Re: [j-nsp] SRX - tap mode?
Will, Here is a config for using a port on a branch device as a packet capture device. Port ge-0/0/1 is put into promiscuous mode (has to be a gig port btw) and getting forwarded packets from a switch. You need the: forwarding-options { packet-capture { setting and the packet filter. Interface does not need to be in a zone. --Ben On Wed, Sep 12, 2012 at 11:31 AM, Stefan Fouant sfou...@shortestpathfirst.net wrote: You can always create your own 'tap mode' by simply configuring Filter Based Forwarding and shunting your selective traffic through your IDP. I did this all the time in my previous life when dealing with security devices that couldn't scale enough to place in-line. Stefan Fouant JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI Technical Trainer, Juniper Networks Follow us on Twitter @JuniperEducate Sent from my iPad On Sep 12, 2012, at 11:43 AM, William McLendon wimcl...@gmail.com wrote: hi Tim, thanks for the response - but reading the description that sounds like the firewall itself still has to be inline, which i'm trying to avoid here. I guess what does the rest of the config have to look like for it to function correctly off a span port? ie there wouldn't be any routing or IP interfaces involved. Thanks, Will On Sep 12, 2012, at 11:35 AM, Tim Eberhard wrote: High end SRX's support tap mode. Branch as far as I know do not. http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45272.html Hope this helps, -Tim Eberhard On Wed, Sep 12, 2012 at 10:33 AM, William McLendon wimcl...@gmail.com wrote: hi everyone, do SRX firewalls support a tap mode installation? Really just looking at it for purposes of evaluation of IDP functionality where tap mode would be the least intrusive method to see data vs having to put it inline (and then deal with the inevitable you put a device inline and now XYZ doesn't work!) I seem to recall that they do not, and they have to be installed in L3 mode or in Transparent mode, but was hoping I may have missed the feature in a release note somewhere. Thanks, Will ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] out of band management - real OOB
All, Juniper does allow you to use a specific route table for management, it's inet.0. You then create a VR, and place all your transit ports in the VR. Ideal would be to do the reverse of that, create a VR and put the mgmt ports in the VR, but it is not supported today. Still it is doable without Logical systems. -DP On Sat, Sep 17, 2011 at 7:14 AM, Chris Evans chrisccnpsp...@gmail.comwrote: Juniper devices have out of band ethernet ports, but have the HUGE HUGE downfall of being in the main routing table conflicting with every other route. This limits it usage, however a work around is to put the FXP interface into a logical system (on support devices). This has downfalls too, but its better than nothing. Unfortunately Juniper hasn't gotten this clue yes, every other vendor I've used recently has full vrf/logical system support for their OOB interfaces keeping them out of the main routing table. One main downfall I'm running into is that I cannot copy or install software using the FXP port as my source for traffic. Does anyone know of a command that will allow me to select the logical system? The current commands don't seem to allow routing instances or logical systems to be specified. Something like: file copy logical-system:MGMT:ftp://blah/blah.. Anyone have any other workarounds. Thanks! ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX-3600 Rate limit
Atif, I put this together to limit itunes traffic to 1mb. Use a firewall filter to police the traffic (I did specify www.apple.com but it resolved the address automatically, this may be an issue when round robin DNS happens). You can more specific (i.e. Port 80 etc..) but I was just checking base functionality. firewall { policer Apple { if-exceeding { bandwidth-limit 1m; burst-size-limit 50k; } then discard; } filter Apple-Rate-Limit { term 1 { from { destination-address { 184.85.45.15/32; } } then { policer Apple; accept; } } term 2 { then accept; } } } Then add the filter to an interface: (this is my trust interface) fe-0/0/7 { unit 0 { family inet { filter { input-list Apple-Rate-Limit; } address 192.168.200.238/24; } } } --Ben On Tue, Nov 30, 2010 at 10:11 AM, atif naeem col.a...@gmail.com wrote: Hi folks , Can any one tell me how to implement rate limit on SRX-3600 .I have junos version 10.0R2.10 . i want to restrict user on 1mb. BR Atif Naeem ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp