Hi,
Everything in the Junos doc works as expected and I have tried a lot
of combs. If you are using this procedure to select only local BGP
routes, do not forget to reject everything else too, because of the
default accept policy in Junos BGP; not sure if this is the
problem.
Below a Juniper exam
> From: Dan Farrell
> Date: Mon, 21 Jun 2010 14:33:50 -0700
> Sender: juniper-nsp-boun...@puck.nether.net
>
> With 10.0.S1.1 the only headaches we encounter with our loaded
> configuration on a 2-member 4200 stack (~850+ RVI's total, some on
> OSPF) is the time it takes for the configuration to b
Just a guess but try "^ $" to match beginning and end with nothing in
between. Or you can match against "^ 1234{0,1} $" which matches the
null AS or a single occurrence of only AS 1234 (just insert any unused
AS).
-J Scott
On Mon, Jun 21, 2010 at 3:10 PM, Leah Lynch wrote:
> I cannot seem to ge
I cannot seem to get any of the regular expressions that I know of for null AS
to work. I have tried "()" and <*> and neither expression returns any results.
Does anyone out there have a known working expression for this on M/MX routers?
Leah
With 10.0.S1.1 the only headaches we encounter with our loaded configuration on
a 2-member 4200 stack (~850+ RVI's total, some on OSPF) is the time it takes
for the configuration to be checked or implemented from the CLI. The wait times
from "commit" to actually being returned to the command pro
We leverage the EX3200 and 4200's extensively in our network, for edge, core,
and access.
As far as edge (ISP connectivity) we use EX3200's in pairs- each EX3200 has a
separate peer session to each upstream provider, providing redundancy
(high-availability) without merging the two units as one
the rule-set won't be "natting", it'll be whatever rule-set "rule 214"
exists in
-Ben
On Mon, Jun 21, 2010 at 3:13 PM, Brendan Mannella
wrote:
> I have to double check but I might have missed
>
>
>
> set security nat static rule-set natting from zone untrust... I will double
> check and update t
I have to double check but I might have missed
set security nat static rule-set natting from zone untrust... I will double
check and update the list.
- Original Message -
From: "ben b"
To: "Brendan Mannella"
Cc: "Scott T. Cameron" , "juniper-nsp"
Sent: Monday, June 21,
I noticed you didn't include all of the nat config. Make sure you have
the "from-zone" configured for the static nat rule-set...
ex.
"set security nat static rule-set natting from zone untrust"
"set security nat static rule-set natting rule 214 match destination-address
111.111.111.214/32"
"se
The system does default deny if you haven't specified a default policy
action.
"set security policies default-policy permit-all "
As far as the policy is concerned, the policy is applied AFTER destination
nat is performed and BEFORE source nat is performed.
What is the output of 'show securi
Nope, I actually don't see any deny statements at all. Does the system just
deny everything that's not defined as allowed? Any other thing I should look at?
Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.
Your rules actually seem fine at a glance. Are those the only rules in your
system? No deny that might otherwise be blocking the traffic? I also
migrated from ScreenOS and ditched all the old catch-all denies that I had
at the bottom of zone policies because they don't work the same way in JunOS
Yes that makes sense. And the policy pre srx was like this. But I am
almost positive I read somewhere the srx was different in that the
policy is looked at post NAT and so the private ip should be used.
I will give that a shot though.
Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
> boun...@puck.nether.net] On Behalf Of Brendan Mannella
> Sent: Monday, June 21, 2010 11:20 AM
> To: juniper-nsp
> Subject: [j-nsp] SRX Config Question
>
> So main issue is the firewall does not seem to
Have a SRX210 that I am migrating to from a NS-5GT. We used a bunch of MIPs and
of course policies to allow numerous ports to those MIPs on our NS-5GT. Now
converting to the SRX, I seem to have most everything correct, but the SRX does
not allow any of my "allow" policies to work.
The inter
On Mon, Jun 21, 2010 at 12:29:00PM +0200, Laurent HENRY wrote:
> Hi all,
> I am thinking about using two EX 4200 as redundant border routers of
> my main Internet link.
>
> In this design, I would then need to use BGP with my ISP and OSPF for inside
> route redistribution.
>
> Reading t
You may want to seek out new sales people, or alternatively, sign an
NDA with Juniper.
David
On 21 June 2010 04:50, Sven Juergensen (KielNET)
wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi list,
>
> does anybody have the slightest clue about
> the availability or hold-up of t
And power needs... MX240 is a power hog compared to an MX80..
--
Tim
On Mon, Jun 21, 2010 at 8:28 AM, matthew zeier wrote:
>
> On Jun 21, 2010, at 4:58 AM, Scott T. Cameron wrote:
>
> > Why don't you just get an MX240? They are available and on the market.
>
> Significantly different price str
On Monday 21 June 2010 06:29:00 pm Laurent HENRY wrote:
> Does anyone actually use these features actively with
> this platform ?
We once used 2x EX4200-24F's as routers located in the
centre of a core network built to drive a regional operator
conference.
They ran iBGP + IS-IS (IPv6 support
I would use a rewrite rule to modify DSCP on egress, so
that it's consistent across platforms.
I still prefer the IOS way, where TOS byte values are re-
written on ingress (I believe we began a small petition for
this capability a year or more back, but it didn't gain any
traction). However, it
On Jun 21, 2010, at 4:58 AM, Scott T. Cameron wrote:
> Why don't you just get an MX240? They are available and on the market.
Significantly different price structure!
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mai
Why don't you just get an MX240? They are available and on the market.
On Mon, Jun 21, 2010 at 6:50 AM, Sven Juergensen (KielNET) <
s.juergen...@kielnet.de> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi list,
>
> does anybody have the slightest clue about
> the availability or
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi list,
does anybody have the slightest clue about
the availability or hold-up of those boxes?
Our sales representatives are shrugging, MX80
demonstrations are lacking the boxes etc pp.
Make way for the 2010 awards?
http://www.wired.com/epicenter/2
Hi all,
I am thinking about using two EX 4200 as redundant border routers of
my main Internet link.
In this design, I would then need to use BGP with my ISP and OSPF for inside
route redistribution.
Reading the archive, and on my own experience with the product too, I am
looking for fe
There are no universal rules which apply to sampling. Obviously the more
packets you can capture during a given sample, the better. Determining your
sampling rate depends on a lot of variables. You should start by looking at
the intended application for deployment of sampling. For DDoS alerting