Re: [j-nsp] SRX Adding Second ISP
Maybe something like the below would help.

show configuration security nat source

pool isp-1 {
    address {
        x.x.x.x/x;
    }
}
pool isp-2 {
    address {
        y.y.y.y/y;
    }
}
rule-set TRUST-TO-UNTRUST {
    from zone TRUST;
    to zone UNTRUST;
    rule nat-isp1 {
        match {
            source-address [ server-ip1 server-ip2 ];
        }
        then {
            source-nat {
                pool {
                    isp-1;
                }
            }
        }
    }
    rule nat-isp2 {
        match {
            source-address [ server-ip3 server-ip4 ];
        }
        then {
            source-nat {
                pool {
                    isp-2;
                }
            }
        }
    }
}

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Juniper Product against DDoS
Hi Experts,

Does Juniper provide any DDoS solution? Would you please recommend the product line for this solution, if there is one?

thanks,
--
Samol Khoeurn
(855) 077 55 64 02 / (855) 067 41 88 66
Network Engineer
Cisco: CCNA/CCNP SP/CCIP/ Juniper: JNCIA/JNCIS-ENT,SP,SEC/JNCIP-ENT
www.linkedin.com/in/samolkhoeurn
Re: [j-nsp] Juniper Product against DDoS
On 18/02/14 14:46, Samol wrote:
> Hi Experts,
>
> Does Juniper provide any DDoS solution? Would you please recommend the product line for this solution, if there is one?

Funnily enough, I was just talking to our Juniper account team about various things, and they mentioned this:

http://www.juniper.net/as/en/products-services/security/junos-webapp-secure/ddos/

No idea if it's any good; I haven't used it, but I know it has been deployed in front of some large sites.
Re: [j-nsp] Juniper Product against DDoS
Yes, Juniper's product is called Junos DDoS Secure. It's really quite excellent.

http://www.juniper.net/as/en/products-services/security/junos-webapp-secure/ddos/

Cheers,
Matt

On Tue, Feb 18, 2014 at 9:46 AM, Samol molas...@gmail.com wrote:
> Hi Experts,
>
> Does Juniper provide any DDoS solution? Would you please recommend the product line for this solution, if there is one?
>
> thanks,
> --
> Samol Khoeurn
> (855) 077 55 64 02 / (855) 067 41 88 66
> Network Engineer
> Cisco: CCNA/CCNP SP/CCIP/ Juniper: JNCIA/JNCIS-ENT,SP,SEC/JNCIP-ENT
> www.linkedin.com/in/samolkhoeurn

--
Matt McGuirl
m...@mcguirl.net
Voice: +1-610-579-3718
Skype: MLMcGuirl
Re: [j-nsp] Juniper Product against DDoS
Yes, junos-ddos.

Sent from my iPhone

On 18/02/2014, at 11:46, Samol molas...@gmail.com wrote:
> Hi Experts,
>
> Does Juniper provide any DDoS solution? Would you please recommend the product line for this solution, if there is one?
>
> thanks,
> --
> Samol Khoeurn
> (855) 077 55 64 02 / (855) 067 41 88 66
> Network Engineer
> Cisco: CCNA/CCNP SP/CCIP/ Juniper: JNCIA/JNCIS-ENT,SP,SEC/JNCIP-ENT
> www.linkedin.com/in/samolkhoeurn
Re: [j-nsp] Juniper Product against DDoS
Another option - http://www.juniper.net/us/en/products-services/security/ddos/

Depends on the use case.

On 2/18/14, 4:08 PM, Dobbins, Roland rdobb...@arbor.net wrote:
> On Feb 18, 2014, at 9:46 PM, Samol molas...@gmail.com wrote:
>> Does Juniper provide any DDoS solution?
>
> They have this:
>
> http://www.juniper.net/as/en/products-services/security/junos-webapp-secure/ddos/
>
> I've never run into anyone using it, so I've no idea as to its capabilities. Perhaps someone else on the list has experience with it and can comment . . .
>
> They also have flowspec capabilities on many (all?) of their routers; flowspec can be utilized to leverage the routers to mitigate DDoS attacks using layer-4 classification.
>
> ---
> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
> Luck is the residue of opportunity and design. -- John Milton
Re: [j-nsp] Juniper Product against DDoS
On 18/02/2014 15:46, Samol wrote:
> Hi Experts,
>
> Does Juniper provide any DDoS solution? Would you please recommend the product line for this solution, if there is one?
>
> thanks,

Hi,

No expert here, but there is the DDoS Secure appliance on their sales list, something from a company recently bought (http://www.webscreen-technology.com/). It's Dell server hardware apparently, with custom (up to where?) software. I should receive one shortly, so we shall see ...
Re: [j-nsp] Juniper Product against DDoS
So I had a tech session on the DDoS Secure product a while back, and my takeaway was that it is targeted at the low'n'slow style of DDoS rather than the volumetric attacks that products like Arbor et al. assist with mitigating - at the end of the day, you position it logically in front of your servers/LB (it's a transparent bridge).

In drastically simplified terms, it uses a truckload of heuristics and other magic™ to determine whether requests to your infrastructure are machine-based or interactive, and then, depending on whether traffic flows are in profile or not (servers under load etc.), reacts. Webcrawlers and other legit machine traffic are also handled gracefully.

The technology behind it looks quite interesting, and coupled with WebApp Secure/Mykonos it is certainly a different take on the typical mod_security/WAF story for any content providers.

It would be nice if product marketing had picked a slightly less evocative name though - when someone says DDoS, I'm sure most think instantly of pipe-filling packet storms.

Ben

On 19 Feb 2014, at 1:06 am, Benoit Plessis b.ples...@doyousoft.com wrote:
> On 18/02/2014 15:46, Samol wrote:
>> Hi Experts,
>>
>> Does Juniper provide any DDoS solution? Would you please recommend the product line for this solution, if there is one?
>>
>> thanks,
>
> Hi,
>
> No expert here, but there is the DDoS Secure appliance on their sales list, something from a company recently bought (http://www.webscreen-technology.com/). It's Dell server hardware apparently, with custom (up to where?) software. I should receive one shortly, so we shall see ...
Re: [j-nsp] Juniper Product against DDoS
On Feb 19, 2014, at 7:10 AM, Darius Jahandarie djahanda...@gmail.com wrote:
> It is worth pointing out that no transit providers actually accept flowspec.

Some transit providers do in fact utilize flowspec, keeping in mind various implementation and performance issues. I don't know of any who accept it from downstream customers, but that doesn't mean there aren't any, of course.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Luck is the residue of opportunity and design. -- John Milton
Re: [j-nsp] Juniper Product against DDoS
On Tue, Feb 18, 2014 at 10:08 AM, Dobbins, Roland rdobb...@arbor.net wrote:
> They also have flowspec capabilities on many (all?) of their routers; flowspec can be utilized to leverage the routers to mitigate DDoS attacks using layer-4 classification.

It is worth pointing out that no transit providers actually accept flowspec. Mainly due to the flowspec code in Juniper being bit-rotted, bug-riddled, and slow. So they only have flowspec capabilities for very limited meanings of "have". :-(

--
Darius Jahandarie
[j-nsp] VLAN's on EX4300 with 13.2X50-D15.3
Hi,

Why, when I have the config below:

ge-0/0/44 {
    description test;
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan103;
            }
            storm-control default;
unit 103 {
    description test;
    family inet {
        address 10.46.163.1/29;
vlan103 {
    description test;
    vlan-id 103;
    l3-interface vlan.103;

can I not ping 10.46.163.1 from the EX4300, and not ping 10.46.163.1 from the server connected to ge-0/0/44?

But when I add the below:

irb {
    unit 103 {
        family inet {
            address 10.46.163.1/29;

and delete:

vlan103 {
    description SGI;
    vlan-id 103;
    l3-interface vlan.103

ping works correctly.

On EX3300, EX4200 and EX2200 I do not need to set up an irb interface; why do I need one on the EX4300?

Br,
Janusz
Re: [j-nsp] VLAN's on EX4300 with 13.2X50-D15.3
It's a name change: vlan is now irb. It depends on the platform, but the newer ones use irb instead of vlan. So it doesn't work with vlan.103 because the vlan interface physically does not exist. But you can configure nonexistent interfaces in JunOS.

On Feb 18, 2014, at 9:44 PM, Janusz Wełna wrote:
> Hi,
>
> Why, when I have the config below:
>
> ge-0/0/44 {
>     description test;
>     unit 0 {
>         family ethernet-switching {
>             vlan {
>                 members vlan103;
>             }
>             storm-control default;
> unit 103 {
>     description test;
>     family inet {
>         address 10.46.163.1/29;
> vlan103 {
>     description test;
>     vlan-id 103;
>     l3-interface vlan.103;
>
> can I not ping 10.46.163.1 from the EX4300, and not ping 10.46.163.1 from the server connected to ge-0/0/44?
>
> But when I add the below:
>
> irb {
>     unit 103 {
>         family inet {
>             address 10.46.163.1/29;
>
> and delete:
>
> vlan103 {
>     description SGI;
>     vlan-id 103;
>     l3-interface vlan.103
>
> ping works correctly.
>
> On EX3300, EX4200 and EX2200 I do not need to set up an irb interface; why do I need one on the EX4300?
>
> Br,
> Janusz
Re: [j-nsp] VLAN's on EX4300 with 13.2X50-D15.3
Hi Janusz,

You may want to read through this document too:

http://www.juniper.net/techpubs/en_US/junos13.2/topics/task/configuration/getting-started-els.html

There are quite a few changes to the way you're used to doing things with VLANs and interfaces on EX4300s, which you'll find incredibly frustrating after using any of the other EXs up until now.

Also, upgrade your code to 13.2X50-D18 right now. No, really. You'll thank me later.

It's not actually available on the download page, but if you follow the link on the right where it shows JTAC recommended code, which redirects you to the password-protected KB article on recommended versions, which you can then dig through to find the link to the specific EX4300 software Technical Services Bulletin, which lists the 13-odd critical PRs that seemed to make it out the door, and finally the link to the actual software... or, for Hitchhiker's fans: It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'.

https://download.juniper.net/software/junos/regressed/13.2X50-D18/jinstall-ex-4300-13.2X50-D18-domestic-signed.tgz

On 19 Feb 2014, at 1:44 pm, Janusz Wełna janusz.we...@gmail.com wrote:
> Hi,
>
> Why, when I have the config below:
>
> ge-0/0/44 {
>     description test;
>     unit 0 {
>         family ethernet-switching {
>             vlan {
>                 members vlan103;
>             }
>             storm-control default;
> unit 103 {
>     description test;
>     family inet {
>         address 10.46.163.1/29;
> vlan103 {
>     description test;
>     vlan-id 103;
>     l3-interface vlan.103;
>
> can I not ping 10.46.163.1 from the EX4300, and not ping 10.46.163.1 from the server connected to ge-0/0/44?
>
> But when I add the below:
>
> irb {
>     unit 103 {
>         family inet {
>             address 10.46.163.1/29;
>
> and delete:
>
> vlan103 {
>     description SGI;
>     vlan-id 103;
>     l3-interface vlan.103
>
> ping works correctly.
>
> On EX3300, EX4200 and EX2200 I do not need to set up an irb interface; why do I need one on the EX4300?
>
> Br,
> Janusz
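Two of the threads on this page come down to the same class of configuration mistake: a reference to something the configuration does not define. In the EX4300 thread the VLAN's `l3-interface vlan.103` points at an interface that the ELS platform no longer has (only `irb.103` exists), and, as the reply notes, Junos lets you configure nonexistent interfaces; the SRX source-NAT rule-set in the first message is the same shape, a rule naming a pool. The script below is an added example, not code from the list or from Juniper: a hypothetical Python checker that parses the `show configuration` brace format into a tree and reports dangling `l3-interface` and `source-nat pool` references, so saved configs can be checked offline before a change window. The sample configuration, its addresses, pool and rule names are all constructed for the example.

```python
"""Dangling-reference check for Junos-style brace configuration.
Hypothetical helper, not Juniper code: parses `show configuration` brace syntax
into a tree and reports a VLAN's `l3-interface` whose interface unit is not
configured, and a source-NAT rule whose `pool` names a pool that is not defined."""
import re

# Tokens: braces, semicolons, list brackets, or any other run of non-separators.
TOKEN_RE = re.compile(r"\{|\}|;|\[|\]|[^\s{};\[\]]+")


class Node:
    """One `name { ... }` level: leaf statements (word lists) and child nodes."""
    def __init__(self, name):
        self.name, self.leaves, self.children = name, [], []

    def child(self, name):
        return next((c for c in self.children if c.name == name), None)

    def leaf(self, key):  # words after `key` in the first leaf starting with it
        return next((w[1:] for w in self.leaves if w and w[0] == key), None)

    def get(self, *path):  # walk child names in order; None if a step is missing
        node = self
        for name in path:
            node = node.child(name) if node else None
        return node


def parse(text):
    """Parse brace syntax into a Node tree; ValueError on unbalanced braces."""
    root = Node("root")
    stack, words = [root], []
    for tok in TOKEN_RE.findall(text):
        if tok == "{":                       # pending words name the new block
            node = Node(" ".join(words))
            stack[-1].children.append(node)
            stack.append(node)
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif tok == ";":                     # pending words form one leaf statement
            stack[-1].leaves.append(words)
            words = []
        elif tok not in ("[", "]"):          # brackets dropped; list members kept as words
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced opening brace")
    return root


def configured_units(cfg):
    """Set of 'ifname.unit' for every logical unit under [edit interfaces]."""
    interfaces, units = cfg.get("interfaces"), set()
    for ifd in (interfaces.children if interfaces else []):
        for ifl in ifd.children:
            kind, _, unit = ifl.name.partition(" ")
            if kind == "unit":
                units.add(f"{ifd.name}.{unit}")
    return units


def dangling_l3_interfaces(cfg):
    """[(vlan, l3-interface)] for VLANs whose l3-interface unit does not exist."""
    units, vlans, problems = configured_units(cfg), cfg.get("vlans"), []
    for vlan in (vlans.children if vlans else []):
        ref = vlan.leaf("l3-interface")
        if ref and ref[0] not in units:
            problems.append((vlan.name, ref[0]))
    return problems


def dangling_nat_pools(cfg):
    """[(rule, pool)] for source-NAT rules naming a pool that is not defined."""
    source = cfg.get("security", "nat", "source")
    if source is None:
        return []
    pools = {c.name[len("pool "):] for c in source.children if c.name.startswith("pool ")}
    problems = []
    for rs in (c for c in source.children if c.name.startswith("rule-set ")):
        for rule in (c for c in rs.children if c.name.startswith("rule ")):
            pool = rule.get("then", "source-nat", "pool")
            if pool and pool.leaves and pool.leaves[0][0] not in pools:
                problems.append((rule.name[len("rule "):], pool.leaves[0][0]))
    return problems


# Constructed sample: the VLAN still points at vlan.103 although only irb.103 exists
# (the EX4300 symptom in the thread), and the second NAT rule names a pool that was
# never created. All addresses and names here are made up for the example.
SAMPLE = """
interfaces {
    ge-0/0/44 { unit 0 { family ethernet-switching { vlan { members vlan103; } } } }
    irb { unit 103 { family inet { address 10.46.163.1/29; } } }
}
vlans { vlan103 { vlan-id 103; l3-interface vlan.103; } }
security { nat { source {
    pool isp-1 { address { 192.0.2.1/32; } }
    rule-set TRUST-TO-UNTRUST {
        from zone TRUST; to zone UNTRUST;
        rule nat-isp1 { match { source-address [ 10.0.0.10/32 10.0.0.11/32 ]; }
                        then { source-nat { pool { isp-1; } } } }
        rule nat-isp2 { match { source-address 10.0.0.12/32; }
                        then { source-nat { pool { isp-2; } } } }
    }
} } }
"""

if __name__ == "__main__":
    cfg = parse(SAMPLE)
    print(dangling_l3_interfaces(cfg), dangling_nat_pools(cfg))
```

Run against the sample it reports `vlan103 -> vlan.103` (the fix in the thread is to point the VLAN at `irb.103`) and `nat-isp2 -> isp-2`. The parser is deliberately minimal: it keys blocks by their full header words ("pool isp-1", "rule-set TRUST-TO-UNTRUST"), flattens `[ ... ]` lists into plain words, and refuses unbalanced braces, so a trimmed paste like the one in the question is rejected rather than silently misread.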