[j-nsp] SRX GTP inspection and firewall
Hi, I need a firewall for a mobile SP environment. The customer requested capability for 2M concurrent sessions with a roadmap up to 4M sessions. Another point in the network is also the Gn interface and GTP intra-tunnel inspection. Do we have these capabilities, and what platform fits best? I looked at the SRX5k series. Thanks, d.

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Logical System on an MX80
Hi, We're looking to deploy MX80 (48T) routers in several locations and we'd like to use logical systems to partition them for different clients. I can't find any documentation that definitely says the MX80 supports this, specifically the tunnelling-services (ls-x/y/z interface) needed to interconnect the routers. I've implemented the proposed design on an M7i in our lab, but the M7i is just too slow (and too EOL) for our requirements. If anyone can give a definitive Yes or No it would be a big help.

Cheers, Dave
Re: [j-nsp] SRX for MPLS
You can definitely do MPLS on J-series and SRX gateways. It even says so on the datasheet. However, as was mentioned, you must put the device in packet-based mode, and thus lose ALL security features (everything that is configured under [edit security], so zones, stateful policies, NAT, etc. are all not available). To add on to Tim's comment, you will want to use the command 'delete security' to wipe out that hierarchy, and then enable the packet-based mode: set security forwarding-options family mpls mode packet-based. There are other statements in that hierarchy to enable packet-based for inet6 etc., but I've never turned that on... just the MPLS statement will turn it into a regular router.

My main fear for your deployment would be the environmental conditions. I don't believe the SRX is specifically hardened for that kind of environment (that isn't to say it wouldn't work, though). Also, you aren't planning to put an entire BGP table into them, are you? I'm not sure how well that would work on the smaller boxes. I think I've heard of it being done, but never done it myself, so I can't speak to the stability of such a scenario.

Good luck, Will
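A check for the state Will describes, added here as an example and not code from the post or from Juniper: once packet mode is on, anything left under [edit security] is dead configuration, and a stale zone or policy set can look like protection that is no longer applied. The script scans a Junos set-format configuration for the packet-mode statement and lists the flow-only statements that remain. The hierarchies it treats as flow-only and the sample configuration at the bottom are this example's own choices, not taken from the thread.

```python
"""Flag Junos configurations that enable packet mode but keep flow-only config.

Added example (not code from the post or from Juniper). Following the
behaviour described above, once 'set security forwarding-options family
<fam> mode packet-based' is present the box forwards as a plain router and
statements under [edit security] such as zones, policies, NAT and screens
are no longer enforced. The list of hierarchies treated as flow-only and
the sample configuration at the bottom are this example's own choices.
"""
import re

PACKET_MODE_RE = re.compile(
    r"^set security forwarding-options family (\S+) mode packet-based$")

# Hierarchies that are silently ignored once forwarding is packet-based.
FLOW_ONLY_PREFIXES = ("set security zones", "set security policies",
                      "set security nat", "set security screen",
                      "set security flow", "set security idp",
                      "set security utm")


def parse_set_config(text):
    """Non-empty, non-comment 'set ...' lines of a configuration dump."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def packet_mode_families(lines):
    """Address families switched to packet-based forwarding, e.g. ['mpls']."""
    return [m.group(1) for m in map(PACKET_MODE_RE.match, lines) if m]


def dead_security_statements(lines):
    """Statements under [edit security] that have no effect in packet mode."""
    return [l for l in lines if l.startswith(FLOW_ONLY_PREFIXES)]


def lint(text):
    """Return (packet_mode_enabled, findings); findings empty when consistent."""
    lines = parse_set_config(text)
    fams = packet_mode_families(lines)
    if not fams:
        return False, []
    dead = dead_security_statements(lines)
    if not dead:
        return True, []
    findings = ["packet mode enabled for %s but %d flow-only statement(s) "
                "remain; the 'delete security' step was not done"
                % (", ".join(fams), len(dead))]
    findings += ["  ignored: " + l for l in dead]
    return True, findings


# Constructed sample: packet mode turned on without wiping [edit security].
SAMPLE_CONFIG = """
set security forwarding-options family mpls mode packet-based
set security zones security-zone trust interfaces ge-0/0/0.0
set security policies from-zone trust to-zone untrust policy allow-all match source-address any
set security policies from-zone trust to-zone untrust policy allow-all then permit
set protocols mpls interface ge-0/0/1.0
set protocols ldp interface ge-0/0/1.0
"""

if __name__ == "__main__":
    import sys
    enabled, findings = lint(open(sys.argv[1]).read() if len(sys.argv) > 1
                             else SAMPLE_CONFIG)
    print("packet mode:", enabled)
    for f in findings:
        print(f)
```

Run it against the output of `show configuration | display set` saved to a file. Packet mode enabled with an empty findings list means the hierarchy was wiped before the forwarding-options statement was added; anything listed as ignored is configuration that no longer does what its author thinks it does.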
Re: [j-nsp] SRX for MPLS
My question is what is the purpose of using a security device for pure routing purposes? Why not just buy a router?

On Oct 22, 2010 9:34 AM, Will McLendon wimcl...@gmail.com wrote: [...]
Re: [j-nsp] SRX for MPLS
Unfortunately there are some VPLS limitations on SRX and J-series routers. You should check them first. Besides that, everything works.

On 10/22/2010 04:28 PM, Will McLendon wrote: [...]

-- Regards, Miroslav Georgiev SpectrumNet Jsc. +(359 2)4890604 +(359 2)4890619
Re: [j-nsp] SRX for MPLS
Simple answer: cost. The SRX650 can handle about as much traffic as an M7i, at less than half the price. There's no equivalent J-series at that level (the J6350 would top out at 2Gbps). Likewise, J-series runs virtually the same code now as the SRX series (in terms of security), which begs an answer to the question: Why not just buy a router? Answer: What router? There's only security devices below the M7. - CK.

P.S. There was a huge previous discussion regarding J-series only-flow-based earlier, which I'm sure you remember. =)

On 2010-10-23, at 12:46 AM, Chris Evans wrote: My question is what is the purpose of using a security device for pure routing purposes? Why not just buy a router?
Re: [j-nsp] SRX for MPLS
We are studying it:

* J Series or SRX Series devices do not support aggregated Ethernet interfaces. Therefore, aggregated Ethernet interfaces between CE devices and PE routers are not supported for VPLS routing instances on J Series or SRX Series devices.
* VPLS routing instances on J Series or SRX Series devices use BGP to send signals to other PE routers. LDP signaling is not supported.
* VPLS multihoming, which allows connecting a CE device to multiple PE routers to provide redundant connectivity, is not supported on J Series or SRX Series devices.
* J Series or SRX Series devices do not support BGP mesh groups.
* J Series or SRX Series devices support only the following encapsulation types on VPLS interfaces that face CE devices: extended VLAN VPLS, Ethernet VPLS, and VLAN VPLS. Ethernet VPLS over ATM LLC encapsulation is not supported.
* Virtual ports are generated dynamically on a Tunnel Services PIC on some Juniper Networks routing platforms. J Series or SRX Series devices do not support Tunnel Services modules or virtual ports.
* The VPLS implementation on J Series or SRX Series devices does not support dual-tagged frames. Therefore, VLAN rewrite operations are not supported on dual-tagged frames. VLAN rewrite operations such as pop-pop, pop-swap, push-push, swap-push, and swap-swap, which are supported on M Series and T Series routing platforms, are not supported on J Series or SRX Series devices.
* Firewall filters for VPLS are not supported.

BGP signaling must be a big limitation, because of the address space of these boxes.
Re: [j-nsp] SRX for MPLS
Has anyone done much l2vpn on them? I know that's related for sure..;)

-Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Miroslav Georgiev Sent: Friday, October 22, 2010 10:05 AM To: Will McLendon Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] SRX for MPLS

[...]
[j-nsp] master banner on EX4200
Hi Team, Can we remove the {master:0} banner when we are using an EX4200 switch as standalone?

Regards, Rehan
Re: [j-nsp] SRX for MPLS
On 22/10/2010 11:46, Chris Evans wrote: My question is what is the purpose of using a security device for pure routing purposes? Why not just buy a router?

Price and size of the box.
Re: [j-nsp] SRX for MPLS
Ahhh, the cost reason. That is a huge reason we aren't buying much Juniper gear at this point in time. We only use M or MX devices along with the full Cisco product catalog. Every solution we are doing lately costs 2 to 5 times using Juniper versus Cisco. I just can't justify Juniper at this point in time for most contexts due to cost alone. This is something I've been yelling at my account team about.

On Oct 22, 2010 11:22 AM, Giuliano Cardozo Medalha giulian...@uol.com.br wrote: [...]
Re: [j-nsp] SRX for MPLS
Now we need to understand the limits for L2 VPNs and how we can use it integrated with JUNOS Space and Network Activator.

[...]
[j-nsp] Juniper UAC
Hi, Does anyone know if the switch ports on the SRX models (not the high-end ones for the datacenter) have similar functionality to the EX switches when it comes to integrating with Juniper's UAC product? Specifically, can we block/assign VLAN membership, etc. on the SRX based on the posture that UAC determines? Thanks!
Re: [j-nsp] m10 Hard Disk Crashed
FTA: Note: You need to jumper the SSD to CS (cable select)

I thought I had to set the drive jumper to Slave (not CS) to get a replacement drive to work. But that was over a year ago, so my memory is fuzzy. - Kevin

Jonas Frey (Probe Networks) wrote: See cluepon: http://juniper.cluepon.net/index.php/Replacing_the_harddisk_with_solid_state_flash

On Wednesday, 20.10.2010, 17:19 -0400, Fernando Atilano wrote: Can anybody provide guidance on how to replace an m10 hard disk? One of them failed. Any feedback is greatly appreciated. Fernando Atilano | Transtelco | Networking Support MX 52.656.257.1114 US 1.915.217.2286
Re: [j-nsp] Juniper UAC
I believe it depends on what mode it's in. For example, when they are configured as a firewall pair the switching functions are unavailable.

On Fri, Oct 22, 2010 at 1:37 PM, Herro91 herr...@gmail.com wrote: [...]
[j-nsp] Junos route based vpn with Cisco
Hi all, Question regarding JunOS (SRX) route-based VPN with a Cisco remote end. In such a route-based configuration, how are the SAs generated with the Cisco? On the Cisco side you match an ACL as interesting traffic and the SAs are created based on that. On JunOS route-based VPN, is it the policy that creates the SA, or does the policy simply enforce the FW rules on the tunnel? If that is the case, can I have many such rules and specify ports for each rule? In the below configuration I would like to specify application ports for each rule (rather than the current any), but I am unsure how the remote Cisco would respond depending on how the Juniper creates the SA (note: unnumbered st interface used)... I used the following tool to generate this config: https://www.juniper.net/customers/support/configtools/vpnconfig.html#

## Configure interface IP and route for tunnel traffic
set interfaces st0.0 family inet
set routing-options static route 2.16.68.0/24 next-hop st0.0
set routing-options static route 2.16.69.0/24 next-hop st0.0

## Configure security zones, assign interfaces to the zones, host-inbound services for each zone
set security zones security-zone Vpn interfaces st0.0
set security zones security-zone Vpn host-inbound-traffic system-services bgp

## Configure address book entries for each zone
set security zones security-zone Silver address-book address net-cfgr_10-25-56-64--26 10.25.56.64/26
set security zones security-zone Silver address-book address net-cfgr_10-25-7-96--27 10.25.7.96/27
set security zones security-zone Silver address-book address net-cfgr_10-25-194-96--27 10.25.194.96/27
set security zones security-zone Vpn address-book address net-cfgr_2-16-68-0--24 2.16.68.0/24
set security zones security-zone Vpn address-book address net-cfgr_2-16-69-0--24 2.16.69.0/24

## Configure IKE policy for main mode
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr pre-shared-key ascii-text yaright

## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 1.1.1.1
set security ike gateway ike-gate-cfgr external-interface ge-0/0/12.0

## Configure IKE authentication, encryption, DH group, and lifetime
set security ike proposal ike-proposal-cfgr authentication-method pre-shared-keys
set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr
set security ike proposal ike-proposal-cfgr encryption-algorithm 3des-cbc
set security ike proposal ike-proposal-cfgr authentication-algorithm sha1
set security ike proposal ike-proposal-cfgr dh-group group2
set security ike proposal ike-proposal-cfgr lifetime-seconds

## Configure IPsec policy
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0

## Configure IPsec authentication and encryption
set security ipsec proposal ipsec-proposal-cfgr protocol esp
set security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr
set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys group2
set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm hmac-sha1-96

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-56-64--26
set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-7-96--27
set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match source-address net-cfgr_10-25-194-96--27
set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr match application any
set security policies from-zone Silver to-zone Vpn policy Silver-Vpn-cfgr then permit

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-68-0--24
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match source-address net-cfgr_2-16-69-0--24
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-56-64--26
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-7-96--27
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match destination-address net-cfgr_10-25-194-96--27
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr match application any
set security policies from-zone Vpn to-zone Silver policy Vpn-Silver-cfgr then permit

Thanks, Tom
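An added example for the question above, not code from the post or from Juniper. On an SRX route-based VPN the security policy does not create the SA: the SA belongs to the ipsec vpn object bound to st0, and phase 2 is negotiated with that VPN's proxy IDs, which default to 0.0.0.0/0 on both sides when no proxy-identity is configured. A Cisco peer that derives its proxy IDs from a crypto-map ACL will fail phase 2 on that mismatch, so each ACL line needs a matching proxy-identity on the SRX (one VPN and st0 unit per line) or the Cisco side needs a VTI. Port restrictions in the Silver/Vpn policies are then applied to the decrypted flow and do not change what is negotiated, as long as the proxy-identity service stays any. The script below lints a set-format configuration for the three things that trip this up: zone names differing only in case (Junos treats them as different zones), policy addresses not defined in the referenced zone, and st0-bound VPNs with no proxy-identity. The sample at the bottom is constructed for this example, modelled on the generator output above, with all three problems present; the address names in it are the example's own.

```python
"""Lint an SRX route-based VPN configuration in Junos 'set' format.

Added example (not from the post or from Juniper). It reports:
  1. zone names that differ only in case ('vpn' vs 'Vpn');
  2. policy addresses with no address-book entry in the referenced zone;
  3. VPNs bound to an st0 unit with no proxy-identity, which negotiate
     phase 2 as 0.0.0.0/0 <-> 0.0.0.0/0 and fail against a crypto-map peer.
The sample configuration at the bottom is constructed for this example.
"""
import re
from collections import defaultdict

ZONE_RE = re.compile(r"^set security zones security-zone (\S+)(?: (.*))?$")
ADDR_RE = re.compile(r"^address-book address (\S+) (\S+)$")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) "
                       r"policy (\S+) match (source|destination)-address (\S+)$")
VPN_RE = re.compile(r"^set security ipsec vpn (\S+) (.*)$")


def parse(text):
    """Non-empty, non-comment lines of a set-format configuration."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def zone_case_conflicts(lines):
    """{lowercased name: [variants]} for zone names that collide by case."""
    by_lower = defaultdict(set)
    for line in lines:
        m = ZONE_RE.match(line)
        if m:
            by_lower[m.group(1).lower()].add(m.group(1))
    return {k: sorted(v) for k, v in by_lower.items() if len(v) > 1}


def address_books(lines):
    """zone name -> set of address names defined in that zone's book."""
    books = defaultdict(set)
    for line in lines:
        m = ZONE_RE.match(line)
        a = ADDR_RE.match(m.group(2) or "") if m else None
        if a:
            books[m.group(1)].add(a.group(1))
    return books


def undefined_policy_addresses(lines):
    """(policy, zone, address) where the address is not in that zone's book."""
    books = address_books(lines)
    missing = []
    for line in lines:
        m = POLICY_RE.match(line)
        if not m:
            continue
        from_zone, to_zone, policy, direction, name = m.groups()
        zone = from_zone if direction == "source" else to_zone
        if name != "any" and name not in books[zone]:
            missing.append((policy, zone, name))
    return missing


def vpns_without_proxy_identity(lines):
    """Route-based VPNs (bind-interface st0.N) that never set a proxy-identity."""
    bound, with_proxy = set(), set()
    for line in lines:
        m = VPN_RE.match(line)
        if m and m.group(2).startswith("bind-interface st0."):
            bound.add(m.group(1))
        if m and m.group(2).startswith("ike proxy-identity "):
            with_proxy.add(m.group(1))
    return sorted(bound - with_proxy)


def lint(text):
    """Human-readable findings for a configuration; empty list means clean."""
    lines = parse(text)
    out = ["zone names differ only in case: " + "/".join(v)
           for v in zone_case_conflicts(lines).values()]
    out += ["policy %s: address %s not defined in zone %s" % (p, n, z)
            for p, z, n in undefined_policy_addresses(lines)]
    out += ["vpn %s: no proxy-identity, phase 2 offers 0.0.0.0/0 and a "
            "crypto-map peer will not match it" % v
            for v in vpns_without_proxy_identity(lines)]
    return out


# Constructed sample, modelled on the generator output in the post.
SAMPLE = """
set security zones security-zone vpn interfaces st0.0
set security zones security-zone Vpn host-inbound-traffic system-services bgp
set security zones security-zone Silver address-book address net-a 10.25.56.64/26
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
set security policies from-zone Silver to-zone Vpn policy out match source-address net-a
set security policies from-zone Vpn to-zone Silver policy in match source-address net-remote
set security policies from-zone Vpn to-zone Silver policy in match destination-address net-a
"""

if __name__ == "__main__":
    import sys
    for f in lint(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE):
        print(f)
```

Feed it a saved `show configuration | display set`. An empty list means the zone and address references are internally consistent and every st0-bound VPN carries an explicit proxy-identity, which is the state you want before troubleshooting phase 2 against a crypto-map peer.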