Cisco routers out, Juniper gear in at

Cisco routers out, Juniper gear in at

Building new rules in the Juniper firewalls was simpler than it had been for the Cisco firewalls, says sys admin. tossed its Cisco routers, switches and firewalls for Juniper gear and wound up saving enough in ongoing support costs that the project will pay for itself in eight months.

The firm with about 90 employees spread over three sites made the swap during the first quarter of the year with no interruption to its online custom printing and mailing operations, says Larry Prine, lead systems administrator for the company.

There were some tradeoffs, including that only certain models of the EX switches can be configured to act as part of a single logical switch, but the money the company saves on maintenance fees is worth it.

"Cost savings -- that was the motivation," Prine says. By cutting support costs from US$48,000 for Cisco to less than $6,000 per year for Juniper and selling off the two-year-old Cisco hardware, will have the Juniper gear paid off by the year-end, he says.

Along with the cost savings comes the ability to switch WAN routers when one of the company's T-1 lines fails, something that was too complex for to get running on its Cisco routers, Prine says.

Overall, he thinks the Juniper gear is more manageable because each switch, router and firewall works on the same operating system version as the rest, so any configuration changes need to be done just once for each. With Cisco, software versions could vary within device type, he says, requiring more administrative time.

Prine swapped out two Cisco Catalyst 6509 switches for four Juniper EX4200 switches. A Juniper SSG 140 security gateway and four SSG 320s replace three Cisco ASA 5520 security appliances. Prine says Cisco didn't make any special efforts to retain's business.

Juniper EX 4200 switches can be deployed in a virtual chassis that enables managing them as a single device, but that is not a feature of the EX 3200s, he says. So the two EX 3200s in his network are managed separately. In that sense, the Cisco equipment kind of had the advantage," Prine says.

In replacing firewalls in Cisco's ASA 5520 security appliances, Prine had to go through every configuration file, test whether it performed the task it was supposed to and then translate that to a policy for the firewalls in the Juniper SSG 140 and SSG 320 routers he replaced them with.

He found that many of the old firewall rules were outdated, inactive or did not do what was intended. Building new rules in the Juniper firewalls was simpler than it had been for the Cisco firewalls, he says.

Both the Juniper and the Cisco routers could switch from one WAN connection to an other if a T-1 failed, but couldn't manage to get it to work with the Cisco gear.

"I'm not saying it wasn't available, but from the standpoint of what we knew here of Cisco equipment, the equipment that we had wasn't able to do it," Prine says. "We could never get it to work correctly. It was so complicated that anything we tried to do, there was something else to it."

In the course of the project, Prine developed a comprehensive network diagram for the company that he didn't have at the outset and that he says is invaluable. In one case the firewall wasn't configured to allow access to FTP servers because they were overlooked, something that could have been avoided if he'd had the diagram at the outset.

He recommends careful planning for the actual swap of gear. He says he did it site by site, first switches then the rest of the equipment. That process went smoothly, with planned network outages lasting about 20 minutes with the network returning to normal operations immediately afterwards.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.


Brand Post

Show Comments