[j-nsp] DCU SNMP MIB - Cacti

2009-09-30 Thread Mark Tinka
Hello all.

Wondering whether anyone has come across a Cacti plug-in to 
read Juniper's Destination Class Usage MIB.

All help appreciated.

Cheers,

Mark.


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] EX8200

2009-09-30 Thread Quoc Hoang
Hi,
   I'm considering purchasing the big iron EX8216 chassis for our core 
switching. These switches are pretty brand new to the market. Anyone running 
these and care to share their operational experience/feedback/issues seen so 
far?

thanks,
quoc


Re: [j-nsp] ex4200 throughput trouble on 10GE interface

2009-09-30 Thread Mircho Mirchev
Hi Michael,
We ran into a very similar issue with the EX series. The performance drops
drastically and no errors or suspicious counters are increasing.
This happens only in the live environment and, no matter how I try, I can't
reproduce it in the lab.
We have several switches with a similar setup and only one has the problem.
Tried changing the hardware - no difference. The only clue is that the
problematic switch has an ae- (LAG w/ LACP) interface.

Please, share your experience with this problem. Did you find any solution?
Do you know if 9.3 is having this issue?
Any help and clues will be helpful.

Best Regards,
Mircho


-- 
Dipl. eng. Mircho Mirchev
JNCIS-M, JNCIS-ES, JNCIA-EX


On Thu, Aug 6, 2009 at 10:16 AM, Michael Schedrin 
wrote:
> I had issue with bootp helper. It had stopped forwarding packets at the
> moment. Also only reboot resolved the problem.
>
> 2009/8/5 Chuck Anderson 
>
>> On Wed, Aug 05, 2009 at 11:00:31AM +0200, Malte von dem Hagen wrote:
>> > Hi,
>> >
>> > Michael schrieb:
>> > > I use 9.5R2.7. Very interesting information about 9.3. Where did you
>> hear
>> > > about it?
>> >
>> > we ran into several severe bugs on our EX switches, regarding different
>> > functions (aggregated ethernet, virtual chassis, spanning tree etc.
etc.)
>> and
>> > got that recommendation from our Juniper SE. That statement is some
>> weeks/months
>> > old though, so I can't say if the situation changed.
>>
>> Interesting.  I've been using aggregated ethernet and virtual chassis
>> on 9.5R2.7 without major issues since May.  Also dhcp-snooping, ARP
>> inspection, IP Source Guard, and secure-access-port allowed-mac.  One
>> minor issue I had was failure to save/restore the persistent
>> dhcp-binding-table on reboot.
>>
>
>
>
> --
> Best regards,
> Mikhail Shchedrin
> Head of the TP2 department
> SkyNet Telecom http://sknt.ru
> tel. +7 911 934-79-83

Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread Stefan Fouant
On Wed, Sep 30, 2009 at 11:44 AM, David Ball  wrote:

>   If I'm not mistaken, this year's migration to DNS servers
> supporting randomized source UDP ports (based on the Kaminsky thing)
> may throw a wrench into some notions of filtering UDP traffic across
> their network.  I know we had issues with it.
>
> > On Wed, Sep 30, 2009 at 5:09 AM, Masood Shah 
> wrote:
> >
> >>
> >> If you are REALLY paranoid, you can DROP all UDP traffic and then only
> open
> >> the ports that you have services running on. Sometimes this is easier
> said
> >> than done though.
>

I think it really boils down to whether you are filtering Source Ports vs.
Destination Ports.  In the DNS case, there is rarely a need to block Source
Ports, but it certainly would be prudent in certain circumstances to allow
Destination Port 53 and then block everything else.  Those who support this
model shouldn't be affected by the newer versions of BIND and other
resolvers which support larger Source Port pools... (BTW, I am talking from
the perspective of a DNS provider... if we're dealing with a customer side
filtering inbound traffic, the above model should be reversed).

-- 
Stefan Fouant


Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread Jared Mauch
Any "blind" filtering will have side-effects.  Setting the bar  
correctly can be difficult.  It is important to regularly review  
filtering policies, remove the ones that are not of value and place  
new ones in.  If it's just something where people pile on block-more,  
MORE, MOOORRRE! you will end up with a really poor  
user experience.  Make sure the reviews are part of a scheduled  
business practice, put the guy who runs around with the tapes in  
charge of nagging you.


- Jared

On Sep 30, 2009, at 11:44 AM, David Ball wrote:

>   If I'm not mistaken, this year's migration to DNS servers
> supporting randomized source UDP ports (based on the Kaminsky thing)
> may throw a wrench into some notions of filtering UDP traffic across
> their network.  I know we had issues with it.
>
> David
>
>
> 2009/9/30 Stefan Fouant :
>> On Wed, Sep 30, 2009 at 5:09 AM, Masood Shah  wrote:
>>
>>> If you are REALLY paranoid, you can DROP all UDP traffic and then
>>> only open the ports that you have services running on. Sometimes this is
>>> easier said than done though.
>>
>> I wouldn't call this paranoia.  I would call this "good security
>> posture".
>>
>> --
>> Stefan Fouant


Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread David Ball
   If I'm not mistaken, this year's migration to DNS servers
supporting randomized source UDP ports (based on the Kaminsky thing)
may throw a wrench into some notions of filtering UDP traffic across
their network.  I know we had issues with it.

David


2009/9/30 Stefan Fouant :
> On Wed, Sep 30, 2009 at 5:09 AM, Masood Shah  wrote:
>
>>
>> If you are REALLY paranoid, you can DROP all UDP traffic and then only open
>> the ports that you have services running on. Sometimes this is easier said
>> than done though.
>>
>
> I wouldn't call this paranoia.  I would call this "good security posture".
>
> --
> Stefan Fouant


[j-nsp] OT: Arbor 2009 Infrastructure Security Report - Request for Participation.

2009-09-30 Thread Roland Dobbins


We're in the process of collecting feedback for the 2009
Infrastructure Security Report; this is the Fifth Edition of the
report, and we'd really be grateful for your participation!

The 2009 Infrastructure Security Survey is up and available for
input.  You can register to complete the survey at this URL:



We've again added many questions this time from past participants
of the survey, this should be evidenced throughout.  Feedback
collection will end as soon as we've reached the desired number
of respondents (ideally, 80+).

We hope to make the results available by November 2009 at the
latest.  Also, please recall that NO personally- (or organizationally-)
identifiable information will be shared in any manner.

The 2008 edition of the survey is available here:



Or on the Arbor web site (reg required):



Thanks in advance for your participation!

---
Roland Dobbins  // 

Sorry, sometimes I mistake your existential crises for technical
insights.

-- xkcd #625



Re: [j-nsp] EX Routing Throughput

2009-09-30 Thread Jay Hanke
Yep, should NOT be.

-Original Message-
From: Shane Ronan [mailto:sro...@fattoc.com] 
Sent: Tuesday, September 29, 2009 7:58 PM
To: Jay Hanke
Cc: 'Paul Stewart'; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] EX Routing Throughput

Did you mean should NOT be?

Shane

On Sep 29, 2009, at 2:59 PM, Jay Hanke wrote:

> The layer 3 throughputs listed should be any issue for the EX switches



Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread Stefan Fouant
On Wed, Sep 30, 2009 at 5:09 AM, Masood Shah  wrote:

>
> If you are REALLY paranoid, you can DROP all UDP traffic and then only open
> the ports that you have services running on. Sometimes this is easier said
> than done though.
>

I wouldn't call this paranoia.  I would call this "good security posture".

-- 
Stefan Fouant


Re: [j-nsp] Event / OP Script

2009-09-30 Thread Nahrux M
Hi

Take a look at

http://junos.juniper.net/content/Resources/Day_One_Guide/JSA1_DO_JUNOS_Auto_-_THIRD.pdf


Regards


Nahrux


2009/9/27 Cheikh-Moussa, Ahmad 

> Hi Guys,
>
> I try to write an event script, but the documentation I have found is not
> really good.
> Has someone written an event/op script?
>
> Can someone show me how I can write an op script which is triggered
> by an event (timer)?
> I try something like show chassis fpc and search for a special string
> within the output.
> Does someone have an example?
>
> Thanks in advance,
>  Ahmad
>
>
> Ahmad Cheikh-Moussa
> Consultant
> Business Unit Carrier & Service Provider
>
> AXIANS
> NK Networks & Services GmbH
> Fischertwiete 2, Chilehaus A
> 20095 Hamburg
>
> Tel.:  +49 40 237 899 - 72
> Fax:   +49 40 237 899 - 69
>
> ahmad.cheikh-mou...@axians.de
> acheikh-mou...@axians.de
> a...@axians.de
> www.axians.com
>
>
>
>
> Registered office of NK Networks & Services GmbH: Von-der-Wettern-Straße 15, 51149 Köln
> Registry court: Amtsgericht Köln, registration number HRB 30805
> Managing director: Tonis Rüsche
>
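The check Ahmad describes (run show chassis fpc on a timer and look for a particular string in the output), written out as an added Python example; it is not from the thread or from the Day One guide linked above. On the router itself this logic would sit in an op or event script (SLAX/XSLT on the JUNOS of that time); here only the parsing and matching is shown, stand-alone. The sample output is constructed to resemble the CLI table and is not captured from a real chassis, and the set of "healthy" states in OK_STATES is an assumption.

```python
"""Parse `show chassis fpc` text and flag slots whose state is not Online/Empty.

Added example; the sample below is constructed, not captured from a router,
and the states treated as healthy are an assumption of this example.
"""
import re
from typing import Dict, List

# Constructed to look like the CLI table: two header lines, then one row per slot.
SAMPLE_SHOW_CHASSIS_FPC = """\
                     Temp  CPU Utilization (%)   Memory    Utilization (%)
Slot State            (C)  Total  Interrupt      DRAM (MB) Heap     Buffer
  0  Online            38     11          0       1024        9         14
  1  Empty
  2  Offline
  3  Online            41      7          0       1024       10         14
  4  Present           35
"""

# A data row starts with the slot number; header lines do not.
ROW = re.compile(r"^\s*(\d+)\s+([A-Za-z]+)")
OK_STATES = {"Online", "Empty"}   # assumption: any other state is worth raising an alarm


def parse_fpc_table(text: str) -> Dict[int, str]:
    """Return {slot: state} for every slot row found in the output."""
    states: Dict[int, str] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            states[int(m.group(1))] = m.group(2)
    return states


def unhealthy_slots(text: str) -> List[int]:
    """Slots the event script would act on (log, syslog, raise a trap ...)."""
    return sorted(slot for slot, state in parse_fpc_table(text).items()
                  if state not in OK_STATES)


def contains_state(text: str, wanted: str) -> bool:
    """The 'search for a special string' the poster asked about, done on parsed
    fields rather than raw substring search, so 'Online' does not match 'Offline'."""
    return wanted in parse_fpc_table(text).values()


if __name__ == "__main__":
    print("slot states:", parse_fpc_table(SAMPLE_SHOW_CHASSIS_FPC))
    print("FPC slots needing attention:", unhealthy_slots(SAMPLE_SHOW_CHASSIS_FPC))
```

Matching on the parsed state column rather than on a raw substring is the point: a naive `"Online" in output` check is true even when every other slot is Offline.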


Re: [j-nsp] Ospf preference

2009-09-30 Thread SunnyDay

yes for that prefix if it is possible.
Matthew Walster wrote:
> Do you mean just for that prefix, or that the route via router 3 is
> preferred for everything but router 2? If the latter, surely you just
> adjust the OSPF metric?
>
>
> Matthew Walster
>
>
>
> 2009/9/30 SunnyDay <cscosu...@gmail.com>
>
>     Hello i have 3 routers and they are all configured with ospf
>     router 1 has 10.0.0.0 subnet from router 2 and router 3 with the
>     same preference
>     i want to make the preference advertised from router 2 to be
>     preferred over router 3 for network
>     10.0.0.0. Is this done via policy options?
>
>     Thank You
>
>
>                 router 1
>
>     router 2                router 3
>
>                 10.0.0.0










Re: [j-nsp] Ospf preference

2009-09-30 Thread Matthew Walster
Do you mean just for that prefix, or that the route via router 3 is
preferred for everything but router 2? If the latter, surely you just adjust
the OSPF metric?

Matthew Walster



2009/9/30 SunnyDay 

> Hello i have 3 routers and they are all configured with ospf
> router 1 has 10.0.0.0 subnet from router 2 and router 3 with the same
> preference
> i want to make the preference advertised from router 2 to be preferred over
> router 3 for network
> 10.0.0.0. Is this done via policy options?
>
> Thank You
>
>
>
>
>             router 1
>
> router 2                router 3
>
>             10.0.0.0
>
>


Re: [j-nsp] Juniper-Cisco VRRP Problem

2009-09-30 Thread Matthew Walster
2009/9/30 Muhammad Jawwad Paracha 

> I have cisco 3845 and juniper J2320 router. Configured VRRP on both
> devices. With the change in priority cisco router goes to master and
> backup state. But Juniper J2320 router still remains in master state
> even when priority on cisco device is increased.
>
> Need help urgent.
>


Set:

preempt {
    hold-time 600;
}

Pre-emption allows the higher priority router to assume control of the
session.

Matthew Walster


[j-nsp] Ospf preference

2009-09-30 Thread SunnyDay

Hello i have 3 routers and they are all configured with ospf
router 1 has 10.0.0.0 subnet from router 2 and router 3 with the same 
preference
i want to make the preference advertised from router 2 to be preferred 
over router 3 for network

10.0.0.0. Is this done via policy options?

Thank You




            router 1

router 2                router 3

            10.0.0.0




[j-nsp] Juniper-Cisco VRRP Problem

2009-09-30 Thread Muhammad Jawwad Paracha
I have cisco 3845 and juniper J2320 router. Configured VRRP on both
devices. With the change in priority cisco router goes to master and
backup state. But Juniper J2320 router still remains in master state
even when priority on cisco device is increased.
 
Need help urgent.


  


Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread Masood Shah
Truman is correct, blocking traceroute is not straightforward...

To block traceroute on Linux, start by DROPping ports 33434 to 33600. Of 
course, Truman makes a good point that this range can be overridden, for 
example in Linux with the -p option. If you are REALLY paranoid, you can DROP 
all UDP traffic and then only open the ports that you have services running on. 
Sometimes this is easier said than done though.

Windows uses "normal" ICMP echo requests with low TTL values. And the replies 
are ICMP type 11 (TTL exceeded), or ICMP type 0 (echo reply, when the 
destination has been reached). 

So if you want to block both Windows and *NIX traceroutes, you need to either:
- block outgoing messages destined to UDP ports 33434 to 33534, AND outgoing 
ICMP echo-request messages 
or
- block incoming ICMP type 11 and type 0 messages

To avoid a long discussion on this topic I would add that the UNIX version of 
tracert performs the same function as the Windows version except that the IP 
payload is a UDP packet. According to RFC1393, traceroute implementations are 
supposed to use the ICMP protocol. Indeed, the Windows implementation does use 
ICMP. However, by default, the Linux implementation uses UDP, unless you apply 
the "-I" option, in which case it will use ICMP.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/



-Original Message-
From: juniper-nsp-boun...@puck.nether.net on behalf of Truman Boyes
Sent: Wed 9/30/2009 10:34
To: Iftikhar Ahmed
Cc: juniper-nsp@puck.nether.net; Pekka Savola
Subject: Re: [j-nsp] Block traceroute and Allow Ping
 
This will block some types of traceroute, but a client can always use  
different ports.

Why do you want to block traceroute?

On 29/09/2009, at 8:42 PM, Iftikhar Ahmed wrote:

> Atif,
>
> Try to apply a filter to loop-back interface with somthing like
>
>
> term traceroute {   /* discard UDP packets in the default traceroute port range */
>     from {
>         protocol udp;
>         destination-port 33434-33678;
>     }
>     then {
>         count traceroute;
>         discard;
>     }
> }
> term default {
>     then accept;
> }
>
>
>
> Regards,
> iftikhar Ahmed
>
> On Tue, Sep 29, 2009 at 3:23 PM, Pekka Savola   
> wrote:
>
>> On Tue, 29 Sep 2009, Muhammad Atif Jauahar wrote:
>>
>>> I want to block traceroute transit traffic on router but I want to  
>>> allow
>>> ping transit traffic. Kindly let me know ICMP Type and Code for  
>>> traceroute
>>> and kindly let me know procedure to block traceroute but allow ping.
>>>
>>
>> You can't if you want to support all flavours of traceroute as some  
>> of
>> those use the equivalent of ping.  Maybe you could match by both  
>> TTL and
>> ICMP type/code but that would be hackish.  To learn more about how
>> traceroute works, see:
>>
>> http://en.wikipedia.org/wiki/Traceroute
>>
>> --
>> Pekka Savola                  "You each name yourselves king, yet the
>> Netcore Oy                     kingdom bleeds."
>> Systems. Networks. Security.   -- George R.R. Martin: A Clash of Kings
>>
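The filter semantics argued over in this thread, as an added Python example that is not part of any post: Iftikhar's UDP destination-port term, Pekka's and Truman's point that a traceroute using a different port range or ICMP echo slips past it, Masood's alternative of discarding inbound ICMP type 11, and Stefan's earlier point (in the same thread) that filtering on destination port 53 is unaffected by resolvers that randomise their source port. The Packet/Term classes are this example's own simplification of a first-match firewall filter, not Junos code; the packet headers are built inline with struct and nothing is sent on the wire.

```python
"""Evaluate three JunOS-style firewall filters against constructed packets.

Added example: a toy first-match filter engine plus hand-built IPv4/UDP/ICMP
headers. Filter names, sample addresses and ports are assumptions of the example.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(proto: int, ttl: int, payload: bytes,
               src: str = "192.0.2.1", dst: str = "198.51.100.1") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def udp_probe(sport: int, dport: int, ttl: int = 64) -> bytes:
    """UDP datagram with a 4-byte dummy payload; traceroute sends these with ttl=1,2,..."""
    return build_ipv4(PROTO_UDP, ttl, struct.pack("!HHHH", sport, dport, 12, 0) + b"\0" * 4)


def icmp_packet(icmp_type: int, ttl: int = 64) -> bytes:
    """ICMP header only: type, code, checksum, identifier, sequence."""
    return build_ipv4(PROTO_ICMP, ttl, struct.pack("!BBHHH", icmp_type, 0, 0, 0, 1))


@dataclass
class Packet:
    proto: int
    ttl: int
    sport: Optional[int] = None      # UDP only
    dport: Optional[int] = None      # UDP only
    icmp_type: Optional[int] = None  # ICMP only


def parse(raw: bytes) -> Packet:
    """Pull TTL, protocol and the L4 fields a firewall filter would key on."""
    ihl = (raw[0] & 0x0F) * 4
    ttl, proto, body = raw[8], raw[9], raw[ihl:]
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        return Packet(proto, ttl, sport=sport, dport=dport)
    if proto == PROTO_ICMP:
        return Packet(proto, ttl, icmp_type=body[0])
    return Packet(proto, ttl)


@dataclass
class Term:
    """One filter term: every match condition given must hold (logical AND)."""
    name: str
    action: str                              # "accept" or "discard"
    proto: Optional[int] = None
    dport: Optional[Tuple[int, int]] = None  # inclusive range, like destination-port 33434-33678
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and (p.dport is None or not self.dport[0] <= p.dport <= self.dport[1]):
            return False
        return self.icmp_type is None or p.icmp_type == self.icmp_type


def evaluate(terms: List[Term], raw: bytes) -> str:
    """First matching term wins; no matching term means discard, as in JunOS."""
    p = parse(raw)
    return next((t.action for t in terms if t.matches(p)), "discard")


# Iftikhar's loopback filter: discard the default UNIX traceroute range, accept the rest.
LOOPBACK_FILTER = [Term("traceroute", "discard", proto=PROTO_UDP, dport=(33434, 33678)),
                   Term("default", "accept")]
# "Drop all UDP, open only what you serve" on a DNS server: only the destination port
# is matched, so a resolver picking a random source port is unaffected.
DNS_SERVER_FILTER = [Term("dns", "accept", proto=PROTO_UDP, dport=(53, 53)),
                     Term("icmp", "accept", proto=PROTO_ICMP),
                     Term("other-udp", "discard", proto=PROTO_UDP)]
# Masood's inbound alternative: discard ICMP time-exceeded, which every traceroute
# flavour relies on; it also hides genuine TTL-expiry notices (Jared's side-effect).
NO_TIME_EXCEEDED = [Term("ttl-exceeded", "discard", proto=PROTO_ICMP, icmp_type=ICMP_TIME_EXCEEDED),
                    Term("default", "accept")]


def classify_all() -> Dict[str, Tuple[str, str, str]]:
    """Verdicts (loopback, dns-server, no-time-exceeded) for constructed sample packets."""
    samples = {
        "unix-traceroute":     udp_probe(40000, 33435, ttl=1),
        "traceroute-p-44444":  udp_probe(40000, 44444, ttl=1),   # base port overridden with -p
        "windows-tracert":     icmp_packet(ICMP_ECHO_REQUEST, ttl=1),
        "ping":                icmp_packet(ICMP_ECHO_REQUEST),
        "dns-random-sport":    udp_probe(51873, 53),
        "time-exceeded-reply": icmp_packet(ICMP_TIME_EXCEEDED),
    }
    return {name: (evaluate(LOOPBACK_FILTER, pkt), evaluate(DNS_SERVER_FILTER, pkt),
                   evaluate(NO_TIME_EXCEEDED, pkt)) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (lo, dns, nte) in classify_all().items():
        print(f"{name:20s} loopback={lo:8s} dns-server={dns:8s} no-time-exceeded={nte}")
```

Run stand-alone it prints one line per sample: the UDP-range term catches only the stock UNIX probe, a `-p 44444` probe and Windows tracert's ICMP echo (indistinguishable from ping by type alone) both get through, the destination-port-53 filter accepts the query with a random source port, and only the time-exceeded filter stops every traceroute flavour.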


Re: [j-nsp] vrrp groups

2009-09-30 Thread Matthew Walster
2009/9/28 luis barrios 

> Hello .. Does anybody know how many vrrp groups I can configure in an m10i
> router.
> Probably I will have 300 vlans in one interface in a router, and I need to
> configure vrrp groups too.  One vrrp group for each vlan.
> But I need to know the performance in this part of my juniper m10i.
>

In the lab, I've done 1024 VRRP sessions, which were 256 vlans with 4
VRRP-groups per vlan. Additionally, I did the reverse (4 vlans of 256 VRRP
groups) and that worked just fine too.

The important thing here is "in the lab" - but it should be fine.

Matthew Walster