[j-nsp] Security-flow TCP idle timeout at SRX

2013-02-01 Thread Robert Hass
Hi

I have an issue with one of our applications. We have two security zones: LAN
and Servers. Computers from LAN connect to Servers on port TCP/2020 (it's a
CTI application). Users reported that they have to re-logon due to an idle
timeout. I checked the security logs on the SRX and the sessions were
disconnected due to the TCP idle-timeout, whose default is 30 minutes. How can
I increase this timeout for TCP/2020 connections?

Will the configuration below be sufficient?

security {
    policies {
        from-zone lan to-zone servers {
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone servers to-zone lan {
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
}
applications {
    application myapp {
        protocol tcp;
        destination-port 2020;
        inactivity-timeout 10;
    }
}
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] juniper ex9200

2013-02-01 Thread Piotr

Hi,

Does anyone know anything about this box? GPL price, how many 10G ports on a
line card without oversubscription? Size of memory buffers per port?
Latency? What features will be removed compared to the MX?



regards,
Piotr




Re: [j-nsp] Quick way to delete multiple licenses on SRX

2013-02-01 Thread Mark Menzies
If we park the fact that this is for training courses here, I still need an
answer to how I would do this on an SRX.  :)  So the problem exists and am
just looking to see if we can find an answer.


On 1 February 2013 11:31, Eugeniu Patrascu eu...@imacandi.net wrote:

 On Thu, Jan 31, 2013 at 9:00 PM, Mark Menzies m...@deimark.net wrote:
  If I enforced that, I would be training an empty room.  :)

 I wouldn't bet on it and you might go ahead and try it.
 I also do training and have licenses for every feature (not on
 Juniper, by the way) on the equipment and if the students ask, I tell
 them that since it is training equipment they have all the licenses
 and that's that. No confusion, no nothing.

 I might be wrong, but I think you're trying to solve a non-existing
 problem :)

 Cheers,
 Eugeniu



[j-nsp] OAM over LAG

2013-02-01 Thread Riccardo S




Has anybody implemented OAM over an Ethernet LAG configured on an EX4200 virtual
chassis?

I saw this link, which seems related to MX and not EX:

http://www.juniper.net/techpubs/en_US/junos11.1/topics/example/layer-2-802-1ah-ethernet-oam-lfm-example-for-aggregated-ethernet-mx-solutions.html

Any examples?
How does it work if one of the links forming the LAG has problems (like CRC
errors, flapping, etc.)?

Do I need only LFM to declare the link down if it has errors?

Tks



Re: [j-nsp] Quick way to delete multiple licenses on SRX

2013-02-01 Thread Eric Van Tol
 -Original Message-
 From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
 boun...@puck.nether.net] On Behalf Of Mark Menzies
 Sent: Friday, February 01, 2013 7:04 AM
 To: Eugeniu Patrascu
 Cc: juniper-nsp@puck.nether.net
 Subject: Re: [j-nsp] Quick way to delete multiple licenses on SRX
 
 If we park the fact that this is for training courses here, I still
 need an
 answer to how I would do this on an SRX.  :)  So the problem exists
 and am
 just looking to see if we can find an answer.
 

Does the *shudder* web GUI offer a way to do this?

-evt



Re: [j-nsp] Quick way to delete multiple licenses on SRX

2013-02-01 Thread Tom Storey
Is it feasible to make multiple copies of the CF card for each router (dd
style), customise each copy with the licenses required for a given class,
then swap CFs depending on the class?

What's more expensive or valuable, your time, or a bunch of CF cards? :-)


On 1 February 2013 13:03, Mark Menzies m...@deimark.net wrote:

 If we park the fact that this is for training courses here, I still need an
 answer to how I would do this on an SRX.  :)  So the problem exists and am
 just looking to see if we can find an answer.


 On 1 February 2013 11:31, Eugeniu Patrascu eu...@imacandi.net wrote:

  On Thu, Jan 31, 2013 at 9:00 PM, Mark Menzies m...@deimark.net wrote:
   If I enforced that, I would be training an empty room.  :)
 
  I wouldn't bet on it and you might go ahead and try it.
  I also do training and have licenses for every feature (not on
  Juniper, by the way) on the equipment and if the students ask, I tell
  them that since it is training equipment they have all the licenses
  and that's that. No confusion, no nothing.
 
  I might be wrong, but I think you're trying to solve a non-existing
  problem :)
 
  Cheers,
  Eugeniu
 



Re: [j-nsp] Quick way to delete multiple licenses on SRX

2013-02-01 Thread Mark Menzies
That could potentially work but is a mighty big hammer to solve a small
problem. :)

I don't have a problem putting the licenses on the boxes, it's just the removal
that's a pain.

I suspect I am asking for the impossible and I'm not sure I want to bother with
an ER.

Sent from my mobile device

On 1 Feb 2013, at 16:59, Tom Storey t...@snnap.net wrote:

 Is it feasible to make multiple copies of the CF card for each router (dd 
 style), customise each copy with the licenses required for a given class, 
 then swap CFs depending on the class?
 
 What's more expensive or valuable, your time, or a bunch of CF cards? :-)
 
 
 On 1 February 2013 13:03, Mark Menzies m...@deimark.net wrote:
 If we park the fact that this is for training courses here, I still need an
 answer to how I would do this on an SRX.  :)  So the problem exists and am
 just looking to see if we can find an answer.
 
 
 On 1 February 2013 11:31, Eugeniu Patrascu eu...@imacandi.net wrote:
 
  On Thu, Jan 31, 2013 at 9:00 PM, Mark Menzies m...@deimark.net wrote:
   If I enforced that, I would be training an empty room.  :)
 
  I wouldn't bet on it and you might go ahead and try it.
  I also do training and have licenses for every feature (not on
  Juniper, by the way) on the equipment and if the students ask, I tell
  them that since it is training equipment they have all the licenses
  and that's that. No confusion, no nothing.
 
  I might be wrong, but I think you're trying to solve a non-existing
  problem :)
 
  Cheers,
  Eugeniu
 
 


Re: [j-nsp] BGP filter

2013-02-01 Thread Tom Storey
You could simplify it a little with an as-path-group and only need a single
term to match both.

You could also combine them in to a single regex like so:

(65204|65205) .*

Here is some information about as-path regexes from Juniper that also
confirms that () is the null path, i.e. originated in your AS.

http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/defining-as-path-regular-expressions.html
http://www.juniper.net/techpubs/software/junos/junos74/swconfig74-policy/html/policy-extend-match-config3.html


On 1 February 2013 08:28, Riccardo S dim0...@hotmail.com wrote:


 Or does the regex have to be written this way?

 set as-path from-AS-65204 .*65204;
 set as-path from-AS-65205 .*65205;

 Is the following correct for the local BGP announcement?

 set as-path from-local-router ();

 Tks

 From: dim0...@hotmail.com
 To: juniper-nsp@puck.nether.net
 Subject: BGP filter
 Date: Thu, 31 Jan 2013 08:51:49 +

 I'd like to filter BGP announcements based on the generating AS-path.
 In the example below I'd like to permit outbound announcements only if the
 generating AS is 65204 or 65025:

 [edit policy-options]
 # set as-path from-AS-65204 65204.*
 # set as-path from-AS-65205 65205.*

 [edit policy-options policy-statement BGP-filter-out ]
 # set term 1 from as-path from-AS-65204
 # set term 1 then accept
 # set term 2 from as-path from-AS-65205
 # set term 2 then accept
 # set term accept-others then reject

 [edit protocols bgp]
 # set group EBGP export BGP-filter-out

 Is there a better method to do it?

 Tks

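Tom's two suggestions (an as-path-group so that one term covers both customer ASes, and "()" for the routes this router originates itself), written out as an added example that is not the poster's configuration and was not posted in the thread. The group, term and as-path names are assumptions; the regexes are written with the space separator Junos uses between AS numbers, so "65204 .*" reads "first AS is 65204, followed by zero or more further ASes".

```junos
/* Added example (not from the thread): outbound eBGP filter that lets out
   only routes received from AS 65204 or AS 65205 and routes originated
   locally. Names FROM-CUSTOMERS, from-customers, local and reject-others
   are assumptions. */
policy-options {
    as-path-group FROM-CUSTOMERS {
        /* Junos as-path regexes operate on whole AS numbers, not characters:
           "65204 .*" matches a bare "65204", a prepended "65204 65204" and
           "65204 65300", but not "65300 65204". */
        as-path from-AS-65204 "65204 .*";
        as-path from-AS-65205 "65205 .*";
    }
    /* Single-regex alternative to the group, as Tom describes it:
       as-path from-customers "(65204|65205) .*"; */
    /* "()" is the null AS path, i.e. a route this router originates. */
    as-path from-local-router "()";
    policy-statement BGP-filter-out {
        term from-customers {
            from as-path-group FROM-CUSTOMERS;
            then accept;
        }
        term local {
            from as-path from-local-router;
            then accept;
        }
        /* Explicit terminal reject: anything not matched above stays inside. */
        term reject-others {
            then reject;
        }
    }
}
protocols {
    bgp {
        group EBGP {
            export BGP-filter-out;
        }
    }
}
```

After the commit, "show route advertising-protocol bgp <neighbor-address>" lists exactly what the export policy lets out to that peer, which is the check to run before trusting the filter.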


Re: [j-nsp] juniper ex9200

2013-02-01 Thread Skeeve Stevens
Since I don't think it has been released yet, most of that wouldn't be
known.

Let's discuss the iPhone6 ;-)
--
Skeeve Stevens, CEO - eintellego Pty Ltd
ske...@eintellego.net ; www.eintellego.net

Phone: 1300 753 383; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellego ;  http://twitter.com/networkceoau
linkedin.com/in/skeeve

twitter.com/networkceoau ; blog: www.network-ceo.net

The Experts Who The Experts Call
Juniper - Cisco – IBM - Brocade - Cloud
-
Check out our Juniper promotion website!  eintellego.mx


On Sat, Feb 2, 2013 at 12:22 AM, Piotr piotr.1...@interia.pl wrote:

 Hi,

 Does anyone know anything about this box? GPL price, how many 10G ports on a
 line card without oversubscription? Size of memory buffers per port?
 Latency? What features will be removed compared to the MX?


 regards,
 Piotr





Re: [j-nsp] Quick way to delete multiple licenses on SRX

2013-02-01 Thread Tom Eichhorn
Have you simply tried deleting the usage.db file and rebooting?

Tom

Am 01.02.2013 18:47, schrieb Mark Menzies:
 That could potentially work but is a mighty big hammer to solve a small 
 problem. :). 
 
 I don't have a problem putting the licenses on the boxes, it's just the
 removal that's a pain.
 
 I suspect I am asking for the impossible and not sure I want to bother with 
 an ER. 
 
 Sent from my mobile device
 
 On 1 Feb 2013, at 16:59, Tom Storey t...@snnap.net wrote:
 
 Is it feasible to make multiple copies of the CF card for each router (dd 
 style), customise each copy with the licenses required for a given class, 
 then swap CFs depending on the class?

 Whats more expensive or valuable, your time, or a bunch of CF cards? :-)


 On 1 February 2013 13:03, Mark Menzies m...@deimark.net wrote:
 If we park the fact that this is for training courses here, I still need an
 answer to how I would do this on an SRX.  :)  So the problem exists and am
 just looking to see if we can find an answer.


 On 1 February 2013 11:31, Eugeniu Patrascu eu...@imacandi.net wrote:

 On Thu, Jan 31, 2013 at 9:00 PM, Mark Menzies m...@deimark.net wrote:
 If I enforced that, I would be training an empty room.  :)

 I wouldn't bet on it and you might go ahead and try it.
 I also do training and have licenses for every feature (not on
 Juniper, by the way) on the equipment and if the students ask, I tell
 them that since it is training equipment they have all the licenses
 and that's that. No confusion, no nothing.

 I might be wrong, but I think you're trying to solve a non-existing
 problem :)

 Cheers,
 Eugeniu

 



Re: [j-nsp] Redundancy with MX

2013-02-01 Thread Eugeniu Patrascu
On Mon, Jan 21, 2013 at 10:40 PM, Markus H hauschild.mar...@gmail.com wrote:
 Hi,

 I wonder what kind of redundancy the community would prefer for
 small-medium sized PoPs.
 This is what I have come up with so far:

 a) 2xMX80
 Pro: Two separate devices so less prone to config errors and chassis failure
 Con: Using redundant uplinks is more complicated (LB would need to be
 done via routing protocol)

 b) 1xMX240/480 with redundant SCB and RE
 Pro: Easier to use redundant uplinks (LACP)
 Con: Config error as well as chassis failure brings the whole PoP down

 Any further arguments? Best practices? What did you deploy?


I would go with the two MX80s and two L2 switches to aggregate all connections.

I did a design like this with 2 x MX80 and 2 x EX4500 in a stack (only
L2 aggregation, routing done on the MX). The switches were connected to
the MX80s by 10G ports (2 for IN, 2 for OUT in each MX80), connected in an
MC-LAG to the EX4500 stack. Redundancy all the way :)
Yes, you would have to play with the routing protocols to balance
traffic at some point if you saturate one of your links on the MX, but
that would only happen if you want to do more than 20G one way.

Cheers,
Eugeniu


Re: [j-nsp] Quick way to delete multiple licenses on SRX

2013-02-01 Thread Eugeniu Patrascu
On Fri, Feb 1, 2013 at 7:47 PM, Mark Menzies m...@deimark.net wrote:
 That could potentially work but is a mighty big hammer to solve a small
 problem. :).


I'm not familiar with how SRX licenses work, but if the ID is always
the same when you add or remove them, you can make a script in
notepad with the required licenses for each type of class and just
copy/paste the commands in the device, or feed them from csh as stdin
for cli (running as root).

Eugeniu


Re: [j-nsp] Security-flow TCP idle timeout at SRX

2013-02-01 Thread Anton Yurchenko


The security policy you have does not use the newly defined application
myapp. If you use it in your policy, it will work, because of the
inactivity timeout you defined in the application myapp.


On 2/1/13 12:28 AM, Robert Hass wrote:

Hi

I have an issue with one of our applications. We have two security zones: LAN
and Servers. Computers from LAN connect to Servers on port TCP/2020 (it's a
CTI application). Users reported that they have to re-logon due to an idle
timeout. I checked the security logs on the SRX and the sessions were
disconnected due to the TCP idle-timeout, whose default is 30 minutes. How can
I increase this timeout for TCP/2020 connections?

Will the configuration below be sufficient?

security {
    policies {
        from-zone lan to-zone servers {
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone servers to-zone lan {
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
}
applications {
    application myapp {
        protocol tcp;
        destination-port 2020;
        inactivity-timeout 10;
    }
}


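The fix Anton describes, written out as an added example that is not the poster's configuration and was not posted in the thread: the custom application is referenced from the lan-to-servers policy, that policy is placed ahead of the catch-all, and the timeout is given in seconds, which is the unit inactivity-timeout takes (1800 is the 30-minute TCP default the original post ran into, so the "10" in the original would have made the problem worse). The policy name cti-2020 and the 3600-second value are assumptions; the zone names are the ones from the thread.

```junos
/* Added example (not from the thread): extend the TCP idle timeout for
   port 2020 only. Policy name cti-2020 and the 3600-second value are
   assumptions. */
applications {
    application myapp {
        protocol tcp;
        destination-port 2020;
        /* Seconds, not minutes: 1800 is the default the original sessions
           were timing out at; 3600 gives one hour of idle time. */
        inactivity-timeout 3600;
    }
}
security {
    policies {
        from-zone lan to-zone servers {
            /* Policies are evaluated top to bottom and the first match wins,
               so the application-specific policy must come before the
               "application any" catch-all; otherwise every session, port
               2020 included, keeps the default timeout. */
            policy cti-2020 {
                match {
                    source-address any;
                    destination-address any;
                    application myapp;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
}
```

Only the lan-to-servers direction needs the application, because the sessions are opened from LAN and the server's replies ride the same flow session. If the catch-all already exists, "insert security policies from-zone lan to-zone servers policy cti-2020 before policy 1" puts the new policy first without deleting anything, and "show security flow session destination-port 2020" shows the Timeout value actually applied to live sessions, which is the check to run after the commit.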


[j-nsp] JUNOS-secondary Path

2013-02-01 Thread Ahmed Taha

Hi all,

I have a query, as I'm trying to establish an LSP secondary tunnel, but that
secondary one comes up for a few seconds and then goes down. Here is the
output of show mpls lsp extensive:

  Secondary two  State: Dn
Priorities: 7 0
SmartOptimizeTimer: 180
No computed ERO.
   119 Feb  1 02:28:03.405 Clear Call
   118 Feb  1 02:28:01.818 Record Route:  192.168.14.2 172.16.16.2 172.17.17.2 192.168.17.2 192.168.18.2
   117 Feb  1 02:28:01.818 Up

The last message I get is "Clear Call". I tried to check traceoptions for that,
and I could see these words: "no constraints to check", and

Feb  1 02:28:01.786712  Link overlap with primary path, adding cost 800

and a long output. Could anyone advise me?


Re: [j-nsp] JUNOS-secondary Path

2013-02-01 Thread OBrien, Will
Config or it didn't happen

Will O'Brien

On Feb 1, 2013, at 5:06 PM, Ahmed Taha ahmedta...@hotmail.com wrote:

 
 Hi all,

 I have a query, as I'm trying to establish an LSP secondary tunnel, but that
 secondary one comes up for a few seconds and then goes down. Here is the
 output of show mpls lsp extensive:

   Secondary two  State: Dn
 Priorities: 7 0
 SmartOptimizeTimer: 180
 No computed ERO.
    119 Feb  1 02:28:03.405 Clear Call
    118 Feb  1 02:28:01.818 Record Route:  192.168.14.2 172.16.16.2 172.17.17.2 192.168.17.2 192.168.18.2
    117 Feb  1 02:28:01.818 Up

 The last message I get is "Clear Call". I tried to check traceoptions for that,
 and I could see these words: "no constraints to check", and

 Feb  1 02:28:01.786712  Link overlap with primary path, adding cost 800

 and a long output. Could anyone advise me?
