VIRL versus Junosphere

9 06 2015

I’ve been using Junosphere a lot recently, and it’s a great tool – quick and easy creation of topologies without the need to go to a physical lab to try things out. Takes the guesswork out of a lot of things, which is a real bonus. There are obviously a few things you can’t do in a virtual environment that would be possible in a real one (e.g. QoS, MTU greater than 2000 bytes, MS-MIC in an MX), but it caters for 80% of what you need.

I always thought that it put Juniper leagues ahead of Cisco because you can buy credits to use the system right on the front page. Cisco were late to the party with something called VIRL – Virtual Internet Routing Lab.  They were late, but rumour had it that a lot of developers moved from Juniper to Cisco to bring VIRL about.  However Junosphere always had the edge for the networking student (as we all remain, whether we are JNCIE or not) because of its accessibility – with VIRL you had to be a Cisco customer and gain access through your account manager.  I’ll stick with GNS3 thanks!

That appears to have changed now, and you can get access to VIRL ‘personal edition’ for $199 per year.  Now we’re talking.  Since it runs on OpenStack, you can run up other third-party VMs alongside NXOS, IOS and IOS-XE.  Network Inferno has a nice guide on integrating Juniper’s vSRX (formerly Firefly) into VIRL, which looks pretty comprehensive, although I’ve not tried it yet.

I think I need to get a copy of this – only problem is it needs me to get a new quad-core laptop with the virtualization extensions in the BIOS to replace my cranky old Lenovo.  Ho hum!

Interesting – well, only if you’re really boring.

5 09 2011

Just upgrading Junos from 10.4R6 to 11.1R2 to resolve a particularly intractable IPSec VPN issue (there’s a Cisco ASA involved).  I just noticed that all the 10.4 releases of Junos for branch SRX are about 210MB, but the new 11.1 releases are 136MB.  Makes me wonder what the hell they’ve taken out.  Hopefully nothing to do with IPSec:

-rw-r--r-- 1 andrew andrew 210M 2011-02-28 16:01 junos-srxsme-10.4R2.7-domestic.tgz
-rw-r--r-- 1 andrew andrew 211M 2011-05-06 11:02 junos-srxsme-10.4R3.4-domestic.tgz
-rw-r--r-- 1 andrew andrew 211M 2011-09-01 10:27 junos-srxsme-10.4R6.5-domestic.tgz
-rw-r--r-- 1 andrew andrew 137M 2011-05-05 09:55 junos-srxsme-11.1R1.10-domestic.tgz
-rw-r--r-- 1 andrew andrew 137M 2011-06-06 17:00 junos-srxsme-11.1R2.3-domestic.tgz


Juniper SRX – Dynamic VPN Wizard

19 07 2011

Just managed to set up a Juniper Dynamic VPN using the web interface’s wizard in about half an hour – bonzer compared to the last time I did it at the CLI, which seemed to take two days.

There are a couple of things to watch out for though.

Vodafone Suresignal ports

30 06 2011

Having a bit of trouble getting a handle on how the Vodafone Suresignal device we’ve got actually works – there’s limited information out there, with various people saying that ports need to be forwarded through firewalls and so on.

Juniper SRX 11.1 – SSL VPN termination

20 06 2011

Just seen in the release notes for Junos 11.1 for branch SRX that it will terminate SSL VPNs from Pulse clients.  Now that’s a nice thing – but calls into question why I bought my Juniper SA.  I think the SA will do some degree of network access control (NAC) for me on the corporate wired LAN as well, but perhaps I can make do with the SRX for remote access.

The thing to watch out for is that you need to have a licence for remote access on the SRX to terminate Pulse clients there. It is billed as ‘dynamic VPN’ licences, but will apparently work for Pulse clients too.  If you’ve bought licences for SSL VPNs on your SA, you won’t be able to terminate these on your SRX unless you get different licences.

I need to try this out a bit further (when time allows) and report back, I think…

‘BTLB binary’ errors from kernel in Junos SRX branch

15 05 2010

I’ve been getting this message in the messages log of various SRX-240s on a customer network, and at first I was quite concerned:

/kernel: exec_elf32_imgact: Running BTLB binary without the BTLB_FLAG env set

After consulting with JTAC, however, it turns out to be nothing to worry about. The message is produced every time you do a ‘show version detail’ or ‘request support information’ (which includes the ‘show version detail’ command).

What happens is that a new forwarding process is started up in parallel to the one that is already running (and doing the forwarding). The new process is started without a flag being set, and is only running for long enough to get the binary version from it. It then shuts down.

This message is not important so long as it is happening at these times.

This was seen on 10.0R3.10 code.
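
An added example, not part of the original post or any Juniper tooling: a small triage script that checks whether each BTLB kernel message follows one of the two commands named above, and flags any that do not. It assumes interactive commands are logged to the same file as UI_CMDLINE_READ_LINE events; the 120-second window, hostname, user name and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

BTLB = "Running BTLB binary without the BTLB_FLAG env set"
# The two commands the post says produce the message.
BENIGN_CMDS = ("show version detail", "request support information")
CMD_RE = re.compile(r"UI_CMDLINE_READ_LINE: User '[^']*', command '([^']*)'")
WINDOW = timedelta(seconds=120)  # assumption: tune to how long the command runs

# Constructed sample log lines (not taken from the original post).
SAMPLE = """\
May 15 10:02:10 srx240 mgd[1423]: UI_CMDLINE_READ_LINE: User 'andrew', command 'show version detail '
May 15 10:02:11 srx240 /kernel: exec_elf32_imgact: Running BTLB binary without the BTLB_FLAG env set
May 15 11:30:00 srx240 mgd[1423]: UI_CMDLINE_READ_LINE: User 'andrew', command 'show interfaces terse '
May 15 14:45:09 srx240 /kernel: exec_elf32_imgact: Running BTLB binary without the BTLB_FLAG env set
"""

def parse_ts(line, year=2010):
    # Classic syslog timestamps carry no year, so one is supplied.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def unexplained_btlb(log_text, window=WINDOW):
    """Return BTLB kernel lines with no triggering command inside the window before them."""
    last_trigger = None
    flagged = []
    for line in log_text.splitlines():
        try:
            ts = parse_ts(line)
        except ValueError:
            continue  # skip blank or non-syslog lines
        m = CMD_RE.search(line)
        if m and m.group(1).strip().startswith(BENIGN_CMDS):
            last_trigger = ts
        elif BTLB in line:
            if last_trigger is None or ts - last_trigger > window:
                flagged.append(line)
    return flagged

if __name__ == "__main__":
    for entry in unexplained_btlb(SAMPLE):
        print("no matching command:", entry)
```
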

Junos SRX web filtering and Websense

26 04 2010

Ah – another bug-ette, unfortunately. It seems that if you are using a Websense server for your URL filtering, and the Websense server goes away for a while (e.g. while it reboots), the SRX doesn’t bother re-connecting.

There’s a timeout you can set, and I’ve not tried that yet, but it has been verified by JTAC as happening within a few minutes.

What’s disappointing about this is that there’s no way in Junos that you can specify a secondary server – you can’t do that in the feature-profile or with a second policy. So in a way, the timeout doesn’t make any sense: there’s no second option to fall back onto.

The disconnect is going to be fixed in 10.1R2, and might be available via a special engineering build if you press hard enough. I plan to log the ‘backup server’ idea as a feature request.