Re: [j-nsp] SRX 5800 cluster reports 100% of CPU through snmpget
Maybe you can try another Junos release, like 10.4r5, which we are using here with no problems.

On Wednesday, September 12, 2012, Alberto Santos wrote:

> Hey everyone,
>
> I'm facing difficult times with srx5800 and snmpget. I have a cluster which reports it is running over 100% CPU for its RE0, but it is not. Has anyone ever seen this before?
>
> Routing Engine status:
>   Slot 0:
>     Current state                  Master
>     Election priority              Master (default)
>     Temperature                    33 degrees C / 91 degrees F
>     CPU temperature                29 degrees C / 84 degrees F
>     DRAM                           2048 MB
>     Memory utilization             20 percent
>     CPU utilization:
>       User                         0 percent
>       Background                   0 percent
>       Kernel                       3 percent
>       Interrupt                    0 percent
>       Idle                         97 percent
>     Model                          RE-S-1300
>     Serial ID                      9009074896
>     Start time                     2012-05-10 18:01:28 BRT
>     Uptime                         124 days, 6 hours, 35 minutes, 35 seconds
>     Last reboot reason             Router rebooted after a normal shutdown.
>     Load averages:                 1 minute   5 minute  15 minute
>                                        0.10       0.04       0.01
>
> JUNOS Software Release [11.2R6.3]
>
> jnxOperatingCPU.9.1.0.0 = 100
> jnxOperatingCPU.9.3.0.0 = 100
>
> --
> *BR/Alberto*
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
Giuliano Cardozo Medalha
Systems Engineer
+55 (17) 3011-3811
+55 (17) 8112-5394
JUNIPER J-PARTNER ELITE
giuli...@wztech.com.br
http://www.wztech.com.br/
[j-nsp] Ethernet switching/bridging on SRX High-End
Hi all,

I'm trying to find a way to use an srx3400 as an intermediate box to provide L2 connectivity between a couple of EX switches and a J2320. This is just a short-term arrangement to get me out of a bind. If I can't do it, it's not a big deal, I'll dig up a 3rd switch.

Essentially I want to use the srx3400 as a basic switch, so that the two EX switches' uplinks and the J's LAN-facing port are in the same broadcast domain. I want to use three ge- interfaces to accomplish the task.

     [SRX]--[J2320]
     /   \
    /     \
    |     |
  [EX1] [EX2]

The obvious feature seems to be bridge-domains (as ethernet-switching isn't supported on SRX-HE) but it doesn't look like I can run it if the SRX is in 'route mode'.

I'm running JUNOS 10.0R4 on the SRX.

Clues?

cheers,
Dale
Re: [j-nsp] Twinax direct attach cables coming loose?
On Tue, Sep 11, 2012 at 02:35:08PM -0700, Morgan McLean wrote:

> Is anybody having issues with twinax / DAC cables from juniper staying secure? We run redundant L2 links just about everywhere so this hasn't caused down time, but at least 7-8 times I've had a link to a switch go down, usually at our core, and we barely nudge it inward and the link comes back up.
>
> I like the DAC cables but I'm starting to get a little nervous with them being so sensitive. It's going between EX3300 switches and the 40 port 10gig card for the 8208.
>
> Anyone else experience this? Any solutions?

We have about 80 of them for connections from EX4500s to servers, in 3m, 5m, 7m lengths. They are all either Tyco or Amphenol OEM. There have been no issues so far that I've been made aware of.
[j-nsp] MX5 - Subscriber Management
People,

Is anyone on the list using the MX series as a BRAS box?

We are looking for some sample configurations to apply a shaping rate using only RADIUS variables.

We have found the configuration below ... but we did not find any RADIUS dictionary to apply it.

The only way we found to control the subscriber (PPP.) interface bandwidth was using firewall filters and policers. But with firewall filters and policers ... we need to create them statically before applying them using RADIUS.

We are looking for a solution where we can apply only one configuration directly on the RADIUS server only (without having to create a policer or a firewall filter).

If anyone has experience with this kind of config, could you share it?

Thanks a lot,
Giuliano

dynamic-profiles {
    subscriber_profile {
        interfaces {
            $junos-interface-ifd-name {
                unit $junos-underlying-interface-unit {
                    family inet;
                }
            }
        }
        class-of-service {
            traffic-control-profiles {
                subscriber_tcp {
                    shaping-rate $shaping-rate;
                    guaranteed-rate $guaranteed-rate;
                }
            }
            interfaces {
                $junos-interface-ifd-name {
                    unit $junos-underlying-interface-unit {
                        output-traffic-control-profile subscriber_tcp;
                    }
                }
            }
        }
    }
}
[j-nsp] SRX - tap mode?
hi everyone,

do SRX firewalls support a tap mode installation? Really just looking at it for purposes of evaluation of IDP functionality where tap mode would be the least intrusive method to see data vs having to put it inline (and then deal with the inevitable you put a device inline and now XYZ doesn't work!)

I seem to recall that they do not, and they have to be installed in L3 mode or in Transparent mode, but was hoping I may have missed the feature in a release note somewhere.

Thanks,
Will
Re: [j-nsp] SRX - tap mode?
High end SRX's support tap mode. Branch as far as I know do not.

http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45272.html

Hope this helps,
-Tim Eberhard

On Wed, Sep 12, 2012 at 10:33 AM, William McLendon wimcl...@gmail.com wrote:

> hi everyone,
>
> do SRX firewalls support a tap mode installation? Really just looking at it for purposes of evaluation of IDP functionality where tap mode would be the least intrusive method to see data vs having to put it inline (and then deal with the inevitable you put a device inline and now XYZ doesn't work!)
>
> I seem to recall that they do not, and they have to be installed in L3 mode or in Transparent mode, but was hoping I may have missed the feature in a release note somewhere.
>
> Thanks,
> Will
Re: [j-nsp] SRX - tap mode?
hi Tim,

thanks for the response - but reading the description that sounds like the firewall itself still has to be inline, which i'm trying to avoid here.

I guess what does the rest of the config have to look like for it to function correctly off a span port? ie there wouldn't be any routing or IP interfaces involved.

Thanks,
Will

On Sep 12, 2012, at 11:35 AM, Tim Eberhard wrote:

> High end SRX's support tap mode. Branch as far as I know do not.
>
> http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45272.html
>
> Hope this helps,
> -Tim Eberhard
>
> On Wed, Sep 12, 2012 at 10:33 AM, William McLendon wimcl...@gmail.com wrote:
>
> > hi everyone,
> >
> > do SRX firewalls support a tap mode installation? Really just looking at it for purposes of evaluation of IDP functionality where tap mode would be the least intrusive method to see data vs having to put it inline (and then deal with the inevitable you put a device inline and now XYZ doesn't work!)
> >
> > I seem to recall that they do not, and they have to be installed in L3 mode or in Transparent mode, but was hoping I may have missed the feature in a release note somewhere.
> >
> > Thanks,
> > Will
Re: [j-nsp] Ethernet switching/bridging on SRX High-End
Hi Dale,

I have never tried to do transparent mode bridging on an SRX while converting it to packet mode, so I am unsure if it can even be done. However, if you don't mind the additional stateful processing why not just configure bridging and then configure an any-any-any policy to allow everything through. Should be relatively straightforward...

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks
Follow us on Twitter @JuniperEducate

Sent from my iPad

On Sep 12, 2012, at 4:14 AM, Dale Shaw dale.shaw+j-...@gmail.com wrote:

> Hi all,
>
> I'm trying to find a way to use an srx3400 as an intermediate box to provide L2 connectivity between a couple of EX switches and a J2320. This is just a short-term arrangement to get me out of a bind. If I can't do it, it's not a big deal, I'll dig up a 3rd switch.
>
> Essentially I want to use the srx3400 as a basic switch, so that the two EX switches' uplinks and the J's LAN-facing port are in the same broadcast domain. I want to use three ge- interfaces to accomplish the task.
>
>      [SRX]--[J2320]
>      /   \
>     /     \
>     |     |
>   [EX1] [EX2]
>
> The obvious feature seems to be bridge-domains (as ethernet-switching isn't supported on SRX-HE) but it doesn't look like I can run it if the SRX is in 'route mode'.
>
> I'm running JUNOS 10.0R4 on the SRX.
>
> Clues?
>
> cheers,
> Dale
Re: [j-nsp] SRX - tap mode?
You can always create your own 'tap mode' by simply configuring Filter Based Forwarding and shunting your selective traffic through your IDP. I did this all the time in my previous life when dealing with security devices that couldn't scale enough to place in-line.

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks
Follow us on Twitter @JuniperEducate

Sent from my iPad

On Sep 12, 2012, at 11:43 AM, William McLendon wimcl...@gmail.com wrote:

> hi Tim,
>
> thanks for the response - but reading the description that sounds like the firewall itself still has to be inline, which i'm trying to avoid here.
>
> I guess what does the rest of the config have to look like for it to function correctly off a span port? ie there wouldn't be any routing or IP interfaces involved.
>
> Thanks,
> Will
>
> On Sep 12, 2012, at 11:35 AM, Tim Eberhard wrote:
>
> > High end SRX's support tap mode. Branch as far as I know do not.
> >
> > http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45272.html
> >
> > Hope this helps,
> > -Tim Eberhard
> >
> > On Wed, Sep 12, 2012 at 10:33 AM, William McLendon wimcl...@gmail.com wrote:
> >
> > > hi everyone,
> > >
> > > do SRX firewalls support a tap mode installation? Really just looking at it for purposes of evaluation of IDP functionality where tap mode would be the least intrusive method to see data vs having to put it inline (and then deal with the inevitable you put a device inline and now XYZ doesn't work!)
> > >
> > > I seem to recall that they do not, and they have to be installed in L3 mode or in Transparent mode, but was hoping I may have missed the feature in a release note somewhere.
> > >
> > > Thanks,
> > > Will
Re: [j-nsp] Ethernet switching/bridging on SRX High-End
Unfortunately, as far as I know, there's no ethernet-switching or bridging capability on the high-end SRX that I know of, even though the branch can do ethernet-switching.

-bn
0216331C

On Wed, Sep 12, 2012 at 1:14 AM, Dale Shaw dale.shaw+j-...@gmail.com wrote:

> Hi all,
>
> I'm trying to find a way to use an srx3400 as an intermediate box to provide L2 connectivity between a couple of EX switches and a J2320. This is just a short-term arrangement to get me out of a bind. If I can't do it, it's not a big deal, I'll dig up a 3rd switch.
>
> Essentially I want to use the srx3400 as a basic switch, so that the two EX switches' uplinks and the J's LAN-facing port are in the same broadcast domain. I want to use three ge- interfaces to accomplish the task.
>
>      [SRX]--[J2320]
>      /   \
>     /     \
>     |     |
>   [EX1] [EX2]
>
> The obvious feature seems to be bridge-domains (as ethernet-switching isn't supported on SRX-HE) but it doesn't look like I can run it if the SRX is in 'route mode'.
>
> I'm running JUNOS 10.0R4 on the SRX.
>
> Clues?
>
> cheers,
> Dale
Re: [j-nsp] SRX - tap mode?
Will,

Here is a config for using a port on a branch device as a packet capture device. Port ge-0/0/1 is put into promiscuous mode (has to be a gig port btw) and getting forwarded packets from a switch.

You need the: forwarding-options { packet-capture { setting and the packet filter. Interface does not need to be in a zone.

--Ben

On Wed, Sep 12, 2012 at 11:31 AM, Stefan Fouant sfou...@shortestpathfirst.net wrote:

> You can always create your own 'tap mode' by simply configuring Filter Based Forwarding and shunting your selective traffic through your IDP. I did this all the time in my previous life when dealing with security devices that couldn't scale enough to place in-line.
>
> Stefan Fouant
> JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
> Technical Trainer, Juniper Networks
> Follow us on Twitter @JuniperEducate
>
> Sent from my iPad
>
> On Sep 12, 2012, at 11:43 AM, William McLendon wimcl...@gmail.com wrote:
>
> > hi Tim,
> >
> > thanks for the response - but reading the description that sounds like the firewall itself still has to be inline, which i'm trying to avoid here.
> >
> > I guess what does the rest of the config have to look like for it to function correctly off a span port? ie there wouldn't be any routing or IP interfaces involved.
> >
> > Thanks,
> > Will
> >
> > On Sep 12, 2012, at 11:35 AM, Tim Eberhard wrote:
> >
> > > High end SRX's support tap mode. Branch as far as I know do not.
> > >
> > > http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45272.html
> > >
> > > Hope this helps,
> > > -Tim Eberhard
> > >
> > > On Wed, Sep 12, 2012 at 10:33 AM, William McLendon wimcl...@gmail.com wrote:
> > >
> > > > hi everyone,
> > > >
> > > > do SRX firewalls support a tap mode installation? Really just looking at it for purposes of evaluation of IDP functionality where tap mode would be the least intrusive method to see data vs having to put it inline (and then deal with the inevitable you put a device inline and now XYZ doesn't work!)
> > > >
> > > > I seem to recall that they do not, and they have to be installed in L3 mode or in Transparent mode, but was hoping I may have missed the feature in a release note somewhere.
> > > >
> > > > Thanks,
> > > > Will
[j-nsp] Nextgen Multicast on MX boxes
Hi all,

I'm after some advice on setting up nextgen multicast on an RSVP based MPLS network. The network is quite simple - MX5's with static lsp's, rsvp signalling fast reroute. But setting up multicast over this is not something I'm very familiar with.

I've looked at the Juniper extranet doc, but it's not exactly clear with explanations of why the configs are done that way. e.g. if I want to pass a stream from one vrf to another vrf on the same router, I need to configure a vt- interface. That's fine, but what (if any) additional steps are required to actually establish a stream between the 2 vrf's?

The routers are set up as redundant pairs (vrrp between interfaces) - is PIM sparse my best option, or should I be looking to anycast for redundancy, or something else?

Can I dictate the group membership at the router, or do the endpoints need to be statically configured for the correct group membership?

The docs show both ldp and rsvp configured together - is the mLDP functionality a requirement to get mvpn to work correctly?

Sorry for all the questions. Trying to get a better understanding on what the best solution is and what the box limitations are.

Cheers,
Gordon