Re: [j-nsp] JunOS route-based VPN: multiple st interfaces
On Mon, Nov 29, 2010 at 6:49 PM, Adam Leff a...@leff.co wrote:
> Also, for what it's worth, I do have multiple logical interfaces under st0 (i.e. st0.0 and st0.1) and it is working without requiring NHTB.

Without NHTB? So the security ipsec vpn XXX hierarchy has a bind-interface statement, but the iff hierarchy under st0 *doesn't* have a next-hop-tunnel statement?

> Do you have all the pre-requisites set up? i.e. st0.1 in the proper security zone, a route pointed down st0.1 for the traffic to be tunneled, etc.?

I'm pretty sure everything looks right (but just to me, so it's certainly possible that there's a bug or two in my config). st0.1 is in a security zone that has policies to permit vpn-monitor ICMP traffic, and I'm not even routing over the st0.1 interface yet, just pinging the remote end.

Cheers,
jof

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] some questions about junipter router and firewall
Derek Kwok wrote:
> 2/ How can I increase the line in putty? I can't find it in the setting

1. Right-click on the title bar of your PuTTY window to call up a menu.
2. The 12th item on the menu is "Change Settings..."; click that.
3. This calls up the PuTTY Reconfiguration window; in the Category list select "Window".
4. You now see options to set the size of the window and, the option you want, to control the scrollback in the window. Change whatever is the default value for lines of scrollback (600, I think) to 3000 or 4000; if that turns out to be not enough, you can always go back and increase the value.

Robert

Robert Smales
Technical Engineer
Cable & Wireless Worldwide
www.cw.com
[j-nsp] SRX-3600 Rate limit
Hi folks,

Can anyone tell me how to implement rate limiting on an SRX-3600? I have Junos version 10.0R2.10. I want to restrict a user to 1mb.

BR
Atif Naeem
Re: [j-nsp] JunOS route-based VPN: multiple st interfaces
On Tue, Nov 30, 2010 at 3:58 AM, Jonathan Lassoff j...@thejof.com wrote:
> On Mon, Nov 29, 2010 at 6:49 PM, Adam Leff a...@leff.co wrote:
>> Also, for what it's worth, I do have multiple logical interfaces under st0 (i.e. st0.0 and st0.1) and it is working without requiring NHTB.
>
> Without NHTB? So the security ipsec vpn XXX hierarchy has a bind-interface statement, but the iff hierarchy under st0 *doesn't* have a next-hop-tunnel statement?

Yes. We run either BGP or OSPF over the tunnel links, so no next-hop-tunnel statements are required. Are you binding st0 or the full st0.1 interface to your VPN? Here's a snippet of our config. Feel free to contact me off-list with your config and I'm happy to give it a glance.

in [edit security]:

    ike {
        policy phx1 {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text redacted;
        }
        gateway phx1 {
            ike-policy phx1;
            address redacted;
            external-interface ge-4/0/0.0;
        }
    }
    ipsec {
        vpn phx1 {
            bind-interface st0.1;
            vpn-monitor;
            ike {
                gateway phx1;
                ipsec-policy compatible;
            }
            establish-tunnels immediately;
        }
    }

in [edit interfaces]:

    st0 {
        unit 1 {
            description "VPN to PHX1";
            family inet {
                address 10.10.11.8/31;
            }
        }
    }

>> Do you have all the pre-requisites set up? i.e. st0.1 in the proper security zone, a route pointed down st0.1 for the traffic to be tunneled, etc.?
>
> I'm pretty sure everything looks right (but just to me, so it's certainly possible that there's a bug or two in my config). st0.1 is in a security zone that has policies to permit vpn-monitor ICMP traffic, and I'm not even routing over the st0.1 interface yet, just pinging the remote end.
>
> Cheers,
> jof
[j-nsp] Juniper M120 - PPM causing issues for BFD
Hi,

I was wondering if anyone else has had issues with M-based routers and PPM; if so, any advice would be greatly appreciated. Here is my situation:

- I have an M120 router that is now running BFD and IS-IS on a few links and OSPF on a few other links (no problem here).
- When I take a backup FEB out of backup (N+1 group) and map it to an FPC, the router drops all IS-IS neighbors.

A deeper look into the issue showed that IS-IS is dropping because of BFD; a third look showed that BFD was dying due to the PPM. I'm assuming that the issue is related to PPM running on both the FEB and the RE. Are there any caveats in disabling PPM on the FEB and letting it run only on the RE? I assume the performance would be lower as it's done in software vs. the hardware FEB, but I can't imagine the difference to be noteworthy.

Thanks
Payam
[j-nsp] SRX and IPv6
Hi,

We have an SRX device. I need to configure 3 zones (Trust, Untrust, DMZ), and each zone will have one interface in inet6. The DMZ is for a DNS IPv6 server, Untrust is for the Internet and Trust is for the LAN (IPv6 also). Second, I will maybe need a trunk interface for inet6. Please, if you have any trivial example of this conf, send it.

Thanks
Martin
IT staff
Re: [j-nsp] SRX-3600 Rate limit
Atif,

I put this together to limit iTunes traffic to 1mb. Use a firewall filter to police the traffic (I did specify www.apple.com but it resolved the address automatically; this may be an issue when round-robin DNS happens). You can be more specific (i.e. port 80 etc.) but I was just checking base functionality.

    firewall {
        policer Apple {
            if-exceeding {
                bandwidth-limit 1m;
                burst-size-limit 50k;
            }
            then discard;
        }
        filter Apple-Rate-Limit {
            term 1 {
                from {
                    destination-address {
                        184.85.45.15/32;
                    }
                }
                then {
                    policer Apple;
                    accept;
                }
            }
            term 2 {
                then accept;
            }
        }
    }

Then add the filter to an interface (this is my trust interface):

    fe-0/0/7 {
        unit 0 {
            family inet {
                filter {
                    input-list Apple-Rate-Limit;
                }
                address 192.168.200.238/24;
            }
        }
    }

--Ben

On Tue, Nov 30, 2010 at 10:11 AM, atif naeem col.a...@gmail.com wrote:
> Hi folks,
> Can anyone tell me how to implement rate limiting on an SRX-3600? I have Junos version 10.0R2.10. I want to restrict a user to 1mb.
> BR
> Atif Naeem
[j-nsp] How to connect the SSG500M to a switch 2900 cisco
Hello,

I am new to this mailing list, but I need to know how to connect the firewall to a Cisco switch. Do I need to configure trunk mode on the Cisco switch? I am new to Juniper and Cisco equipment and I have been trying to find the configuration on the Internet, but until now I don't have that information.

Hope you can help me.

Kind regards
c...@rm@N TCoor
jfcm...@yahoo.com.mx
Re: [j-nsp] How to connect the SSG500M to a switch 2900 cisco
Hey Juan,

It depends on whether you want to pass multiple VLANs to the switch or have it as a flat VLAN. If you need more than one VLAN then yes, the switch must be set up as a trunk port, but if you only need one VLAN then you can set up the switch as an access port.

On the SSG500 you define a physical port to be used as a trunk by creating sub-interfaces or units, depending on whether you're using ScreenOS or Junos:

    SSG ethernet1/1          connect to Cisco
    SSG ethernet1/1.100  =   vlan 100
    SSG ethernet1/1.200  =   vlan 200

Now you can assign a switch port on your Cisco to be in, say, VLAN 100 and define it as an access port.

Hope this helps,
-Payam

Juan Cardoza wrote:
> Hello,
> I am new to this mailing list, but I need to know how to connect the firewall to a Cisco switch. Do I need to configure trunk mode on the Cisco switch? I am new to Juniper and Cisco equipment and I have been trying to find the configuration on the Internet, but until now I don't have that information.
> Hope you can help me.
> Kind regards
> c...@rm@N TCoor
> jfcm...@yahoo.com.mx
Re: [j-nsp] SRX and IPv6
Martin,

I am running an IPv6 tunnel from Hurricane Electric's Tunnelbroker on my SRX 210 (10.3R1.9) with no issues. The IPv6 configuration is similar to IPv4 on your SRX. Here are some examples off my SRX; hope it helps, more/better stuff out on Google.

    # My inside interface, dual-stack
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.0.1/24;
                }
                family inet6 {
                    address 2001:470:5:fff::1/64;
                }
            }
        }
        # IPv6 tunnel interface to Hurricane Electric
        ip-0/0/0 {
            unit 0 {
                tunnel {
                    source 98.1.2.4;
                    destination 209.1.2.4;
                }
                family inet6 {
                    address 2001:470:4:fff::2/64;
                }
            }
        }
    }

    # IPv6 default route
    routing-options {
        rib inet6.0 {
            static {
                route ::/0 next-hop 2001:470:4:fff::1;
            }
        }
    }

    # For zones, just add the interface under the security-zone section like normal IPv4.
    # Also under the security section, add in IPv6 forwarding, then reboot (check out
    # http://blog.kramse.org/blojsom/blog/default/IPv6/Juniper-SRX210-Junos-10-2-flow-based-IPv6-forwarding?smm=y)
    security {
        zones {
            security-zone trust {
                tcp-rst;
                address-book {
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                ping;
                            }
                        }
                    }
                }
            }
        }
        forwarding-options {
            family {
                inet6 {
                    mode packet-based;
                }
            }
        }
    }

--Matt

On Tue, Nov 30, 2010 at 2:38 PM, martin papik pa...@utia.cas.cz wrote:
> Hi,
> We have an SRX device. I need to configure 3 zones (Trust, Untrust, DMZ), and each zone will have one interface in inet6. The DMZ is for a DNS IPv6 server, Untrust is for the Internet and Trust is for the LAN (IPv6 also). Second, I will maybe need a trunk interface for inet6. Please, if you have any trivial example of this conf, send it.
> Thanks
> Martin
> IT staff
[j-nsp] Files tcpdump of Junos on Wireshark.
Hi guys,

I was testing the hidden command of Junos, "monitor traffic write-file name_files interface xx-X/X/X". In theory, this file is in tcpdump format, but when I try to view it with Wireshark, it doesn't show me the details of the packet. I see that Wireshark detects a "juniper" protocol; I don't know how to decode this part, or maybe I need a particular library for Wireshark. Has someone used this command?

Thanks for all.

Best regards,
--
David.
Re: [j-nsp] Files tcpdump of Junos on Wireshark.
On Tue, Nov 30, 2010 at 08:47:10PM -0500, David Lockuan wrote:
> Hi guys,
> I was testing the hidden command of Junos, "monitor traffic write-file name_files interface xx-X/X/X". In theory, this file is in tcpdump format, but when I try to view it with Wireshark, it doesn't show me the details of the packet.

Try adding the size parameter:

    monitor traffic size 1500 ...
[j-nsp] Angry EX (STP?)
Hello,

We have three EX4500s in the following configuration:

    EX4500#1 --- EX4500#2 --- EX4500#3
                     |    |
                    MX80 (router)

We are observing xe-0/0/16 on EX#2, facing the EX#1 site, having its port blocked and unblocked over and over (see log below). I'd prefer to disable STP, RSTP, LLDP and LLDP-MED, but if I do we see blocking as well. We are only using point-to-point VLANs and there is no physical possibility of an L2 loop. I have deleted the STP statement, and suspect RSTP has taken over.

Any ideas as to how to stabilize (or eliminate) our STP, RSTP, LLDP, LLDP-MED environment?

Thanks in advance!
CB.

Log snip (yes, it is still Aug 25th in our world. Will fix. ;-)

    Aug 25 12:09:37 ALBQ_EX4500 init: lldpd-service (PID 20934) started
    Aug 25 12:09:39 ALBQ_EX4500 lldp[20934]: TASK_TASK_BEGIN: Commencing virtual chassis control daemon, version 10.3R1.9, built builder by 2010-08-13 12:56:38 UTC
    Aug 25 12:09:39 ALBQ_EX4500 /kernel:
    Aug 25 12:09:39 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 536, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/16
    Aug 25 12:10:05 ALBQ_EX4500 last message repeated 7 times
    Aug 25 12:12:06 ALBQ_EX4500 last message repeated 348 times
    Aug 25 12:13:14 ALBQ_EX4500 last message repeated 288 times
    Aug 25 12:13:19 ALBQ_EX4500 mgd[19934]: UI_DBASE_LOGOUT_EVENT: User 'xx' exiting configuration mode
    Aug 25 12:13:36 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 536, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/16
    Aug 25 12:14:04 ALBQ_EX4500 last message repeated 20 times
    Aug 25 12:16:06 ALBQ_EX4500 last message repeated 61 times
    Aug 25 12:26:05 ALBQ_EX4500 last message repeated 1679 times
    Aug 25 12:35:42 ALBQ_EX4500 last message repeated 1419 times
    Aug 25 12:40:15 ALBQ_EX4500 last message repeated 356 times
    Aug 25 12:40:15 ALBQ_EX4500 mgd[19934]: UI_DBASE_LOGIN_EVENT: User 'xx' entering configuration mode
    Aug 25 12:40:15 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 536, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/16
    Aug 25 12:40:21 ALBQ_EX4500 last message repeated 10 times
    Aug 25 12:41:06 ALBQ_EX4500 last message repeated 2 times
    Aug 25 12:41:07 ALBQ_EX4500 mgd[19934]: UI_CHILD_EXITED: Child exited: PID 20977, status 1, command '/sbin/ifinfo'
    Aug 25 12:41:11 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 536, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/16
    Aug 25 12:41:11 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 536, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/16
    Aug 25 12:41:12 ALBQ_EX4500 mgd[19934]: UI_CHILD_EXITED: Child exited: PID 20979, status 1, command '/sbin/ifinfo'
    Aug 25 12:41:15 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 536, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/16
    Aug 25 12:41:35 ALBQ_EX4500 last message repeated 16 times
    Aug 25 12:41:36 ALBQ_EX4500 mgd[19934]: UI_DBASE_LOGOUT_EVENT: User 'xx' exiting configuration mode
    Aug 25 12:41:37 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 536, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/16
    Aug 25 12:42:06 ALBQ_EX4500 last message repeated 60 times
    Aug 25 12:42:28 ALBQ_EX4500 last message repeated 85 times
    Aug 25 12:42:29 ALBQ_EX4500 mgd[19934]: UI_DBASE_LOGIN_EVENT: User 'xx' entering configuration mode
    Aug 25 12:42:29 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 536, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/16
    Aug 25 12:42:35 ALBQ_EX4500 last message repeated 32 times
    Aug 25 12:43:07 ALBQ_EX4500 last message repeated 135 times
    Aug 25 12:43:07 ALBQ_EX4500 mgd[19934]: UI_DBASE_LOGOUT_EVENT: User 'xx' exiting configuration mode
    Aug 25 12:43:07 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 536, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/16
    Aug 25 12:43:35 ALBQ_EX4500 last message repeated 104 times
Re: [j-nsp] SRX-3600 Rate limit
Hi Ben,

I configured as per the given configuration, but I am getting a message that this is not supported on the SRX-3600:

    policer rate-limit-1mb {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 124k;
        }
        then discard;
    }
    filter test {
        term 1 {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                ##
                ## Warning: statement ignored: unsupported platform (srx3600)
                ##
                policer rate-limit-1mb;
                accept;
            }
        }
    }

BR
Atif Naeem

On Wed, Dec 1, 2010 at 2:46 AM, DeathPacket deathpac...@gmail.com wrote:
> Atif,
>
> I put this together to limit iTunes traffic to 1mb. Use a firewall filter to police the traffic (I did specify www.apple.com but it resolved the address automatically; this may be an issue when round-robin DNS happens). You can be more specific (i.e. port 80 etc.) but I was just checking base functionality.
>
>     firewall {
>         policer Apple {
>             if-exceeding {
>                 bandwidth-limit 1m;
>                 burst-size-limit 50k;
>             }
>             then discard;
>         }
>         filter Apple-Rate-Limit {
>             term 1 {
>                 from {
>                     destination-address {
>                         184.85.45.15/32;
>                     }
>                 }
>                 then {
>                     policer Apple;
>                     accept;
>                 }
>             }
>             term 2 {
>                 then accept;
>             }
>         }
>     }
>
> Then add the filter to an interface (this is my trust interface):
>
>     fe-0/0/7 {
>         unit 0 {
>             family inet {
>                 filter {
>                     input-list Apple-Rate-Limit;
>                 }
>                 address 192.168.200.238/24;
>             }
>         }
>     }
>
> --Ben
>
> On Tue, Nov 30, 2010 at 10:11 AM, atif naeem col.a...@gmail.com wrote:
>> Hi folks,
>> Can anyone tell me how to implement rate limiting on an SRX-3600? I have Junos version 10.0R2.10. I want to restrict a user to 1mb.
>> BR
>> Atif Naeem
Re: [j-nsp] Files tcpdump of Junos on Wireshark.
On 11/30/2010 8:47 PM, David Lockuan wrote:
> Hi guys,
> I was testing the hidden command of Junos, "monitor traffic write-file name_files interface xx-X/X/X". In theory, this file is in tcpdump format, but when I try to view it with Wireshark, it doesn't show me the details of the packet. I see that Wireshark detects a "juniper" protocol; I don't know how to decode this part, or maybe I need a particular library for Wireshark. Has someone used this command?
> Thanks for all.
> Best regards,

I vaguely recall having to use a non-default sample size (in bytes). If the resulting output consists of sufficiently small packet sizes, the only details typically left to decode are the L2-L4 headers.
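The two replies above both point at the snapshot length: a capture written with a small per-packet size keeps only the first bytes of each frame, which is why the dissector has nothing beyond the headers to show. The Python below is an added example, not code from the thread or from Juniper; it builds a small pcap file in memory from constructed frames (the 96-byte snapshot and the 60- and 1514-byte frames are constructed values), then parses the pcap headers to report how many records were cut short and what snapshot length would have captured the largest frame. It uses only the classic pcap layout (24-byte global header, 16-byte record headers) and libpcap's published link-type numbers; the function names are my own.

```python
import struct

# libpcap link-layer type numbers for the two link types relevant here
# (values from libpcap's dlt.h). A Junos "monitor traffic write-file"
# capture carries a Juniper-specific header, which is what Wireshark
# labels as the "juniper" protocol.
LINKTYPE_NAMES = {1: "EN10MB", 238: "JUNIPER_ETHER"}

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution classic pcap
GLOBAL_HDR = "IHHiIII"           # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"              # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(frames, snaplen=96, linktype=1, endian="<"):
    """Write a classic pcap file into a bytes object.

    Each record keeps only the first `snaplen` bytes of its frame, while
    orig_len records the frame's true length: exactly what a capture made
    with a small snapshot length looks like on disk.
    """
    out = bytearray(struct.pack(endian + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, linktype))
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # constructed timestamps: one second apart, epoch seconds
        out += struct.pack(endian + RECORD_HDR, 1291100000 + i, 0,
                           len(captured), len(frame))
        out += captured
    return bytes(out)


def inspect_pcap(blob):
    """Parse pcap headers only and summarise snapshot truncation."""
    if len(blob) < 24:
        raise ValueError("too short for a pcap global header")
    magic = blob[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"                 # little-endian writer
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"                 # big-endian writer
    else:
        raise ValueError("not a classic pcap file (magic %s)" % magic.hex())
    _, major, minor, _, _, snaplen, linktype = struct.unpack(
        endian + GLOBAL_HDR, blob[:24])

    records = []
    offset = 24
    while offset + 16 <= len(blob):
        _, _, incl_len, orig_len = struct.unpack(
            endian + RECORD_HDR, blob[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(blob):
            raise ValueError("record data runs past end of file at %d" % offset)
        records.append((incl_len, orig_len))
        offset += incl_len           # skip the packet bytes themselves

    truncated = sum(1 for incl, orig in records if incl < orig)
    return {
        "version": (major, minor),
        "linktype": linktype,
        "linktype_name": LINKTYPE_NAMES.get(linktype, "unknown"),
        "snaplen": snaplen,
        "packets": len(records),
        "truncated": truncated,
        "largest_frame": max((orig for _, orig in records), default=0),
    }


def recommend_snaplen(info):
    """None when every record is complete; otherwise the snapshot length
    that would have kept the largest frame seen in full."""
    if info["truncated"] == 0:
        return None
    return info["largest_frame"]


def demo_capture():
    """Constructed capture: one 60-byte frame and one full-size 1514-byte
    Ethernet frame, written with a 96-byte snapshot."""
    return build_pcap([bytes(60), bytes(1514)], snaplen=96, linktype=1)


if __name__ == "__main__":
    info = inspect_pcap(demo_capture())
    print(info)
    print("suggested snapshot length:", recommend_snaplen(info))
```

Run against a real file, `inspect_pcap(open(path, "rb").read())` tells you before opening Wireshark whether the capture was made with too small a snapshot; a non-zero `truncated` count with a `snaplen` close to the header size is the symptom described in this thread.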
Re: [j-nsp] Angry EX (STP?)
CB,

> Aug 25 12:13:36 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 536, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/16
> Aug 25 12:14:04 ALBQ_EX4500 last message repeated 20 times
> Aug 25 12:16:06 ALBQ_EX4500 last message repeated 61 times
> Aug 25 12:26:05 ALBQ_EX4500 last message repeated 1679 times
> Aug 25 12:35:42 ALBQ_EX4500 last message repeated 1419 times
> Aug 25 12:40:15 ALBQ_EX4500 last message repeated 356 times

This does not look at all like an issue with xSTP. It's simply link flaps, most probably due to a damaged fibre run. xSTP never takes down links, and blocking looks different. Check your signal strengths (try "show interfaces diagnostics optics"; not sure if that works on the EXes yet).

Kind regards,
Felix

--
Felix Schüren
Head of Network
Host Europe GmbH - http://www.hosteurope.de
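Felix's reading rests on one observation: the log shows SNMP_TRAP_LINK_DOWN repeating thousands of times, i.e. the physical link going down, not a port being blocked by spanning tree. The following Python is an added example, not code from the thread; it turns that observation into a check that can run over a syslog export. It expands Junos' "last message repeated N times" lines, which refer to the previous message from the same host and so only count as link-downs when that previous message was itself a link-down trap, and reports per-interface totals and rates. The sample log is constructed from a subset of CB's lines plus two constructed additions (a "repeated" line following a configuration-mode event, to exercise that rule, and a second interface, xe-0/0/20); the year is assumed to be 2010 because syslog timestamps carry none, and the function names and the flap threshold are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the lines CB posted, plus a "repeated" line
# after a non-link event and a second (constructed) interface, xe-0/0/20.
SAMPLE_LOG = """\
Aug 25 12:09:39 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 536, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/16
Aug 25 12:10:05 ALBQ_EX4500 last message repeated 7 times
Aug 25 12:12:06 ALBQ_EX4500 last message repeated 348 times
Aug 25 12:13:19 ALBQ_EX4500 mgd[19934]: UI_DBASE_LOGOUT_EVENT: User 'xx' exiting configuration mode
Aug 25 12:13:25 ALBQ_EX4500 last message repeated 2 times
Aug 25 12:13:36 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 536, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/16
Aug 25 12:14:04 ALBQ_EX4500 last message repeated 20 times
Aug 25 12:14:10 ALBQ_EX4500 mib2d[861]: SNMP_TRAP_LINK_DOWN: ifIndex 540, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/20
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
LINK_DOWN_RE = re.compile(r"SNMP_TRAP_LINK_DOWN: .*\bifName (?P<ifname>\S+)")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")


def parse_timestamp(ts, year=2010):
    """Syslog timestamps have no year; the caller supplies one (assumed 2010)."""
    return datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")


def link_down_events(log_text):
    """Map (host, ifname) -> list of (timestamp, count) link-down events.

    A "last message repeated N times" line repeats whatever the same host
    logged last, so it contributes N link-downs only when that previous
    message was a SNMP_TRAP_LINK_DOWN; after any other message it is ignored.
    """
    events = defaultdict(list)
    previous = {}  # host -> (host, ifname) if its last message was a link-down, else None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        when = parse_timestamp(m["ts"])
        down = LINK_DOWN_RE.search(msg)
        repeat = REPEAT_RE.match(msg)
        if down:
            key = (host, down["ifname"])
            events[key].append((when, 1))
            previous[host] = key
        elif repeat:
            key = previous.get(host)
            if key is not None:
                events[key].append((when, int(repeat["n"])))
            # a repeat line leaves "previous" unchanged, so repeats can chain
        else:
            previous[host] = None
    return dict(events)


def flap_summary(events, flap_threshold=10):
    """Per interface: total link-downs, seconds spanned, downs per minute,
    and a verdict against a (constructed) threshold of link-downs."""
    summary = {}
    for key, items in events.items():
        total = sum(n for _, n in items)
        first = min(t for t, _ in items)
        last = max(t for t, _ in items)
        span = (last - first).total_seconds()
        per_minute = total / max(span / 60.0, 1.0)   # avoid dividing by zero
        summary[key] = {
            "total": total,
            "span_seconds": span,
            "per_minute": round(per_minute, 1),
            "flapping": total >= flap_threshold,
        }
    return summary


if __name__ == "__main__":
    for (host, ifname), s in sorted(flap_summary(link_down_events(SAMPLE_LOG)).items()):
        verdict = "FLAPPING" if s["flapping"] else "ok"
        print("%s %-10s %5d link-downs over %4.0fs (%.1f/min) %s"
              % (host, ifname, s["total"], s["span_seconds"], s["per_minute"], verdict))
```

Against the full log CB posted the same logic gives a count in the thousands for xe-0/0/16 within half an hour, which is the signature of a physical layer problem rather than of a topology change; an STP-blocked port would stay administratively and operationally up and log no link-down trap at all.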