Re: [j-nsp] M10i

2013-04-11 Thread Per Granath
https://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-supported.html#toc-table-mics-mx80


-Original Message-
From: juniper-nsp-boun...@puck.nether.net 
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of joel jaeggli
Sent: Thursday, April 11, 2013 7:58 AM
To: nsp-juniper
Subject: Re: [j-nsp] M10i

On 4/10/13 5:45 PM, Chris Adams wrote:
 Once upon a time, Correa Adolfo acor...@mcmtelecom.com.mx said:
 I thought MX series were purely Ethernet.
 I think that was true initially, but (for example) there are MX5-80 
 MICs to handle circuits from T1 up to OC192.

http://www.juniper.net/us/en/local/pdf/datasheets/1000378-en.pdf
___
juniper-nsp mailing list juniper-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/juniper-nsp



[j-nsp] DDoS protection for J-series and SRX

2013-04-11 Thread James Howlett
Hello,

I have a small network with J6350 as a border router (BGP) and two SRX240H in a 
cluster.
For a few days now my network has been the victim of DDoS attacks. The majority of them are 
high-pps-count attacks.
Are there any methods to protect my network against such attacks? My J-series 
can handle quite a lot of pps, but my SRX dies after getting more than 8000 new 
sessions per second.

Is there anything I can do here?

Regards,
jim


Re: [j-nsp] DDoS protection for J-series and SRX

2013-04-11 Thread Mark Menzies
Have a look at the screen options on both kits; we can apply basic DDoS
protection there and limit stuff like max connections over a short period,
etc.


On 11 April 2013 09:57, James Howlett jim.howl...@outlook.com wrote:

 Hello,

 I have a small network with J6350 as a border router (BGP) and two SRX240H
 in a cluster.
 For a few days now my network has been the victim of DDoS attacks. The majority of them
 are high-pps-count attacks.
 Are there any methods to protect my network against such attacks? My
 J-series can handle quite a lot of pps, but my SRX dies after getting more
 than 8000 new sessions per second.

 Is there anything I can do here?

 Regards,
 jim



Re: [j-nsp] DDoS protection for J-series and SRX

2013-04-11 Thread James Howlett
Hello,

I think I can't use screen on my J-series in 9.x software / router context.
Will SRX be able to handle it alone?

all best,
jim

Date: Thu, 11 Apr 2013 10:10:18 +0100
Subject: Re: [j-nsp] DDoS protection for J-series and SRX
From: m...@deimark.net
To: jim.howl...@outlook.com
CC: juniper-nsp@puck.nether.net

Have a look at the screen options on both kits; we can apply basic DDoS 
protection there and limit stuff like max connections over a short period, etc.

On 11 April 2013 09:57, James Howlett jim.howl...@outlook.com wrote:

Hello,

I have a small network with J6350 as a border router (BGP) and two SRX240H in a 
cluster.
For a few days now my network has been the victim of DDoS attacks. The majority of them are 
high-pps-count attacks.
Are there any methods to protect my network against such attacks? My J-series 
can handle quite a lot of pps, but my SRX dies after getting more than 8000 new 
sessions per second.

Is there anything I can do here?

Regards,
jim


Re: [j-nsp] DDoS protection for J-series and SRX

2013-04-11 Thread Mark Menzies
The SRX definitely supports screen options, and you can upgrade the J series
to something newer.  I think it was in 9.4 that Juniper got rid of the 2
versions of software for J series, i.e. the router and enhanced services
versions, so all newer versions have the security stuff built in.

Upgrading the J series to use screen is fairly straightforward, but if you
are just looking to run the J series as a router we can turn off the main
security features; you may be better off just having all interfaces
in the same zone and allowing intra-zone traffic.

Your SRX running as the firewall should be able to cater as the only screen
device, but it does make sense to apply DDoS protection as close to your
perimeter as you can to reduce the load on the upstream boxes.


On 11 April 2013 11:15, James Howlett jim.howl...@outlook.com wrote:

 Hello,

 I think I can't use screen on my J-series in 9.x software / router context.
 Will SRX be able to handle it alone?

 all best,
 jim

 --
 Date: Thu, 11 Apr 2013 10:10:18 +0100
 Subject: Re: [j-nsp] DDoS protection for J-series and SRX
 From: m...@deimark.net
 To: jim.howl...@outlook.com
 CC: juniper-nsp@puck.nether.net


 Have a look at the screen options on both kits; we can apply basic DDoS
 protection there and limit stuff like max connections over a short period,
 etc.


 On 11 April 2013 09:57, James Howlett jim.howl...@outlook.com wrote:

 Hello,

 I have a small network with J6350 as a border router (BGP) and two SRX240H
 in a cluster.
 For a few days now my network has been the victim of DDoS attacks. The majority of them
 are high-pps-count attacks.
 Are there any methods to protect my network against such attacks? My
 J-series can handle quite a lot of pps, but my SRX dies after getting more
 than 8000 new sessions per second.

 Is there anything I can do here?

 Regards,
 jim

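Mark's suggestion to use screen options and cap connections over a short period, worked through as an added example that is not part of the thread: a screen profile on the SRX240 cluster, bound to the zone facing the J6350. The profile name, the zone name untrust, and every threshold are assumptions; the thresholds are starting points to calibrate against your own baseline, not recommended values.

```junos
/* Added example (not from the thread): a screen profile for the SRX240 cluster.
   Threshold values are illustrative; measure your normal traffic with
   "show security screen statistics zone untrust" before enforcing them. */
security {
    screen {
        ids-option untrust-screen {
            /* Log-only mode while calibrating: matches are counted and alarmed
               but not dropped. Delete this statement to enforce the drops. */
            alarm-without-drop;
            icmp {
                flood threshold 1000;
            }
            udp {
                flood threshold 1000;
            }
            tcp {
                syn-flood {
                    /* SYN packets per second to one destination before SYN
                       proxying kicks in (attack-threshold) and before an alarm
                       is raised (alarm-threshold). */
                    alarm-threshold 1000;
                    attack-threshold 2000;
                    /* Per-source and per-destination SYN rates. */
                    source-threshold 1000;
                    destination-threshold 4000;
                    /* Seconds a half-open session is held before being aged out. */
                    timeout 20;
                }
            }
            limit-session {
                /* Concurrent sessions allowed per source and per destination IP;
                   this is the "max connections" lever from the thread. */
                source-ip-based 128;
                destination-ip-based 4000;
            }
        }
    }
    zones {
        security-zone untrust {
            /* Screens are evaluated on the ingress zone, so the profile must
               sit on the zone where the attack traffic enters. */
            screen untrust-screen;
        }
    }
}
```

Watch the counters with `show security screen statistics zone untrust` and the session table with `show security flow session summary` while `alarm-without-drop` is in place; once the thresholds sit clearly above legitimate peaks, remove that statement so the screens actually shed load from the flow module.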


Re: [j-nsp] port mirror on EX causing crash

2013-04-11 Thread Luca Salvatore
For anyone who is interested, it turns out we hit this bug:

PR658614
When you configure both sFlow monitoring technology and port mirroring 
features, parity errors might occur, which might cause the switch to crash and 
then reboot.

We had sFlow running, then turned on port mirroring... two days later, crash!


From: juniper-nsp-boun...@puck.nether.net [juniper-nsp-boun...@puck.nether.net] 
On Behalf Of Luca Salvatore [l...@ninefold.com]
Sent: Wednesday, 10 April 2013 3:35 PM
To: Ben Dale
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] port mirror on EX causing crash

Yes this is what has happened to us... twice in two days.
Only change on the switch was setting up a port mirror... This would probably 
consume a bit more memory which may have triggered the crash.

I have already organised the RMA, was just wondering about the mirroring.

Luca


-Original Message-
From: Ben Dale [mailto:bd...@comlinx.com.au]
Sent: Wednesday, 10 April 2013 3:14 PM
To: Luca Salvatore
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] port mirror on EX causing crash

Yep - listen to JTAC.

The parity error is definitely a sign that the memory on your switch is flakey 
- I had an EX4200 completely lock up and drop out of a VC after 6 months of 
flawless operation.  Rebooted it and it came good; 24 hours later it dropped 
right back out again with the parity error.

RMA and everything is happy again.

On 10/04/2013, at 2:50 PM, Luca Salvatore l...@ninefold.com wrote:

 Wondering if anyone has seen any issues with EX switches running port 
 mirroring - specifically seeing the switch generate a 'parity error' and 
 crashing?
 I have an EX4200 on 10.4r5.5; a few hours after turning on port mirroring the 
 switch crashed.  It threw some memory parity errors, which JTAC tells me means 
 the switch is faulty and should be replaced.

 The switch in question has been running fine for 3 years, but turning on an 
 ingress and egress port mirror (on a single port) seems to make the switch 
 have a bad day.  The switch isn't busy, and the port that I'm mirroring has 
 about 80 to 100Mb of traffic.  I'm mirroring the port to an IDS and would 
 like to keep it running for the foreseeable future.

 Any thoughts on this situation?
 Thanks
 Luca.




[j-nsp] Config changes on VC with member down

2013-04-11 Thread Luca Salvatore
Hi,
Quick question just for my own sanity :-/

If I make some config changes on a VC when one of the members is down, what 
happens to the config on the down member when it comes back up?  I'm assuming 
it will just sync with the master, right?

thanks
Luca.



Re: [j-nsp] DDoS protection for J-series and SRX

2013-04-11 Thread Mark Kamichoff
On Thu, Apr 11, 2013 at 10:57:55AM +0200, James Howlett wrote:
 I have a small network with J6350 as a border router (BGP) and two
 SRX240H in a cluster.  For a few days now my network has been the victim of DDoS
 attacks. The majority of them are high-pps-count attacks.
 Are there any methods to protect my network against such attacks? My
 J-series can handle quite a lot of pps, but my SRX dies after getting
 more than 8000 new sessions per second.

 Is there anything I can do here?

Definitely SCREENs, as other folks have said.

However, in the corner case where you're getting traffic for a
particular service or destination IP that isn't in use (maybe not in
this instance), a quick way of protecting the traffic from hitting the
flow module is to use a firewall filter with a discard action for that
traffic.

Just something to keep in your toolbox.

- Mark

-- 
Mark Kamichoff
p...@prolixium.com
http://www.prolixium.com/


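Mark Kamichoff's corner case, written out as an added example that is not part of the thread: a stateless input filter on the J6350's upstream interface that discards traffic to destinations or services you do not serve, so it is dropped before it can create state in the SRX flow module. 192.0.2.0/24 stands in for your own allocation, 192.0.2.240/28 for a constructed range of unused addresses, UDP/19 and UDP/1900 for constructed unused services, and ge-0/0/0 for the upstream-facing interface; all of these are assumptions.

```junos
/* Added example (not from the thread): drop traffic for unused destinations
   on the border router so it never reaches the SRX flow module. All prefixes,
   ports and the interface name are constructed assumptions. */
firewall {
    family inet {
        filter DISCARD-UNUSED-DST {
            /* Term 1: addresses in the allocation that host nothing at all. */
            term unused-addresses {
                from {
                    destination-address {
                        192.0.2.240/28;
                    }
                }
                then {
                    /* Count before discarding so the attack volume stays visible
                       in "show firewall filter DISCARD-UNUSED-DST". */
                    count unused-dst-addr;
                    discard;
                }
            }
            /* Term 2: a service that is not run anywhere in the prefix
               (UDP/19 chargen and UDP/1900 SSDP here, as constructed examples). */
            term unused-services {
                from {
                    destination-address {
                        192.0.2.0/24;
                    }
                    protocol udp;
                    destination-port [ 19 1900 ];
                }
                then {
                    count unused-dst-svc;
                    discard;
                }
            }
            /* Final term: everything else continues on to the SRX cluster.
               Without an explicit accept, the filter's implicit discard at the
               end would drop all remaining traffic. */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input DISCARD-UNUSED-DST;
                }
            }
        }
    }
}
```

The filter is evaluated statelessly in the forwarding path, so the discarded packets cost no session-table entries on either box; `show firewall filter DISCARD-UNUSED-DST` shows the per-term counters and tells you how much of the attack this alone removes.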

[j-nsp] Logical tunnels on MPC2 and MICs

2013-04-11 Thread Clarke Morledge
I am a little confused about logical tunnel-services configuration on the 
MPC2, for both the chassis platform and MX-80.  Do you really need a MIC 
installed in the MPC if you want to configure a logical tunnel (lt)?


Part of me says you do not, simply because the tunnel is happening on the 
PFE.  Since the PFE is sitting on the MPC2 itself, the MIC would not be 
necessary.


But then the other part of me knows that on the older non-Trio cards the 
PFE is integrated with the physical interfaces, so perhaps a MIC in the 
Trio world is required, which I do not understand, since I do not get 
why the PFE needs a physical interface in order to get a tunnel to work.


If someone could straighten me out, that would be great.  Thanks.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187


Re: [j-nsp] Config changes on VC with member down

2013-04-11 Thread Ben Dale


On 11/04/2013, at 10:08 PM, Luca Salvatore l...@ninefold.com wrote:

 Hi,
 Quick question just for my own sanity :-/

 If I make some config changes on a VC when one of the members is down, what 
 happens to the config on the down member when it comes back up?  I'm assuming 
 it will just sync with the master, right?

That won't be a problem.  Your Master and Backup REs keep the configuration for 
all members, so any changes will be pushed out when the down member is 
re-joined/replaced.  

Check this out if you need more detailed information on the process:

http://www.juniper.net/techpubs/en_US/junos/topics/task/installation/virtual-chassis-ex4200-member-replacing-cli.html

Cheers,

Ben


Re: [j-nsp] DDoS protection for J-series and SRX

2013-04-11 Thread Dobbins, Roland

On Apr 11, 2013, at 3:57 PM, James Howlett wrote:

 Is there anything i can do here?

S/RTBH, flowspec, iACLs, GTSM, et al.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton


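Two items from Roland's list, destination-based RTBH and flowspec, spelled out on the J6350 as an added example that is not part of the thread. Every value is a constructed assumption: 192.0.2.7/32 is the attacked host, 198.51.100.1 the upstream BGP peer in AS 64496, 65000 the local AS, and 65000:666 the community the upstream is assumed to honour for blackholing.

```junos
/* Added example (not from the thread): D/RTBH via a tagged discard route and a
   locally configured flowspec rule. Addresses, ASNs and the community value are
   constructed assumptions. */
routing-options {
    autonomous-system 65000;
    static {
        /* D/RTBH: the discard route drops all traffic to the victim in the
           forwarding plane. The community tag lets the export policy below
           announce it to the upstream, which then drops it before your link. */
        route 192.0.2.7/32 {
            discard;
            community 65000:666;
        }
    }
    flow {
        /* Flowspec alternative: drop only the offending flow (UDP source port 53
           toward the victim here) instead of blackholing the whole host. A flow
           route configured locally is enforced on this router without BGP. */
        route drop-dns-to-victim {
            match {
                destination 192.0.2.7/32;
                protocol udp;
                source-port 53;
            }
            then discard;
        }
    }
}
policy-options {
    community BLACKHOLE members 65000:666;
    policy-statement EXPORT-TO-UPSTREAM {
        term blackhole {
            from {
                protocol static;
                community BLACKHOLE;
            }
            then accept;
        }
        /* Further terms carry your normal prefix announcements. */
    }
}
protocols {
    bgp {
        group upstream {
            type external;
            peer-as 64496;
            export EXPORT-TO-UPSTREAM;
            family inet {
                unicast;
                /* Enables the flowspec NLRI so flow routes can also be exchanged
                   with a peer that supports it. */
                flow;
            }
            neighbor 198.51.100.1;
        }
    }
}
```

Source-based RTBH is the same discard-route idea pointed at the attack source and relies on unicast RPF on the upstream interface (`family inet rpf-check`) so that packets from a blackholed source fail the lookup and are dropped; it is left out above because the flows in the thread are described by destination and packet rate rather than by a small set of sources.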