Re: [j-nsp] ISG-2000 to ASA converstion

2016-10-12 Thread Hugo Slabbert


On Wed 2016-Oct-12 12:24:10 -0700, Payam Chychi wrote:

> crazy questions... why?
>
> normally it's Cisco to Juniper especially when it comes to the
> vpn/firewall/security devices


ISGs are old.  If I were a betting man, I'd say it's hardware refresh time 
and the ASAs won the day in the comparison shopping or a POC face-off.  
Bonus points if the differentiator was UTM-type stuff or anything with 
"Source" or "Fire" in the name...


--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal



___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] ISG-2000 to ASA converstion

2016-10-12 Thread Payam Chychi

crazy questions... why?

normally it's Cisco to Juniper especially when it comes to the 
vpn/firewall/security devices



On 10/12/16 12:04 PM, Nik Geyer wrote:

https://fwmig.cisco.com/

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of 
Mohammad Khalil
Sent: Wednesday, 12 October 2016 5:11 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] ISG-2000 to ASA converstion

Dears
Is there a tool that can help in converting from Juniper ISG-2000 to Cisco ASA ?

Thanks in advance

BR,
Mohammad

Re: [j-nsp] ISG-2000 to ASA converstion

2016-10-12 Thread Nik Geyer
https://fwmig.cisco.com/

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of 
Mohammad Khalil
Sent: Wednesday, 12 October 2016 5:11 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] ISG-2000 to ASA converstion

Dears
Is there a tool that can help in converting from Juniper ISG-2000 to Cisco ASA ?

Thanks in advance

BR,
Mohammad


Re: [j-nsp] Recommended firmware for QFX5100-48T

2016-10-12 Thread Nik Geyer
You should be able to fix the ae cosmetic issue with "set interfaces aeX 
aggregated-ether-options link-speed 1g".

The latency just seems to be a QFX5100 thing and doesn't actually impact 
anything operationally, i.e. transitive latency through the switch (which is 
what matters after all right?) is fine and in the microsecond range as one 
would expect. I have run various iterations of 14, 15 and 16 and all exhibit 
the same behaviour.

Tried Junos 16.1R1 on some of our lab switches (24Q and 48S) and it was an 
instant train wreck, as expected for the first release of a major revision 
change. We run *lots* of these things in some weird and wonderful configurations 
and the JTAC recommended version, 14.1X53-D35, is what I would recommend unless 
you have a reason not to use it, e.g. feature requirement.

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of 
Paul S.
Sent: Tuesday, 11 October 2016 1:16 AM
To: Dale Shaw; Graham Brown
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Recommended firmware for QFX5100-48T

Hi Dale,

Yeah, seems to be the case. I tried configuring one as GE, the show command 
simply said it couldn't find that interface afterwards.

Auto negotiation being turned on doesn't seem to matter, it linked up even 
without it.

On sh int xe-0/0/0 media, you can however find these:

 Link mode: Full-duplex, Flow control: None, Remote fault: OK, Link 
partner Speed: 1000 Mbps

So I think that part's OK. monitor interface and ae interfaces still claim 
to run at 10g, but I think that's cosmetic?

I just need to figure out where the latency is coming from now. Does the QFX do 
any ICMP deprio by default now? This is a VC of two 5100-48Ts.

Has anyone tried any of the newer firmwares? Juniper says 16.1 is latest now.

On 10/11/2016 05:34 AM, Dale Shaw wrote:
>
> Hi all,
>
> On 11 Oct 2016 6:23 AM, "Graham Brown" wrote:
> >
> > Hi Paul,
> >
> > Correct, just use 'replace pattern xe-0/0/0 with ge-0/0/0' etc and 
> > you should be fine.
>
> I don't think that's how it works on qfx5100-48**T**
>
> It's more like copper based EX, where the interfaces are configured as 
> ge-x/x/x even if they're plugged into something capable of only 10 or 
> 100BASE-T operation.
>
> I seem to recall that there is a trick to making it work that involves 
> autoneg but I'm currently using a tiny screen and an imaginary 
> keyboard so digging up the details isn't possible right now.
>
> I'm certain that JTAC could help but I'll try to find something when 
> I'm properly online.
>
> Cheers,
> Dale
>
> > On 11 October 2016 at 07:05, Paul S. wrote:
> >
> > > Hi Joel,
> > >
> > > Thanks for replying.
> > >
> > > What are the steps to configure the ports as "ge." Do I just get rid of xe
> > > from the config and replace it with ge for that port, that's all?
> > >
> > >
> > > On 10/11/2016 12:21 AM, joel jaeggli wrote:
> > >
> > >> On 10/10/16 7:34 AM, Paul S. wrote:
> > >>
> > >>> Hi folks,
> > >>>
> > >>> Is everyone running the JTAC recommended 14.1X53-D35.3 or have 
> > >>> you found better stability at some newer revision?
> > >>>
> > >>> My problem is that the "tri state" 10g ports (copper) don't seem 
> > >>> to want to run at anything less than 10g. It links up when connected to a
> > >>> 1g device, but still claims that the port is operating in 10g mode.
> > >>>
> > >>> The biggest issue I have is that if I assign a /30 to the p2p 
> > >>> interfaces (between the qfx and any copper 1g device), my p2p latency
> > >>> is somewhere from 10 to 40ms.
> > >>>
> > >>> I asked around to see if there's any way to force the ports into 
> > >>> 1g mode, but the "speed" knob is missing. I deliberately turned 
> > >>> on auto-negotiation, does not seem to help.
> > >>>
> > >>> 802.3ad LAGs created using any of these links also claim to have 
> > >>> speeds of 20g/40g when there's in reality only 4g of capacity.
> > >>>
> > >>> Can someone hit me with a clue stick? Thanks!
> > >>>
> > >> I presume that you're specifying the port config as ge-0/0/foo 
> > >> rather than xe-0/0/foo
> > >>
> > >> joel@ show interfaces ge-0/0/46
> > >> Physical interface: ge-0/0/46, Enabled, Physical link is Up
> > >>Interface index: 701, SNMP ifIndex: 616
> > >>Description:
> > >>Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, BPDU Error:
> > >> None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering:
> > >> Disabled, Flow control: Disabled, Auto-negotiation: Enabled,
> > >>Remote fault: Online, Media type: Copper
> > >>Device flags   : Present Running
> > >>Interface flags: SNMP-Traps Internal: 0x4000
> > >>Link flags : None
> > >>CoS queues : 12 supported, 12 maximum usable queues
> > >>Current address:
> > >>Last flapped   : 2016-08-26 03:31:56 UTC (6w3d 19:46 ago)
> > >>Input rate : 0 bps (0 pps)
> > >>Output rate: 0 bps (0

[j-nsp] ISG-2000 to ASA converstion

2016-10-12 Thread Mohammad Khalil
Dears
Is there a tool that can help in converting from Juniper ISG-2000 to Cisco
ASA ?

Thanks in advance

BR,
Mohammad