[j-nsp] SNMP Interface counters on PPP interfaces - branch SRX

2015-05-07 Thread Andrew Jones

Hi all,
Is there a way of obtaining the byte counters for individual ppp
interfaces on a branch SRX using SNMP?
Using the standard IF-MIB seems to give no traffic on pp0.X but just
the straight pp0 interface counters show what looks like the aggregate
of all the PPP unit interfaces on the box?

Thanks,
Andrew

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] SRX1xx Temperature Thresholds

2015-01-18 Thread Andrew Jones
I'd be surprised if you can change them. They're there to protect the 
device from damage, and running them hotter than designed will almost 
certainly reduce the life of the device.



On 19.01.2015 10:28, Skeeve Stevens wrote:

Hi guys,

I have two SRX 100 series (100 + 110) which both sit on or near the yellow
alarm threshold at all times.  On a warm day they reach the Red alarm
and shut down.

I would like to increase the threshold by a few degrees on both units.

Does anyone know how to do this?


==

admin@SS-*SRX100*-GW> show chassis temperature-thresholds
                    Fan speed       Yellow alarm        Red alarm      Fire Shutdown
                   (degrees C)      (degrees C)        (degrees C)      (degrees C)
Item              Normal  High    Normal  Bad fan    Normal  Bad fan       Normal
Chassis default      N/A   N/A        63      N/A        72      N/A           90
Routing Engine       N/A   N/A        63      N/A        72      N/A           90

admin@SS-*SRX100*-GW> show chassis environment
Class Item                 Status   Measurement
Temp  Routing Engine       OK       63 degrees C / 145 degrees F


---

admin@SS-*SRX110*-GW> show chassis temperature-thresholds
                    Fan speed       Yellow alarm        Red alarm      Fire Shutdown
                   (degrees C)      (degrees C)        (degrees C)      (degrees C)
Item              Normal  High    Normal  Bad fan    Normal  Bad fan       Normal
Chassis default      N/A   N/A        70      N/A        92      N/A           95
Routing Engine       N/A   N/A        70      N/A        92      N/A           95

admin@SS-*SRX110*-GW> show chassis environment
Class Item                 Status   Measurement
Temp  Routing Engine       OK       68 degrees C / 154 degrees F



...Skeeve

*Skeeve Stevens - Founder & Chief Network Architect*
eintellego Networks Pty Ltd
Email: ske...@eintellegonetworks.com ; Web: eintellegonetworks.com

Phone: 1300 239 038 ; Cell +61 (0)414 753 383 ; Skype: skeeve

Facebook: eintellegonetworks ; Twitter: eintellego
LinkedIn: /in/skeeve ; Expert360: Profile

The Experts Who The Experts Call
Juniper - Cisco - Cumulus Linux - Cloud - Consulting - IPv4 Brokering


Re: [j-nsp] TCP

2014-11-19 Thread Andrew Jones
It could be to do with the TCP stack not being tuned for the latency of 
the PIPE.
It also could be due to a small amount of packet loss, which will kill 
TCP performance.


On your UDP iperf, were there any dropped or out of order packets?

On 20.11.2014 08:18, Johan Borch wrote:

Hi!


I'm doing some performance troubleshooting between two linux systems, the
servers are located in each end of an L3VPN, with a bunch of routers
between them.

Using Iperf and UDP I get ~1Gbps in both directions
Using iperf and TCP I get ~400Mbps in one direction and ~60Mbps in the
other direction

Could this still be a network problem or should I dig on the linux side?


Johan


Re: [j-nsp] rpm / ip-monitoring

2014-08-27 Thread Andrew Jones
Surely the test will never recover without intervention, as the 
interface it uses gets disabled?


On 28.08.2014 02:28, Tyler Christiansen wrote:
I could be mistaken, but I believe it automatically reverts when the test
is successful unless you specify no-preempt.


On Wed, Aug 27, 2014 at 12:50 AM, Mattias Gyllenvarg wrote:


Dear List

I have a rpm /ip-monitor setup that is supposed to test the function of a
local internet line (ping internet destination).

And disable it if it is not responding.

This works fine BUT, how do I get it to re-enable when it is working again.

I need this to work with DHCP so I cannot work with a default route.


**

services {
    rpm {
        probe Internet {
            test PING-GOOGLE-DNS {
                target address 8.8.8.8;
                probe-count 5;
                probe-interval 2;
                test-interval 20;
                thresholds {
                    total-loss 4;
                }
                destination-interface fe-0/0/3.0;
            }
        }
    }
    ip-monitoring {
        policy Local-Internet-Test {
            match {
                rpm-probe Internet;
            }
            then {
                interface fe-0/0/3 {
                    disable;
                }
            }
        }
    }
}

*

--
*Med Vänliga Hälsningar / Best Regards*
*Mattias Gyllenvarg*

Re: [j-nsp] ACX1xxx Images

2014-05-13 Thread Andrew Jones

Hi Skeeve,
There's a line drawing on this page, which illustrates what you're 
asking:

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/task/installation/acx1100-power-connecting-ac.html



On 14.05.2014 08:56, Skeeve Stevens wrote:

Hey all,

I am trying to find a picture of the ACX1000 and ACX1100 so I can see how
they do the redundant power that they claim in the sales information, but
all the images on the Juniper Image Library and google are of DC units.

If anyone could shoot me a couple of photos, that would be awesome.

If someone could also confirm they do redundant power, that would be
fantastic.

...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ;  
linkedin.com/in/skeeve

twitter.com/theispguy ; blog: www.theispguy.com


The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering


Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

2014-05-05 Thread Andrew Jones
You don't need to do anything special to make the st0 interface 
redundant, it will always run on the active node.


On 06.05.2014 08:38, Andy Litzinger wrote:

Hi Morgan,

I presume that with regards to the loopback you are referring to the
external interface I use as my IPSec peer toward Amazon?

what about the internal logical st interface that I need to create in order
to route my internal traffic into the tunnel?  How do I make that redundant?

thanks!
 -andy


On Mon, May 5, 2014 at 3:30 PM, Morgan McLean wrote:



Use your loopback and put that in a reth.

Thanks,
Morgan


On Mon, May 5, 2014 at 3:23 PM, Andy Litzinger <
andy.litzinger.li...@gmail.com> wrote:


Hi All,
  Two related questions.  I have a pair of SRX 3400s in an Active/Passive
cluster.  They rely on an external gateway for internet access (i.e. my
ISPs don't terminate on the SRXs).  I am setting up redundant tunnels to an
AWS VPC.  Amazon has an example for J-Series
(http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper.html),
but I don't think it's for a cluster set-up.

Here are my questions:

1 - If I want to set up a redundant secure tunnel interface (e.g. st0),
should I bind it to an reth interface?

2 - Has anyone connected an Active/Passive SRX cluster to an AWS VPC?  Any
tips or tricks you care to share?

regards,
 -andy


Re: [j-nsp] Dynamic VPN with Pulse, AD Integration and more

2014-03-24 Thread Andrew Jones
I'd be very interested in seeing a dynamic vpn config that works with 
OSX's built-in IPSEC client.
When I've looked into this previously, I've only found people using 
third-party VPN clients on mac, such as VPN Tracker:

https://www.cryptomonkeys.com/2013/10/juniper-srx-and-mobile-ipsec/



On 25.03.2014 10:04, Chris Jones wrote:

Well that's exactly it, Pulse on Windows does SSLVPN and IPSec. On OSX
and mobile, it's SSL only. Dynamic VPN is an IPSec remote access VPN,
so that's why it doesn't work.

Yes, built in IPSec clients for OSX will connect to Dynamic VPN just
fine AFAIK, you just can't use Pulse. I'm not sure about iOS and
Android though.

On Mon, Mar 24, 2014 at 3:57 PM, Skeeve Stevens wrote:

Any other way to get OSX/mobile devices, etc to connect to an SRX VPN?

PPTP? IPSEC?

...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ; <http://twitter.com/networkceoau>

linkedin.com/in/skeeve

twitter.com/theispguy ; blog: www.theispguy.com

The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering

On Tue, Mar 25, 2014 at 9:54 AM, Andrew Jones wrote:


> I've been told that they have no plans to support OSX on Dynamic VPN. I
> got the impression that Juniper weren't investing in the Dynamic VPN
> product and were pushing people toward MAG etc.
>
> From http://kb.juniper.net/InfoCenter/index?page=content&id=KB17436
>
> The Dynamic VPN feature (Pulse or Juniper Access Manager) is not supported
> on the following Operating Systems:
> * Linux
> * Macintosh Desktop Systems including Pulse 3.0 (for more information,
> refer to KB23960 - [SRX] Junos Pulse 3.0 installed on a Mac OS X system
> fails to connect to a SRX device with the dynamic VPN feature).
> * Windows Server
> * iPad/iPhone
> * Android OS
>
>
> On 25.03.2014 09:46, Skeeve Stevens wrote:
>
>> What THE HELL?!
>>
>> Documentation on this?
>>
>> Thanks Chris.
>>
>>
>> ...Skeeve
>>
>> *Skeeve Stevens - *eintellego Networks Pty Ltd
>> ske...@eintellegonetworks.com ; www.eintellegonetworks.com
>>
>> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
>>
>> facebook.com/eintellegonetworks ; <http://twitter.com/networkceoau>
>> linkedin.com/in/skeeve
>>
>> twitter.com/theispguy ; blog: www.theispguy.com
>>
>>
>> The Experts Who The Experts Call
>> Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
>>
>>
>> On Tue, Mar 25, 2014 at 5:36 AM, Chris Jones wrote:
>>
>>> I don't know if this matters to you, but Pulse does not work in OSX or
>>> iOS/Android when connecting to a SRX with Dynamic VPN. It only works in
>>> Windows. Just a caveat if you weren't already aware.
>>>
>>>
>>> On Mon, Mar 24, 2014 at 12:21 AM, Skeeve Stevens <
>>> skeeve+juniper...@eintellegonetworks.com> wrote:
>>>
>>>> Hey all,
>>>>
>>>> I am setting up an SRX with Dynamic VPN with Pulse clients. I know some
>>>> don't like it, but it is what we're doing (customer choice).
>>>>
>>>> One thing I am looking for is if anyone has seen any docs on how to
>>>> integrate the Dynamic VPN auth with Active Directory.
>>>>
>>>> Also, does anyone know what flexibility we have with the VPN on a per use
>>>> basis... such as different IP ranges, different VRF's, firewall filters,
>>>> etc etc based against those AD groups.
>>>>
>>>> While this is for a specific rollout, it would be nice to know these
>>>> capabilities across the board for other solutions.
>>>>
>>>> Any pointers to any docs would be fantastic.  I've tried googling, but came
>>>> up blah.
>>>>
>>>> ...Skeeve
>>>>
>>>> *Skeeve Stevens - *eintellego Networks Pty Ltd
>>>> ske...@eintellegonetworks.com ; www.eintellegonetworks.com
>>>>
>>>> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
>>>>
>>>> facebook.com/eintellegonetworks ; <http://twitter.com/networkceoau>
>>>> linkedin.com/in/skeeve
>>>>
>>>> twitter.com/theispguy ; blog: www.theispguy.com
>>>>
>>>>
>>>> The E

Re: [j-nsp] Dynamic VPN with Pulse, AD Integration and more

2014-03-24 Thread Andrew Jones
I've been told that they have no plans to support OSX on Dynamic VPN. I 
got the impression that Juniper weren't investing in the Dynamic VPN 
product and were pushing people toward MAG etc.


From http://kb.juniper.net/InfoCenter/index?page=content&id=KB17436

The Dynamic VPN feature (Pulse or Juniper Access Manager) is not
supported on the following Operating Systems:

* Linux
* Macintosh Desktop Systems including Pulse 3.0 (for more information,
  refer to KB23960 - [SRX] Junos Pulse 3.0 installed on a Mac OS X system
  fails to connect to a SRX device with the dynamic VPN feature).
* Windows Server
* iPad/iPhone
* Android OS


On 25.03.2014 09:46, Skeeve Stevens wrote:

What THE HELL?!

Documentation on this?

Thanks Chris.


...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ;  
linkedin.com/in/skeeve

twitter.com/theispguy ; blog: www.theispguy.com


The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering


On Tue, Mar 25, 2014 at 5:36 AM, Chris Jones wrote:


I don't know if this matters to you, but Pulse does not work in OSX or
iOS/Android when connecting to a SRX with Dynamic VPN. It only works in
Windows. Just a caveat if you weren't already aware.


On Mon, Mar 24, 2014 at 12:21 AM, Skeeve Stevens <
skeeve+juniper...@eintellegonetworks.com> wrote:


Hey all,

I am setting up an SRX with Dynamic VPN with Pulse clients. I know some
don't like it, but it is what we're doing (customer choice).

One thing I am looking for is if anyone has seen any docs on how to
integrate the Dynamic VPN auth with Active Directory.

Also, does anyone know what flexibility we have with the VPN on a per use
basis... such as different IP ranges, different VRF's, firewall filters,
etc etc based against those AD groups.

While this is for a specific rollout, it would be nice to know these
capabilities across the board for other solutions.

Any pointers to any docs would be fantastic.  I've tried googling, but came
up blah.

...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ;  


linkedin.com/in/skeeve

twitter.com/theispguy ; blog: www.theispguy.com


The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering





--
Chris Jones
JNCIE-ENT #272
CCIE# 25655 (R&S)




Re: [j-nsp] SRX with Avaya IP Office

2014-03-13 Thread Andrew Jones
My default is to disable it, I've found that it's caused more issues 
than it's solved - particularly in routed environments. Perhaps there's 
a use case for it when NAT's involved.


On 14.03.2014 11:43, Skeeve Stevens wrote:

I actually haven't had much (anything) to do with the SIP ALG any
pointers?


...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ;  
linkedin.com/in/skeeve

twitter.com/theispguy ; blog: www.theispguy.com


The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering


On Fri, Mar 14, 2014 at 11:29 AM, Craig Askings wrote:

As wary as I am suggesting anything to do with ALGs, have you considered
letting the SIP ALG on the SRX pin hole through the RTP sessions as needed
for each call?

That and rewriting SIP packets to account for NAT are its main functions



On 12 March 2014 22:04, Skeeve Stevens <
skeeve+juniper...@eintellegonetworks.com> wrote:


Hi all,

I have an SRX at a customer which has an Avaya voip system.  We require
external access for SIP softphones.

The Avaya people are asking for like 500+ ports to be opened on NAT, to
which I said no.

Does anyone here have experience with the X One system and NAT through
SRX?

...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ;  


linkedin.com/in/skeeve

twitter.com/theispguy ; blog: www.theispguy.com


The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering





--

Regards,

Craig Askings

io Networks Pty Ltd.



mobile: 0404 019365

phone: 1300 1 2 4 8 16




Re: [j-nsp] Configuring in-band management over trunk interfaces in EX2200

2014-03-03 Thread Andrew Jones

Paul,
I would need to double-check the behaviour when 'all' is used for vlan 
members, but certainly when a list of vlans are added as members of a 
trunk, and then one of those is added as the native vlan as well, 
packets output on the interface for that vlan (137 in your example), 
leave the interface with a tag attached.


It may be that you were seeing this behaviour, and it could possibly be 
worked around by using 'vlan members except 137' rather than 'vlan 
members all'.



show ethernet-switching interface ae0.0


Would show if this were the case.

Andrew


On 28.02.2014 21:59, Paul S. wrote:

Mark,

It was the native-vlan-id, actually.

Removing it made it all start working.

Thank you!

On 2/28/2014 07:58 PM, Mark Tinka wrote:

On Friday, February 28, 2014 12:31:00 PM Paul S. wrote:


However, if I move the unit 137 stanza from vlan.137
directly to ae0 (Removing its trunk status in the
process), and config it with vlan-tagging, and vlan-id
137 -- it becomes accessible just fine, and can route
traffic.

On my EX4550's (and EX3200/4200's), the below works:

ae0 {
    description "SOMETHING";
    aggregated-ether-options {
        link-speed 10g;
        lacp {
            passive;
        }
    }
    unit 0 {
        description "SOMETHING";
        bandwidth 20g;
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members all;
            }
        }
    }
}

vlan {
    unit 999 {
        description "SOMETHING - Management VLAN";
        bandwidth 20g;
        family inet {
            filter {
                input filter-incoming;
                output filter-outgoing;
            }
            address a.b.c.d/30;
        }
        family iso;
        family inet6 {
            filter {
                input filter-incoming6;
                inactive: output filter-outgoing6;
            }
            address ::c:d::e/126;
        }
    }
}

vlans {
    Edge-Network {
        vlan-id 999;
        l3-interface vlan.999;
    }
}

Hope this helps.

Mark.



Re: [j-nsp] Netscreen to SRX config Migration and Global Policy

2014-02-09 Thread Andrew Jones
If you’re using JunOS 11.4 or later on a branch SRX, there is global policy 
support now.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB28109

Regards,

Andrew Jones

From: Muhammad Atif Jauhar <atif.jau...@gmail.com>
Sent: Sunday, February 9, 2014 11:23 PM
To: juniper-nsp@puck.nether.net

Hi,

I am migrating Netscreen to SRX Firewall. I am facing issue to migrate
configuration of Global Policy.

In Netscreen we have few policies from (Specific Zone) to Global Zone.

set policy id 100 from "Trust" to "Global"  "x.x.x.x" "Any-IPv4" "HTTP" permit log
set policy id 100
set service "HTTPS"
exit

I have configured the same in SRX under GROUP hierarchy.

groups {
    node0 {
        security {
            policies {
                from-zone Trust to-zone <*> {
                    policy test {
                        match {
                            source-address x.x.x.x;
                            destination-address any;
                            application [ junos-http junos-https ];
                        }
                        then {
                            permit;
                        }
                    }
                }
            }
        }
    }
    node1 {
        security {
            policies {
                from-zone Trust to-zone <*> {
                    policy test {
                        match {
                            source-address x.x.x.x;
                            destination-address any;
                            application [ junos-http junos-https ];
                        }
                        then {
                            permit;
                        }
                    }
                }
            }
        }
    }
}
apply-groups "${node}";


Similarly, I have a few more policies from different specific zones to Global.

My question is whether I have migrated this part correctly or not. If this is
not correct, kindly let me know the correct way to configure this similar to the
netscreen policy.

Regards,

Muhammad Atif Jauhar
(+966-56-00-04-985)

Re: [j-nsp] SRX CoS Bandwidth

2014-01-27 Thread Andrew Jones
It’s covered in the Enterprise switching and routing book, but essentially the 
SRX works on a priority based scheduler instead of a weight based scheduler, 
where it will max out a higher priority queue before serving a lower priority 
one even if you have a transmit-rate configured. You can sort of get around it 
by setting all your queues to be the same priority, or putting in a rate limit 
on the higher priority queue so it can’t use all of the available bandwidth.

From: tim.h...@bt.com
Sent: Tuesday, January 28, 2014 3:15 AM
To: juniper-nsp@puck.nether.net

Hi,

Can anybody explain the QoS operation of a SRX when a higher priority queue is 
in negative credit and a lower priority queue is in positive credit yet has 
traffic to transmit?

The documentation suggests:
"Transmission Scheduling
The packets in a queue are transmitted based on their transmission priority,
transmit rate, and the available bandwidth.
By default, each queue can exceed the assigned bandwidth if additional
bandwidth is available from other queues. When a forwarding class does not
fully use the allocated transmission bandwidth, the remaining bandwidth can be
used by other forwarding classes if they receive a larger amount of offered
load than the bandwidth allocated."

Yet we have observed starvation of lower priority queues in preference to 
higher (not strict-high). This appears to be at odds with say the MX or 
J-series routers mode of operation.

Thanks for your help,

Tim.
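
The starvation discussed in this thread, and the two workarounds mentioned in the reply (equal priorities, or a rate limit on the higher-priority queue), can be reproduced with a small model. This is an example added to the archive page, not code from either poster and not the Junos scheduler itself: it is a simplified per-interval model, and the queue names, the 100 Mbps link and the 30/70 transmit-rate split are assumed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Queue:
    name: str
    priority: int                 # larger number is served first (e.g. high=2, low=1)
    transmit_percent: int         # configured transmit-rate as a percent of the link
    offered: float                # load waiting in this interval, in Mbps
    rate_limit: Optional[float] = None  # hard cap in Mbps; None means it may borrow

    @property
    def demand(self) -> float:
        """Traffic the queue is allowed to send: offered load, capped if limited."""
        if self.rate_limit is None:
            return self.offered
        return min(self.offered, self.rate_limit)


def _share_by_weight(group: List[Queue], capacity: float) -> Tuple[Dict[str, float], float]:
    """Split capacity between queues of equal priority in proportion to their
    transmit-rate, handing bandwidth a queue does not need to the others."""
    sent = {q.name: 0.0 for q in group}
    active = list(group)
    while active and capacity > 0:
        total = sum(q.transmit_percent for q in active)
        share = {q.name: capacity * q.transmit_percent / total for q in active}
        satisfied = [q for q in active if q.demand <= share[q.name]]
        if not satisfied:
            # Every remaining queue wants more than its share: give the shares.
            for q in active:
                sent[q.name] = share[q.name]
            return sent, 0.0
        for q in satisfied:
            sent[q.name] = q.demand
            capacity -= q.demand
        done = {q.name for q in satisfied}
        active = [q for q in active if q.name not in done]
    return sent, capacity


def schedule(queues: List[Queue], link_mbps: float) -> Dict[str, float]:
    """Serve priority levels from highest to lowest; a lower level only gets
    what the levels above it left unused, whatever its transmit-rate says."""
    sent: Dict[str, float] = {}
    remaining = float(link_mbps)
    for prio in sorted({q.priority for q in queues}, reverse=True):
        group = [q for q in queues if q.priority == prio]
        got, remaining = _share_by_weight(group, remaining)
        sent.update(got)
    return sent


LINK_MBPS = 100  # assumed link speed for the scenarios below


def strict_priority() -> Dict[str, float]:
    # High-priority queue is overloaded: the low-priority queue is starved.
    return schedule([Queue("voice", 2, 30, 100), Queue("data", 1, 70, 100)], LINK_MBPS)


def equal_priority() -> Dict[str, float]:
    # Workaround 1: same priority everywhere, so transmit-rate decides.
    return schedule([Queue("voice", 1, 30, 100), Queue("data", 1, 70, 100)], LINK_MBPS)


def rate_limited_high() -> Dict[str, float]:
    # Workaround 2: keep the priority but cap the high-priority queue.
    return schedule([Queue("voice", 2, 30, 100, rate_limit=30),
                     Queue("data", 1, 70, 100)], LINK_MBPS)


def equal_priority_idle_voice() -> Dict[str, float]:
    # With equal priorities, unused voice bandwidth is still lent to data.
    return schedule([Queue("voice", 1, 30, 10), Queue("data", 1, 70, 100)], LINK_MBPS)


if __name__ == "__main__":
    for scenario in (strict_priority, equal_priority,
                     rate_limited_high, equal_priority_idle_voice):
        print(f"{scenario.__name__:28s} {scenario()}")
```
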


Re: [j-nsp] SRX's and Wireless

2013-11-18 Thread Andrew Jones
Depends which distro... it's an apt-get install away on debian/ubuntu, 
once you add the unifi and mongodb apt sources.

http://wiki.ubnt.com/UniFi




On 19.11.2013 08:09, Skeeve Stevens wrote:
Unfortunately, to get it running on Linux is a hack, not a simple install.



...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ;  
linkedin.com/in/skeeve

twitter.com/theispguy ; blog: www.theispguy.com


The Experts Who The Experts Call
Juniper - Cisco - Cloud


On Tue, Nov 19, 2013 at 5:27 AM, Jared Mauch wrote:

The software is "free" with the UBNT hardware.. what is really missing?
I'm always curious when folks say it's not there...

(I dislike that the software requires java for example, but it's at least
there and gets updated often).

- Jared

On Nov 18, 2013, at 8:55 AM, Skeeve Stevens <
skeeve+juniper...@eintellegonetworks.com> wrote:

> Yeah, I just bought some to test it out.  But it really needs the
> software to make it run well...
>
>
> ...Skeeve
>
> Skeeve Stevens - eintellego Networks Pty Ltd
> ske...@eintellegonetworks.com ; www.eintellegonetworks.com
> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
> facebook.com/eintellegonetworks ; linkedin.com/in/skeeve
> twitter.com/theispguy ; blog: www.theispguy.com
>
> The Experts Who The Experts Call
> Juniper - Cisco - Cloud
>
>
> On Tue, Nov 19, 2013 at 12:26 AM, Jared Mauch wrote:
> I've gone with dedicated wireless hardware these days. If you are cheap
> check out the ubnt hardware. Their unifi stuff works well and can do
> payment and other services. The 802.11ac unit is sub $300
>
> Jared Mauch
>
> > On Nov 18, 2013, at 7:51 AM, Mark Menzies wrote:
> >
> > Thats very interesting.  :)
> >
> > $50 isnt too much tbh.
> >
> > All I need now is to find the download link for it.  :)
> >
> > Thanks for letting us know.
> >
> >
> > On 18 November 2013 12:28, Skeeve Stevens <
> > skeeve+juniper...@eintellegonetworks.com> wrote:
> >
> >> Actually... the product code has changed to JUNOSVWLC-BASE and is in the
> >> global price list at $50 which isn't bad.
> >>
> >>
> >> ...Skeeve
> >>
> >> *Skeeve Stevens - *eintellego Networks Pty Ltd
> >> ske...@eintellegonetworks.com ; www.eintellegonetworks.com
> >>
> >> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
> >>
> >> facebook.com/eintellegonetworks ;  


> >> linkedin.com/in/skeeve
> >>
> >> twitter.com/theispguy ; blog: www.theispguy.com
> >>
> >>
> >> The Experts Who The Experts Call
> >> Juniper - Cisco - Cloud
> >>
> >>
> >> On Mon, Nov 18, 2013 at 7:50 PM, Maarten van der Hoek <
> >> maar...@vanderhoek.nl> wrote:
> >>
> >>> Hi Guys,
> >>>
> >>> Don't forget the 'virtual-road' they're heading!
> >>>
> >>> Especially for deployments of 1 / 2 AP's (but far more scalable..till
> >>> 100's!) the VWLC is great (both price and performance - of course
> >>> depending on your VMWare server).
> >>> Listprice $320 for a VWLC-10 (for 10 Accesspoints...)
> >>>
> >>> Brgds,
> >>>
> >>> Maarten
> >>>
> >>> -Original Message-
> >>> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
> >>> Mark Menzies
> >>> Sent: Monday 18 November 2013 9:15
> >>> To: Skeeve Stevens
> >>> CC: juniper-nsp@puck.nether.net
> >>> Subject: Re: [j-nsp] SRX's and Wireless
> >>>
> >>> That seems to be the gist of it bud.
> >>>
> >>> To be honest the AX411s were not that stable an AP and basically needs
> >>> resetting every so often (I use event scripts to reset every morning at
> >>> 3am).  With the purchase of Trapeze Juniper seems to be moving the AP mgmt
> >>> off SRXs and onto dedicated kit.
> >>>
> >>> I agree that the price hike from the WLC2 to the WLC100 is steep but as I
> >>> said above, it seems to be the way that Juniper are going.
> >>> M
> >>>
> >>>
> >>> On 18 November 2013 04:30, Skeeve Stevens <
> >>> skeeve+juniper...@eintellegonetworks.com> wrote:
> >>>
> >>>> Hey all,
> >>>>
> >>>> I'd like to get some clarification.
> >>>>
> >>>> I've been informed that the AX411 AP is being discontinued.  While in
> >>>> itself this isn't an issue, it is the only AP that the SRX's can
> >>>> manage directly (afaik).
> >>>>
> >>>> I also see that the WLC2 (4 AP's) has been discontinued and replaced
> >>>> by the WLC100 (comes license to manage 4 - up to 32)... which essentially
> >>>> doubles the price of having a controller for a few AP's. (from $1000
> >>>> to $2000)
> >>>>
> >>>> I have no problem with Juniper EOL'ing products, but at the moment, it
> >>>> looks like the AP management function of the SRX's is going to become
> >>>> useless with nothing to manage.
> >>>>
> >>>>
> >>>> ...Skeeve
> >>>>
> >>>> *Skeeve Stevens - *eintellego Networks Pty Ltd
> >>>> ske...@eintellegonetworks.c

Re: [j-nsp] Juniper MX104

2013-11-12 Thread Andrew Jones
The datasheet for the MX-104 ( 
http://www.juniper.net/us/en/local/pdf/datasheets/1000446-en.pdf ) has 
the MIC listed:
MS-MIC-16G Multiservices MIC with 16GB of memory for the MX5, MX10, 
MX40, MX80 and MX104 as well as Type 1, Type 2, Type 3 and Type 4 MPCs 
for the MX240, MX480, MX960, MX2010 and MX2020. supports separately 
licensed Junos Address Aware (CGNAT); Junos Traffic vision (flow 
monitoring) Junos vPN Site Secure (IPsec) and Junos Network Secure 
(Stateful Firewall)


No mention of MPC anywhere.



On 13.11.2013 16:33, Skeeve Stevens wrote:

Isn't that using the front MIC slot though?

The rear 'Services Slot' is an MPC slot isn't it?

Based on the following:

MS-MIC 16G - MS-MIC with 16 GB of memory provides 9GB of service
throughput, occupies single MIC slot on MX5, MX10, MX40, and MX80 3D
Universal Edge Routers, as well as on the MPC1, MPC2, and MPC3 cards for
the MX2020, MX2010, MX960, MX480, and MX240 3D Universal Edge Router.

MS-MPC-128 - MS-MPC with 128 GB of memory (32 GB per NPU), provides 60Gbps
of service throughput, occupies a single slot in MX2020, MX2010, MX960,
MX480, and MX240 3D Universal Edge Routers
The rear picture of the MX80 at

http://www.juniper.net/shared/img/products/mx-series/mx80/mx80-rear-high.jpg

Says "MPC 0" and "MIC 1" in smaller writing under it.

From front right slot is also called "1/MIC 1"

I think we need further clarification.




...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ;  
linkedin.com/in/skeeve

twitter.com/theispguy ; blog: www.theispguy.com


The Experts Who The Experts Call
Juniper - Cisco - Cloud


On Wed, Nov 13, 2013 at 4:04 PM, Ben Dale wrote:



MS-MIC is out for the MX5-80:

http://www.juniper.net/us/en/local/pdf/datasheets/1000454-en.pdf

doesn't look like there isn't a services port on the back of the 104
though:



http://www.juniper.net/shared/img/products/mx-series/mx104/mx104-rear-high.jpg

maybe you can use one of the front slots?

On 13 Nov 2013, at 2:52 pm, Skeeve Stevens <
skeeve+juniper...@eintellegonetworks.com> wrote:

> Does anyone know how many users the MX104 will be able to handle 
though?

>
> The 4000 user limit on the MX80 was quite low.
>
> Does the MX104 have the services port on the back like the MX80?  
I'm
waiting for the CGN Services card which was supposed to be released 
around

now.
>
>
> ...Skeeve
>
> Skeeve Stevens - eintellego Networks Pty Ltd
> ske...@eintellegonetworks.com ; www.eintellegonetworks.com
> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
> facebook.com/eintellegonetworks ; linkedin.com/in/skeeve
> twitter.com/theispguy ; blog: www.theispguy.com
>
> The Experts Who The Experts Call
> Juniper - Cisco - Cloud
>
>
> On Wed, Nov 13, 2013 at 3:46 PM, Ben Dale  
wrote:
> That and I think a lot of the BRAS "migration" functionality 
(LNS/LAC
etc) was late to the party after being told it wasn't going to 
happen for

anything lower than the 240.
>
> On 13 Nov 2013, at 12:51 pm, Bill Blackford 
wrote:
>
> > My personal feeling is the MX80 wasn't widely adopted as a lower
density
> > subscriber box given the lack of redundant REs. The MX104 may 
find it's

> > niche as a BRAS.
> >
> >
> >
> >
> > On Tue, Nov 12, 2013 at 5:25 PM, Eric Van Tol wrote:
> >
> >> One thing to keep in mind about these boxes is that, like the
> >> MX5/10/40/80, the built-in 10G ports do not do hierarchical QoS (per-unit
> >> scheduling).  I'm confused as to why this is, considering they are
> >> Trio-based routers, but I digress.  I personally don't think that the
> >> astronomical cost to enable the 10G ports on all the low-end MX routers is
> >> worth it, considering they can't even do per-unit scheduling.
> >>
> >> -evt
> >>
> >>> -Original Message-
> >>> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
> >>> joel jaeggli
> >>> Sent: Tuesday, November 12, 2013 4:00 PM
> >>> To: Saku Ytti
> >>> Cc: juniper-nsp@puck.nether.net
> >>> Subject: Re: [j-nsp] Juniper MX104
> >>>
> >>>
> >>> On Nov 12, 2013, at 12:46 PM, Saku Ytti  wrote:
> >>>
>  On (2013-11-12 20:14 +), Tom Storey wrote:
> 
> > Why so much just to enable some ports? How do they come up with that
> > kind of price? Pluck it out of thin air?
> >
> > The hardware has been paid for, and I know that's only list pricing,
> > but it still seems ridiculous.
> 
>  The question might have been rhetoric. But I'll bite.
> 
>  The BOM on these boxes is nothing, I'm guessing less than 1kUSD. But the
>  volume you can sell them also is very very small, so the margins need to be
>  very high to be able to design and support them.
>  Licensing allows you to sell to larger group of people, people who normally
>  would buy 

[j-nsp] Throughput monitoring on pp0 units (Branch SRX)

2013-08-29 Thread Andrew Jones

Hi,
I'm trying to monitor throughput on individual pppoe connections on a 
branch SRX, using SNMP. For example, SRX110 with a PPP dialer on the DSL 
port and another PPPoE connection on an ethernet interface.


If I monitor pp0, I seem to get the aggregate throughput, but if I 
monitor pp0.0, for instance, I hardly see any traffic at all, even 
though the link is being heavily used.


Am I doing something incorrectly, or is this a junos bug/limitation? 
How are others monitoring this type of thing?

Thanks,
Andrew
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] I've got some bone head problem on an srx...but I don't see it.

2013-06-11 Thread Andrew Jones
Turn on some flow traceoptions and look at what source address the 
packets contain... it sounds like the srx might be picking an 
inappropriate source address, and finding out what that address is will 
aid troubleshooting.


On 12.06.2013 12:12, Morgan McLean wrote:

--- JUNOS 10.4R7.5 built 2011-09-08 07:12:35 UTC
{primary:node0}
mmclean@srxhost> show route 4.2.2.2

inet.0: 248 destinations, 251 routes (244 active, 4 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0  *[Static/5] 2w5d 01:07:06
> to x.x.x.237 via ge-2/0/23.0

{primary:node0}
mmclean@srxhost > ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2): 56 data bytes
^C
--- 4.2.2.2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

{primary:node0}
mmclean@srxhost> ping 4.2.2.2 source x.x.x.238
PING 4.2.2.2 (4.2.2.2): 56 data bytes
64 bytes from 4.2.2.2: icmp_seq=0 ttl=59 time=12.020 ms
^C
--- 4.2.2.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 12.020/12.020/12.020/0.000 ms

{primary:node0}


On Tue, Jun 11, 2013 at 7:09 PM, Morgan McLean wrote:

I've gotten a couple replies off list. There is an any policy from trust
to untrust, and the untrust zone does have host inbound traffic ping
enabled. I think the ping not responding is a byproduct of whatever is
going on, though.

Morgan


On Tue, Jun 11, 2013 at 6:29 PM, Morgan McLean wrote:

I have an SRX cluster at an office with a single connection to the web at
the moment. It has a couple ipsec connections out to our datacenters, and a
couple local subnets hanging on RETH interfaces.

For the life of me, I can't figure out why I'm unable to ping out from
this system. Even if I try to ping the point to point between us and
Verizon, a direct route, it won't work unless I specify the source address
as our local interface address.

Outbound nat from clients behind the SRX works fine. The loopback is in
trust, and I have a couple zones + trust with a source nat rule using the
verizon interface IP as the egress point. Destination nat rules work.

So everything seems to work...except from the SRX. As a result, we cannot
ping the SRX remotely...but again IPSEC works.

Any great tips? None of our other SRX's behave like this...and it's
driving me nuts!


--
Thanks,
Morgan





--
Thanks,
Morgan


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] srx cluster - control and data link throuigh cisco nexus switches

2013-05-29 Thread Andrew Jones
There is a  hidden command you can use which is "show chassis cluster
information detail" which will give you a lot more information about how
the cluster is set up on each node and if there are any errors in regards
to the control link and fabric link. In particular check that the control
port tagging is enabled or disabled on both nodes and not mismatched.


On Thu, May 30, 2013 at 4:09 AM, pkc_mls  wrote:

> Hi all,
>
> I'm currently trying to setup a cluster of srx3400 using a pair of cisco
> nexus to connect
> control and data link for redundancy. Junos Version is 11.4r7.
>
> Each SRX3400 uses one RE, one CRM, one SPC and one NPC.
>
> The first node from the cluster is fine but the second node doesn't come
> up correctly.
>
> The "show chassis fpc pic" indicates that the slot 0, 5 and 6 (RE, NPC and
> SPC) stay in testing state.
>
> The same hardware works correctly when working outside of the cluster.
>
> Badfully I can't remove the presumably faulty srx3400 from the rack to
> plug it directly to the node0.
>
> Did anyone manage to setup a cluster using nexus to connect control and
> data link ?
>
> I tried junos 12.1 but the cluster was not stable at all (jsrpd and
> chassisd keeps crashing).
>
> thanks.
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] SRX - Static Routing Out Same Interface

2013-05-01 Thread Andrew Jones
If the SRX is in flow mode, make sure that the return traffic takes the 
same path back, including passing through the SRX. Otherwise the SRX may 
only see half the conversation and time out connections due to it not 
seeing the full TCP handshake.



On 02.05.2013 01:01, OBrien, Will wrote:

Do you have a policy allowing traffic from that zone to that zone?

On Nov 3, 2010, at 7:33 AM, Bruce Buchanan wrote:

Hi List –

Can anyone give any suggestion/guidance on the following.

I’m trying to do a static route *out* the same interface that the
traffic came *in* on.  This is on an SRX-240

Here are the details:
“Private”: 192.168.20.0/24
“Public”: 216.168.x.x/32
Static route: 172.30.200.0/24 to  to 192.168.20.121


192.168.20.121 is the IP on a VPN appliance.

Traffic from a client computer never gets routed to the VPN
appliance.  This works on a Cisco 2800 without a problem, but I can’t
get it working on the SRX.

Thanks,
Bruce

Bruce Buchanan
Senior Network Technician
Nexicom
5 King St. E., Millbrook, ON, LOA 1GO
Phone: 705-932-4147
FAX: 705-932-3027
Cell: 705-750-7705
Web: http://www.nexicom.net
Nexicom – Connected. Naturally.



___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] SRX1400 opinions

2013-04-28 Thread Andrew Jones
Scratch that, branch SRX's only!


On Mon, Apr 29, 2013 at 3:44 PM, Andrew Jones wrote:

> You will also need to follow this if adding a New/RMA SRX into a cluster
> which is 10.4 or older, should save you a few days of troubleshooting :)
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB23929
>
>
> On Mon, Apr 29, 2013 at 3:33 PM, Craig Askings  > wrote:
>
>> Hi Jim,
>>
>> On 29 April 2013 05:49, James Howlett  wrote:
>>
>> > Hi Paul,
>> >
>> > Thank You very much for the clarification. I will have only one ASBR. As
>> > for redundancy I'll go with a single 1400 unit and add a second in the
>> > future. Still, a single SRX1400 will be probably more stable than a
>> > single J6350.
>> >
>>
>> I recently had a client that had a similar plan to you of a single SRX1400
>> now to a HA pair later. No BGP though, when we setup the first SRX we
>> configured it as if it was part of a HA pair and left it running in a
>> Active/Lost state.
>>
>> Once we got the second SRX we followed the SRX HA Hardware replacement
>> procedure in the Juniper KB and it all went smoothly with no hiccups or
>> outages.
>>
>> http://kb.juniper.net/InfoCenter/index?page=content&id=KB21134
>>
>>
>> --
>>
>> Regards,
>>
>> Craig Askings
>>
>> io Networks Pty Ltd.
>>
>>
>>
>> mobile: 0404 019365
>>
>> phone: 1300 1 2 4 8 16
>> ___
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] SRX1400 opinions

2013-04-28 Thread Andrew Jones
You will also need to follow this if adding a New/RMA SRX into a cluster
which is 10.4 or older, should save you a few days of troubleshooting :)

http://kb.juniper.net/InfoCenter/index?page=content&id=KB23929


On Mon, Apr 29, 2013 at 3:33 PM, Craig Askings
wrote:

> Hi Jim,
>
> On 29 April 2013 05:49, James Howlett  wrote:
>
> > Hi Paul,
> >
> > Thank You very much for the clarification. I will have only one ASBR. As
> > for redundancy I'll go with a single 1400 unit and add a second in the
> > future. Still, a single SRX1400 will be probably more stable than a
> > single J6350.
> >
>
> I recently had a client that had a similar plan to you of a single SRX1400
> now to a HA pair later. No BGP though, when we setup the first SRX we
> configured it as if it was part of a HA pair and left it running in a
> Active/Lost state.
>
> Once we got the second SRX we followed the SRX HA Hardware replacement
> procedure in the Juniper KB and it all went smoothly with no hiccups or
> outages.
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB21134
>
>
> --
>
> Regards,
>
> Craig Askings
>
> io Networks Pty Ltd.
>
>
>
> mobile: 0404 019365
>
> phone: 1300 1 2 4 8 16
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Best route reflector platform

2013-04-15 Thread Andrew Jones
I know that it's not apples and apples but, for what it's worth, 
Juniper are about to release JunOS Firefly V - a virtualised SRX 
(running JunOS of course). It's downloadable now with a test license, 
and can run in VMWare.




On 16.04.2013 10:37, Phil Bedard wrote:

I think at some point in the future there will be a virtualized Junos
which can be deployed on a server, with limitations, but should be
something that supports route reflection.

Juniper has JCS today but it's obviously not as small of a box as I would
like.

Phil

On 4/15/13 12:20 PM, "Jeff Aitken"  wrote:


On Sun, Apr 14, 2013 at 06:47:41PM +0200, Mark Tinka wrote:

ASR1001 with 16GB DRAM. What more do you want, really?


Well, it fails my "must run IOS-XR or JUNOS" requirement, for starters.
;-)
And seriously, who wants to implement routing policy in IOS?!  Bletch.

What I want is something based on a generic compute platform, ala
JUNOSphere/VIRL.  That lets me scale the control plane as big as I need to,
avoids wasting money on purpose-built hardware optimized for forwarding,
and comes with the added bonus of using the same OS & policy language
that's already widely deployed in my network, so at least I don't get any
NEW interop issues.  The downside is that neither vendor sells such a thing
right now, and so we're stuck arguing about which square peg fits best into
the round hole.  ("small" ASR9k and MX here, FWIW)

Oh and I also want a two-vendor solution so that I'm (hopefully) not
completely screwed the next time one of them discovers a new
attribute-handling bug.


--Jeff

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp



___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Can someone tell me the reason?

2013-03-17 Thread Andrew Jones
Looks like someone doing some testing, inserting a route and seeing how 
different ASes handle seeing a default with their own AS in the path. 
What provider are you seeing it from?



On 18.03.2013 10:09, Ali Sumsam wrote:

Hi All,

What could be the reason of these AS numbers appearing in the AS path...


myname@juniper-mx5> show route

inet.0: 450219 destinations, 450670 routes (450219 active, 0 holddown, 397 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0  *[Aggregate/130] 2w2d 23:35:15
  Discard
[BGP/170] 00:11:08, localpref 100, from 1.1.1.1
  AS path: {24 174 209 306 310 317 575 701 702 
719 721
1126 1221 1239 1273 1299 1491 1562 1565 1705 1733 2118 2143 2381 2497 
2519
2549 2687 2764 2828 2914 3043 3216 3257 3320 3335 3356 3471 3472 3491 
3527
3538 3544 3549 3561 3741 3786 3816 4021 4323 4436 4451 4538 4589 4610 
4637
4648 4651 4657 4678 4725 4755 4761 4768 4809 4826 4830 5078 5087 5180 
5387
5400 5410 5416 5531 5580 5588 5606 5714 5730 5800 6006 6045 6057 6128 
6150
6221 6429 6453 6461 6473 6503 6539  6667 6713 6762 6828 6833 6939 
6983
7004 7017 7018 7065 7204 7303 7381 7470 7473 7474 7514 7598 7670 7684 
7690
7713 7714 7843 7862 7922 7936 7992 8218 8331 8359 8399 8400 8448 8492 
8551
8744 8918 8926 9304 9318 9370 9381 9398 9498 9505 9556 9607 9730 9772 
9785
9822 9829 9876 9885 9901 9971 10002 10026 10098 10213 10329 10578 
10778
10796 10848 10910 10912 10913 11051 11071 11123 11164 11190 11310 
11340
11399 11427 11664 11700 11857 11986 11992 12056 12179 12182 12315 
12389
12523 12670 12880 12956 12975 12989 13079 13194 13249 13536 13602 
13692
13693 13768 13789 13855 14105 14234 14627 15139 15290 15348 15412 
15533
15611 15935 16022 16125 16265 16345 16625 16796 16810 16813 16841 
16969
17067 17224 17225 17232 17379 17408 17444 17462 17537 17573 17645 
17659
17746 17819 17826 17888 17916 17917 18101 18150 18272 18345 18411 
18678
18747 18779 18804 18895 18990 19024 19029 19037 19048 19092 19108 
19151}
{19559 19893 19938 20183 20258 20367 20394 20460 20485 20521 20847 
20870
20926 20940 21011 21127 21191 21341 21430 21437 21497 21555 21667 
22080
22211 22286 22489 22724 22806 22822 22909 22925 23265 23308 23498 
23520
23550 23563 23649 23801 23930 24005 24115 24157 24203 24213 24273 
24279
24324 24523 24582 24626 24631 24785 25155 25178 25252 25381 25861 
25899
25973 26065 26615 26878 26982 27033 27046 27064 27065 27066 27067 
27137
27281 27288 27364 27524 27630 27668 27757 27765 27814 27978 28168 
28210
28513 28730 28745 29049 29066 29067 29170 29761 30116 30170 30458 
30628
30831 30988 31205 31765 31838 32066 32097 32556 32611 32743 33029 
33363
33860 33874 34170 34248 34772 34857 34953 34968 35176 35400 35575 
35641
35645 35735 35788 35863 36029 36075 36089 36433 36514 36682 37088 
37100
37162 37183 37209 37282 37986 38072 38144 38145 38249 38413 38418 
38496
38567 38794 38862 39179 40170 40414 41038 41221 41465 41574 41677 
41696
42465 42861 43267 43419 43531 44356 44596 44654 44953 45144 45147 
45352
45425 45725 45841 45891 45903 46043 46068 46127 46389 46837 46838 
46868
46883 46887 46996 47019 47171 47313 47909 48268 48392 48524 48539 
48645
49550 49777 49895 50189 50261 50362 50545 50607 50670 50976 51034 
51360
51696 52145 52246 52255 52349 52879 53099 53153 53157 53340 53667 
54503
55309 55318 55321 55325 55566 55666 55824 56239 56308 56442 58247 
58552
58621 59616 61141 61294 61297 131127 131215 131351 131706 131771 
132375

132447 196745 197043 197191 197377 197930 198004 198151 198235 198646
199481 262232 262271 262519 262589} ?
> to 1.1.1.1 via ge-1/0/0.100

*Ali Sumsam CCIE*
*Network Engineer - Level 3*
eintellego Pty Ltd
a...@eintellego.net ; www.eintellego.net

Phone: 1300 753 383 ; Fax: (+612) 8572 9954

Cell +61 (0)410 603 531

facebook.com/eintellego
PO Box 7726, Baulkham Hills, NSW 1755 Australia

The Experts Who The Experts Call
Juniper - Cisco – Brocade - IBM
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] SRX Remote log denied traffic

2013-02-25 Thread Andrew Jones
There could be a few reasons you're not seeing logs:

- With the groups configuration, you need to still have a policy configured
in the configuration before the group applies (even if it is just a blank
"set security policies from-zone a to-zone b"). You can confirm this with a
"| display inheritance" or simply a "show security policies from-zone a
to-zone b"
- A better way to do this in JunOS 11.2 onwards is with a Global policy now
that it is supported rather than using groups
- If the traffic you are testing is direct to the firewall, it won't be
logged because it never hits a policy. It only works for transit traffic
- On this note as well, if it is dropped for a non policy reason (No
TCP SYN, no route, etc.) it won't show up in this file either

Hope this helps

On Fri, Feb 22, 2013 at 12:39 PM, Mike Devlin  wrote:

> So fingers crossed that this is an easy one for you guys,
>
> Device is an SRX210BE running 11.4R5.5 code.
>
> ive added the syslog host to the config
>
> meeks@MeeksNet-SRX210> show configuration system syslog
> archive size 100k files 3;
> user * {
> any emergency;
> }
> host 192.168.1.12 {
> any any;
> }
> file messages {
> any critical;
> authorization info;
> }
> file interactive-commands {
> interactive-commands error;
> }
> file security {
> security any;
> }
> file default-log-messages {
> any any;
> match "(requested 'commit' operation)|(copying configuration to
> juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU
> removal)|(FRU insertion)|(link UP)|(vc add)|(vc
>
> delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license
> add)|(license delete)|(package -X update)|(package -X
> delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
> structured-data;
> }
>
>
>
> and implemented the default deny template i found here:
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS
>
>
> meeks@MeeksNet-SRX210> show configuration groups
> default-deny-template {
> security {
> policies {
> from-zone untrust to-zone trust {
> policy default-deny {
> match {
> source-address any;
> destination-address any;
> application any;
> }
> then {
> deny;
> log {
> session-init;
> }
> }
> }
> }
> }
> }
> }
>
> meeks@MeeksNet-SRX210> show configuration apply-groups
> ## Last commit: 2013-02-21 16:05:36 EST by meeks
> apply-groups default-deny-template;
>
> however, when i log on to the syslog host, and tail the syslog file i do
> not see denies being logged remotely.
>
> if i apply the session-init and session-close options to permitted traffic,
> it does get logged remotely.
>
> Alternatively,
>
> creating a new policy has the same result, regardless if i use reject or
> deny
>
> meeks@MeeksNet-SRX210# show security policies from-zone untrust to-zone
> trust policy deny-all
> match {
> source-address any;
> destination-address any;
> application any;
> }
> then {
> deny;
> log {
> session-init;
> }
> }
>
> my google-foo is failing, so i hope you guys can help.
>
> Looking forward to hearing back from you,
>
> Mike
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Is Juniper moving features to AFL on EX Series in 12.3?

2013-02-13 Thread Andrew Jones
Sort of unrelated, but a quick question in regards to AFL's. I'm looking to
run BGP on a EX4500/4200 mixed mode VC (2 x 4500's, 2 x 4200's for 4
switches total) with the EX4500's as the RE and backup RE (preprovisioned).
Do I only need to purchase the AFL's for the EX4500's or all members of the
VC? Any other caveats I should be aware of?

On Fri, Feb 8, 2013 at 2:46 PM, Skeeve Stevens <
skeeve+juniper...@eintellegonetworks.com> wrote:

> Ahh sorry, didn't see it.
>
> Excellent to know.   Someone was trying to scare us ;-)
>
> ...Skeeve
>
> *Skeeve Stevens - *eintellego Networks Pty Ltd
> ske...@eintellegonetworks.com ; www.eintellegonetworks.com
>
> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
>
> facebook.com/eintellegonetworks ;  
> linkedin.com/in/skeeve
>
> twitter.com/networkceoau ; blog: www.network-ceo.net
>
>
> We are the bridge between business and technology
> Juniper - Cisco - Cloud
>
>
> On Fri, Feb 8, 2013 at 1:21 PM, Caillin Bathern  >wrote:
>
> > Hi Skeeve,
> >
> > This has already been discussed in the "Junos 12.3 Release Date" thread
> > and a Juniper employee has stated that this is a documentation error
> > that will fixed.
> >
> > Cheers,
> > Caillin
> >
> > -Original Message-
> > From: juniper-nsp-boun...@puck.nether.net
> > [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Skeeve Stevens
> > Sent: Friday, 8 February 2013 1:05 PM
> > To: juniper-nsp@puck.nether.net
> > Subject: [j-nsp] Is Juniper moving features to AFL on EX Series in 12.3?
> >
> > All,
> >
> > Something has just been pointed out to me, and I'd like to get the
> > communities take on it.
> >
> > It seems that Juniper has moved features to the Advanced Features
> > License in 12.3.
> >
> > *This is the link for the EX License Overview on 12.2*
> > http://www.juniper.net/techpubs/en_US/junos12.2/topics/concept/ex-series-software-licenses-overview.html#jd0e146
> >
> > Features Requiring a License on EX3200, EX4200, EX4500, EX4550, EX6200,
> > and
> > EX8200 Switches
> >
> > To use the following features on Juniper Networks EX3200, EX4200,
> > EX4500, EX4550, EX6200, and EX8200 Ethernet Switches, you must install
> > an advanced feature license (AFL):
> >
> >- Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)
> >- Intermediate System-to-Intermediate System (IS-IS)
> >- IPv6 protocols: OSPFv3, RIPng, IS-IS for IPv6, IPv6 BGP
> >- MPLS with RSVP-based label-switched paths (LSPs) and MPLS-based
> >circuit cross-connects (CCCs)
> >
> > ---
> >
> > *This is the link for the EX License Overview on 12.3*
> > http://www.juniper.net/techpubs/en_US/junos12.3/topics/concept/ex-series-software-licenses-overview.html#jd0e146
> >
> > Features Requiring a License on EX3200, EX4200, EX4500, EX4550, EX6200,
> > and
> > EX8200 Switches
> >
> > To use the following features on Juniper Networks EX3200, EX4200,
> > EX4500, EX4550, EX6200, and EX8200 Ethernet Switches, you must install
> > an advanced feature license (AFL):
> >
> >- Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)
> >- Generic Routing Encapsulation (GRE)
> >- Intermediate System-to-Intermediate System (IS-IS)
> >- Multicast Listener Discovery version 1 and 2 (MLDv1 and MLDv2)
> >- MPLS with RSVP-based label-switched paths (LSPs) and MPLS-based
> >circuit cross-connects (CCCs)
> >- Multicast Source Discovery Protocol (MSDP)
> >- RIPng (RIP next generation)
> >- OSPFv1/v2 (with four active interfaces)
> >- OSPFv3
> >- S-VLAN
> >- Unicast reverse-path forwarding (RPF)
> >- Virtual routing and forwarding (VRF)
> >- Virtual Router Redundancy Protocol (VRRP)
> >
> >
> > Doesn't this increase the cost of these switches by a ton of money if
> > you want features you used to get for free?
> >
> > I would have thought that IPv6 would have been something that would have
> > started to be in the base license since everyone is starting to need it
> > as standard.  This sounds a little opportunistic in my opinion.
> >
> > This looks like these layer 3 switches are becoming more and more like
> > Layer 2 dumb switches the higher the Junos version goes.
> >
> > Maybe 13.x will have IPv4 in AFL?
> >
> > ...Skeeve
> >
> > *Skeeve Stevens - *eintellego Networks Pty Ltd
> > ske...@eintellegonetworks.com ; www.eintellegonetworks.com
> >
> > Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
> >
> > facebook.com/eintellegonetworks ;  
> > linkedin.com/in/skeeve
> >
> > twitter.com/networkceoau ; blog: www.network-ceo.net
> >
> >
> > We are the bridge between business and technology Juniper - Cisco -
> > Cloud ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> > --
> > Message  protected by MailGuard: e-mail anti-virus, anti-spam and
> > content filtering.http://www.mailguard.c

Re: [j-nsp] JUNIPER POLICER and CoS Shaping Rate

2012-10-03 Thread Andrew Jones
I personally use the following guide,
http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/general/policer-guidelines-burst-size-calculating.html
except with multiples of 8ms (makes it easier on the maths).

For example, if you've got a 20mbit shaper applied to the interface then
the burst rate for all of your policers will be 20kbytes, this will allow
for a full shaped rate burst for 8ms. Can tweak to 16ms, 32ms, etc if
required.

On Thu, Oct 4, 2012 at 12:54 PM, GIULIANO (WZTECH)
wrote:

> People,
>
> Some topics where questioned today about how to limit traffic for vlan
> subscribers using MX5 routers.
>
> The main question is related to system architecture related to the main
> gear (internal machine) to control and limiting packets.
>
> Using policers (input or output) or shaping-rate we have quite the same
> result: miscalculating or error.
>
> If we create a rule like the following:
>
>
> set class-of-service interfaces ge-0/0/1 unit 530 shaping-rate 20m
>
>
> The output traffic rates 19.2~ Mbps only (using MRTG and SNMP statistics
> and graphics).
>
> We ever needs to allocate more bandwidth for the subscriber like.
>
> set class-of-service interfaces ge-0/0/1 unit 530 shaping-rate 22m
>
> To get the correct result ...
>
> Using policers generate almost the same result for output traffic.
>
> Is this because of system architecture or this is a graphic's mistake ?
>
> The burst size limit influence this result ? It must be calculated using
> what kind of parameter ?
>
> For example (same physical interface, same MTU, etc):
>
> Interface ge-0/0/0 unit 10 - VLAN 10 - 30 Mbps What is the correct burst ?
>
> Interface ge-0/0/0 unit 20 - VLAN 20 - 50 Mbps What is the correct burst ?
>
> Interface ge-0/0/0 unit 30 - VLAN 30 - 150 Mbps What is the correct burst ?
>
> Interface ge-0/0/0 unit 30 - VLAN 30 - 4 Mbps What is the correct burst ?
>
> Does anyone has solved this problems ?
>
> Is it possible to get a correct parameter and points to a correct limit
> for the contracted bandwidth ?
>
> Thanks a lot,
>
> Giuliano
>
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] jflow v9 - flow start timestamp not reset

2012-08-11 Thread Andrew Jones
Hi All,
There is a behaviour in jflow v9 which is frustrating me whereby once
flows reach the active timeout the flow is exported, the packet and byte
counters reset, but the flow remains in the flow table and the start time
is not modified. According to Juniper's docs [1], this is to make it easier
to identify long-lived flows.

This is annoying when looking at a short period of flow data (eg. 5 mins)
with tools such as nfdump, because the calculated bps and pps values are way
too low if the flow started before the beginning of the period you are
looking at.

Does anyone know if there's a hidden knob in junos to tell it to reset the
flow start time on flows that reach the active timeout?
Thanks,
Andrew

[1] http://www.juniper.net/us/en/local/pdf/app-notes/3500204-en.pdf (page
6)
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
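
An added example, not part of the original post and not nfdump code: a collector-side sketch of the rate calculation for the behaviour described above, using the end of the previous export for the same flow (or, failing that, the active timeout) as the interval start instead of the unchanged flow start time. The record layout, the 60-second active timeout and the sample records are assumptions constructed for illustration.

```python
"""Per-export-interval rates for long-lived flows whose start time is not
reset when they are exported at the active timeout."""
from collections import namedtuple

# One exported record. `bytes` and `packets` cover only the interval since
# the previous export, but `first` is still the original start of the flow.
# Timestamps are seconds; the field names are hypothetical.
FlowRecord = namedtuple("FlowRecord", "key first last bytes packets")

ACTIVE_TIMEOUT = 60.0  # seconds; assumed exporter setting


def naive_bps(rec):
    """Rate computed from the record's own first/last timestamps."""
    duration = rec.last - rec.first
    return rec.bytes * 8 / duration if duration > 0 else 0.0


def corrected_rates(records, active_timeout=ACTIVE_TIMEOUT):
    """Return [(record, interval_start, bps, pps)] ordered by `last`.

    interval_start is the later of the record's own start time and either
    the `last` timestamp of the previous export with the same key or, when
    no previous export is in the data set, `last - active_timeout`.
    Using the previous `last` assumes the flow is roughly continuous, so
    the last packet before an export is close to the export time.
    """
    prev_last = {}
    out = []
    for rec in sorted(records, key=lambda r: r.last):
        fallback = rec.last - active_timeout
        start = max(rec.first, prev_last.get(rec.key, fallback))
        duration = rec.last - start
        if duration > 0:
            bps = rec.bytes * 8 / duration
            pps = rec.packets / duration
        else:
            # Single-packet or duplicate record: no usable interval.
            bps = pps = 0.0
        out.append((rec, start, bps, pps))
        prev_last[rec.key] = rec.last
    return out


# Constructed sample: one flow running at 1 Mbit/s since t=0, exported every
# 60 s, and one short flow that lives entirely inside the window.
LONG = ("192.0.2.10", "198.51.100.20", 6, 51514, 443)
SHORT = ("192.0.2.11", "198.51.100.20", 17, 40000, 53)
SAMPLE = [
    FlowRecord(LONG, 0.0, 240.0, 7_500_000, 6000),
    FlowRecord(LONG, 0.0, 300.0, 7_500_000, 6000),
    FlowRecord(SHORT, 250.0, 260.0, 125_000, 100),
]

if __name__ == "__main__":
    for rec, start, bps, pps in corrected_rates(SAMPLE):
        print(f"{rec.key[0]:>12} last={rec.last:>5.0f} "
              f"naive={naive_bps(rec):>9.0f} bps  "
              f"interval={start:.0f}-{rec.last:.0f} "
              f"corrected={bps:>9.0f} bps {pps:.0f} pps")
```
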


[j-nsp] Single SRX DSCP writing before traffic is encrypted into IPSec

2011-08-10 Thread Andrew Jones
Hi,

I've got an SRX240 running 10.4R4.5 running at a branch site serving as
the site gateway and I figure out a way to write DSCP values before traffic
is encrypted into an IPSec VPN due to the SRX being the only device at the
site. The only place I can apply outbound DSCP marking is on the Interface
that the IPSec VPN lies, since you can't configure dscp rewrites on the
st0.x interfaces. This works okay since the IPSec packet is marked and
scheduled correctly, but once the traffic makes it to the other site and is
decrypted, the DSCP marking is lost and needs to be re-marked again. It also
makes it hard to audit how much traffic is being put into each class when
doing J-Flow exports, or if certain types of traffic are being marked
correctly.

Has anyone else got a similar setup or experienced and fixed this issue? I'm
currently terminating VPN's on the physical interface itself, could I
potentially move this to a vlan.x interface and perform outbound DSCP
marking there?
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] netflow collector on linux

2011-03-24 Thread Andrew Jones
I like nfcapd/nfdump, it does have a web frontend too, if that's your
thing, nfsen.
-Jonesy

On Tue, 22 Mar 2011 11:03:03 -0700, Michael Lee  wrote:
> Hello:
> 
>  I am trying to eval netflow collector for multi-vendor hardwares, anyone
> could suggest any good commercial netflow collector running on Linux?
> 
> Thanks,
> 
> ~mike
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] Router with lots of layer 3 interfaces

2011-03-07 Thread Andrew Jones
Hi,
I have a requirement to terminate the layer 3 for about 2000 vlans on a
pair of routers of some kind, with failover in the event of one of the
routers dying. Is this something that SRX240Hs could do? How many layer3
interfaces can the SRX240 handle? SRX650? Throughput is not a huge concern,
each vlan only requires a small amount of bandwidth.

To handle the failover, I could use the clustering, although that would
mean any software upgrades would require a simultaneous reboot of both
devices, making it a less desirable solution than having two SRXs with VRRP
on each vlan-facing layer 3 interface which would allow me to reboot the
boxes one at a time. My question with that setup is: how many VRRP
instances can I have on an SRX?
I appreciate any advice/feedback.
Thanks,
Andrew
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Static Routing - SRX

2010-11-03 Thread Andrew Jones
I did this once on an SRX240, and (as someone mentioned earlier) the fact
that the SRX only sees the packets in one direction will mean that TCP
sessions establish and work for a little while, but as soon as the flow
record on the SRX expires, it will stop passing the traffic mid-stream.

I ended up terminating the second subnet (172.30.200.0/24 in your example)
on a separate interface on the SRX.

-Jonesy 


On Wed, 3 Nov 2010 16:52:48 -0400, "Paul Stewart" 
wrote:
> Thanks very much  we had no policy between private and private ;)
> 
> Appreciate everyone's replies... take care..
> 
> Paul
> 
> 
> -Original Message-
> From: Ben Dale [mailto:bd...@comlinx.com.au] 
> Sent: Wednesday, November 03, 2010 4:31 PM
> To: Paul Stewart
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Static Routing - SRX
> 
> Hi Paul,
> 
> Router-on-a-stick with SRX will break unless you have the following:
> 
> set security policies from-zone Private to-zone Private policy 1ARM match source-address n192.168.20.0/24
> set security policies from-zone Private to-zone Private policy 1ARM match destination-address n172.30.200.0/24
> set security policies from-zone Private to-zone Private policy 1ARM match application any
> set security policies from-zone Private to-zone Private policy 1ARM then permit
> 
> 
> Cheers,
> 
> Ben
> 
> On 04/11/2010, at 1:48 AM, Paul Stewart wrote:
> 
>> Hi there.
>> 
>> 
>> 
>> Can anyone give any suggestion/guidance on the following.
>> 
>> 
>> 
>> I'm trying to do a static route *out* the same interface that the traffic
>> came *in* on.  This is on an SRX-240
>> 
>> 
>> 
>> Here are the details:
>> 
>> "Private": 192.168.20.0/24
>> 
>> "Public": 216.168.x.x/32
>> 
>> 
>> 
>> Static route: 172.30.200.0/24 to  to
>> 192.168.20.121
>> 
>> 
>> 
>> 192.168.20.121 is the IP on a VPN appliance.
>> 
>> 
>> 
>> Traffic from a client computer never gets routed to the VPN appliance. This
>> works on a Cisco 2800 without a problem, but I can't get it working on the
>> SRX.
>> 
>> 
>> 
>> So, to walk this through a bit more - a computer sitting on the 192.168.20.0
>> subnet has a default gateway of 192.168.20.224.  We want a route on the SRX
>> that routes any traffic coming into 192.168.20.224 that is destined to
>> 172.30.200.0/24 to be sent to 192.168.20.121.  In Cisco 2800 it's just a
>> static route.
>> 
>> 
>> 
>> Ran across this challenge in the Cisco PIX world as well..
>> 
>> 
>> 
>> Thanks for any input..
>> 
>> 
>> 
>> Paul
>> 
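Added example (not part of the original thread, and not Junos code): a simplified Python model of the failure Jonesy describes above, where the firewall sees only the client-to-appliance direction because replies from 192.168.20.121 go straight back to the client on the same subnet. The host addresses, the timeout values and the rule that a half-open session is never refreshed are assumptions of the model.

```python
# Simplified stateful-firewall flow table (a model, not Junos internals).
# Timeouts are constructed values chosen for illustration.
HALF_OPEN_TIMEOUT = 20       # lifetime of a session whose reply was never seen
ESTABLISHED_TIMEOUT = 1800   # idle timeout once both directions were seen

class FlowTable:
    def __init__(self):
        self.sessions = {}   # (initiator, responder) -> session state

    def packet(self, now, src, dst, flags):
        """Return True if the packet is forwarded, False if it is dropped."""
        key = (src, dst) if (src, dst) in self.sessions else (dst, src)
        sess = self.sessions.get(key)
        if sess and now >= sess["expires"]:
            del self.sessions[key]           # flow record aged out
            sess = None
        if sess is None:
            if flags != "SYN":
                return False                 # mid-stream packet without a session
            self.sessions[(src, dst)] = {"established": False,
                                         "expires": now + HALF_OPEN_TIMEOUT}
            return True
        if flags == "SYN-ACK" and key == (dst, src):
            sess["established"] = True       # reply seen: handshake confirmed
        if sess["established"]:              # assumption: only full sessions refresh
            sess["expires"] = now + ESTABLISHED_TIMEOUT
        return True

def simulate(firewall_sees_replies, duration=60, step=5):
    """Client sends one packet every `step` seconds through the firewall.
    Returns the times at which the firewall dropped a client packet."""
    fw = FlowTable()
    client, server = "192.168.20.50", "172.30.200.10"   # constructed hosts
    drops = []
    fw.packet(0, client, server, "SYN")
    if firewall_sees_replies:
        fw.packet(0, server, client, "SYN-ACK")
    for t in range(step, duration + 1, step):
        if not fw.packet(t, client, server, "ACK"):
            drops.append(t)
        if firewall_sees_replies:
            fw.packet(t, server, client, "ACK")
    return drops

if __name__ == "__main__":
    print("one-arm path, replies bypass firewall:", simulate(False))
    print("second subnet on its own interface:   ", simulate(True))
```

In the one-arm case the stream passes until the half-open record ages out and is then dropped mid-stream; with both directions crossing the firewall nothing is dropped.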


Re: [j-nsp] Multiple ospf process on juniper EX

2010-09-14 Thread Andrew Jones
If you have to go down this road, the following is a good guide:

http://www.juniper.net/techpubs/software/junos/junos50/swconfig50-routing/html/instance-config5.html
 

Note: if you want to put the BGP default route in the other instance as well, 
you have to define the rib-group under edit protocols bgp.

-Original Message-
From: juniper-nsp-boun...@puck.nether.net 
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Henri Khou
Sent: Tuesday, 14 September 2010 6:37 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Multiple ospf process on juniper EX

Hello,

I'm trying to find the best way to redistribute BGP default route to 2 
independent organizations running OSPF with a different cost for each 
organization.
I am used to Cisco IOS where you can run 2 OSPF instances by specifying a 
process ID for every OSPF instance.
How can I do that under JunoS?

Thank you very much.

-- 
Henri KHOU
Systems & Networks Administrator
EHESS - CRI
54 Bd Raspail
75006 Paris
Tel: 01 49 54 24 79




Re: [j-nsp] Screening logs on SRX

2010-09-08 Thread Andrew Jones
You can log events to a traceoptions file:

security {
    screen {
        traceoptions {
            file {
                filename;
                files x; (number of tracefiles)
                no-world-readable; | world-readable;
                size x; (max size)
                match regular-expression; (Can trim the traceoption as required to get your particular screens)
            }
            flag configuration | flow | all;
        }
    }
}

Not the cleanest or most resource friendly solution. 

-Original Message-
From: juniper-nsp-boun...@puck.nether.net 
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Fahad Khan
Sent: Tuesday, 7 September 2010 6:02 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Screening logs on SRX

Hi Folks,

Can somebody tell me how I can see the logs of the attack packets
generated by some source for, let's say, "port scan", "IP spoof" etc.?

Thanks in adv,

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan