[j-nsp] Limitations of MPLS support on EX4200
Colleagues,

Is MPLS support on EX4200 not complete? It is not a router after all, it is an L3 switch, so I expect there to be limitations.

Where can I read more about EX4200 MPLS limitations and supported features? E.g. I cannot find ldp under edit protocols. I have an Advanced license installed which says:

admin@sw-us-parabel> show system license
License usage:
                     Licenses   Licenses   Licenses   Expiry
  Feature name           used  installed     needed
  bgp                       0          1          0   permanent
  isis                      0          1          0   permanent
  mpls                      0          1          0   permanent

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Limitations of MPLS support on EX4200
Hi Victor,

On Thu, May 1, 2014 at 5:15 PM, Victor Sudakov v...@mpeks.tomsk.su wrote:
> Is MPLS support on EX4200 not complete? It is not a router after all, it is an L3 switch, so I expect there to be limitations.
>
> Where can I read more about EX4200 MPLS limitations and supported features?

This may help; see:
http://www.juniper.net/techpubs/en_US/release-independent/nce/information-products/topic-collections/nce/nce0115-mpls-switching-faq/mpls-switching-frequently-asked-questions.pdf

cheers,
Dale
Re: [j-nsp] Limitations of MPLS support on EX4200
My favorite place to go and find out if a feature is available for any platform vs release is the feature explorer. It really does a nice quick job and produces a nice savable output

http://pathfinder.juniper.net/feature-explorer/

On May 1, 2014, at 2:15 AM, Victor Sudakov v...@mpeks.tomsk.su wrote:
> Colleagues,
>
> Is MPLS support on EX4200 not complete? It is not a router after all, it is an L3 switch, so I expect there to be limitations.
>
> Where can I read more about EX4200 MPLS limitations and supported features? E.g. I cannot find ldp under edit protocols. I have an Advanced license installed which says:
>
> admin@sw-us-parabel> show system license
> License usage:
>                      Licenses   Licenses   Licenses   Expiry
>   Feature name           used  installed     needed
>   bgp                       0          1          0   permanent
>   isis                      0          1          0   permanent
>   mpls                      0          1          0   permanent
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru
Re: [j-nsp] Limitations of MPLS support on EX4200
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jerry Jones
> Sent: Thursday, May 01, 2014 7:57 AM
> To: Victor Sudakov
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Limitations of MPLS support on EX4200
>
> My favorite place to go and find out if a feature is available for any platform vs release is the feature explorer. It really does a nice quick job and produces a nice savable output
>
> http://pathfinder.juniper.net/feature-explorer/

Yeah, if only the data it produced was actually correct. I wasn't aware that the MX80 supported Virtual Chassis, 100-Gigabit Ethernet MICs, MX-MPC2-3D MPCs, and any number of DPCs, but according to Feature Explorer, all these things are supported.

-evt
[j-nsp] Enhanced Web Filtering and Websense
Hey all,

I have a license for Enhanced Web Filtering for a cluster of SRX550's but... there is a site being caught 'by reputation' that shouldn't be: www.9to5mac.com

We seem to have no access to tools on their website or any way to look up a site and see why the reputation is bad.

Does anyone have any thoughts or know of a way to access the tool... or ?

Thanks all.

...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com
Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellegonetworks ; http://twitter.com/networkceoau
linkedin.com/in/skeeve
twitter.com/theispguy ; blog: www.theispguy.com
The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
Re: [j-nsp] Enhanced Web Filtering and Websense
Sorry, here is the web log.

10.x.x.x - - [28/Apr/2014:10:27:32 +1000] x HTTP/1.1 304 - http://blocked.x.com/?JNI_URL=www.9to5mac.com/JNI_REASON=BY_SITE_REPUTATIONJNI_CATEGORY=Enhanced_Information_TechnologyJNI_REPUTATION=HARMFULJNI_POLICY=POLICY_EWF_STANDARDJNI_SRCIP=x.x.x.xJNI_SRCPORT=11742JNI_DSTIP=x.x.x.xJNI_DSTPORT=80; Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

...Skeeve

On Fri, May 2, 2014 at 12:36 AM, Skeeve Stevens skeeve+juniper...@eintellegonetworks.com wrote:
> Hey all,
>
> I have a license for Enhanced Web Filtering for a cluster of SRX550's but... there is a site being caught 'by reputation' that shouldn't be: www.9to5mac.com
>
> We seem to have no access to tools on their website or any way to look up a site and see why the reputation is bad.
>
> Does anyone have any thoughts or know of a way to access the tool... or ?
>
> Thanks all.
>
> ...Skeeve
Re: [j-nsp] Junos Dynamic VPN
FYI: Pulse supports Dynamic VPN on the MacOS Client as of release 5.0.3.

Regards,
Phil

On May 1, 2014, at 12:38 AM, Tim Dykes ttdy...@gmail.com wrote:
> Dynamic VPN on SRX is a pain in the ass. doesn't do half of what you would expect it to do. Go a SA instead.
>
> It's built on IPSec (unlike the MAG which is ssl vpn)
>
> Pulse from a mobile will work, Pulse on a Mac won't. Here's the official list:
>
> *Junos Pulse*
> - Vista (32-bit and 64-bit)
> - Windows XP (32-bit and 64-bit)
> - Windows 7 (32-bit and 64-bit)
> - Windows 8.0 (32-bit and 64-bit)
> - Windows 8.1 (32-bit and 64-bit)
>
> *Junos Access Manager*
> - Windows XP 32-bit and 64-bit with any service pack
> - Windows Vista 32-bit and 64-bit with any service pack
> - Windows 7 32-bit and 64-bit with any service pack (Junos 10.4 and above only)
>
> I don't think you can route from a client through the ipsec session (if that's what you mean). Once you are in the VPN public IPs don't mean much and return routes are hard to install for a dynamic session. I would suggest a true IPSec (device to device) vpn for that.
>
> Tim Dykes
> M: 041 962 0603
> E: ttdykes at gmail.com
>
> On Wed, Apr 30, 2014 at 12:50 PM, Ali Sumsam ali+juniper...@eintellego.net wrote:
>> Hi all,
>>
>> I have a SRX240 cluster and doing VPN to it using Junos pulse client.
>>
>> My first question is, can we use a mac or windows client to connect this VPN rather than the Junos Pulse? One of the options, Junos pulse shows is the SRX. What is the protocol behind VPN Type SRX?
>>
>> My second question is about the routing through the VPN session. Is it possible to run the internet through the VPN. Has someone ever done that? My rough idea is, if I send default route to the VPN client and on the client's PC, set a route in which pointing SRX's public IP towards the main internet connection of the PC. This way SRX public IP will be reachable from the client's PC and default route will be pointing towards the VPN.
>>
>> Please comment.
>>
>> Thanks,
>>
>> *Ali Sumsam - *eintellego Networks Pty Ltd
>> Senior Network Engineer
>> a...@eintellegonetworks.com ; www.eintellegonetworks.com
>> Phone: 1300 239 038; Cell +61 (0)450 609 592 ; skype://sumsam.ali80
>> facebook.com/eintellegonetworks ; http://twitter.com/networkceoau
>> linkedin.com/in/alisumsam
>> The Experts Who The Experts Call
>> Juniper - Cisco - Cloud
Re: [j-nsp] Enhanced Web Filtering and Websense (Skeeve Stevens)
Hi Skeeve,

I haven't used this feature but this is what I would check first. Looking at web log provided:

10.x.x.x - - [28/Apr/2014:10:27:32 +1000] x HTTP/1.1 304 - http://blocked.x.com/?JNI_URL=www.9to5mac.com/JNI_REASON=BY_SITE_REPUTATIONJNI_CATEGORY=Enhanced_Information_TechnologyJNI_REPUTATION=HARMFULJNI_POLICY=POLICY_EWF_STANDARDJNI_SRCIP=x.x.x.xJNI_SRCPORT=11742JNI_DSTIP=x.x.x.xJNI_DSTPORT=80; Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

What is IP in DSTIP=x.x.x.x ? Source PC that requested the page might be infected with malware, if destination IP does not match dns record of www.9to5mac.com that can be a hint.

Also what is "http://blocked.x.com/?" in that web log? Is it part of original request?

Regards,
Sinisa Pesa
Senior Network and Security Specialist
www.bluecentral.com
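The check suggested in the reply above, as an added example that is not part of the original post or of any Juniper tooling: it pulls the JNI_* fields out of the block-page URL (tolerating the missing "&" separators seen in the quoted log) and compares JNI_DSTIP with the addresses resolved for the blocked host. The sample log line, the blocked.example.com host, the documentation-range addresses and the resolve() helper are assumptions made for the example.

```python
import ipaddress
import re
import socket

# Matches NAME=value pairs whether or not the "&" separators survived
# (the copy of the log quoted in this thread has lost them).
_FIELD = re.compile(r'(JNI_[A-Z]+)=(.*?)(?=&?JNI_[A-Z]+=|[;\s"]|$)')

def parse_block_fields(log_line):
    """Return the JNI_* fields of the block-page URL in one web-log line."""
    return dict(_FIELD.findall(log_line))

def blocked_host(fields):
    """Host part of JNI_URL, e.g. 'www.9to5mac.com/' -> 'www.9to5mac.com'."""
    return fields.get("JNI_URL", "").split("/", 1)[0].lower()

def resolve(host):
    """Hypothetical helper: current A/AAAA records (needs network access)."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def dstip_matches_dns(fields, resolved):
    """True/False when JNI_DSTIP is / is not among the resolved addresses;
    None when the logged address is masked or unparsable."""
    try:
        dst = ipaddress.ip_address(fields.get("JNI_DSTIP", ""))
    except ValueError:
        return None
    return dst in {ipaddress.ip_address(a) for a in resolved}

# Constructed sample: same layout as the log in the thread, with the masked
# x.x.x.x values replaced by documentation-range addresses.
SAMPLE = ('10.0.0.5 - - [28/Apr/2014:10:27:32 +1000] x HTTP/1.1 304 - '
          'http://blocked.example.com/?JNI_URL=www.9to5mac.com/'
          'JNI_REASON=BY_SITE_REPUTATION'
          'JNI_CATEGORY=Enhanced_Information_Technology'
          'JNI_REPUTATION=HARMFULJNI_POLICY=POLICY_EWF_STANDARD'
          'JNI_SRCIP=10.0.0.5JNI_SRCPORT=11742'
          'JNI_DSTIP=203.0.113.50JNI_DSTPORT=80; Mozilla/5.0')
# Constructed stand-in for what the resolver returned for the blocked host.
SAMPLE_DNS = {"198.51.100.10", "198.51.100.11"}

if __name__ == "__main__":
    f = parse_block_fields(SAMPLE)
    print(blocked_host(f), f["JNI_REASON"], f["JNI_REPUTATION"])
    print("DSTIP matches DNS:", dstip_matches_dns(f, SAMPLE_DNS))
```

A mismatch is only a hint, as the reply says: resolve from the resolver the client actually uses and close to the time of the log entry, because large sites rotate addresses.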
Re: [j-nsp] Limitations of MPLS support on EX4200
Label depth - EX4200 only supports a single MPLS label on a packet. See
http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/mpls-label-operations-ex-series.html

On Thu, 1 May 2014 14:15:36 +0700, Victor Sudakov wrote:
> Colleagues,
>
> Is MPLS support on EX4200 not complete? It is not a router after all, it is an L3 switch, so I expect there to be limitations.
>
> Where can I read more about EX4200 MPLS limitations and supported features? E.g. I cannot find ldp under edit protocols. I have an Advanced license installed which says:
>
> admin@sw-us-parabel> show system license
> License usage:
>                      Licenses   Licenses   Licenses   Expiry
>   Feature name           used  installed     needed
>   bgp                       0          1          0   permanent
>   isis                      0          1          0   permanent
>   mpls                      0          1          0   permanent