Currently I am getting a big dose of the Juniper sauce. I like it thus far. The device that has been getting my whistle wet is the SRX110. This bad boy was plonked between my desktop and current network. I decided the best way to learn is to break my PC out to the internet. My current internal range is 192.168.1.0/24 with the ISP router residing at 192.168.1.254. The iMac and the network it resides on in the trusted network is 192.168.2.0/24. All traffic outbound has interface NAT performed on the interface ISP facing. At this stage the current topology looks like this.

By default the SRX comes with a default configuration. Below I will break this down and discuss each part. It is designed for a simple deployment via J-Web GUI for rapid deployment. SMB/Branch users can rapidly deploy using that default. I assigned my un-trusted interface an IP address of 192.168.1.200 which directly connects to my ISP router. With that I had connectivity and we were good to go. Before venturing into the lab properly with this device it is important to know maximums. I am of the understanding that Juniper do not fudge and enhance their device statistics.
Junos OS version tested: Junos OS 11.2.r3
Firewall performance (max): 700 Mbps
IPS performance (NSS 4.2.1): 60 Mbps
AES256+SHA-1 / 3DES+SHA-1 VPN performance: 65 Mbps
Maximum concurrent sessions: 32K
New sessions/second (sustained, TCP, 3-way): 1,800
Maximum security policies: 384
Maximum users supported: Unrestricted

As you can see my grand plans are unfolding. I am going to create three vSRX devices on my SRX110. This is why I am concerned about maximums. This solution will allow me to lab three SRX devices nicely. I can perform all the features and go on all the rides. Now referring to my SRX data sheet the piece of information I want is this.
Virtualization
Maximum number of security zones: 10
Maximum number of virtual routers: 3
Maximum number of VLANs: 16
The ability to create three virtual routers will let me test everything. Now I have explained what my plans are – stay tuned for how to do this and subsequent labs. Oh and my JNCIA-JUNOS is booked for December 3.
Something to be aware of.
Virtual Routers (i.e. VR Instances) are NOT Virtual Systems. I don’t think you can separate Virtual Zones.
Now, you CAN do routing between the routing instances and then tie security zones and policies to those routes, etc.
It's not the same though as a fully virtualized system, as was supported on the Netscreen Firewalls. The high end SRX devices have this feature, but I doubt we will ever see it ported down to lower end models.
Thanks for that information and clarification. I am hoping to get enough familiarity with one box before expanding the lab. Looking to level out my Juniper skill set and match it to my Cisco skill set.
Sure thing. Check this out for insight into an ACTUAL Virtual SRX (currently in Beta).
http://arrowecsevents.cz/juniperday2012/prezentace/virtualized-security.pdf (WARNING – PDF)
I could get it to you, let's talk offline. Hit me up on my twitter profile (maeltor) if you are interested.
Thanks for the offer. I have seen and used the vSRX in demonstrations from Juniper Partners. It is a great product, especially how it leverages vPath and has direct kernel access unlike vASA.
No problem. Happy to help another aspiring JNCIE. I use the vSRX for my lab needs since they are still pretty expensive used.
Hi, so how was the throughput? Was it 65 Mbps?