Re: [j-nsp] SRX - tap mode?

2012-09-12 Thread DeathPacket
Will,

Here is a config for using a port on a branch device as a packet capture
device. Port ge-0/0/1 is put into promiscuous mode (has to be a gig port,
btw) and is getting forwarded packets from a switch.

You need the:

forwarding-options {
    packet-capture {

setting and the packet filter.

Interface does not need to be in a zone.

--Ben

On Wed, Sep 12, 2012 at 11:31 AM, Stefan Fouant sfou...@shortestpathfirst.net wrote:

 You can always create your own 'tap mode' by simply configuring Filter
 Based Forwarding and shunting your selective traffic through your IDP. I
 did this all the time in my previous life when dealing with security
 devices that couldn't scale enough to place in-line.

 Stefan Fouant
 JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
 Technical Trainer, Juniper Networks

 Follow us on Twitter @JuniperEducate

 Sent from my iPad

 On Sep 12, 2012, at 11:43 AM, William McLendon wimcl...@gmail.com wrote:

  Hi Tim,
 
  Thanks for the response, but reading the description, that sounds like
 the firewall itself still has to be inline, which I'm trying to avoid here.
 
  I guess what does the rest of the config have to look like for it to
 function correctly off a SPAN port? I.e., there wouldn't be any routing or IP
 interfaces involved.
 
  Thanks,
 
  Will
 
  On Sep 12, 2012, at 11:35 AM, Tim Eberhard wrote:
 
  High-end SRXs support tap mode. Branch, as far as I know, do not.
 
 
 http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45272.html
 
  Hope this helps,
  -Tim Eberhard
 
  On Wed, Sep 12, 2012 at 10:33 AM, William McLendon wimcl...@gmail.com wrote:
  Hi everyone,
 
  Do SRX firewalls support a tap mode installation? Really just
 looking at it for purposes of evaluating IDP functionality, where tap
 mode would be the least intrusive method to see data vs. having to put it
 inline (and then deal with the inevitable "you put a device inline and now
 XYZ doesn't work!").
 
  I seem to recall that they do not, and they have to be installed in L3
 mode or in Transparent mode, but was hoping I may have missed the feature
 in a release note somewhere.
 
  Thanks,
 
  Will
  ___
  juniper-nsp mailing list juniper-nsp@puck.nether.net
  https://puck.nether.net/mailman/listinfo/juniper-nsp
 
 


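Ben's attached config did not survive in the archive; the following is an added example (not his config) of the stanzas he names: a promiscuous capture port, the forwarding-options packet-capture setting and a sampling packet filter. The interface ge-0/0/1 receiving SPAN traffic is taken from his post; the file name, file count and sizes are assumptions.

```junos
/* Added example, not Ben's original config. Assumes ge-0/0/1 receives mirrored
   traffic from the switch; file name, file count and size are arbitrary choices. */
interfaces {
    ge-0/0/1 {
        promiscuous-mode;            /* accept frames not addressed to this port */
        unit 0 {
            family inet {            /* no address and no security zone needed */
                filter {
                    input capture-all;
                }
            }
        }
    }
}
forwarding-options {
    packet-capture {
        /* capture files land in /var/tmp as <filename>.<interface>; 100 files of 1024 KB */
        file filename tap-capture files 100 size 1024 world-readable;
        maximum-capture-size 1500;   /* bytes kept per packet; 1500 keeps whole frames */
    }
}
firewall {
    filter capture-all {
        term sample-everything {
            then {
                sample;              /* hands matching packets to packet-capture */
                accept;
            }
        }
    }
}
```

Because the filter is applied under family inet, only IPv4 traffic is sampled; the resulting files can be copied off the box with `file copy` and opened in tcpdump or Wireshark.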

Re: [j-nsp] out of band management - real OOB

2011-10-31 Thread DeathPacket
All,

Juniper does allow you to use a specific route table for management; it's
inet.0. You then create a VR and place all your transit ports in the VR.
Ideal would be to do the reverse of that, create a VR and put the mgmt
ports in the VR, but it is not supported today. Still, it is doable without
logical systems.

-DP




On Sat, Sep 17, 2011 at 7:14 AM, Chris Evans chrisccnpsp...@gmail.com wrote:

 Juniper devices have out of band ethernet ports, but have the HUGE HUGE
 downfall of being in the main routing table, conflicting with every other
 route. This limits its usage; however, a workaround is to put the FXP
 interface into a logical system (on supported devices). This has downfalls
 too, but it's better than nothing. Unfortunately Juniper hasn't gotten this
 clue yet; every other vendor I've used recently has full VRF/logical system
 support for their OOB interfaces, keeping them out of the main routing
 table.

 One main downfall I'm running into is that I cannot copy or install software
 using the FXP port as my source for traffic. Does anyone know of a command
 that will allow me to select the logical system? The current commands don't
 seem to allow routing instances or logical systems to be specified.

 Something like: file copy logical-system:MGMT:ftp://blah/blah..

 Anyone have any other workarounds? Thanks!

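An added example (not a config from this thread) of the arrangement DP describes: the management port stays in inet.0 and every transit interface is moved into a virtual-router instance, so transit routes never collide with management routes. It assumes fxp0 is the dedicated management port and ge-0/0/0 and ge-0/0/1 are the transit ports; all addresses are constructed.

```junos
/* Added example of the approach described above; not a config from the thread.
   Addresses are constructed (RFC 5737 / RFC 1918 ranges), fxp0 is assumed to be
   the dedicated management port, ge-0/0/0 and ge-0/0/1 are assumed transit ports. */
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address 10.99.0.5/24;        /* management network */
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 198.51.100.2/30;     /* upstream transit */
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.0.2.1/24;        /* downstream transit */
            }
        }
    }
}
routing-options {
    /* inet.0 now holds only fxp0 and the management routes */
    static {
        route 10.0.0.0/8 next-hop 10.99.0.1;
    }
}
routing-instances {
    TRANSIT {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 198.51.100.1;   /* default route stays out of inet.0 */
            }
        }
    }
}
```

Confirm the split with `show route table inet.0` and `show route table TRANSIT.inet.0`; on an SRX the transit interfaces still have to be placed in security zones, which fxp0 does not.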


Re: [j-nsp] SRX-3600 Rate limit

2010-11-30 Thread DeathPacket
Atif,

I put this together to limit iTunes traffic to 1mb.

Use a firewall filter to police the traffic (I did specify www.apple.com, but
it resolved the address automatically; this may be an issue when round-robin
DNS happens). You can be more specific (i.e. port 80, etc.), but I was just
checking base functionality.


firewall {
    policer Apple {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 50k;
        }
        then discard;
    }
    filter Apple-Rate-Limit {
        term 1 {
            from {
                destination-address {
                    184.85.45.15/32;
                }
            }
            then {
                policer Apple;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
}


Then add the filter to an interface (this is my trust interface):


fe-0/0/7 {
    unit 0 {
        family inet {
            filter {
                input-list Apple-Rate-Limit;
            }
            address 192.168.200.238/24;
        }
    }
}

--Ben

On Tue, Nov 30, 2010 at 10:11 AM, atif naeem col.a...@gmail.com wrote:

 Hi folks,
 Can anyone tell me how to implement rate limiting on SRX-3600? I have Junos
 version 10.0R2.10. I want to restrict users to 1mb.

 BR
 Atif Naeem
