Currently I am getting a big dose of the Juniper sauce. I like it thus far. The device that has been getting my whistle wet is the SRX110. This bad boy was plonked between my desktop and current network. I decided the best way to learn is to break my PC out to the internet. My current internal range is 192.168.1.0/24 with the ISP router residing at 192.168.1.254. The iMac and the network it resides on in the trusted network is 192.168.2.0/24. All traffic outbound has interface NAT performed on the interface ISP facing.At this stage the current topology looks like this.

At home with the SRX110

By default the SRX comes with a default configuration. Below I will break this down and discuss each part. It is designed for a simple deployment via JWEB GUI for rapid deployment. SMB/Branch users can rapidly deploy using that default I assigned my un-trusted interface an IP address of 192.168.1.200 which directly connects to my ISP router. With that I had connectivity and we were good to go. Before venturing into the lab properly with this device it is important to know maximums. I am of the understanding that Juniper do not fudge and enhance their device statistics.

Junos OS version tested 
Junos OS 11.2.r3
Firewall performance (max) 
700Mbps
IPS performance (NSS 4.2.1) 
60 Mbps
AES256+SHA-1 / 3DES+SHA-1 VPN performance 
65 Mbps
Maximum concurrent sessions 
32K
New sessions/second (sustained, TCP, 3-way) 
1,800
Maximum security policies 
384
Maximum users supported 
Unrestricted
Okay so here are some nice stats. From a 10/100 device the specs aren’t half bad. 65Mbps With VPNs and up to 700Mbps with IDS firewall support. Grouse! What I want to do is leverage something cheeky in the lab. I want to be able to do the following.
A virtual SRX appears

As you can see my grand plans are unfolding. I am going to create three vSRX devices on my SRX110. This is why I am concerned about maximums. This solution will allow me to lab three SRX devices nicely. I can perform all the features and go on all the rides. Now referring to my SRX data sheet the piece of information I want is this.

Virtualization

Maximum number of security zones           
10
Maximum number of virtual routers            
3
Maximum number of VLANs
16

The ability to create three virtual routers will let me test everything. Now I have explained what my plans are – stay tuned for how to do this and subsequent labs. Oh and my JNCIA-JUNOS is booked for December 3.

 

7 thoughts on “SRX110 Lab

  1. Something to be aware of.
    Virtual Routers (IE VR Instances) are NOT Virtual Systems. I don’t think you can separate Virtual Zones.

    Now, you CAN do routing between the routing instances and then tie security zones and policies to those routes, etc.

    Its not the same though as a fully virtualized system, as was supported on the Netscreen Firewalls. The high end SRX devices have this feature, but I doubt we will ever see it ported down to lower end models.

    Reply

    1. Thanks for that information and clarification. I am hoping to get enough familiarity with one box before expanding the lab. Looking to level out my Juniper skills set and match it to my Cisco skills set.

      Reply

        1. Thanks for the offer. I have seen and used the vSRX in demonstrations from Juniper Partners. It is a great product, especially how it leverages vPath and has direct kernel access unlike vASA

          Reply

          1. No problem. Happy to help another aspiring JNCIE. I use the vSRX for my lab needs since they are still pretty expensive used..

  2. Pingback: Virtual Routing Instances – SRX style < Cisco Inferno

Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA

*