Re: [j-nsp] destination nat, 8 rule limit
he said he did that already.. unfortunately i don't think the limits were upped for source/destination nat rules, i think it is still 8 on 9.6r1

On Tue, Nov 3, 2009 at 8:39 AM, Derick Winkworth dwinkwo...@att.net wrote:
Upgrade to 9.6. You can have many more rules per rule-set...

From: Christopher M. Hobbs ch...@altbit.org
To: juniper-nsp@puck.nether.net
Sent: Tue, November 3, 2009 10:08:13 AM
Subject: [j-nsp] destination nat, 8 rule limit

If I try to set up more than 8 rules per rule-set on our SRX240 boxes, Junos gets cranky. Here's the error I receive:

---
cho...@ss0101# commit check
[edit security nat destination rule-set mail]
'rule'
number of elements exceeds limit of 8
error: configuration check-out failed: (number of elements exceeds limit)
---

I can't break our rules out into different rule sets because it complains of context at that point (which I believe is tied to the destination address?):

---
cho...@ss0101# commit check
error: Destination NAT rule-set mail and test have same context.
[edit security nat destination]
'rule-set test'
Destination NAT rule-set(test) sanity check failed.
error: configuration check-out failed
---

All of our incoming addresses exist on the same subnet and the majority of our destination addresses are on the same subnet as well, so I clearly can't split up our rules to work around this issue if the context is based on either the incoming or destination addresses.

I've read a couple of threads concerning a similar issue and the fix was to upgrade to 9.6, which I did. The upgrade didn't appear to solve anything at all.

Does anyone know why this restriction is here other than just poor programming? How can I get past this limitation?

Thanks for your time!

--
C.M. Hobbs, http://altbit.org

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] [c-nsp] Network Liberation Movement???
On Sun, Nov 1, 2009 at 9:54 PM, Omachonu Ogali oog...@gmail.com wrote:
How much is buzz worth? About the same as YouTube views. (In South Park speak, theoretical dollars). If you can't convert *positive* buzz into revenue, your marketing efforts will serve as nothing more than brand awareness campaigns.

By this point in the conversation, it should be obvious the buzz is turning negative:
a) overtones of disinterest due to dubious marketing,
b) people biting the bait on what seems to be a month long viral campaign that *still* has 15 more days to go before phase 2,
c) conversation shift from the mystery product, to debating whether the marketing works -- and we still don't know what's being marketed other than common sense (You hate vendor lock-in, I hate vendor lock-in, let's be friends)

well said, and agreed

-ck
Re: [j-nsp] [c-nsp] Network Liberation Movement???
looks as if it's working based on the activity in this thread...
[j-nsp] Refurbished Hardware
anyone know of a reputable reseller where I may be able to find an SCB for an old M40 chassis?

christian
Re: [j-nsp] Inactive/Disabled Interface Reporting Link Down via SNMP
thanks to all that replied

activating the interface, deleting the disable, then re-adding the disable, seemed to fix my issue

christian

On Wed, Sep 10, 2008 at 11:31 PM, Christian Koch [EMAIL PROTECTED] wrote:
Hi -

I have an interface on an old M40, which i have 'deactivated', 'set disable' on that is still alarming Link Down via SNMP polling, and showing up/down on a show int terse and Enabled on show interface outputs... There is nothing connected on this interface

Am I missing something?

Software is JUNOS 7.0R2.7

[edit interfaces ge-6/1/0]
# show
##
## inactive: interfaces ge-6/1/0
##
inactive: disable;
no-traps;

[edit interfaces ge-6/1/0]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

[EMAIL PROTECTED] show interfaces terse | match ge-6/1/0
ge-6/1/0    up    down

[EMAIL PROTECTED] show interfaces ge-6/1/0 | match Enabled | last
Physical interface: ge-6/1/0, Enabled, Physical link is Down

Thanks!
Christian
Re: [j-nsp] vpls ping control-plane-response
read the following kompella draft, i am pretty sure vpls ping operation is covered

http://tools.ietf.org/html/draft-stokes-vkompella-l2vpn-vpls-oam-01

On Wed, Aug 13, 2008 at 2:24 PM, Marlon Duksa [EMAIL PROTECTED] wrote:
Does anyone know what control-plane-response in the vpls ping cmd means? VPLS ping in my scenario without that keyword works, but with it, it doesn't.

[EMAIL PROTECTED] run ping vpls instance vpls destination-mac 00:00:07:00:00:01 source-ip 1.1.1.1
! - re-0:vpls:ge-5/0/4.0
! - re-0:vpls:ge-5/0/4.0

[EMAIL PROTECTED] run ping vpls instance vpls destination-mac 00:00:07:00:00:01 source-ip 1.1.1.1 control-plane-response
.

Thanks,
Marlon
Re: [j-nsp] J-web installation-j6300 router
request system software delete jweb
request system software add /var/tmp/blahblah
set system services web-management http

On Tue, Aug 5, 2008 at 5:02 PM, Mohd Arshad [EMAIL PROTECTED] wrote:
I have a juniper j6300 router. i want to install the j web graphic interface on it. previously it was installed on it but i have disabled it from jweb, now i want to do it again. can any body help me by giving the commands and process for jweb installation in the J6300 router? software version is 7.3R1.5

thanks
arshad
Re: [j-nsp] Supporting Audit Requirements in JUNOS
i think a combination of things like this is fine, in most cases, auditors just want to verify you are actually doing what you say you are...how you do it, whether ideal, complicated or simple, doesn't really matter to them for the most part.

like i said if you have some type of change control procedure or policy, you can associate the changes and the requester of the change with actual proof of the change (logs/rancid/tftp/etc)

On Wed, Jul 23, 2008 at 9:32 AM, Jose Madrid [EMAIL PROTECTED] wrote:
Going back to Christian's point, Rancid doesn't know who made the changes and if there are multiple changes between rancid run-times, it will pick up various changes and not just the one in particular. I currently use a mixture of rancid and logs from devices to see who logged in at a time nearest when the change was picked up. This is a less than ideal solution, but all we currently have.

On Tue, Jul 22, 2008 at 5:17 PM, Stefan Fouant [EMAIL PROTECTED] wrote:
Yes, we have a change management process in place, but my job is to enforce it. Normally, we get the change request submitted, approved, then we push the change to the firewall. However, there is no simple way to correlate the committed change to the actual change request. My idea was to enforce the use of comments on commits along the lines of:

commit comment This is for Change Request Ticket # 123

As I alluded and Ben Bird confirmed, it seems that the most reasonable way to accomplish this goal is through the use of deny-commands to force the use of any commit which does not contain the string 'comment' in it. This is easier said than done, and I'll need to brush up on my RegEx skills: I wanted to do something along the lines of:

set system login class engineering deny-commands ^commit.*!comment.*$

but the damn * is being greedy and matching everything... so, I just need to play around with it a bit.

On Tue, Jul 22, 2008 at 5:06 PM, Christian Koch [EMAIL PROTECTED] wrote:
Hello Stefan -

I have been going through multiple SAS70's for the past year now... however, we have a change management process, which changes need to go through in order for a change to be allowed. so everything is all documented..

submit change request - review - approve - push change - archive/document

i realize this may not be feasible for everyone and being in different situations, environments, etc.. but its not too much of a hassle, also if you are using something like rancid, or some script or other network management product to fetch and save configs when changes are made, i think you are in the clear.

on a side note, if the commit script thing works well, i think that's an awesome idea

christian

On Tue, Jul 22, 2008 at 3:38 PM, Stefan Fouant [EMAIL PROTECTED] wrote:
Hi folks,

As part of SAS 70 Audit requirements, I need to ensure that anytime a firewall change is made on my routers a description of that change is recorded. I suppose I could force this by using commit scripts and forcing the use of annotate on anything in the firewall-filters stanza, although this could be rather unwieldy in its implementation. My preference would be to ensure that anytime the configuration is committed a 'commit comment comment' is used, but it doesn't seem that I can use commit-scripts to force that since a commit is not a configuration variable. I wonder if I could use allow-commands or deny-commands to accomplish something along these lines...

Has anyone attempted anything similar? What have you folks done to support SAS 70 Audit requirements?

Thanks,

--
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D

--
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D

--
It has to start somewhere, it has to start sometime. What better place than here? What better time than now?
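A worked version of the two mechanisms this thread circles around, added here as an example and not code posted by any of the participants: parsing Junos UI_COMMIT syslog lines to find commits whose comment cites no change-request ticket, picking the commit nearest to the time rancid noticed a diff (Jose's "logs nearest the change" approach), and comparing Stefan's `^commit.*!comment.*$` pattern with a negative-lookahead form. The log lines are constructed, the `CR#123` ticket convention and the year 2008 are assumptions (syslog timestamps carry no year), and whether the deny-commands matcher on a given Junos release accepts Perl-style lookahead is not something this thread establishes, so try it on a lab box before relying on it.

```python
import re
from datetime import datetime

# Constructed sample syslog lines in the shape Junos emits for commits (not real captures).
SAMPLE_LOG = """\
Jul 22 16:40:12 fw1 mgd[2214]: UI_COMMIT: User 'alice' requested 'commit' operation (comment: CR#123 open tcp/443 to web farm)
Jul 22 17:05:47 fw1 mgd[2214]: UI_COMMIT: User 'bob' requested 'commit' operation (comment: none)
Jul 22 17:31:09 fw1 mgd[2214]: UI_COMMIT: User 'carol' requested 'commit' operation (comment: tidy up descriptions)
Jul 22 17:31:10 fw1 sshd[2301]: Accepted publickey for carol from 10.0.0.5 port 51022 ssh2
"""

COMMIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ mgd\[\d+\]: UI_COMMIT: "
    r"User '(?P<user>[^']+)' requested 'commit' operation \(comment: (?P<comment>.*)\)$"
)
# Hypothetical ticket convention: a change-request id looks like CR#<digits>.
TICKET_RE = re.compile(r"\bCR#\d+\b")


def parse_syslog_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies it (assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_commits(log_text, year=2008):
    """Return one dict per UI_COMMIT line: who committed, when, and with what comment."""
    commits = []
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if not m:
            continue  # sshd and other noise is ignored
        comment = m["comment"]
        commits.append({
            "ts": parse_syslog_ts(m["ts"], year),
            "user": m["user"],
            "comment": None if comment == "none" else comment,
        })
    return commits


def commits_missing_ticket(commits):
    """Commits with no comment at all, or a comment that cites no change-request ticket."""
    return [c for c in commits
            if c["comment"] is None or not TICKET_RE.search(c["comment"])]


def nearest_commit_before(commits, seen_at, year=2008):
    """Latest commit at or before the syslog-style time at which rancid noticed a diff."""
    cutoff = parse_syslog_ts(seen_at, year)
    earlier = [c for c in commits if c["ts"] <= cutoff]
    return max(earlier, key=lambda c: c["ts"]) if earlier else None


# The pattern from the thread: in an extended regex '!' is a literal character,
# so this matches only a commit line that really contains the text "!comment".
GREEDY_RE = re.compile(r"^commit.*!comment.*$")
# Negative lookahead: matches a commit line in which the word "comment" never appears.
LOOKAHEAD_RE = re.compile(r"^commit\b(?!.*\bcomment\b)")


def commit_lacks_comment(command):
    """True when a CLI commit command carries no 'comment' keyword."""
    return LOOKAHEAD_RE.match(command) is not None


if __name__ == "__main__":
    found = parse_commits(SAMPLE_LOG)
    for c in commits_missing_ticket(found):
        print(f"{c['ts']:%b %d %H:%M:%S} {c['user']}: no ticket in comment {c['comment']!r}")
    hit = nearest_commit_before(found, "Jul 22 17:20:00")
    print("rancid diff seen at 17:20 most likely belongs to", hit["user"])
    for cmd in ("commit", "commit check", 'commit comment "CR#123"'):
        print(f"{cmd!r}: lacks comment = {commit_lacks_comment(cmd)}, "
              f"thread pattern matches = {GREEDY_RE.match(cmd) is not None}")
```

Run against a real UI_COMMIT export, the missing-ticket list is the evidence an auditor asks for, and the nearest-commit lookup gives a named user for each rancid diff instead of a guess from login times.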
Re: [j-nsp] Supporting Audit Requirements in JUNOS
Hello Stefan -

I have been going through multiple SAS70's for the past year now... however, we have a change management process, which changes need to go through in order for a change to be allowed. so everything is all documented..

submit change request - review - approve - push change - archive/document

i realize this may not be feasible for everyone and being in different situations, environments, etc.. but its not too much of a hassle, also if you are using something like rancid, or some script or other network management product to fetch and save configs when changes are made, i think you are in the clear.

on a side note, if the commit script thing works well, i think that's an awesome idea

christian

On Tue, Jul 22, 2008 at 3:38 PM, Stefan Fouant [EMAIL PROTECTED] wrote:
Hi folks,

As part of SAS 70 Audit requirements, I need to ensure that anytime a firewall change is made on my routers a description of that change is recorded. I suppose I could force this by using commit scripts and forcing the use of annotate on anything in the firewall-filters stanza, although this could be rather unwieldy in its implementation. My preference would be to ensure that anytime the configuration is committed a 'commit comment comment' is used, but it doesn't seem that I can use commit-scripts to force that since a commit is not a configuration variable. I wonder if I could use allow-commands or deny-commands to accomplish something along these lines...

Has anyone attempted anything similar? What have you folks done to support SAS 70 Audit requirements?

Thanks,

--
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
Re: [j-nsp] Enforcing CLI Idle-Timeouts
i tried this a while back and came across the same issue, i've yet to be able to find a 'hack' since..

christian

On Mon, Jul 21, 2008 at 4:56 PM, Stefan Fouant [EMAIL PROTECTED] wrote:
Hey Folks,

Wondering if anyone knows how to enforce CLI Idle-Timeouts on Juniper using default login classes such as Super-User. I see that there is a command 'idle-timeout' which can be configured under a login class, but I want to modify the default class 'super-user' which has a default of idle-timeout 0/disabled. It does not appear that I can modify the default login classes.

Anyone here ever attempt anything similar?

--
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
Re: [j-nsp] RD usage in BGP based VPLS
if you're using bgp signaling for auto discovery then you need RD, if you are using LDP, you do not

if you still don't know why you need an RD when using bgp, i suggest you read the following RFCs

http://tools.ietf.org/html/rfc4761
http://tools.ietf.org/html/rfc4762

On Tue, Jun 17, 2008 at 8:07 AM, narasimha murthy [EMAIL PROTECTED] wrote:
Hi

can any one tell me why RD is required for BGP based VPLS configuration. in case of L3 vpn RD is used to make customer ipv4 address globally unique in MPLS domain. But i don't understand the usage of RD in case of VPLS.

Murthy
Re: [j-nsp] /31 subnet mask
/31 is useless/unusable

/31 = 255.255.255.254 - 2 addresses, network address and broadcast, there is no room for host addresses

On Sat, Mar 22, 2008 at 8:49 AM, sunnyday [EMAIL PROTECTED] wrote:
hello

can any one explain the use of a /31 subnet mask. i know it's for saving ip addresses etc etc but i need to know how it works, limitations and how to implement it.

thank you