[j-nsp] Best device to fit for a project
For a project (70 branch offices and 2 Headquarters connected in a hub-and-spoke topology with IPSEC over MPLS among branch and HQ) I’m looking for the best device which covers the following items:

Branch:
- Single device
- At least two Ethernet interfaces (WAN/LAN)
- Ipsec supporting 10-50-100 Mbs
- Routing protocols such as BGP-OSPF
- NAT
- Redundant power supply (some site not but in principle I need it)

HeadQuarter:
- Single device with XE intf
- At least two Ethernet interfaces (WAN/LAN)
- IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
- Routing protocols such as BGP-OSPF
- NAT
- Redundant power supply

Firewall is not needed, MPLS will be run by the carrier, the devices and IPSEC are on top of MPLS.

I’m looking for the best solution in terms of scalability and price (very important). Also any advice with experience for the decision is appreciated.

Regards

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Best device to fit for a project
SRX550 is pretty much your only option in the branch if you require dual power supply, but is in every other way overspecced (and thus priced) for the remainder of your branch requirements. If you can do without the RPS, then I'd go with either an SRX220 or 240, which will easily handle the remainder of your requirements. Are you sure you want 7-10GBps of IPSEC? I'm not sure what market you're in, but I don't imagine a 10Gbps WAN port is particularly cheap from your carrier (since you list price as being important). If you absolutely need this much crypto though, then you'll be looking at somewhere between an SRX650 and an SRX1400 plus appropriate 10G XPM/IOC. As for scalability - no issues - the 650 will support up to 3,000 tunnels and the 1400 was good for about 15,000 last time I looked - it's probably gotten better since then. Ben
Re: [j-nsp] maximum BGP multipath ECMP supported on M7i or M10i routers?
Hi,

Two types of balancing supported: per prefix (bgp multipath) and per flow (ECMP next-hop including bgp multipath).

Up to 64 ECMP next-hops on MX (DPC, MPC), M120, M10i (Enhanced CFEB), M320 (FPC dependent), T (FPC dependent) for RSVP, LDP, ISIS (ipv4/6), OSPF (ipv4/6), IBGP (ipv4/6), EBGP (ipv4/6).

Symmetric load balancing <http://www.juniper.net/techpubs/en_US/junos12.2/topics/usage-guidelines/interfaces-configuring-symmetrical-load-balancing-lag-on-mx-routers.html> over 802.3ad link aggregation groups (LAGs) on MX routers with MPCs.

Best Regards,
Krasi

On 31 March 2014 22:14, Yucong Sun sunyuc...@gmail.com wrote:
> Does anyone have insight on this?
>
> Moreover, I guess my quest is to find a device that supports
> 1) per flow hashing with as many as ECMP route as possible. (not sure how many ECMP route is supported)
> 2) consistent hashing (existing flow don't break if route is added or removed) (juniper doc didn't mention this)
>
> Your opinion/experience on this is greatly appreciated.
>
> Thanks.
>
> On Fri, Mar 28, 2014 at 12:44 PM, Yucong Sun sunyuc...@gmail.com wrote:
> > Hi,
> >
> > Does anyone know how many BGP multipath ECMP routes does a M7i/M10i router support? 16? 32? 64?
> >
> > I found this document: http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/maximum-ecmp-edit-chassis.html which says 16/32/64 but it was only mentioning MPLS routes, not BGP multipath routes. I think they might be the same thing, but just want to be sure.
> >
> > Thanks!
Re: [j-nsp] maximum BGP multipath ECMP supported on M7i or M10i routers?
Thanks, do you have any insight on the consistent hashing? If I started with per flow 8 ecmp route to a single /32, later removed one route, would packets all be redistributed over 7 route? This would break in flight tcp sessions to the vip.

Cheers.
[j-nsp] MX80-48T rear slot and 2XGE MIC
Hello everybody )

I've been thinking about a very interesting thing. All MX80 routers have a rear slot for MS MIC, even MX80-48T. MX80-48T has a fixed structure but we can put a 2XGE MIC in the rear slot, I think, and get a 6XGE router.

Anyone have some thoughts or experience on this?

Thx ^)
Re: [j-nsp] MX80-48T rear slot and 2XGE MIC
One of my friends put a 2XGE MIC in the rear slot of an MX80-AC router and it was shown in sh cha hard output ) so I'm thinking it will do the trick, but I'm not sure about the MX80-48T model.

2014-04-01 14:47 GMT+06:00 Jayaraj Shantharam jay_shantha...@rediffmail.com:
> Hi,
>
> What I understand is the rear slot is for the services card/MIC either MS DPC or MS-MIC.
>
> Regards
> Jay
Re: [j-nsp] Best device to fit for a project
The hub has to support the sum of all the branches, hence definitely more than 1 Gbs... You've arrived at my same conclusion. I had a look at MX but it's a bit more expensive...

tks
Re: [j-nsp] Best device to fit for a project
2 x SRX1k or 2k could be a good idea but it's not what I was asked for... I'll try a poll from the price list seems cheaper SRX6k or SRX14k than MX5...

GDOI works just with single box? And what about SSG?

regards

From: p...@westerlund.se
Date: Tue, 1 Apr 2014 10:17:00 +0200
> Another possibility is a cluster of units to take care of the dual PSU requirement.
>
> For the low end you can mount 2 SRX100 in a 1U tray, and make them a cluster. Will not handle 100Mbps IPsec, but will do 10 Mbps easily, perhaps 50 Mbps depending on how you count and configure (50 bidir is actually 100 in processing power etc). None of the branch SRX have crypto chip, all IPsec is done in CPU, have to watch that.
>
> Clustered 220/240 would take care of dual PSU for 100 Mbps IPsec, but unfortunately two boxes.
>
> I don’t have pricing available and don’t run any of these myself, but what about a small MX5 (or similar) with service-card (MS-MIC) for the hub site? It claims throughput of 9Gbps. Would that fit the bill instead of the bigger SRX boxes?
>
> /Per
>
> PS: With plain IPsec, no internet tunnel requirement, and SRX everywhere, you can use GDOI (Group VPN, Cisco: GET VPN), but unfortunately that does not work with clusters. Can’t have both right now, sorry. Saves lots of problems managing pre-shared keys etc.
Re: [j-nsp] maximum BGP multipath ECMP supported on M7i or M10i routers?
> if i started with per flow 8 ecmp route to a single /32, later removed one route, would packets all be redistributed over 7 route? this would break in flight tcp sessions to the vip.

Well, flows utilizing the failed path would be spread across the remaining 7 paths. But any particular flow would be using only a single path. So this would break the existing session only if different (per path) security/nat/balancer devices are crossed and states are not synced among them.

adam
Re: [j-nsp] maximum BGP multipath ECMP supported on M7i or M10i routers?
Thanks, that's what I mean by consistent hashing :-D But just to clarify, were you talking about juniper routing device that has this feature or are you referring to security device?
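An added illustration of the question discussed in this thread (not code from any poster, and not the hash any Juniper platform uses): it counts how many existing flows change next hop when one of 8 ECMP next hops is withdrawn, first with a plain hash-modulo-N choice and then with rendezvous (highest-random-weight) hashing. The flow tuples, next-hop names and both selection functions are assumptions constructed for the demonstration.

```python
"""Per-flow ECMP: what happens to existing flows when 1 of 8 next hops goes away.

Illustrative model only; it does not reproduce any vendor's forwarding hash.
"""
import hashlib
import random


def flow_hash(flow, salt=""):
    """Stable 64-bit hash of a 5-tuple (src, dst, proto, sport, dport)."""
    data = (salt + "|" + "|".join(map(str, flow))).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def pick_modulo(flow, next_hops):
    """Naive selection: hash modulo the current number of next hops."""
    return next_hops[flow_hash(flow) % len(next_hops)]


def pick_rendezvous(flow, next_hops):
    """Rendezvous (HRW) selection: highest per-(flow, next hop) score wins."""
    return max(next_hops, key=lambda nh: flow_hash(flow, salt=nh))


def make_flows(count, vip="192.0.2.10", seed=1):
    """Constructed sample: TCP flows from random clients to one /32 VIP."""
    rng = random.Random(seed)
    flows = set()
    while len(flows) < count:
        src = "198.51.100.%d" % rng.randint(1, 254)
        flows.add((src, vip, 6, rng.randint(1024, 65535), 443))
    return sorted(flows)


def simulate(picker, flows, next_hops, removed):
    """Return (flows on the removed path, flows on surviving paths that moved)."""
    survivors = [nh for nh in next_hops if nh != removed]
    on_removed = moved_survivors = 0
    for flow in flows:
        before = picker(flow, next_hops)
        after = picker(flow, survivors)
        if before == removed:
            on_removed += 1          # must move: its path is gone
        elif before != after:
            moved_survivors += 1     # collateral: path still up, flow rehashed
    return on_removed, moved_survivors


NEXT_HOPS = ["nh%d" % i for i in range(8)]   # hypothetical next-hop names
FLOWS = make_flows(10000)

if __name__ == "__main__":
    for name, picker in (("modulo", pick_modulo), ("rendezvous", pick_rendezvous)):
        gone, collateral = simulate(picker, FLOWS, NEXT_HOPS, "nh3")
        print("%-10s on removed path: %5d  moved although path stayed up: %5d"
              % (name, gone, collateral))
```

With the modulo picker most flows whose next hop stayed up are still rehashed onto a different one; with the rendezvous picker only the flows that were on the withdrawn next hop move.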
[j-nsp] system archival configuration and filenames
Dear Colleagues,

I have configured the following:

    admin@sw-us-parabel> show configuration system archival
    configuration {
        transfer-on-commit;
        archive-sites {
            ftp://cfg@10.14.140.125/ password $9$WqR8X-4oGiHm24; ## SECRET-DATA
        }
    }

on an EX4200 with JUNOS 12.3R3.4.

The files which end up on the FTP server look like this:

    acc_transfer_link_3775
    acc_transfer_link_3811
    acc_transfer_link_3874

and they come gzipped.

How can I configure the archived configs to be a) plain text (not gzipped) and b) somehow related to the name of the switch?

Thanks in advance for any ideas.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: [j-nsp] Best device to fit for a project
Check out AutoVPN as well:

http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-autovpn-spoke-authentication-understanding.html

It's hub-and-spoke (as opposed to full-mesh) and a little simpler than GDOI, but you do take the overhead of having to manage PKI across your fleet.

Ben
Re: [j-nsp] system archival configuration and filenames
Hi Victor,

This was discussed here a little while back - in short there is no way to archive them unzipped except to have a server-side script monitoring the directory you FTP to and doing it for you.

As for the naming, that is odd - the standard format for these files is:

    router-name_juniper.conf.n.gz_MMDD_HHMMSS

Cheers,
Ben
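One way to do the server-side step described in the reply above, as an added example that is not from the thread: scan the FTP drop directory, gunzip each upload and name the result after the `host-name` statement found inside the configuration. The directory layout, the output naming scheme and the helper names are assumptions, as is the presence of `host-name` in the archived file; the sample upload is constructed.

```python
"""Decompress Junos 'system archival' uploads and name them after the switch."""
import gzip
import os
import re
import tempfile
import time
import zlib

GZIP_MAGIC = b"\x1f\x8b"
# Curly-brace Junos configuration line, e.g. "host-name sw-us-parabel;"
HOSTNAME_RE = re.compile(r"^\s*host-name\s+([A-Za-z0-9._-]+);", re.MULTILINE)


def extract_hostname(config_text):
    """Return the configured host-name, or None if the statement is absent."""
    match = HOSTNAME_RE.search(config_text)
    return match.group(1) if match else None


def process_file(path, out_dir):
    """Gunzip one upload into out_dir; return the new path or None if skipped."""
    with open(path, "rb") as handle:
        raw = handle.read()
    if raw[:2] != GZIP_MAGIC:
        return None                      # not gzip (foreign or unrelated file)
    try:
        text = gzip.decompress(raw).decode("utf-8", errors="replace")
    except (OSError, EOFError, zlib.error):
        return None                      # truncated upload: leave it for a later pass
    host = extract_hostname(text) or "unknown-" + os.path.basename(path)
    stamp = time.strftime("%Y%m%d_%H%M%S", time.gmtime(os.path.getmtime(path)))
    target = os.path.join(out_dir, "%s_%s.conf" % (host, stamp))
    # Configs hold password hashes: create the file readable by the owner only.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.write(text)
    os.remove(path)
    return target


def process_drop_dir(drop_dir, out_dir):
    """Process every regular file in drop_dir; return the list of files written."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for name in sorted(os.listdir(drop_dir)):
        path = os.path.join(drop_dir, name)
        if os.path.isfile(path):
            result = process_file(path, out_dir)
            if result:
                written.append(result)
    return written


def demo():
    """Run against a constructed upload named like the ones in the thread."""
    sample = "system {\n    host-name sw-us-parabel;\n}\n"   # constructed config
    with tempfile.TemporaryDirectory() as root:
        drop, out = os.path.join(root, "drop"), os.path.join(root, "out")
        os.makedirs(drop)
        with open(os.path.join(drop, "acc_transfer_link_3775"), "wb") as handle:
            handle.write(gzip.compress(sample.encode()))
        with open(os.path.join(drop, "partial"), "wb") as handle:
            handle.write(GZIP_MAGIC + b"\x08truncated")          # broken gzip
        written = process_drop_dir(drop, out)
        names = [os.path.basename(p) for p in written]
        with open(written[0], encoding="utf-8") as handle:
            content = handle.read()
        return names, content, sorted(os.listdir(drop))


if __name__ == "__main__":
    print(demo())
```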
Re: [j-nsp] MX80-48T rear slot and 2XGE MIC
http://paste.ubuntu.com/7189026/
http://paste.ubuntu.com/7189039/

At these URLs you can see that there is an additional MIC in the chassis and it works, so we can get 6XGE in 48T, which can give us a lower price for each port, I think )
[j-nsp] SRX PPPoE experience and scaling values.
Good day everyone.

So far I was thinking about using an SRX model as a cheap PPPoE subscriber device, with RADIUS authorization and accounting. Has anyone tried using it like this? Any experience or options?

Thx.
Re: [j-nsp] Admin Password change issue !!
In Junos, usernames in lower case and upper case are different: ADMIN is one user and admin is another user.

2014-03-29 1:33 GMT+07:00 Harri Makela harri_mak...@yahoo.com:
> Hi There
>
> I am trying to change Admin password on our devices. Problem is that even after changing the admin password, I am still able to login with the old password. Following is the configuration which I have:-
>
>     set system login user ADMIN uid 2004
>     set system login user ADMIN class super-user
>     set system login user admin uid 2001
>     set system login user admin class super-user
>     set system login user admin authentication encrypted-password xxx
>     set system root-authentication encrypted-password XXX
>
> Can anyone point out where exactly I am making mistake?
>
> Thanks
> HM

--
Samol Khoeurn
Network Engineer
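An added check for the situation in this thread (not from either poster): it parses `set system login user ...` lines, groups usernames that differ only in case, and reports which of them carry an `authentication` statement in the configuration shown. The helper names and report format are assumptions; the sample lines are the ones quoted in the question.

```python
"""Find Junos login users whose names differ only by case."""
import re
from collections import defaultdict

SET_USER_RE = re.compile(r"^set system login user (\S+) (\S+)(?: (.*))?$")

# The configuration lines quoted in the thread.
SAMPLE = """\
set system login user ADMIN uid 2004
set system login user ADMIN class super-user
set system login user admin uid 2001
set system login user admin class super-user
set system login user admin authentication encrypted-password xxx
set system root-authentication encrypted-password XXX
"""


def parse_users(config_text):
    """Map each username (case preserved) to the attributes set for it."""
    users = defaultdict(dict)
    for line in config_text.splitlines():
        match = SET_USER_RE.match(line.strip())
        if not match:
            continue                      # e.g. root-authentication, other stanzas
        name, key, rest = match.groups()
        if key == "authentication":
            # Record only the method keyword, never the hash itself.
            users[name]["authentication"] = (rest or "").split(" ")[0]
        else:
            users[name][key] = rest
    return dict(users)


def case_collisions(users):
    """Return {lowercased name: [names]} for names differing only in case."""
    groups = defaultdict(list)
    for name in users:
        groups[name.lower()].append(name)
    return {folded: sorted(names) for folded, names in groups.items()
            if len(names) > 1}


def audit(config_text):
    """List every user involved in a case collision with its key attributes."""
    users = parse_users(config_text)
    findings = []
    for folded, names in sorted(case_collisions(users).items()):
        for name in names:
            attrs = users[name]
            findings.append({
                "user": name,
                "collides_as": folded,
                "uid": attrs.get("uid"),
                "class": attrs.get("class"),
                "has_authentication": "authentication" in attrs,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```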
Re: [j-nsp] Best device to fit for a project
As already mentioned, run an SRX220 cluster (two devices) at each branch, and then use something like an SRX1400 for the core. Could even run two of them at the core in a cluster and be super fancy :). Thanks, Morgan