[j-nsp] Security-flow TCP idle timeout at SRX
Hi,

I have an issue with one of our applications. We have two security zones: LAN and Servers. Computers from LAN are connecting to Servers on port TCP/2020 (it's a CTI application). Users reported that they have to re-logon due to an idle timeout. I checked the security logs on the SRX and the sessions were disconnected due to the TCP idle-timeout, whose default is 30 minutes. How can I increase this timeout for TCP/2020 connections? Will the configuration below be sufficient?

    security {
        policies {
            from-zone lan to-zone servers {
                policy 1 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
            }
            from-zone servers to-zone lan {
                policy 1 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
            }
        }
    }
    applications {
        application myapp {
            protocol tcp;
            destination-port 2020;
            inactivity-timeout 10;
        }
    }

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] juniper ex9200
Hi,

Does someone know something about this box? GPL price, how many 10G ports on a line card without oversubscription? Size of memory buffers per port? Latency? Which features will be removed compared to the MX?

Regards,
Piotr
Re: [j-nsp] Quick way to delete multiple licenses on SRX
If we park the fact that this is for training courses here, I still need an answer to how I would do this on an SRX. :) So the problem exists and I am just looking to see if we can find an answer.

On 1 February 2013 11:31, Eugeniu Patrascu eu...@imacandi.net wrote:
> On Thu, Jan 31, 2013 at 9:00 PM, Mark Menzies m...@deimark.net wrote:
>> If I enforced that, I would be training an empty room. :)
>
> I wouldn't bet on it and you might go ahead and try it. I also do training and have licenses for every feature (not on Juniper, by the way) on the equipment and if the students ask, I tell them that since it is training equipment they have all the licenses and that's that. No confusion, no nothing.
>
> I might be wrong, but I think you're trying to solve a non-existing problem :)
>
> Cheers,
> Eugeniu
[j-nsp] OAM over LAG
Has anybody implemented OAM over an Ethernet LAG configured on an EX4200 virtual chassis?

I saw this link, which seems related to MX and not EX:
http://www.juniper.net/techpubs/en_US/junos11.1/topics/example/layer-2-802-1ah-ethernet-oam-lfm-example-for-aggregated-ethernet-mx-solutions.html

Any examples? How does it work if one of the links making up the LAG has problems (like CRC errors, flapping, etc.)? Do I need only LFM to declare the link down if it has errors?

Tks
Re: [j-nsp] Quick way to delete multiple licenses on SRX
-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Mark Menzies
Sent: Friday, February 01, 2013 7:04 AM
To: Eugeniu Patrascu
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Quick way to delete multiple licenses on SRX

> If we park the fact that this is for training courses here, I still need an answer to how I would do this on an SRX. :) So the problem exists and I am just looking to see if we can find an answer.

Does the *shudder* web GUI offer a way to do this?

-evt
Re: [j-nsp] Quick way to delete multiple licenses on SRX
Is it feasible to make multiple copies of the CF card for each router (dd style), customise each copy with the licenses required for a given class, then swap CFs depending on the class? What's more expensive or valuable, your time, or a bunch of CF cards? :-)

On 1 February 2013 13:03, Mark Menzies m...@deimark.net wrote:
> If we park the fact that this is for training courses here, I still need an answer to how I would do this on an SRX. :) So the problem exists and I am just looking to see if we can find an answer.
>
> On 1 February 2013 11:31, Eugeniu Patrascu eu...@imacandi.net wrote:
>> On Thu, Jan 31, 2013 at 9:00 PM, Mark Menzies m...@deimark.net wrote:
>>> If I enforced that, I would be training an empty room. :)
>>
>> I wouldn't bet on it and you might go ahead and try it. I also do training and have licenses for every feature (not on Juniper, by the way) on the equipment and if the students ask, I tell them that since it is training equipment they have all the licenses and that's that. No confusion, no nothing.
>>
>> I might be wrong, but I think you're trying to solve a non-existing problem :)
>>
>> Cheers,
>> Eugeniu
Re: [j-nsp] Quick way to delete multiple licenses on SRX
That could potentially work but is a mighty big hammer to solve a small problem. :) I don't have a problem putting the licenses on the boxes, it's just the removal that's a pain. I suspect I am asking for the impossible and not sure I want to bother with an ER.

Sent from my mobile device

On 1 Feb 2013, at 16:59, Tom Storey t...@snnap.net wrote:
> Is it feasible to make multiple copies of the CF card for each router (dd style), customise each copy with the licenses required for a given class, then swap CFs depending on the class? What's more expensive or valuable, your time, or a bunch of CF cards? :-)
>
> On 1 February 2013 13:03, Mark Menzies m...@deimark.net wrote:
>> If we park the fact that this is for training courses here, I still need an answer to how I would do this on an SRX. :) So the problem exists and I am just looking to see if we can find an answer.
>>
>> On 1 February 2013 11:31, Eugeniu Patrascu eu...@imacandi.net wrote:
>>> On Thu, Jan 31, 2013 at 9:00 PM, Mark Menzies m...@deimark.net wrote:
>>>> If I enforced that, I would be training an empty room. :)
>>>
>>> I wouldn't bet on it and you might go ahead and try it. I also do training and have licenses for every feature (not on Juniper, by the way) on the equipment and if the students ask, I tell them that since it is training equipment they have all the licenses and that's that. No confusion, no nothing.
>>>
>>> I might be wrong, but I think you're trying to solve a non-existing problem :)
>>>
>>> Cheers,
>>> Eugeniu
Re: [j-nsp] BGP filter
You could simplify it a little with an as-path-group and only need a single term to match both. You could also combine them into a single regex like so:

    (65204|65205) .*

Here is some information about as-path regexes from Juniper that also confirms that () is null, i.e. originated in your AS.

http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/defining-as-path-regular-expressions.html
http://www.juniper.net/techpubs/software/junos/junos74/swconfig74-policy/html/policy-extend-match-config3.html

On 1 February 2013 08:28, Riccardo S dim0...@hotmail.com wrote:
> Or does the reg-ex have to be written in this way?
>
>     set as-path from-AS-65204 .*65204;
>     set as-path from-AS-65205 .*65205;
>
> Is the following correct for the local BGP announcement?
>
>     set as-path from-local-router ();
>
> Tks
>
> From: dim0...@hotmail.com
> To: juniper-nsp@puck.nether.net
> Subject: BGP filter
> Date: Thu, 31 Jan 2013 08:51:49 +
>
> I'd like to filter BGP announcements based on the generating AS-path. In the example below I'd like to permit outbound announcements only if the generating AS is 65204 or 65025:
>
>     [edit policy-options]
>     # set as-path from-AS-65204 65204.*
>     # set as-path from-AS-65205 65205.*
>     [edit policy-options policy-statement BGP-filter-out]
>     # set term 1 from as-path from-AS-65204
>     # set term 1 then accept
>     # set term 2 from as-path from-AS-65205
>     # set term 2 then accept
>     # set term accept-others then reject
>     [edit protocols bgp]
>     # set group EBGP export BGP-filter-out
>
> Is there a better method to do it?
>
> Tks
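The as-path-group form suggested above, written out as a complete policy-options stanza. This is an added example, not configuration posted in the thread; the group name customer-origin, the term names and the EBGP group name are assumptions. Junos AS-path regular expressions are matched against the whole path, so "65204 .*" means "path begins with 65204", and the () regex matches the empty path of routes the router originates itself.

```junos
policy-options {
    /* empty AS path: routes originated by this router */
    as-path from-local-router "()";
    /* a group matches when any member regex matches the route's AS path */
    as-path-group customer-origin {
        as-path from-AS-65204 "65204 .*";
        as-path from-AS-65205 "65205 .*";
    }
    policy-statement BGP-filter-out {
        /* one term now covers both customer ASes */
        term customer-originated {
            from as-path-group customer-origin;
            then accept;
        }
        term locally-originated {
            from as-path from-local-router;
            then accept;
        }
        /* anything else (transit, peer routes) is withheld from eBGP neighbours */
        term reject-others {
            then reject;
        }
    }
}
protocols {
    bgp {
        group EBGP {
            export BGP-filter-out;
        }
    }
}
```

The single-regex alternative from the reply, "(65204|65205) .*", can replace the group with one as-path statement if preferred. After committing, `test policy BGP-filter-out 0/0` shows which routes the policy accepts, and `show route advertising-protocol bgp <neighbour-address>` confirms what actually leaves the box, which is the check worth keeping in a change procedure for an outbound filter, since the failure mode here is leaking transit routes to peers.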
Re: [j-nsp] juniper ex9200
Since I don't think it has been released yet, most of that wouldn't be known. Let's discuss the iPhone6 ;-)

Skeeve Stevens, CEO - eintellego Pty Ltd
ske...@eintellego.net ; www.eintellego.net
Phone: 1300 753 383; Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellego ; http://twitter.com/networkceoau ; linkedin.com/in/skeeve ; twitter.com/networkceoau ; blog: www.network-ceo.net
The Experts Who The Experts Call
Juniper - Cisco - IBM - Brocade - Cloud
Check out our Juniper promotion website! eintellego.mx

On Sat, Feb 2, 2013 at 12:22 AM, Piotr piotr.1...@interia.pl wrote:
> Hi,
>
> Does someone know something about this box? GPL price, how many 10G ports on a line card without oversubscription? Size of memory buffers per port? Latency? Which features will be removed compared to the MX?
>
> Regards,
> Piotr
Re: [j-nsp] Quick way to delete multiple licenses on SRX
Have you simply tried deleting the usage.db file and rebooting?

Tom

On 01.02.2013 18:47, Mark Menzies wrote:
> That could potentially work but is a mighty big hammer to solve a small problem. :) I don't have a problem putting the licenses on the boxes, it's just the removal that's a pain. I suspect I am asking for the impossible and not sure I want to bother with an ER.
>
> Sent from my mobile device
>
> On 1 Feb 2013, at 16:59, Tom Storey t...@snnap.net wrote:
>> Is it feasible to make multiple copies of the CF card for each router (dd style), customise each copy with the licenses required for a given class, then swap CFs depending on the class? What's more expensive or valuable, your time, or a bunch of CF cards? :-)
>>
>> On 1 February 2013 13:03, Mark Menzies m...@deimark.net wrote:
>>> If we park the fact that this is for training courses here, I still need an answer to how I would do this on an SRX. :) So the problem exists and I am just looking to see if we can find an answer.
>>>
>>> On 1 February 2013 11:31, Eugeniu Patrascu eu...@imacandi.net wrote:
>>>> On Thu, Jan 31, 2013 at 9:00 PM, Mark Menzies m...@deimark.net wrote:
>>>>> If I enforced that, I would be training an empty room. :)
>>>>
>>>> I wouldn't bet on it and you might go ahead and try it. I also do training and have licenses for every feature (not on Juniper, by the way) on the equipment and if the students ask, I tell them that since it is training equipment they have all the licenses and that's that. No confusion, no nothing.
>>>>
>>>> I might be wrong, but I think you're trying to solve a non-existing problem :)
>>>>
>>>> Cheers,
>>>> Eugeniu
Re: [j-nsp] Redundancy with MX
On Mon, Jan 21, 2013 at 10:40 PM, Markus H hauschild.mar...@gmail.com wrote:
> Hi,
>
> I wonder what kind of redundancy the community would prefer for small-medium sized PoPs. This is what I have come up with so far:
>
> a) 2xMX80
>    Pro: Two separate devices, so less prone to config errors and chassis failure
>    Con: Using redundant uplinks is more complicated (LB would need to be done via routing protocol)
>
> b) 1xMX240/480 with redundant SCB and RE
>    Pro: Easier to use redundant uplinks (LACP)
>    Con: A config error as well as a chassis failure brings the whole PoP down
>
> Any further arguments? Best practices? What did you deploy?

I would go with the two MX80s and two L2 switches to aggregate all connections. I did a design like this with 2 x MX80 and 2 x EX4500 in a stack (only L2 aggregation, routing done on the MX). The switches would be connected to the MX80s by 10G ports (2 for IN, 2 for OUT in each MX80), connected in an MC-LAG to the EX4500 stack. Redundancy all the way :)

Yes, you would have to play with the routing protocols to balance traffic at some point if you saturate one of your links in the MX, but that would only happen if you want to do more than 20G one way.

Cheers,
Eugeniu
Re: [j-nsp] Quick way to delete multiple licenses on SRX
On Fri, Feb 1, 2013 at 7:47 PM, Mark Menzies m...@deimark.net wrote:
> That could potentially work but is a mighty big hammer to solve a small problem. :)

I'm not familiar with how SRX licenses work, but if the ID is always the same when you add or remove them, you can make a script in notepad with the required licenses for each type of class and just copy/paste the commands into the device, or feed them from csh as stdin for cli (running as root).

Eugeniu
Re: [j-nsp] Security-flow TCP idle timeout at SRX
The security policy you have does not use the newly defined application myapp. If you use it in your policy then it will work, because of the inactivity timeout you defined in the application myapp.

On 2/1/13 12:28 AM, Robert Hass wrote:
> Hi,
>
> I have an issue with one of our applications. We have two security zones: LAN and Servers. Computers from LAN are connecting to Servers on port TCP/2020 (it's a CTI application). Users reported that they have to re-logon due to an idle timeout. I checked the security logs on the SRX and the sessions were disconnected due to the TCP idle-timeout, whose default is 30 minutes. How can I increase this timeout for TCP/2020 connections? Will the configuration below be sufficient?
>
>     security {
>         policies {
>             from-zone lan to-zone servers {
>                 policy 1 {
>                     match {
>                         source-address any;
>                         destination-address any;
>                         application any;
>                     }
>                     then {
>                         permit;
>                         log {
>                             session-init;
>                             session-close;
>                         }
>                         count;
>                     }
>                 }
>             }
>             from-zone servers to-zone lan {
>                 policy 1 {
>                     match {
>                         source-address any;
>                         destination-address any;
>                         application any;
>                     }
>                     then {
>                         permit;
>                         log {
>                             session-init;
>                             session-close;
>                         }
>                         count;
>                     }
>                 }
>             }
>         }
>     }
>     applications {
>         application myapp {
>             protocol tcp;
>             destination-port 2020;
>             inactivity-timeout 10;
>         }
>     }
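To make the reply concrete: the custom application only changes the session timeout when a policy actually matches on it, and within a zone pair Junos evaluates policies top to bottom, so the myapp policy has to sit above the catch-all "policy 1" that matches application any, otherwise the catch-all still takes the session and the 30-minute default still applies. This is an added example, not configuration from the thread; the policy name cti-long-idle and the timeout value are assumptions. Note that inactivity-timeout under applications is expressed in seconds, so a value meant to exceed the 30-minute default has to be larger than 1800; 7200 (two hours) is used here as an illustration. Keeping the long timeout on this one application rather than on the any rule also limits how many idle entries the session table holds open.

```junos
applications {
    /* inactivity-timeout is in seconds; 7200 = 2 hours (example value) */
    application myapp {
        protocol tcp;
        destination-port 2020;
        inactivity-timeout 7200;
    }
}
security {
    policies {
        from-zone lan to-zone servers {
            /* the specific policy must precede the catch-all "policy 1" */
            policy cti-long-idle {
                match {
                    source-address any;
                    destination-address any;
                    application myapp;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
}
```

If the new policy is added after an existing one, `insert security policies from-zone lan to-zone servers policy cti-long-idle before policy 1` moves it into the right position before commit. The check that the change took effect is `show security flow session destination-port 2020`, whose Timeout field for a fresh TCP/2020 session should now count down from the configured value rather than from 1800. The return direction needs no separate policy, since the SRX session is stateful and the servers-to-lan replies ride on the same session.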
[j-nsp] JUNOS-secondary Path
Hi all,

I have a query, as I'm trying to establish an LSP secondary tunnel, but that secondary one becomes up for seconds and then goes down. Here is the output when using show mpls lsp extensive:

    Secondary   two   State: Dn
      Priorities: 7 0
      SmartOptimizeTimer: 180
      No computed ERO.
      119 Feb  1 02:28:03.405 Clear Call
      118 Feb  1 02:28:01.818 Record Route: 192.168.14.2 172.16.16.2 172.17.17.2 192.168.17.2 192.168.18.2
      117 Feb  1 02:28:01.818 Up

The last message I get is Clear Call. I tried to check traceoptions for that, and I could see these words:

    no constraints to check
    Feb  1 02:28:01.786712 Link overlap with primary path, adding cost 800

and a long output, so could anyone advise me?
Re: [j-nsp] JUNOS-secondary Path
Config or it didn't happen

Will O'Brien

On Feb 1, 2013, at 5:06 PM, Ahmed Taha ahmedta...@hotmail.com wrote:
> Hi all,
>
> I have a query, as I'm trying to establish an LSP secondary tunnel, but that secondary one becomes up for seconds and then goes down. Here is the output when using show mpls lsp extensive:
>
>     Secondary   two   State: Dn
>       Priorities: 7 0
>       SmartOptimizeTimer: 180
>       No computed ERO.
>       119 Feb  1 02:28:03.405 Clear Call
>       118 Feb  1 02:28:01.818 Record Route: 192.168.14.2 172.16.16.2 172.17.17.2 192.168.17.2 192.168.18.2
>       117 Feb  1 02:28:01.818 Up
>
> The last message I get is Clear Call. I tried to check traceoptions for that, and I could see these words:
>
>     no constraints to check
>     Feb  1 02:28:01.786712 Link overlap with primary path, adding cost 800
>
> and a long output, so could anyone advise me?