SRX100's for Home Lab

Ryan82Ryan82 Member Posts: 428
I have been looking at the SRX100's for use in my home lab. It looks like you can pick up a SRX100B for ~550 dollars and it looks like it can do quite a bit. Particularly I noticed that you can do BGP, MPLS VPN's, VPLS, QoS, etc which would be helpful for the SP track.

Seems like this is an ideal solution for a home lab as a J2300 is usually about the same price.

Here is some more info on the specs:

http://www.juniper.net/us/en/local/pdf/datasheets/1000281-en.pdf

Comments

  • AldurAldur Juniper Moderator Member Posts: 1,460
    I would highly recommend srx100's for a home lab. I might also mention that you can turn those ports into switch ports to practice with the ENT track :)
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • Ryan82Ryan82 Member Posts: 428
    Thanks, yeah I noticed that as well and meant to mention that. Particularly important now that they have included switching in the SP track (as well as the ENT track)
  • AldurAldur Juniper Moderator Member Posts: 1,460
    Keep in mind though that the SP switching isn't available on any SRX device. Only the MX line can do that at the moment...
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • Ryan82Ryan82 Member Posts: 428
    Oh, I see. Getting my hands on an MX is going to be difficult. Looks like an MX5 would be the most likely candidate but I couldn't find any pricing on it. I know the other models are expensive.

    Edit: MX5 model starts at 29K. Yeah, I will be going to class to get the hands on that.
  • AldurAldur Juniper Moderator Member Posts: 1,460
    Yea, seriously, MXs ain't cheap. I know it might be planned for some time down the road but JunoSphere might support MX features. I know that's a lot of "mights" but sure would be helpful. :)
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • QHaloQHalo Member Posts: 1,488
    I've been debating the use of either an ASA5505 or an SRX100 at home to replace my current firewall/router. I'm familiar with configuration of the ASA but I've been toying with picking up a real Juniper device to learn to use and possibly to study with for JNCIA-JUNOS and maybe further if I decide to do so. Anything I should watch out for?

    Sorry if I thread-jacked ya Ryan
  • AldurAldur Juniper Moderator Member Posts: 1,460
    QHalo wrote: »
    I've been debating the use of either an ASA5505 or an SRX100 at home to replace my current firewall/router. I'm familiar with configuration of the ASA but I've been toying with picking up a real Juniper device to learn to use and possibly to study with for JNCIA-JUNOS and maybe further if I decide to do so. Anything I should watch out for?

    Setting up a srx100 as your home gateway router is a great way to learn how to use them. I remember when I did this a few years ago and I ran into a few stumbling blocks that turned out to be great learning experiences. Two things come to mind:

    Be aware of the necessary MTU setting for the interface going out to your ISP. I can't remember what I had it set to but it was a fun problem to troubleshoot, some web pages would load and some would not.

    And the next issue; at first I had the outside interface in the untrust zone and the host-inbound-traffic set to allow all protocols/services. Later I wanted to secure this a bit more. So I specified, at the zone level, the list of services I thought I needed. Well, two or three days later I noticed that I couldn't go anywhere on the internet. Checked the interface, things looked good. After some troubleshooting I was able to figure out that the DHCP service isn't an option that can be set at the zone level and must be set at the interface level in the zone for the host-inbound-traffic.

    Good times indeed, and doing this actually gave me some real world experience that I wasn't getting from self study (at the time my job didn't have anything to do with security).

    So I say have at it and let us know how it goes. :)
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
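
    The tightening described in the post above, as an added example in Junos configuration-mode commands (not taken from the original thread). It assumes fe-0/0/0.0 is the ISP-facing DHCP-client interface in the untrust zone, that ping is the only other service wanted, and that the box uses the branch-SRX DHCP client syntax of that era; all three are assumptions. In Junos, host-inbound-traffic set on an interface replaces the zone-level list for that interface instead of adding to it, so the interface lines repeat the zone's service.

```junos
# Before (as described in the post): anything addressed to the firewall
# itself is accepted on the ISP-facing zone.
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all

# After: drop the allow-all and list only what is needed at the zone level.
delete security zones security-zone untrust host-inbound-traffic
set security zones security-zone untrust host-inbound-traffic system-services ping

# The outside interface gets its address by DHCP (assumed interface name).
set interfaces fe-0/0/0 unit 0 family inet dhcp

# DHCP replies are host-inbound traffic too. Per the post, dhcp is allowed
# at the interface level inside the zone. Because an interface-level list
# overrides the zone-level one for that interface, ping is repeated here.
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping

# Review the resulting stanza before committing.
show security zones security-zone untrust

# Roll back automatically after 10 minutes unless confirmed, in case the
# change cuts off management access.
commit confirmed 10

# Check that the client still holds a lease, then confirm the commit.
run show system services dhcp client
commit
```

    Without the interface-level dhcp line the existing lease keeps working until it has to be renewed, which matches the delayed failure described in the post.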
  • gaby_978gaby_978 Member Posts: 222
    Hey guys,

    I've been reading about the Juniper SRX100 and it seems like it is exactly what I need. Currently I am studying for the CCNA Security but after that I want to get familiarized with Juniper. I want to go for the JNCIA. Will this device be enough for the JNCIA? I plan on adding it to my home lab which is based on Cisco devices.
    ‎"If you spend too much time thinking about a thing,
    you'll never get it done"
  • AldurAldur Juniper Moderator Member Posts: 1,460
    Adding a srx100 into an existing topology is a great way to learn. Plus you'll be able to get some interop experience at the same time. :)

    You may want to think about picking up 2 srx100s though so you can practice some chassis clustering stuff.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • jahsouljahsoul Member Posts: 453
    I'm trying to sell off some stuff to get a SRX100...
    Reading: What ever is on my desk that day :study:
  • AldurAldur Juniper Moderator Member Posts: 1,460
    I know that feeling. Had to sell off some of my J routers to get some SRX back in the day. I'll keep a lookout and post any good deals I find.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • AldurAldur Juniper Moderator Member Posts: 1,460
    Also, don't forget to look for deals on SRX210s. The last 210 I picked up on ebay was for around 500$.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    I just picked up 2 for my home lab also, very feature rich for an entry level device.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • CCIEWANNABECCIEWANNABE Banned Posts: 465
    Great discussion, I just wanted to ask a few questions to the Juniper Gurus:

    1) with the SRX100's, how much config goes into making all interfaces pass traffic to all other interfaces? Is there a lot of config that needs to be done so that it acts like a normal router?

    2) Are there any syntax/CLI differences in an SRX100 compared to any other JUNOS router?

    Thanks for the help, I am working with a Juniper Sales rep to see if I can get a good discount on about 4-5 SRX 100's for my home lab. MSRP is $699 and I can find them on the web for about $500, but I think I can still get them for even cheaper :)

    Take it easy!
  • Ryan82Ryan82 Member Posts: 428
    Also just picked up 3 for my home lab. Really need to get up to snuff as I still feel much more comfortable on a Cisco box and the production T320's are not the place to practice.
  • AldurAldur Juniper Moderator Member Posts: 1,460
    1) with the SRX100's, how much config goes into making all interfaces pass traffic to all other interfaces? Is there a lot of config that needs to be done so that it acts like a normal router?

    Depends, if you want to bypass stateful firewall features then it's just a few lines of code. However, if you want to keep the stateful firewall features then it's a little more work, but in all truth I think it's more than worth it.
    2) Are there any syntax/CLI differences in an SRX100 compared to any other JUNOS router?

    Difference in syntax; syntax that is on a M or T router is the same on a SRX router. However, there are many syntax additions, and a few deletions, to accommodate security flow mode. Put it this way, if you're familiar with Junos it's very easy to learn the security flow mode side of things.

    Also, keep bugging your sales rep, that's the best way to get cheap gear :)
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • CCIEWANNABECCIEWANNABE Banned Posts: 465
    Aldur wrote: »
    Depends, if you want to bypass stateful firewall features then it's just a few lines of code. However, if you want to keep the stateful firewall features then it's a little more work, but in all truth I think it's more than worth it.

    Difference in syntax; syntax that is on a M or T router is the same on a SRX router. However, there are many syntax additions, and a few deletions, to accommodate security flow mode. Put it this way, if you're familiar with Junos it's very easy to learn the security flow mode side of things.

    Also, keep bugging your sales rep, that's the best way to get cheap gear :)

    Thanks for the help. I just want to make sure that my purchase of 4-5 SRX100's will be worth it. I thought about doing the olive thing, but I am siding more in this case to just go physical equipment.

    Don't worry, I used to work for a reseller, so I know the ins and outs of that side of the house :)
  • CCIEWANNABECCIEWANNABE Banned Posts: 465
    Also, here's a question for you:

    Would it be better to buy one SRX210 and just practice all the protocols (IS-IS, OSPF, IPv6, MPLS, MPLS VPN, etc..) using the 10 virtual routers that it supports? That way you can connect the virtual routers together any way you want using virtual interfaces.

    The SRX100 only supports 5 virtual routers, whereas the SRX210 supports 10. I think I may go with this route as 4 100's would cost at least $1500 after discount, whereas 1 210 would cost about half that after the discount.

    That seems like a more cost effective solution to me, while being able to scale the network with twice as many devices.

    What do you guys think?
  • AldurAldur Juniper Moderator Member Posts: 1,460
    Are you referring to logical systems, or virtual routers? I know from experience that you can configure more than 5 VRs on a srx100. But I can see this being a possible limitation for logical systems which are much more resource intensive.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • wasatchbillwasatchbill Registered Users Posts: 6 ■□□□□□□□□□
    Hi all-
    This datasheet says the SRX100 does 3 Virtual routers:
    http://www.juniper.net/us/en/local/pdf/datasheets/1000281-en.pdf
    SRX100: Maximum number of virtual routers 3
    SRX210: Maximum number of virtual routers 10
    Is this datasheet wrong? Perhaps an SRX100H can do more?

    I found an explanation of logical system vs virtual router here:
    Difference between logical router and virtual rout... - J-Net Community
    I also found a doc stating:
    "The logical systems feature runs with the Junos operating system (Junos OS) on SRX3400, SRX3600, SRX5600, and SRX5800 devices."
    So it doesn't sound like logical systems are on the branch SRXs.

    Very interested in the SRX100 vs 210 discussion, for a home lab. Also B vs H; sounds like H (high mem, which allows UTM features) is needed for the JNCIE-SEC; is it needed for the ENT track also? Focusing on JNCIS-ENT, JNCIS-SP, JNCIS-SEC, then JNCIP-ENT (seems that a couple SRXs would be good for this? And I have an EX2200 on the way), maybe an IE eventually.

    Thanks-
    Bill
  • AldurAldur Juniper Moderator Member Posts: 1,460
    Yes, that is correct. The branch SRX cannot do logical systems.

    But it really looks like that doc is wrong. Below is a srx100b in which I've configured 11 virtual routers.
    [edit routing-instances]
    [email protected]# run show version 
    Hostname: HQ-1
    Model: srx100b
    JUNOS Software Release [10.2R1.7]
    
    [edit routing-instances]
    [email protected]# show 
    1 {
        instance-type virtual-router;
    }
    10 {
        instance-type virtual-router;
    }
    11 {
        instance-type virtual-router;
    }
    2 {
        instance-type virtual-router;
    }
    3 {
        instance-type virtual-router;
    }
    4 {
        instance-type virtual-router;
    }
    5 {
        instance-type virtual-router;
    }
    6 {
        instance-type virtual-router;
    }                                       
    7 {
        instance-type virtual-router;
    }
    8 {
        instance-type virtual-router;
    }
    9 {
        instance-type virtual-router;
    }
    
    [edit routing-instances]
    [email protected]# top 
    
    [edit]
    [email protected]# run show version 
    Hostname: HQ-1
    Model: srx100b
    JUNOS Software Release [10.2R1.7]
    
    [edit]
    [email protected]# show routing-instances 
    1 {
        instance-type virtual-router;
    }
    10 {
        instance-type virtual-router;
    }
    11 {
        instance-type virtual-router;
    }
    2 {
        instance-type virtual-router;
    }
    3 {
        instance-type virtual-router;
    }
    4 {
        instance-type virtual-router;
    }
    5 {
        instance-type virtual-router;
    }
    6 {
        instance-type virtual-router;
    }                                       
    7 {
        instance-type virtual-router;
    }
    8 {
        instance-type virtual-router;
    }
    9 {
        instance-type virtual-router;
    }
    
    [edit]
    [email protected]# run show route summary 
    Autonomous system number: 192
    Router ID: 192.168.0.100
    
    inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
                  Direct:      1 routes,      1 active
                   Local:      1 routes,      1 active
               Aggregate:      2 routes,      2 active
    
    1.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
                  Direct:      1 routes,      1 active
                   Local:      1 routes,      1 active
    
    2.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
                  Direct:      1 routes,      1 active
                   Local:      1 routes,      1 active
    
    3.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
                  Direct:      1 routes,      1 active
                   Local:      1 routes,      1 active
    
    4.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
                  Direct:      1 routes,      1 active
                   Local:      1 routes,      1 active
                                            
    10.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
                  Direct:      1 routes,      1 active
                   Local:      1 routes,      1 active
    
    11.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
                  Direct:      1 routes,      1 active
                   Local:      1 routes,      1 active
    
    5.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
                  Direct:      1 routes,      1 active
                   Local:      1 routes,      1 active
    
    6.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
                  Direct:      1 routes,      1 active
                   Local:      1 routes,      1 active
    
    7.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
                  Direct:      1 routes,      1 active
                   Local:      1 routes,      1 active
    
    8.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
                  Direct:      1 routes,      1 active
                   Local:      1 routes,      1 active
    
    9.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
                  Direct:      1 routes,      1 active
                   Local:      1 routes,      1 active
    
    The configuration is accepting the 11 VRs and there are routes present in all of their routing tables.

    I haven't taken the time to test each routing table to see if they can pass traffic, but this looks like more than 3 VRs will work on a srx100.

    And a couple of SRXs and an EX would be great for SEC or ENT study. I'm only aware of the UTM feature needing the high memory version. However, I'm not all that familiar with the ENT track.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • wasatchbillwasatchbill Registered Users Posts: 6 ■□□□□□□□□□
    Interesting, thanks Aldur.

    So, there are SRX210H-POE units on ebay for $450, for one more day, they say "new", but "may have been registered". Not sure if it's possible to cover them with a support contract, but it sounds like a good price.
  • AldurAldur Juniper Moderator Member Posts: 1,460
    450$ is an amazing deal for a srx210 POE, I saw that but the previously registered thing does raise some red flags. Those two factors make me think that those units were stolen from a legitimate customer. Maybe not, but I'd proceed with caution.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • AldurAldur Juniper Moderator Member Posts: 1,460
    Also, virtual routers are not a feasible way to increase your topology. Virtual routers are very limited with their features, for example, all security policies/zones can only be done in the main routing instance, which will be inherited into the virtual routers.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    The main uses we've had for VRs so far are Filter Based Forwarding and setting up Data-Plane logging via hardware to the same syslog server as the control-plane. I agree, on this platform they are more mechanisms for improving efficiency for certain functions than providing true virtual topologies.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • wasatchbillwasatchbill Registered Users Posts: 6 ■□□□□□□□□□
    Aldur wrote: »
    450$ is an amazing deal for a srx210 POE, I saw that but the previously registered thing does raise some red flags. Those two factors make me think that those units were stolen from a legitimate customer. Maybe not, but I'd proceed with caution.

    Hmm; I was wondering why they were selling so slowly, for that price. I did buy one finally. I don't see how stolen goods that are serialized could be sold on eBay; that would be easily traceable back to the seller. I guess I will find out :). Has anyone been able to get a support contract on a Juniper device that they bought on ebay?

    Thanks for the info on virtual routers; I am coming from E-series, where 10 virtual routers are commonly used for lab topologies (for all the standard routing and MPLS labs for example); I can see that I have a lot to learn about SRX and Junos. At least I should be able to do all the JEX labs with one SRX210 and one EX2200.
  • AldurAldur Juniper Moderator Member Posts: 1,460
    If I was in the market to pick up some SRX the $450 price tag would be hard to pass up, and I'd probably pick up some.

    To your other question, yes you can register a router you bought off of ebay for a Juniper support contract. Never done it before, but I think you just call the 1 800 jtac number.

    Also, I believe that VRs in E-Series are similar to logical systems in Junos. In which you pretty much get another router every time. VRs in Junos, not so much unfortunately.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • naturalmysticnaturalmystic Registered Users Posts: 1 ■□□□□□□□□□
    Hi guys, I just bought an SRX210H and I'm trying to setup an mpls lab using routing-instances, but I am not able to figure out how to implement mpls on the VR... In fact I can't enable mpls protocol in the VR, nor create the family mpls under the subinterfaces...

    I'm running Junos 9.5R2.7, maybe MPLS is supported only in the master instance with this SW version?

    If yes, can anyone please advise on how to build a lab with just one device?
    Thanks in advance!
  • msteinhilbermsteinhilber Member Posts: 1,480 ■■■■■■■■□□
    Was just checking out the Juniper sub-forum and saw this thread and figured I would chime in. If you're looking for inexpensive SRX's, you can look for Dell PowerConnect SRX's on ebay as well. People sometimes overlook them but they're the same, just badged Dell instead and can often be had for cheaper than the Juniper branded gear.
  • chongch01chongch01 Member Posts: 41 ■■□□□□□□□□
    Hi Guru,

    Can SRX 100/210 support BGP route reflection? From the SRX product datasheet, only SRX650 is supported.