, though I'm not *too* concerned since I don't expect we'll be doing anything too complex. My understanding is that one VLAN (VLAN1) will be set up with an IP address assigned to each drop and that VLAN1 will create a gateway for VLAN2. The second VLAN (VLAN2) will be all our "inside" client IPs that will then route through VLAN1.
I was briefly checking out the cisco 3750, but I think it's overkill...? I don't want to spend too much money, since I don't think we need any complex setups, at the same time, I don't want to waste money by buying something that won't work efficiently down the road.
My immediate short-list is now an HP procurve 2610, an HP procurve 3500 J9470A (not the YL), and a Cisco 3560 24-TS.
Of course, then someone mentioned Juniper (whom I have zero experience with either) and hence the title to my thread... I'm thoroughly confused. I was looking at the EX3200-24T.
Ok, so if I have to boil this down to some simple requirements/thoughts... here goes:
1. I only need 24 ports for now.
2. I use SNMP currently to monitor usage for clients (and overall)
3. I like HPs and have used them for layer2, I like their lifetime warranty and software availability
4. I don't have direct experience with Cisco at all.
5. Aside from routing from one VLAN (provider side) to another VLAN (my side), I don't think I need any other special features (hence the hp 2610 being ok I think, since it offers "lite layer3")
6. Some people say HP is great for layer2 but not for layer3? Now I dont' know what to think.
7. Currently use about 2mbps and might jump to 3 or 4mbps, but don't have major needs. I'd like for this switch to be able to last me a while though... so maybe 20~40mbps+? (but still not the hundreds of mbps that others here push
8. If possible, I'd LIKE to limit some servers to 1mbps or 2mbps on a per-port basis... but this is not a hard requirement. (I think this takes the 2610 out).
Budget: I like the $500 price tag of the 2610, but can spend the $1500~$2000 for the HP 3500, Cisco 3560, or Juniper. I would just rather not, if the price/features are not justifiable.
Hopefully I've provided enough information for someone to offer their insight? I think a few strategic key points or questions from someone with more experience might be what I need to help me bust through the "too many choices" fog and end up with the best switch for my situation...
We are searching a firewall for our small colocation.
We have chosen the Juniper SSG 520/550 or a Cisco ASA 5520 (eventually the 5540).
We want primaly filter ddos attacks on our webservers (bot-network, attacking a domain, port 80) and syn flood attacks (port 80).
Do you have real experience with the Juniper or Cisco devices?
Can we integrate such device in the fellowing network design:
(where to put the firewall ?)
- Uplink 1gbit datacenter -> our HP Procurve gigabit switch
- HP Procurve switch -> Servers
We are using /30 as eth0 "bridged", and /29 /28 /27 "routed" over eth0.
I would prefer a "live analysis" of our traffic. Is that possible?
I've been looking at these two Firewalls for a quite some time and I am not sure which one I should go with. Price is not a factor since both are around the same price range.
The firewall is going to be in between my DROP and LAYER3 Switch.
So...FastE -> Firewall -> Layer3
As you can see, I dont want any fancy VLAN stuff or anything like that since my switch can take care of all that. I just want a firewall which is easy to configure and manage and has DDoS protection built-in.
If you have any other hardware based firewalls in the price range of ASA 5505 and Netscreen 5GT then I would want to hear about those as well.
I am setting up a small ccna lab and i have RIP working and i can ping my lan from both routers, but only certain hosts on the lan from the one router the setup is
LAN (192.168.1.0/255.255.255.0)
|
/
router 1 E0 192.168.1.45
Serial0 10.10.10.1
|
/
Serial0 10.10.10.2 (of router2)
|
/
E0 192.168.3.250
E1 192.168.2.250
Lo 192.168.5.4
I can ping 192.168.1.102 from router 2 and 192.168.1.45 but no not 192.168.1.201 ... or 192.168.1.1
also i can ping 192.168.5.4 from 192.168.1.102 which is a linux box and an ip route to tell it that 192.168.5.0 can be gotten from 192.168.1.45
My host has helped me to install a switch. However, I don't know how to configure using the command line. Could anyone help me?
I need to be able to connect to my Cisco switch using Cisco Network Assistant. If you know the command sequence,
I need to protect about 80 servers from certain attacks some of them are being victim of. Altogether, these servers use about 200Mbps being almost all of them webservers. The last time, one of them was a victim of a DDoS attack which made all the rest get some packet loss (because this attack was consuming all the bandwidth we had available).
I was looking at Juniper solutions, however I get a bit confused with all the products they have to offer. First, I was looking at IDP series, but they seem a bit pricey and I believe I donīt need all those IDP functions those devices are capable of. NetScreen is also too expensive for me. Iīm looking at a budget of 10.000$ aprox.
I found SRX series and after taking a look at SRX240 and SRX650 specs [url] those firewall numbers seem very nice and perfect for my problem. Would this be a wise choice? This device would act also as the main router for our racks. Please let me know if there are other recommendations that fit the specified budget (10K).
Can anyone give any real world numbers as to what each model of the Juniper-J series router is capable of? How much do these routers cost, and where is the best place to get them from?
View 14 Replies View RelatedDoes anyone have any experience running Juniper SSG-550 firewalls in a high-traffic hosting environment?
I run network operations for a hosting provider in Australia. We currently have two J4350s running as border routers, and we are looking at putting two Juniper SSG-550s behind the border routers to do stateful firewalling / NAT.
We'll be using active/active NSRP on the SSGs for load balancing and failover.
My concern is that these devices may not be able to handle our traffic load. They have a hard-set limit of 256,000 "concurrent sessions" which may not be enough for us in peak times. Almost all of our traffic is HTTP though, so I would imagine sessions would timeout quite quickly?
In one of our racks, we now just have two Procurve (J4900B) switches, and run software firewalls on our CentOS servers. We are now looking towards a hardware firewall to ease managment and reduce load on our servers.
One of our suppliers reccomends the SSG140 from Juniper, and it seems to cover our needs. The SSG320 however seems to have more features, like layer3 routing. Could this device replace our Procurve switches, and act as a firewall/switch?
Anyone familiar with these devices and have some input on what to choose? How does the anti-ddos and bruteforce attack functions work out, do they hold up? Anyone tested the Deep Inpspection Signature module? Is it worth having for a ISP/Webhost?
any experience and feedback on Juniper J-series routers?
View 4 Replies View RelatedI am tried of not finding a good documentation on now to configure netscreen-25 firewall.
This is the current setup;
Ethernet Drop -> Netscreen (connected via straight RJ-45)
NetScreen -> Switch (Connected via cross-over cable)
This is the what I want to be able to do...
I am assigned a 76.36.57.32/27 subnet
Netmask 255.255.255.224
Gateway 76.36.57.33
1) Make Netscreen accessible via IP 76.36.57.34 for remote management.
2) I dont want netscreen to assign IPs for my wired devices because I've already set all their IPs and those are the ones I want to use.
Now, I did read the manual [url] and went to Network -> Interfaces -> Ethernet 1 Trust *edit* and in the "IP address" box I typed 76.36.57.34 and netmask "/27".
In the "Manage IP" box, I typed 76.36.57.39/27 according to the manual.
After doing all that, I cant access any of my "wired" devices behind firewall and neither can I access the firewall itself with the IP I assigned.
we have this Juniper SSG5 firewall, our very first Juniper and wanted to use it.
While I am able to use it in NAT mode, I have been unsuccessful to use it in route mode.
We have Public IPs from the same segment and I wanted to use it with the firewall but it appears that I can't assign IPs for each port if the IP is from the same segment.
Does it mean that we can't use it other than in NAT mode?
What we want to accomplish is to have one of IPs to act as gateway and filter or route in/out traffic to/from our other IPs.
I have a SSG-320M I manage, and would like to know if I can block traffic to our web servers based on the user agent hitting us? I know user agents that keep using more and more IP addresses to crawl us, one already taking up some 30 or 40 addresses under my policies and its a pain to identify these by hand and keep updating the firewall every few days to add new IP addresses for them. Is there somewhere I can add part of the user agent I do not want to ever see again? Right now I do this by having a policy at the top saying "BadBotsGroup" is denied. But I want to deny anyone with a user agent "OneUserAgent" or "SecondUserAgent"
It seems so important and simple, but I do not see anything about being able to do this. Thanks for help and pointers. Right now we have special code at the top of our sites that blocks these bots, but I would much rather do it in one location at the firewall.
Looking to upgrade to a new switch and have the following in mind. Budget is around 1-2k. We're pushing 500mbps upstream so i want to make sure that the unit can handle that well. Lots of full speed traffic between servers too.
No fancy features required, and the only need is port trunking, which all of these have.
I look at the specs for latency and pps, but I'm not sure if you can trust these figures.
Anyone have experience with the following.
HP Procurve 2910al-24
$1430
latency <2.9us
131 Mpps
176 Gbps
Bonus: 10Gb capability with expansion module
Extreme Networks Summit x350
$1300
latency < ?
65 Mpps
88 Gbps
Bonus: 10Gb capability with expansion module
Juniper Juniper EX3200-24T
$1800
latency < ?
65 Mpps
88Gbps
Bonus: 10Gb capability with expansion module
Bonus: 8 ports are POE
Netgear GS724AT
$350
latency <3us
??? Mpps
48Gbps
if there is any way to forward an external IP to an internal subnet without NAT.
I have a server that is configured with a 10.0.100.101 IP and the L3 switch doesn't support NAT, so I can't get on it right now without manually changing the IP on the NIC to a public IP address.
I have a linux router with 2 external and 2 internal ports.
Each port needs to route traffic to one of the internal ports, and the internal traffic between the 2 internal ports should not go out the external ports.
The IPS on the internal networks are global. ie. no NAT required.
I think what I need is this..
$ext_net1 = external nework IP/MASK 1
$EXT_IP1 = ip of external interface 1
$ext_net2 = external nework IP/MASK 2
$EXT_IP2 = ip of external interface 2
$int_net1 = internal network IP/MASK 1
$int_net2 = internal network IP/MASK 2
ip route add $ext_net1 dev eth0 src $EXT_IP1 table 1
ip route add default via $ext1_gw table 1
ip route add $int_net1 dev eth1
ip route add $ext_net2 dev eth2 src $EXT_IP2 table 2
ip route add default via $ext2_gw table 2
ip route add $int_net1 dev eth3
ip rule add from $int_net1 table 1
ip rule add from $int_net2 table 2
I have a Webmux load balancer and behind that a Cisco Pix. Behind that I have several servers. The Webmux and Cisco Pix do double NAT so his servers have public IPs.
The problem is that I've added a 4th server, I added it to the Webmux and it's get NATted to an 192.168.x.x IP. Now I just need to add it to the Cisco Pix, natting it back to the real IP BUT the Pix can only have one IP on its inside interface and the Server IP is not on the same subnet as that IP.
So when I try to add the real IP it asks me how to route it....
I'm trying to implement VLANs on my network and can't get connectivity to host servers. Here's how the network is configured. Pardon the bad ascii diagram.
In this example my upstream is providing two subnets:
111.111.111.16/28 (I'm using an IP from this subnet to manage the 3550)
222.222.222.16/29
I am attempting subdivide the /29 into two /30's in order to place a server into it's own /30 subnet & VLAN ............
I have a server that has multiple IPs, one of which I'm using for a VM that is bridged.
The issue is, internally, that IP is trying to point to itself rather then the bridged nic (which is technically a whole other server plugged into the same switch, logically).
I think I know why, I just don't know how to fix it. This is the config file for the ranges:
Quote:
# Intel Corporation 82546EB Gigabit Ethernet Controller (Copper)
DEVICE=eth1
BOOTPROTO=static
DHCPCLASS=
HWADDR=....
ONBOOT=yes
IPADDR_START=....243
IPADDR_END=....254
CLONENUM_START=0
GATEWAY=....241
NETMASK=255.255.255.240
NO_ALIASROUTING=yes
(edited a few things out just in case)
Basically, there's a start and an end, is there a way to exclude an IP?
to expand our existing DNS setup with nodes in North America and Asia.
Therefore, we are searching ISPs that can provide dedicated servers and route an existing (RIPE PI) IP range to that server which will be anycastet for DNS service?
What company would be able to provide that service?
I put together a router running Zebra(yes, I know, should have used Quagga) with a few public ip addresses taking in a full BGP table.
There is a Win2k3 server behind the router running routing and remote access for VPN clients to connect to. Our team's project was to get the win2k3 server VPN clients out onto the public internet with public IP addresses.
I installed another NIC card onto the Win2k3 server and connected it with the router, and assigned the router and the server a private IP address. Both are pingable from both devices.
I then had a VPN client connect in, RRAS assigned the client a public IP address, the router was able to ping the VPN client and so was the Win2k3 server.
I tried pinging the VPN client from another machine on the network with a default gateway pointed toward the router, and there is no response.
Is there something I don't know about with Zebra and Redhat?
I'm experiencing some odd issues, I have a cpanel setup, however on port 2086 the server is currently listening however on port 80 it fails to listen. Apache is running and no errors appear in the errors log.
Running ifconfig shows that there are errors and dropped packets.
I was changing ip routes earlier that day however all seems fine...
Oddly I can ping internally on the network and noticed a number of other servers in the broadcast range. These respond fine, however pinging google or outside the data center fails.
ping google.com
ping: unknown host google.com
HTML Code:
eth0 Link encap:Ethernet HWaddr 00:14:85:3D:A2:20
inet addr:122.252.4.* Bcast:122.252.4.255 Mask:255.255.255.0
inet6 addr: fe80::214:85ff:fe3d:a220/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:289198921 errors:4 dropped:182 overruns:0 frame:3
TX packets:230175646 errors:19 dropped:0 overruns:0 carrier:19
collisions:8927682 txqueuelen:10
RX bytes:3521641159 (3.2 GiB) TX bytes:2563591520 (2.3 GiB)
Base address:0x2400 Memory:dd100000-dd120000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:127443475 errors:0 dropped:0 overruns:0 frame:0
TX packets:127443475 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1102069037 (1.0 GiB) TX bytes:1102069037 (1.0 GiB)
I have the following problem with a CentOS server:
The main IP of the server is yyy.zzz.www.qqq
We've just purchased 3 additional IPs: aaa.bbb.ccc.100, aaa.bbb.ccc.101, aaa.bbb.ccc.102.
First, all outgoing traffic used aaa.bbb.ccc.100, but after deleting the gateways from the additional IPs it seemed to work fine, until we found out the following:
Now all traffic to aaa.bbb.ccc.XXX uses aaa.bbb.ccc.100 as outgoing IP.
What command would change this to use our main IP?
Can someone recommend me good (and cheapest) routing or switching gear for the following scenario?
Multiple 1Gbit links, possibility to have a single 10GE link
Sustained 2Gbps of traffic, 4Gbps of peak traffic (streaming media)
I've been doing some traceroutes between Chicago and Dallas. Tracing from Chicago -> Dallas, I go through Denver almost 100% of the time. Tracing from Dallas -> Chicago, I go through Denver or Atlanta before routing to Chicago.
Is this normal? Looking at the Level 3 network map there seems to be several, much shorter routes.
I run a game server on The Planet, and lot of people have huge routing issues where their route randomly changes, and when it does, they'll get horrible packet loss and lag. It's totally random, one day it may happen to me, while it's not happening to someone else, then it will switch. But it's definately the host and not our home connections as it affects about half the server at any given time, it just picks different people.
Just wondering if anyone who uses The Planet has had issues like this? I pretty much debugged everything and tried everything to no avail and of course their support just said it's not at their end (all isps of any type say that regardless of the situation).
This is how a typical trace route would look like:
Code:
3 9 ms 9 ms 19 ms GE-2-1-ur01.N3Alpharetta.ga.atlanta.comcast.net
[68.86.110.17]
4 8 ms 12 ms 7 ms 68.86.106.133
5 8 ms 14 ms 13 ms 68.86.106.129
6 9 ms 8 ms 19 ms 68.86.106.125
7 9 ms 7 ms 8 ms 68.86.106.13
8 22 ms 7 ms 8 ms 68.86.106.9
9 11 ms 11 ms 8 ms 68.86.90.121
10 29 ms 21 ms 39 ms te-0-7-0-0-cr01.nashville.tn.ibone.comcast.net [
68.86.84.65]
11 31 ms 66 ms 30 ms te-0-0-0-4-cr01.chicago.il.ibone.comcast.net [68
.86.84.77]
12 50 ms 41 ms 56 ms 68.86.84.17
13 44 ms 45 ms 53 ms 68.86.85.38
14 53 ms 49 ms 50 ms 68.86.85.45
15 49 ms 51 ms 59 ms te-7-3.car1.Washington1.Level3.net [63.210.62.57
]
16 57 ms 53 ms 54 ms ae-32-52.ebr2.Washington1.Level3.net [4.68.121.6
2]
17 79 ms 93 ms 86 ms ae-2.ebr2.Chicago1.Level3.net [4.69.132.69]
18 * * 103 ms ae-1-100.ebr1.Chicago1.Level3.net [4.69.132.41]
19 115 ms 110 ms 126 ms ae-3.ebr2.Denver1.Level3.net [4.69.132.61]
20 125 ms 178 ms 126 ms ae-1-100.ebr1.Denver1.Level3.net [4.69.132.37]
21 132 ms 128 ms * ae-2.ebr1.Dallas1.Level3.net [4.69.132.106]
22 141 ms 130 ms 131 ms ae-14-55.car4.Dallas1.Level3.net [4.68.122.144]
23 130 ms 140 ms 129 ms THE-PLANET.car4.Dallas1.Level3.net [4.71.122.2]
24 130 ms 141 ms 130 ms te7-2.dsr02.dllstx3.theplanet.com [70.87.253.26]
25 * 130 ms 134 ms vl42.dsr02.dllstx4.theplanet.com [70.85.127.91]
26 135 ms 138 ms * gi1-0-1.car11.dllstx4.theplanet.com [67.19.255.4
2]
27 127 ms 135 ms 133 ms a.c4.1343.static.theplanet.com [67.19.196.10]
Another:
Code:
4 209.226.50.77 (209.226.50.77) 49.145 ms 46.724 ms 47.563 ms
5 142.46.7.1 (142.46.7.1) 55.852 ms 56.377 ms 55.110 ms
6 142.46.128.53 (142.46.128.53) 59.420 ms 56.865 ms 59.141 ms
7 142.46.128.5 (142.46.128.5) 59.277 ms 61.681 ms 59.702 ms
8 ge-1-1-0.ar1.YYZ1.gblx.net (64.212.16.81) 59.951 ms 58.555 ms 58.397 ms
9 por4-0-0-10G.ar2.DAL2.gblx.net (67.17.105.38) 95.604 ms 98.524 ms 97.206 ms
10 The-Planet.GigabitEthernet7-3.ar2.DAL2.gblx.net (64.208.170.198) 252.656 ms 251.881 ms 251.271 ms
11 te7-2.dsr01.dllstx3.theplanet.com (70.87.253.10) 253.416 ms te9-2.dsr02.dllstx3.theplanet.com (70.87.253.30) 252.040 ms te7-2.dsr02.dllstx3.theplanet.com (70.87.253.26) 251.873 ms
12 vl41.dsr01.dllstx4.theplanet.com (70.85.127.83) 255.683 ms vl42.dsr02.dllstx4.theplanet.com (70.85.127.91) 257.144 ms vl41.dsr01.dllstx4.theplanet.com (70.85.127.83) 263.597 ms
13 gi1-0-1.car11.dllstx4.theplanet.com (67.19.255.42) 259.076 ms gi1-0-2.car11.dllstx4.theplanet.com (67.19.255.170) 262.143 ms gi1-0-1.car11.dllstx4.theplanet.com (67.19.255.42) 263.775 ms
14 a.c4.1343.static.theplanet.com (67.19.196.10) 264.516 ms 265.046 ms 264.407 ms
-bash-3.1$
Actually if anyone is interested in looking this more I posted a thread here. But not needed. Just want to know if anyone else has had issues like this with The Planet. The only thing I can think of right now is switching hosts, but thats an expensive process as for the transition time I'll be paying for two hosts.
Our colo has two carriers, call them A and B. I have discovered the colo provider is round-robining traffic out it's two carriers on a per-packet basis, not per flow.
Assume we want to reach destination IP a.b.c.d.
%> traceroute -q5 a.b.c.d
Results show that at the hop leaving the colo's border router, some packets transit Carrier A and some Carrier B, to the same destination IP, during the same traceroute.
Is this a routing Best Practice, or am I correct in thinking this is the Lazy Man's way of load balancing across multiple circuits, multiple carriers? BGP route selection does not seem to apply here (i.e., either Carrier A or Carrier B but not both at the same time).
if using the Internap FCP technology to optimize the routing. I want a feedback on it, since I want to deploy this solution for have a better traffict routing.
Also, is anyone using avaya? i have looked in their website, but I have no information about their routing optimizer. Basically I want to go beyond of normal BGP since I will be deploying VoIP services soon.
We have a weird CentOS routing problem:
We need traffic to a certain subnet to go out via a second interface IP, rather than the main IP.
I.E, eth0 has IP x.x.x.x and eth0:1 has IP x.x.x.y (on the same subnet). I want traffic to z.z.z.z to go with a source of x.x.x.y rather than x.x.x.x like all the other traffic.
However I add the route and specifiy the device eth0:1 it accepts it but it goes into the routing table as eth0, whether I do it through network-scripts/route-eth0:1 or route add -host z.z.z.z gw a.b.c.d dev eth0:1.
When I ping with the -I command for eth0:1 it works, so the idea works fine, I just don't want to have to specify the interface in the application, but to do it within the routing table.
This is on CentOS 5 under Xen but I've tested on CentOS 4 under Virtuozzo too and it's the same.