Force10 E300 vs. Juniper MX480

Force 10 is fine. I do suggest he go with the dual cam cards over the regular cards. I am not sure what Chris is talking about but I have used Force 10 for a long time, E, C and S series and have found it very stable. It will do everything you want and then some. The E300 is a good bang for the buck. Sure Foundry might be cheaper but I hear more complaining about Foundry than any other platform.

Chris, you want to share what issues you have seen with Force 10?

Keith

From: "Chris Marlatt" <cmarlatt@rxsec.com>
To: "Joe Abley" <jabley@ca.afilias.info>
Cc: "nanog" <nanog@merit.edu>
Sent: Friday, July 18, 2008 7:43:33 AM (GMT-0500) America/New_York
Subject: Re: Force10 E300 vs. Juniper MX480

Joe Abley wrote:

Hi all,

An acquaintance who runs an ISP with an M7i on its border is looking to upgrade, because the M7i is starting to creak from all the flesh-tone MPEGs his customers are sharing. (How times have changed. Back when I was chasing packets, it was flesh-tone JPEGs.)

He's looking at the MX480 and the E300.

The MX480 is attractive because the M7i has been stable as a rock, and he's familiar with JUNOS.

The E300 is attractive because it's half the price of the MX480, and has the potential to hold layer-2 cards as well as layer-3 ports which makes the price per port much more reasonable than the MX480. But he has no experience with Force10 at any ISO layer higher than 2.

He doesn't have any exotic requirements beyond OSPF, OSPFv3, BGP, IP and IPv6. There's no MPLS in the picture, for example. However, he's going to want four or five full tables plus a moderate load of peering routes in there. And maybe VRRP.

Thoughts from people who have tried one or the other, or both? Or who have faced this kind of problem, and came up with a different answer?

Feel free to send mail off-list; I can summarise if there is interest.

Joe

I would avoid Force10 if at all possible. In the network I managed I've had some fairly surprising stability problems with their S series switches and feature problems (or lack thereof) on their E series. Things you kind of scratch your head at and wonder what they were thinking. Juniper on the other hand is indeed a bit pricier but quite a stable platform. If he has to look at alternatives I would suggest Foundry, either the RX-8, MLX-8, or XMR-8000 (depending on requirements) for comparable models to the MX480.

Regards,

  Chris

Considering I just had another issue pop up sure - I'd be glad to at this point.

As provided to another member who contacted me off list:

I'd like to hear about the complaints regarding Foundry. Off-list is fine, as I believe this may be off-topic for NANOG. We've been considering using Foundry and during testing they seemed to work just fine, but as everyone knows, a lab environment rarely mimics real life. I found a few highly annoying quirks, most of them with the CLI (why are my config mode commands shown in my operational mode command history, including partial question-marked commands? argh!), but interoperability with both Juniper and Cisco in an MPLS lab environment didn't present any showstoppers.

-evt

I worked with many Foundry models for more than 4 years in the past and
never had any real serious issues. They used to be a bit loud but other than
that they are very easy to manage solid devices. Another great thing with
Foundry (again in my experience) is the support. Any time I ever had a real
issue one of their SE's would be on site quickly and with the knowledge
needed to fix the problem.

_Chris

Hi there..

I'm looking for some constructive feedback on **real world** experiences
please...

We're primarily a Cisco shop today - our core and distribution are all
Cisco driven and will continue to be (won't change that so not worth
discussing today).

My question is oriented towards two other markets primarily:

Security Devices
Remote Office/Customer Site Devices

Let me elaborate a bit more...

Security - today, we've been deploying Cisco ASA boxes (was PIX before
that) with pretty good success. However, in comparison to Juniper the
Cisco boxes are *really* expensive - at least to us anyways. Juniper
has nice products so I'm looking at proposing a solution internally to
move towards the Juniper security appliances. Feedback from folks on
them vs Cisco ASA??

Remote Office/Customer Site Devices - today, we do a lot of "managed
routers" to customer sites. Again, cost driven, I'm being pushed
towards looking at Adtran devices for customer sites that we maintain.
I have nothing against Adtran but haven't viewed them to date as being
in the same "arena" as Cisco/Juniper etc.. these routers are mainly
providing basic firewalling/NAT and some very small VPN activity at
times.

To take this one step further, some of our voice folks are really
enjoying the Adtran boxes as it offers an "all in one solution" which is
a router, firewall, "voice" box (many options - PRI handoff, T1,
FXS/FXO) and in some of their boxes 24 POE switch ports as well. This
is kinda cool I'll admit but the approach in the past has been to drop
in a Cisco router, Adtran for voice applications, and then Cisco POE
switches if required. This is very costly compared to Adtran's all in
one approach.... so am I being stubborn on this or are the Adtran
products in this case in the same league?? I had some terrible track
record with Adtran a number of years ago so my back gets up when their
name is mentioned... ;)

Any feedback would be very appreciated - we're going to have meetings
internally in the next while to decide which product lines fit with
which service offerings the best....

Thanks,

Paul

On your last note Cisco also offers an all-in-one with all the features you
talked about and more. They are called UC500's.

_Chris

Thanks guys so far for the responses....

Adtran has a 5 year warranty and support for free as of today - I'm not
aware of this changing but we've had a number of other companies change
that policy in the past couple of years after purchasing a LOT of gear
from them (Motorola, Redline come to mind among others).

Cisco has "lifetime hardware warranty" on some of their gear but nobody
has ever been able to tell me what that *really* means and how you would
ever get it covered if you did NOT have Smartnet coverage... ;)

UC500's - nice boxes ... pure cost issues around this one. You need to
add a 24 port switch if you want some form of density at additional
cost... makes it 3X the Adtran price so gets a lot of attention here...

Keep it coming guys.. appreciate it...

Paul

From: Paul Stewart [mailto:pstewart@nexicomgroup.net]
Sent: Friday, July 18, 2008 11:18 AM
To: nanog
Subject: Cisco vs Adtran vs Juniper

Hi there..

I'm looking for some constructive feedback on **real world** experiences
please...

We use all three, so hopefully my experience can help.

We're primarily a Cisco shop today - our core and distribution are all
Cisco driven and will continue to be (won't change that so not worth
discussing today).

My question is oriented towards two other markets primarily:

Security Devices
Remote Office/Customer Site Devices

Let me elaborate a bit more...

Security - today, we've been deploying Cisco ASA boxes (was PIX before
that) with pretty good success. However, in comparison to Juniper the
Cisco boxes are *really* expensive - at least to us anyways. Juniper
has nice products so I'm looking at proposing a solution internally to
move towards the Juniper security appliances. Feedback from folks on
them vs Cisco ASA??

They both have their pros and cons, obviously. The ASA is a big step in the right direction from the PIX. SSL VPN capabilities, antivirus, and minimal IDS. Juniper SSGs don't do SSL VPN, but do antivirus, antispam, expandable ports (on the SSG-20) for T1/ADSL/ISDN, etc. We use more PIX and Juniper than ASA, but from what I've seen, the ASA is pretty decent. VPN upgrades are expensive, as are other various licenses.

The Juniper SSG is also nice and reliable, but the web GUI sucks. It works on some computers and not others and it's all dependent upon stupid Java, so you'll have to learn the CLI in order to reliably do anything with them. Also, they charge you for their IPSec VPN client, which is nickel-and-diming, if you ask me. When you do install it, you can't have it co-exist with the Cisco VPN client, at least not a couple years ago when I tried it.

We're split pretty evenly between Cisco and Juniper boxes and are happy with both. It all really depends on the services you want to sell or support for your customers, as each box can do different things.

Remote Office/Customer Site Devices - today, we do a lot of "managed
routers" to customer sites. Again, cost driven, I'm being pushed
towards looking at Adtran devices for customer sites that we maintain.
I have nothing against Adtran but haven't viewed them to date as being
in the same "arena" as Cisco/Juniper etc.. these routers are mainly
providing basic firewalling/NAT and some very small VPN activity at
times.

Both Cisco and Juniper offer great options for this. CPE from both is typically very solid. Juniper has the added benefit of being able to convert their J-series boxes to Netscreen SSG firewalls and the cards are interchangeable between the security/J-series platforms. Of course, this does cost you in license fees. NAT on the J-series is a pain to set up and unfortunately, the default 256M flash on them is just too small to support an easy JUNOS upgrade.

The Adtran routers are very Cisco-like. Haven't done VPN and last time (years ago) we used the firewall, it continually crashed the router. I'm sure things have improved. Main reason to use Adtran is price. I'm personally more biased towards Juniper because JUNOS blows IOS out of the water, but Cisco CPE in our experience is very reliable. Believe it or not, we still have 2500s out in the field!

To take this one step further, some of our voice folks are really
enjoying the Adtran boxes as it offers an "all in one solution" which is
a router, firewall, "voice" box (many options - PRI handoff, T1,
FXS/FXO) and in some of their boxes 24 POE switch ports as well. This
is kinda cool I'll admit but the approach in the past has been to drop
in a Cisco router, Adtran for voice applications, and then Cisco POE
switches if required. This is very costly compared to Adtran's all in
one approach.... so am I being stubborn on this or are the Adtran
products in this case in the same league?? I had some terrible track
record with Adtran a number of years ago so my back gets up when their
name is mentioned... ;)

Adtran makes *decent* products. We have hundreds of 900s and 600s deployed and physical/network stability is excellent. With VoIP, they are reliable and depending on what type of signalling you're using them with, along with what type of softswitch, you might see some bugs and have to provide their support with debug info. The SNMP support on them is pretty horrible, though. We use the TotalAccess 600s and 900s, but I've tested the NetVanta switch before. It's a decent switch, but I couldn't attest to its voice capabilities as we were only testing PoE and basic layer-2 and layer-3 capabilities at the time. One awesome thing about Adtran is their support - they do have a good support team and have 10-year warranties on their products. And one more annoying thing about them - console access is done by proprietary DB-9 connectors and cables which they don't actually ship with the boxes.

As for the Cisco VoIP solution, I can tell you that we investigated Cisco a couple years ago and their solutions were so cost-prohibitive that it was an impossibility for our customer base. They also required a certified CVP on-staff just to be able to order certain equipment. Not sure if that's changed over the years, but it was not an option for us at all at the time.

-evt

I thought this was 10 years, but if not, I do apologize. They may have changed it to 5 "recently?"...I've always been led to believe by my highly cost-sensitive superiors that it's 10 years, but they often get things wrong just to get us to purchase the most "cost-effective" product out there. ;)

-evt

It could be 10 years.. not 100% sure .... 5 or 10 still makes a dent in
Cisco's approach to be honest...

Still wondering if anyone knows how the Cisco lifetime warranty really
works...?

Thanks again,

Paul

The CLI quirks are much lower on the totem pole than cost or performance.

Best Regards,

-M<

You call up TAC, tell them you have a problem with your catalyst.

Since the huge gray-market problem with cisco gear, they'll probably
want proof that you are original owner, so you'll most likely need to
dig up invoices showing buying from an authorized cisco dealer/distributor.

If they are happy with your documentation, you get support. If it's a
security problem with the software version, they'll give you a link to
download a fixed version. If you have bad hardware, you'll get it
cross-shipped next-business-day.

You still need Smartnet to get any version upgrade, or faster shipping
than NBD.

I'm looking for some constructive feedback on **real world** experiences
please...

We're split pretty evenly between Cisco and Juniper boxes and are happy with both. It all really depends on the services you want to sell or support for your customers, as each box can do different things.

I've been using both these boxes for a while, the SSGs in particular, so I'll chime in.

Eric is right, the WebUI for ScreenOS is not very good, but it's far better than any of the interfaces I've seen on any other security devices. It has its quirks, but it does get the job done.

I have no complaints about the SSG hardware, you get decent port density across the line and 90% of the functionality you will want is there out of the box with no additional licensing required (stateful firewall, IPSec, all routing protocols, etc). Don't bother with the Antivirus and Antispam on ScreenOS, it sucks and Juniper knows it. The web filtering works pretty well, though.

They're very flexible with regards to interoperability with other vendors (even Cisco). I've connected one to just about every vendor imaginable and there is always a way to make it work.

If you're looking for a cheap router/firewall/VPN box, then the SSGs from Juniper are the way to go right now. JunOS Enhanced Services could make our lives even better too...

Both Cisco and Juniper offer great options for this. CPE from both is typically very solid. Juniper has the added benefit of being able to convert their J-series boxes to Netscreen SSG firewalls and the cards are interchangeable between the security/J-series platforms. Of course, this does cost you in license fees. NAT on the J-series is a pain to set up and unfortunately, the default 256M flash on them is just too small to support an easy JUNOS upgrade.

What he said -- with the J series you get JunOS and now JunOS Enhanced Services, so you get a full-fledged firewall as well. No need to convert them to ScreenOS (unless you need a feature that hasn't been ported from ScreenOS to JunOS ES yet). The only thing I really don't like in the J series is the lack of a non rack mount form factor. A lot of small and branch offices don't necessarily have racks and it can be cumbersome to convince someone they need a 19" wide noisebox to be their router.

More on JunOS ES:
http://www.juniper.net/techpubs/software/junos-es/

Regards,
M

Thanks very much.... we're looking at a series of models currently and all
the feedback I've received so far has been extremely helpful...

Best regards!

Paul