Re: [j-nsp] License : Juniper ISG-2000
On Fri, Feb 20, 2009 at 5:43 PM, Ross Vandegrift wrote:
>
> Just to be clear - the vsys licenses and the vrouter licenses are
> different. A vsys license enables a vrouter for each purchased vsys,
> but the converse does not hold.
>

AFAIK vrouter licenses don't exist. And if you buy a 5 vsys license, you can choose to exclusively use the 5 VR provided with it on the root vsys (but you can't create VSYS anymore as a VSYS needs its own VR). This was tested on an ISG2000 with ScreenOS 6.0.

Sidney

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???
On Fri, 20 Feb 2009, Richard A Steenbergen wrote:

>> Don't get too overzealous here. From my perspective I currently see over
>> 160 prefixes with as-path >= 20

There was a research paper somewhere (although a bit outdated - from 2005), stating that the optimal value is 75. That was used as the foundation for the default value of maxas-limit within the Cisco IOS. I can't find the URL to that paper right now, though ...

And yes, the standards do allow infinitely long AS paths, but AS path space is finite, as well as the buffer for communities and other BGP attributes. A BCP for implementors would be nice to have though ...

Regards,
Beri
Re: [j-nsp] SNMP issue...
That's correct. Sorry. My bad. It should be "instance-n...@community-name". I am sure he must have figured it out by now after checking the logs :).

BTW, if you think this is not documented well enough, please open a JTAC case. They will open a doc bug to fix this.

Thanks,
Nilesh.

Masood Ahmad Shah wrote:
> This is what it should be like r...@testcommunity
>
> HTH
> Regards,
> Masood
>
> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Nilesh Khambal
> Sent: Saturday, February 21, 2009 12:53 AM
> To: Derick Winkworth
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] SNMP issue...
>
> Are you querying like "communityn...@instance-name". In your case it will be "testcommun...@rdi". If not can you try that.
>
> Thanks,
> Nilesh.
>
> Derick Winkworth wrote:
>> #
>> Feb 20 17:44:54 snmpd[4d88b0c2]
>> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Get-Next-Request
>> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Source: 10.254.0.33
>> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Destination: 10.254.23.2
>> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Version: SNMPv2
>> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Request_id: 0x4d88b0c2
>> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Community: testcommunity
>> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Error: status=0 / vb_index=0
>> Feb 20 17:44:54 snmpd[4d88b0c2] >>> OID : mib_2
>> Feb 20 17:44:54 snmpd[4d88b0c2]
>> Feb 20 17:44:54 SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 10.254.0.33 to unknown community name (testcommunity)
>> ###
>>
>> and here is the config...
>>
>> [edit snmp]
>> juni...@bd-bottom-m120# show
>> community testcommunity {
>>     authorization read-only;
>>     routing-instance RDI;
>> }
>> routing-instance-access;
>> traceoptions {
>>     file snmp;
>>     flag all;
>> }
>>
>> The traffic is coming in on the RDI routing-instance, which is what we want...
>>
>> Any ideas? The community string is valid.
Re: [j-nsp] SNMP issue...
This is what it should be like r...@testcommunity

HTH
Regards,
Masood

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Nilesh Khambal
Sent: Saturday, February 21, 2009 12:53 AM
To: Derick Winkworth
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SNMP issue...

Are you querying like "communityn...@instance-name". In your case it will be "testcommun...@rdi". If not can you try that.

Thanks,
Nilesh.

Derick Winkworth wrote:
> #
> Feb 20 17:44:54 snmpd[4d88b0c2] >>
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Get-Next-Request
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Source: 10.254.0.33
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Destination: 10.254.23.2
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Version: SNMPv2
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Request_id: 0x4d88b0c2
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Community: testcommunity
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Error: status=0 / vb_index=0
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> OID : mib_2
> Feb 20 17:44:54 snmpd[4d88b0c2] >>
> Feb 20 17:44:54 SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 10.254.0.33 to unknown community name (testcommunity)
> ###
>
> and here is the config...
>
> [edit snmp]
> juni...@bd-bottom-m120# show
> community testcommunity {
>     authorization read-only;
>     routing-instance RDI;
> }
> routing-instance-access;
> traceoptions {
>     file snmp;
>     flag all;
> }
>
> The traffic is coming in on the RDI routing-instance, which is what we want...
>
> Any ideas? The community string is valid.
Re: [j-nsp] SNMP issue...
Are you querying like "communityn...@instance-name". In your case it will be "testcommun...@rdi". If not can you try that.

Thanks,
Nilesh.

Derick Winkworth wrote:
> #
> Feb 20 17:44:54 snmpd[4d88b0c2] >>
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Get-Next-Request
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Source: 10.254.0.33
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Destination: 10.254.23.2
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Version: SNMPv2
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Request_id: 0x4d88b0c2
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Community: testcommunity
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> Error: status=0 / vb_index=0
> Feb 20 17:44:54 snmpd[4d88b0c2] >>> OID : mib_2
> Feb 20 17:44:54 snmpd[4d88b0c2] >>
> Feb 20 17:44:54 SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 10.254.0.33 to unknown community name (testcommunity)
> ###
>
> and here is the config...
>
> [edit snmp]
> juni...@bd-bottom-m120# show
> community testcommunity {
>     authorization read-only;
>     routing-instance RDI;
> }
> routing-instance-access;
> traceoptions {
>     file snmp;
>     flag all;
> }
>
> The traffic is coming in on the RDI routing-instance, which is what we want...
>
> Any ideas? The community string is valid.
Re: [j-nsp] ex4200 static arp
Ross Vandegrift wrote:
> On Mon, Jan 19, 2009 at 10:16:47AM +0100, Benny Amorsen wrote:
>> In practice most vendors ignore the "multicast" word in that sentence.
>> The functionality is really useful and hard to achieve in any other
>> way. RFC 1812 should be amended.
>
> I disagree. It doesn't make any sense to accept a multicast address
> for a unicast neighbor resolution protocol - especially since I could
> use that as a denial-of-service vector by maliciously answering ARP
> queries and forcing others to multicast.
>
> Microsoft's old NLB implementations used to answer ARP with the
> multicast MAC address for the cluster. We had Cisco gear that refused
> to learn it. That makes Cisco and Juniper that don't learn them - who
> works that way?
>
> Nokia should generate a virtual MAC if they want a MAC that can float
> past device failover. That's how VRRP, HSRP and NSRP work and it's
> great.

I encountered this problem a few years ago and the resolution on Nokia TAC site was to manually set the ARP on the Cisco switches that we were using. And from what I know, this behavior hasn't changed recently.
[j-nsp] SNMP issue...
#
Feb 20 17:44:54 snmpd[4d88b0c2] >>
Feb 20 17:44:54 snmpd[4d88b0c2] >>> Get-Next-Request
Feb 20 17:44:54 snmpd[4d88b0c2] >>> Source: 10.254.0.33
Feb 20 17:44:54 snmpd[4d88b0c2] >>> Destination: 10.254.23.2
Feb 20 17:44:54 snmpd[4d88b0c2] >>> Version: SNMPv2
Feb 20 17:44:54 snmpd[4d88b0c2] >>> Request_id: 0x4d88b0c2
Feb 20 17:44:54 snmpd[4d88b0c2] >>> Community: testcommunity
Feb 20 17:44:54 snmpd[4d88b0c2] >>> Error: status=0 / vb_index=0
Feb 20 17:44:54 snmpd[4d88b0c2] >>> OID : mib_2
Feb 20 17:44:54 snmpd[4d88b0c2] >>
Feb 20 17:44:54 SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 10.254.0.33 to unknown community name (testcommunity)
###

and here is the config...

[edit snmp]
juni...@bd-bottom-m120# show
community testcommunity {
    authorization read-only;
    routing-instance RDI;
}
routing-instance-access;
traceoptions {
    file snmp;
    flag all;
}

The traffic is coming in on the RDI routing-instance, which is what we want...

Any ideas? The community string is valid.
Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???
I agreed with something Jared said. You never know whom you are going to connect next to (Cisco :)).

Save yourself n Save Others

Regards,
Masood

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jared Mauch
Sent: Friday, February 20, 2009 10:34 PM
To: Richard A Steenbergen
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???

On Feb 20, 2009, at 12:13 PM, Richard A Steenbergen wrote:

> On Fri, Feb 20, 2009 at 02:21:24PM +0100, david@orange-ftgroup.com wrote:
>>
>> Hi,
>>
>> You can do it via a policy like this :
>>
>> Here MAX AS PATH equal to 20.
>
> Don't get too overzealous here. From my perspective I currently see over
> 160 prefixes with as-path >= 20, so blocking them would break legitimate
> announcements for no good reason. There was nothing out-of-spec or
> invalid about the > 255 as-path, it was purely an implementation bug on
> vendor C's part.

I really feel the need to echo this, if you have a cisco device that reset the bgp session as a result of this (technically) valid AS-PATH you need to be careful to not suppress valid routes and isolate your network from part of the world.

Perhaps you don't care, but having seen people not update bogon prefix lists, I fear the same here if not well maintained.

You really should manage your IOS code as necessary and not add these config bits until you know when you're removing them.

- Jared
Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???
On Feb 20, 2009, at 12:13 PM, Richard A Steenbergen wrote:

> On Fri, Feb 20, 2009 at 02:21:24PM +0100, david@orange-ftgroup.com wrote:
>>
>> Hi,
>>
>> You can do it via a policy like this :
>>
>> Here MAX AS PATH equal to 20.
>
> Don't get too overzealous here. From my perspective I currently see over
> 160 prefixes with as-path >= 20, so blocking them would break legitimate
> announcements for no good reason. There was nothing out-of-spec or
> invalid about the > 255 as-path, it was purely an implementation bug on
> vendor C's part.

I really feel the need to echo this, if you have a cisco device that reset the bgp session as a result of this (technically) valid AS-PATH you need to be careful to not suppress valid routes and isolate your network from part of the world.

Perhaps you don't care, but having seen people not update bogon prefix lists, I fear the same here if not well maintained.

You really should manage your IOS code as necessary and not add these config bits until you know when you're removing them.

- Jared
Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???
On Fri, Feb 20, 2009 at 02:21:24PM +0100, david@orange-ftgroup.com wrote:
>
> Hi,
>
> You can do it via a policy like this :
>
> Here MAX AS PATH equal to 20.

Don't get too overzealous here. From my perspective I currently see over 160 prefixes with as-path >= 20, so blocking them would break legitimate announcements for no good reason. There was nothing out-of-spec or invalid about the > 255 as-path, it was purely an implementation bug on vendor C's part.

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [j-nsp] License : Juniper ISG-2000
On Fri, Feb 20, 2009 at 11:30:39AM +0100, Sidney Boumendil wrote:
> VR are routing instance, 3 is generally enough for most setups. If you need
> additional ones you have to buy a vsys licence.
> Instructions on how to generate and install it are provided by Juniper with
> the licence file.

Just to be clear - the vsys licenses and the vrouter licenses are different. A vsys license enables a vrouter for each purchased vsys, but the converse does not hold.

Ross

--
Ross Vandegrift
r...@kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie
Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???
Hi,

You can do it via a policy like this :

Here MAX AS PATH equal to 20.

Regards,
David

as-path MAXAS ".{20,}";
policy-statement MAXASPATH {
    term MAXAS {
        from {
            protocol bgp;
            as-path MAXAS;
        }
        then reject;
    }
}

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Berislav Todorovic
Sent: Friday, February 20, 2009 13:01
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] bgp maxas-limit - JUNOS equivalent ???

Hello,

Having in mind some recent unpleasant events:

http://www.renesys.com/blog/2009/02/the-flap-heard-around-the-worl.shtml

I'm wondering if there is a way to limit the AS path length in JUNOS. Yeah, bgp maxas-limit is available in JUNOSe, as well as in Cisco IOS, but I can't find any reference to it for JUNOS (M/MX/T Series).

Any info will be greatly appreciated.

Regards,
Beri
Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???
Hi,

On 20.02.2009 at 13:00, Berislav Todorovic wrote:
> I'm wondering if there is a way to limit the AS path length in JUNOS.
> Yeah, bgp maxas-limit is available in JUNOSe, as well as in Cisco IOS,
> but I can't find any reference to it for JUNOS (M/MX/T Series).
>
> Any info will be greatly appreciated.

policy-options {
    policy-statement block-very-long-paths {
        from as-path too-many-hops;
        then reject;
    }
    as-path too-many-hops ".{64,}";
}
protocols {
    bgp {
        group foo {
            import block-very-long-paths;
        }
    }
}

Kind regards,
.m
Re: [j-nsp] bgp maxas-limit - JUNOS equivalent ???
On Fri, 2009-02-20 at 12:00 +, Berislav Todorovic wrote:
> I'm wondering if there is a way to limit the AS path length in JUNOS.
> Yeah, bgp maxas-limit is available in JUNOSe, as well as in Cisco IOS,
> but I can't find any reference to it for JUNOS (M/MX/T Series).
>
> Any info will be greatly appreciated.

define an AS path regex, eg ".{75,}", and match on it using a policy.

--Daniel.
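
Added example, not part of any poster's message and not JUNOS code: a dry run of the as-path length limits suggested in this thread (".{20,}", ".{64,}", ".{75,}") against a table of AS paths, showing which prefixes each limit would drop and whether prepending alone pushes them over. The table is constructed from documentation prefixes and reserved ASNs, the function names are hypothetical, and the model assumes plain AS_SEQUENCE paths where each "." consumes one AS number.

```python
from typing import NamedTuple

# Limits used by the policies posted in the thread: ".{20,}", ".{64,}", ".{75,}".
THRESHOLDS = (20, 64, 75)


class Hit(NamedTuple):
    prefix: str
    length: int         # ASNs in the path, prepends included
    unique: int         # distinct ASNs in the path
    prepend_only: bool  # True when only prepending pushes it over the limit


def parse_as_path(text: str) -> list[int]:
    """Parse a space-separated AS_SEQUENCE (AS_SETs are out of scope here)."""
    asns = [int(tok) for tok in text.split()]
    if any(not 0 < asn < 2**32 for asn in asns):
        raise ValueError(f"ASN out of range in {text!r}")
    return asns


def would_reject(path: list[int], limit: int) -> bool:
    """Model of as-path regex ".{limit,}": each "." consumes one AS number,
    so a path with `limit` or more entries matches and the term rejects it."""
    return len(path) >= limit


def audit(table: dict[str, str], limit: int) -> list[Hit]:
    """List the prefixes a given limit would drop, in table order."""
    hits = []
    for prefix, text in table.items():
        path = parse_as_path(text)
        if would_reject(path, limit):
            unique = len(set(path))
            hits.append(Hit(prefix, len(path), unique, unique < limit))
    return hits


def make_path(*asns: int) -> str:
    return " ".join(str(asn) for asn in asns)


# Constructed sample table (assumption): documentation prefixes, reserved ASNs.
TABLE = {
    "192.0.2.0/24": make_path(64496, 64497, 64498),             # short path
    "198.51.100.0/24": make_path(64500, 64501, *[64502] * 20),  # 22, prepended
    "203.0.113.0/24": make_path(*range(64512, 64533)),          # 21 distinct
    "2001:db8::/32": make_path(64510, *[64511] * 255),          # 256, prepended
}


def report(table: dict[str, str] = TABLE) -> dict[int, list[Hit]]:
    return {limit: audit(table, limit) for limit in THRESHOLDS}


if __name__ == "__main__":
    for limit, hits in report().items():
        print(f'".{{{limit},}}" would reject {len(hits)} of {len(TABLE)} prefixes')
        for hit in hits:
            cause = "prepending only" if hit.prepend_only else "distinct hops"
            print(f"  {hit.prefix}: {hit.length} ASNs, {hit.unique} unique ({cause})")
```

Feeding it the AS paths actually present in the routing table, instead of the constructed one, gives the list of announcements a limit would drop before the import policy is committed.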
[j-nsp] bgp maxas-limit - JUNOS equivalent ???
Hello,

Having in mind some recent unpleasant events:

http://www.renesys.com/blog/2009/02/the-flap-heard-around-the-worl.shtml

I'm wondering if there is a way to limit the AS path length in JUNOS. Yeah, bgp maxas-limit is available in JUNOSe, as well as in Cisco IOS, but I can't find any reference to it for JUNOS (M/MX/T Series).

Any info will be greatly appreciated.

Regards,
Beri
Re: [j-nsp] License : Juniper ISG-2000
On Fri, Feb 20, 2009 at 11:06 AM, Ibariouen Khalid <ibariouen.kha...@ericsson.com> wrote:
>
> Can someone tell me if I need to look for a license on my firewall ? I
> have only a maximum of 3 VR.
>
> If yes please let me know how to install it ??
>
> BR/
> khalid
>

Hi Khalid,

VR are routing instance, 3 is generally enough for most setups. If you need additional ones you have to buy a vsys licence. Instructions on how to generate and install it are provided by Juniper with the licence file.

Sidney
[j-nsp] License : Juniper ISG-2000
Hi all,

I'm working now with ISG-2000 Firewall; I got the following output from "attached file" : get license-key command.

Can someone tell me if I need to look for a license on my firewall ? I have only a maximum of 3 VR.

If yes please let me know how to install it ??

BR/
khalid

ISG-1-NAHDA(M)-> get license-key
Model:                   Advanced
Sessions:                1048576 sessions
Capacity:                unlimited number of users
NSRP:                    ActiveActive
VPN tunnels:             1 tunnels
Vsys:                    None
Vrouters:                3 virtual routers
Zones:                   34 zones
VLANs:                   2000 vlans
Drp:                     Enable
Deep Inspection:         Enable
Deep Inspection Database Expire Date: Disable
Signature pack:          Signature update key is missing
IDP:                     Disable
AV:                      Enable(1)
Anti-Spam:               Disable(0)
Url Filtering:           Disable
Update server url:       nextwave.netscreen.com/key_retrieval
License key auto update : Disabled
Auto update interval : 0 days
ISG-1-NAHDA(M)->
Re: [j-nsp] 802.1ad between Cisco and extreme network Alpine Switch
Hello Adimi,

>> could someone tell me how to implement the QinQ solution between Cisco
>> Switch and Extreme networks Alpine
>>

You can get some good help from [e-nsp] and [c-nsp].

--
Regards,
Ronald Nsubuga,
skype: nsptash
"I don't speak for anybody but myself - that's enough trouble"