Giganet supplies a carrier-grade Juniper SRX or EX router with every ELITE (leased line) service.
When organisations order an ELITE service from Giganet, they are buying the best type of internet connectivity, and this requires close management and monitoring to ensure that the service lives up to expectations. This is why we include the Juniper router.
Why do we provide this Juniper router?
For many reasons, and these vary depending on the type of service and options you have.
- It's our demarcation device.
  - What this means is that we can monitor uptime, packet loss, jitter and traffic throughput end-to-end, from our core network to a device that we manage and monitor and that is the first device to connect to the ELITE circuit.
  - This ensures that we can offer the best support.
  - If you report any issues with the service, we can easily cross-reference your reports with the data we've got.
- For managed failover services (optional extra), it's needed to facilitate the BGP failover, so it's mandatory:
  - We use BGP to ensure that in the event of a failure of the primary ELITE service, your internet connectivity and IP addresses automatically fail over to the secondary circuit.
  - As this requires (relatively) complex configuration, and needs to perfectly match and mirror the config in our core network, we need to be able to configure this.
  - It's also how we're able to provide our enhanced SLAs for managed failover services and RO2 services to 99.99% and 100% respectively.
- If you have an MPLS PWAN from us (optional extra), it's mandatory:
  - Complex BGP router, VRFs, firewall ACLs and other configuration require us to provide a managed router.
- If you require managed QoS for VoIP, SIP trunking, etc. (optional extra), it's mandatory:
  - We can only provide this if we're managing the two devices either side of the internet circuit.
- If you have any other non-standard/complex requirements, it's usually going to require some configuration on a router we manage on-site, so it may be mandatory:
  - Providing multiple segregated services over the single leased line (e.g. offices sharing an internet connection, serviced offices etc.) - (optional extra).
Is the Juniper a firewall, blocking any ports, doing NAT, slowing the service down?
No in all cases.
Our router is a router only. It is not doing any NAT. All ports and protocols are passed through without any blocking or restrictions between the carrier WAN port and the customer LAN/firewall port.
We spec the Juniper device used to ensure that it will not be a bottleneck for the service you've ordered. Therefore for all services under 800Mb/s, or our ELITE Flex service, a Juniper SRX300 is used. For all services above 800Mb/s that operate with a single circuit, we use a Juniper EX2300. For all other services, including those with 1Gb/s and any form of backup, we use an SRX340.
Does the router support IPv6?
Yes. We will issue a /48 IPv6 delegated prefix as standard to all customers.
Is there a wires-only or unmanaged option without a Juniper device available?
We really don't recommend this.
To date, Giganet has not provided any wires-only ELITE services without a Juniper router.
If you take any managed failover/backup service, have an MPLS PWAN, or require managed QoS, then this is definitely not possible.
However, if you have a single ELITE circuit, and if you are really adamant about having a wires-only service, then this can be arranged, but you will need to sign an addendum to your contract that waives certain performance, SLAs, and support capabilities that we're able to provide.
There are also no discounts on any monthly rentals. The router actually makes up a very small part of the Ethernet circuit pricing, and we don't add any margin to these items.
Who owns the Juniper router?
Giganet owns the router and is responsible for its maintenance and warranty as long as you are a customer.
If you decide to leave Giganet, then we shall arrange collection of the router. It must be in good condition. If it's in poor condition or not returned at the end of your service contract, then we reserve the right to charge you the cost to replace it. This shall be the full RSP price of the device.
Will you provide me access to the Juniper configuration?
Access is heavily restricted to our support engineers only for security reasons.
However, if you have an MPLS PWAN, and the Juniper is a local DHCP server, then we can provide read-only access so you can see DHCP bindings.
How much is the router as part of the monthly quote?
Typically the router will add around £15/month to the quote for all single ELITE circuits up to 1Gb/s. For dual routers, this will be double. For 1Gb/s bearers that require backup, it's around £30-40/month. For dual 1Gb/s bearers with backup, it's double. This price is baked into the quote for 36m term options.
I see that there's a set up charge for 12m ELITE circuits; is this paying for the router, and would I own it?
No, the set up charge is not specifically for the router. Giganet retains ownership of the router, and we're responsible for warranty, support and maintenance of it.
I really don't like or want Juniper, and prefer Cisco (or other brand), can you provide a Cisco router equivalent?
Sadly not.
If you don't like Juniper, then Giganet is probably not a good ISP for you as our core network is based on carrier-grade Juniper MX routers.
We standardise on Juniper for customer routers too, have 100s of them deployed, lots in stock, our support and engineering teams are trained up on them, and we know them inside out.
We just don't know Cisco customer (CPE) routers as well. We don't hold them in stock. Our engineers are not experienced in them either.
I'm worried about the Juniper router being a single point of failure, what options are there for redundancy?
We have multiple options available:
- We can provision a pair of HA (high availability) VRRP/Clustered Juniper routers - optional charge - £PoA.
  - Depending on whether you have multiple uplinks and downlinks, failover can be fully automated; if not, you will need to move some cables around.
- We can provision a cold-standby Juniper - optional charge - £PoA.
  - In the event the main router fails, you unbox the replacement pre-configured router and swap it in its place.
- We can provide a 4hr on-site replacement service with an engineer - optional charge - £PoA.
As standard our Juniper routers are supported with a next business day replacement service. The cost for the replacement Juniper and delivery is included within the price of your main leased line service charges.
Is the Juniper SRX device a firewall?
Not in the way that we configure it. It will be in a router configuration only.
The Juniper SRX devices can be used as a firewall in other use cases, but we do not enable these features and do not plan to.
I see that the Juniper SRX device can work as a firewall, do NAT etc, can you enable these features?
As above, we do not enable these firewall features. The SRX will operate in router mode only in our configuration, which we will not vary for our ELITE router demarcation device.
We want the SRX device to perform a very limited function - routing packets. This helps us from a support/SLA perspective.
Therefore the Juniper SRX device is purely configured in router mode where it's used as our ELITE router demarcation device. As such, it is not configured with any security, filtering, NAT, VPN or other L4+ features.
Longer answer:
This is not a decision based on it being technically impossible. We use the SRX in a very specific, narrow way, as our ELITE leased line demarcation device, and if we started to enable firewall features on it as well, our support capabilities would be more limited. For example, we would not know whether a given problem was due to the circuit configuration or to the firewall.
Therefore it's recommended to split router and firewall from one another.
So I will need a firewall as well, what will I need?
Yes, you will typically connect a firewall/security appliance to our Juniper SRX or EX device by way of an Ethernet cable.
- By default, we will hand off the connection from our Juniper device to your firewall using a copper 1000BASE-T Gigabit Ethernet connection.
- If you have a preference for an optical handoff, using SX (multimode) or LX (singlemode) optics, we can arrange for this on request.
Important factors to consider when choosing your firewall:
Don't automatically assume that your existing firewall will be appropriate for your new ELITE leased line service. In particular, it may lack the performance to handle the higher bandwidths.
Your firewall must support the bandwidth of the ELITE circuit you have ordered. You may need to check the firewall's datasheets or other technical material to ensure that the bandwidth can be supported when all the features (particularly any IPS/DPI/anti-virus capabilities) are enabled and the full quantity of users is operating over the circuit. Firewall manufacturers often quote the highest bandwidths possible when just basic layer 3 firewall features are enabled; in reality, the numbers could be lower.
Can Giganet help provide a firewall if I am unsure or need to purchase one?
Yes we can help.
Please let the sales person know, and also tell them what type of features you are after and how many users/devices it needs to support. The bandwidth should already be known, as we'll match it to the bandwidth of the ELITE circuit.
Currently the firewalls we provide and recommend include:
- Cisco Meraki MX range of security appliances
- Netgate pfSense appliances
- Ubiquiti UniFi USG Pro or UDM Pro
We do not currently use or provide any Juniper SRX devices as firewalls.