Re: [j-nsp] console switch to access juniper devices
Experts, now I can share with you the solution for the OpenGear CM4148 that could help someone (at least it helped me).

First of all, the OpenGear console needs to be upgraded to the latest stable firmware; now it's 3.5.2u11. Then just apply the following to both your console and TACACS server configuration. All admin users will get full access to all management options and to all ports.

tac_plus.conf:

    group = some-group {
        # default reverse-telnet-based access devices like consoles
        service = raccess {
            groupname = admin
            # you may want to use groupname = users in the case you need to restrict access to mgmt functions
        }
    }
    # you need to assign specific user(s) to the group described above

CM console CLI:

    config -s config.auth.tacacs.acct_server=10.10.10.10,10.10.20.20
    config -s config.auth.tacacs.auth_method=login
    config -s config.auth.tacacs.auth_server=10.10.10.10,10.10.20.20
    config -s config.auth.tacacs.password=YourTacacsServerKeyHere
    config -s config.auth.type=TACACSDownLocal
    config -s config.auth.useremotegroups=on

You may want to limit session time:

    config -s config.auth.cli.sessionlifetime=20
    config -s config.auth.pmshell.sessionlifetime=20
    config -s config.auth.sessionlifetime=20

Issue this command in the end:

    config -a

Thanks to OpenGear tech support!

On 2 April 2012 11:35, Alexey Lanetskiy lanets...@gmail.com wrote:
> Experts, I'm sorry for the offtopic, but could you please tell how you use TACACS+ auth on these shiny bright OpenGear consoles? I found the tac+ setup pretty unusable there and have to use local auth. A working part of the config of the tac_plus system would be highly appreciated.
>
> p.s. here goes what I've tried; it works, but up to the point of having 1-2 consoles:
>
>     group = some-group {
>     ...
>         # default reverse-telnet-based access devices like consoles
>         service = raccess {
>             priv-lvl = 15
>             # OpenGear CM4148
>             port0101 = opengear-console01/port01
>             ...and so on; OpenGear does lose the TACACS connection when the number of lines like this goes over 100 or 200...
>         }
>     }
>
> Seems like there is a command to allow access to any port on any device, but I missed it.
>
> On 31 March 2012 21:31, Misha Gzirishvili misha.gzirishv...@gmail.com wrote:
>> Opengear is our console server of choice :-) It has all the features we want and is stable.
>>
>> On Mar 31, 2012 7:52 PM, Sachin Rai sachinrai1...@hotmail.com wrote:
>>> Thank you everyone for sharing your thoughts. They will really help me.
>>>
>>> Date: Fri, 30 Mar 2012 21:33:25 -0400
>>> From: ja...@freedomnet.co.nz
>>> To: a...@eldamar.org.uk
>>> CC: juniper-nsp@puck.nether.net
>>> Subject: Re: [j-nsp] console switch to access juniper devices
>>>
>>> Digi work pretty well. No need for the dongle.
>>>
>>> On Fri, Mar 30, 2012 at 7:38 PM, Alexander Frolkin a...@eldamar.org.uk wrote:
>>>> > We went with OpenGear, it is inexpensive and has all the features we need.
>>>>
>>>> We also went with OpenGear. Another advantage is that the company is very responsive to queries and feature requests. They implemented several features for us (in a matter of weeks --- with any other company this would probably have taken years) and they're now in the production release. As far as I understand, they also allow you to put custom firmware on their boxes without voiding the warranty (although we were pretty happy with the OpenGear firmware).
>>>>
>>>> Alex

--
wbr, Alexey Lanetskiy.
cell: +7 931 256 56 31
skype: lanetskey
___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
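As an added example (not from the thread and not OpenGear's or tac_plus's own code), a small Python check over a tac_plus.conf that covers the two points raised above: which groups hand out groupname = admin in their raccess service (full access to all management functions and all ports, where groupname = users would restrict management functions) and how many per-port lines a group carries, the form that was reported to break past roughly 100-200 lines. The sample config, the group names and the 100-line threshold are constructed.

```python
import re

# Constructed sample: "netops" uses the groupname form, "legacy" the per-port form.
SAMPLE_CONF = """
group = netops {
    service = raccess {
        groupname = admin
    }
}
group = legacy {
    service = raccess {
        port0101 = opengear-console01/port01
        port0102 = opengear-console01/port02
    }
}
"""
GROUP_RE = re.compile(r"group\s*=\s*(\S+)\s*\{")
RACCESS_RE = re.compile(r"service\s*=\s*raccess\s*\{")
GROUPNAME_RE = re.compile(r"groupname\s*=\s*(\S+)")
PORT_RE = re.compile(r"port\d+\s*=\s*\S+/\S+$")   # portNNNN = device/port

def parse_raccess(conf):
    """Per group: the raccess groupname (if any) and the count of per-port lines."""
    groups, group, depth, in_raccess = {}, None, 0, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        m = GROUP_RE.match(line)
        if m and depth == 0:                      # entering a group block
            group = m.group(1)
            groups[group] = {"groupname": None, "ports": 0}
        elif RACCESS_RE.match(line) and group:    # entering its raccess service
            in_raccess = True
        elif in_raccess:
            g = GROUPNAME_RE.match(line)
            if g:
                groups[group]["groupname"] = g.group(1)
            elif PORT_RE.match(line):
                groups[group]["ports"] += 1
        depth += line.count("{") - line.count("}")
        in_raccess = in_raccess and depth > 1     # a closing brace ends the service
        group = group if depth > 0 else None      # or the whole group
    return groups

def audit(conf, max_ports=100):
    out = []
    for name, info in parse_raccess(conf).items():
        if info["groupname"] == "admin":
            out.append(f"{name}: groupname=admin grants every member full management access and all ports; groupname=users restricts mgmt functions")
        if info["ports"] > max_ports:
            out.append(f"{name}: {info['ports']} per-port lines exceed {max_ports}; the thread reports OpenGear dropping TACACS past ~100-200")
    return out
```

Point it at a real file with `audit(open("tac_plus.conf").read())`; the findings list is empty when no group hands out admin and every group stays under the threshold.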
Re: [j-nsp] CGN ob MX5?
Recently I have heard so many times about CGN, but I still don't understand what the difference between NAT and CGN is. Can any expert explain what CGN is?

2012/4/12 Saku Ytti s...@ytti.fi
> On (2012-04-12 16:31 +0200), Matthias Brumm wrote:
>> I would like to know if no, some or all implementations of CGN will be working on a MX5?
>
> This seems within the realm of possibility (1 IPv6 statically to 1 IPv4) for Trio. But if you know you will need CGN, I would assume that the MX5 will never get it; this way you'll avoid disappointment and possibly the need for another box while waiting for the needed feature to appear.
>
> NAPT (port based, n-to-1) is not possible as far as I understand on Trio; then you'd need some service slot behind it, which I would also assume never to exist when making the purchase decision.
>
> --
> ++ytti
Re: [j-nsp] CGN ob MX5?
On (2012-04-13 15:20 +0800), Xu Hu wrote:
> Recently I have heard so many times about CGN, but I still don't understand what the difference between NAT and CGN is. Can any expert explain what CGN is?

That is a good question :). I think it's just marketing for doing NAT at very high scale, regardless of how the NAT is done. Usually with CGN it is implied that you are addressing the problem of address exhaustion.

And whenever it is 1-to-1, Trio should be able to do it technically, but n-to-1 isn't going to fly without additional hardware. Even IPv6 to IPv4 I think should be doable in Trio, like when the IPv6 DADDR has the embedded IPv4 address of an IPv4-only host; I think that could be implementable in Trio.

But never buy anything if you can't deploy it today in a long-term supported software release. Otherwise consider the feature non-existent. Which is the case for CGN and MX5.

--
++ytti
Re: [j-nsp] CGN ob MX5?
CGN used to be known as / is also known as Large Scale NAT (LSN).

Compare this http://tools.ietf.org/html/draft-nishitani-cgn-01 and this http://tools.ietf.org/html/draft-ietf-behave-lsn-requirements-05

Same IETF draft, different versions.

- Original Message -
From: Xu Hu jstuxuhu0...@gmail.com
To: Saku Ytti s...@ytti.fi
Cc: juniper-nsp@puck.nether.net
Sent: Friday, April 13, 2012 8:20 AM
Subject: Re: [j-nsp] CGN ob MX5?

> Recently I have heard so many times about CGN, but I still don't understand what the difference between NAT and CGN is. Can any expert explain what CGN is?
Re: [j-nsp] CGN ob MX5?
Hi!

We have bought our MX5, so this was rather a question to look at what this box is also able to do. At the moment we do not have the need for CGN, and if we do, I now understand that we have to look for a new solution.

Regards,
Matthias

On 13 April 2012 09:30, Alex Arseniev alex.arsen...@gmail.com wrote:
> CGN used to be known as / is also known as Large Scale NAT (LSN).
Re: [j-nsp] CGN ob MX5?
This might also help.

http://www.juniper.net/us/en/local/pdf/implementation-guides/8010076-en.pdf

When testing CGN, there are some general things to keep in mind:

1. Application/Functionality. How do standard applications function behind the double NAT?
2. Performance and scale. What's the load on the service PIC? How many subs can you expect to NAT behind a single service PIC? At what point do you need to throw extra hardware at it?
3. Placement. Where in your network do you place CGN? BNG/BRAS? Regional aggregation? Core aggregation? How do you separate dedicated Internet and business customers from subscribers? Depending on how far upstream your chosen placement might be, how do you handle dual egress?
4. Logging/tracking subs. How can we log and track each individual subscriber all NATting behind a single address? How verbose does that logging need to be? There are some nice knobs in 11.2 that specifically address some of these issues.

-b

On Fri, Apr 13, 2012 at 12:20 AM, Xu Hu jstuxuhu0...@gmail.com wrote:
> Recently I have heard so many times about CGN, but I still don't understand what the difference between NAT and CGN is. Can any expert explain what CGN is?

--
Bill Blackford
Network Engineer

Logged into reality and abusing my sudo privileges.
Re: [j-nsp] Capturing/displaying contents of incoming packets
Here is a full link to what Saku is referring to:

http://juniper.cluepon.net/Remote_port-mirror

---
Ben Boyd
b...@sinatranetwork.com
http://about.me/benboyd

On Apr 12, 2012, at 7:02 PM, Saku Ytti wrote:
> Setup a GRE tunnel towards your *nix box (no need to config the tunnel in *nix) and mirror packets to the tunnel.
Re: [j-nsp] Capturing/displaying contents of incoming packets
Tom,

Why not just use monitor interface? I have used it in the past and it's a tcpdump-like output.

http://www.juniper.net/techpubs/en_US/junos10.2/topics/reference/command-summary/monitor-interface.html

On Fri, Apr 13, 2012 at 10:56 AM, Ben Boyd b...@sinatranetwork.com wrote:
> Here is a full link to what Saku is referring to:
>
> http://juniper.cluepon.net/Remote_port-mirror
>
> On Apr 12, 2012, at 7:02 PM, Saku Ytti wrote:
>> Setup a GRE tunnel towards your *nix box (no need to config the tunnel in *nix) and mirror packets to the tunnel.

--
It has to start somewhere, it has to start sometime. What better place than here? What better time than now?
Re: [j-nsp] Capturing/displaying contents of incoming packets
On 13/04/12 16:11, Jose Madrid wrote:
> Tom,
>
> Why not just use monitor interface? I have used it in the past and it's a tcpdump-like output.

That just shows control-plane packets. Remote mirroring shows data-plane packets too. Which is appropriate will, of course, depend on your needs.
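An added example (not from the thread, not Juniper's or cluepon's code) of the *nix side of the remote port-mirror Saku describes: the capture host has no tunnel configured, so whatever reads the mirrored traffic has to strip the outer IPv4 and GRE headers itself (GRE flag layout per RFC 2784/2890: optional checksum, key and sequence fields) before it can look at the inner data-plane packet, the traffic that monitor interface alone does not show. The sample packet, its addresses and the key value are constructed.

```python
import struct

GRE_PROTO = 47          # IPv4 protocol number carried in the outer header

def decap_gre(pkt):
    """Strip outer IPv4 + GRE; return (outer_src, outer_dst, ptype, inner).
    ptype is the GRE protocol type (0x0800 = IPv4 inside)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                      # outer header length
    if pkt[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % pkt[9])
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    gre = pkt[ihl:]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", gre[:4])
    off = 4
    if flags & 0x8000:                             # C bit: checksum + reserved1
        off += 4
    if flags & 0x2000:                             # K bit: key
        off += 4
    if flags & 0x1000:                             # S bit: sequence number
        off += 4
    if len(gre) < off:
        raise ValueError("truncated GRE optional fields")
    return src, dst, ptype, gre[off:]

def inner_ipv4_summary(inner):
    """Minimal view of the mirrored packet: src, dst, protocol, total length."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner payload is not IPv4")
    return {"src": ".".join(str(b) for b in inner[12:16]),
            "dst": ".".join(str(b) for b in inner[16:20]),
            "proto": inner[9], "length": struct.unpack("!H", inner[2:4])[0]}

def build_sample():
    """Constructed: router 192.0.2.1 -> capture host 192.0.2.2, GRE with key
    1000, carrying a 28-byte IPv4/UDP packet 198.51.100.7 -> 198.51.100.8:53."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        bytes([198, 51, 100, 7]), bytes([198, 51, 100, 8]))
    inner += struct.pack("!HHHH", 40000, 53, 8, 0)  # UDP header, no payload
    gre = struct.pack("!HHI", 0x2000, 0x0800, 1000)  # K flag set, IPv4 inside
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner),
                        0, 0, 64, GRE_PROTO, 0,
                        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return outer + gre + inner
```

On a live host the same two functions apply to the bytes of each IP packet read from a raw socket or a pcap; anything whose outer protocol is not 47 is simply not mirrored traffic and is rejected.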