[j-nsp] Juniper, add me to your LinkedIn network

2014-10-02 Thread Muhammad Fahad Khan -- 2xJNCIE- (SP # 756, SEC # 164) via juniper-nsp
Hello, Juniper:
I would like to connect with you on LinkedIn.

Muhammad Fahad Khan -- 2xJNCIE- (SP # 756, SEC # 164)
Lead/Advisory Network and Security Consultant - ICS Services Hub MEA at IBM

Accept: 
http://www.linkedin.com/blink?simpleRedirect=e30Qej0OczkRe3sNd3wQcP8VdjR4imVLqnhxt6BSrCACt4dptT94cS8Zumlbp6lOomxP9zwOnT9BoCRBrlZBt6BSrCAZqSkCpnhFtCVFtSlKbnhMpmdzoiRybmRSrCBvrmRLoORIrmkZpSVFqSdxsDgCtP5MolsQelFhinp7kk4ZrClHrRhAqmQCpnhFtCV9sClyrmlJfm4CqjoJs6UToCdPc6AJtnxKrSYZpjYOtyZBbSRLoOVKqmhBqSVFr2VTtTsLbPFMt7hE&msgID=I559357414_40&markAsRead=

View the profile of Muhammad Fahad Khan -- 2xJNCIE- (SP # 756, SEC # 164): 
http://www.linkedin.com/blink?simpleRedirect=dzwTcP4Ocj8Zh4BOpm9JpmQCgANQhjRKpmJLl6xQtm4CpmRxrzRBs7Bkq7hRoioMd5YQcjgTdjcVdjl9nPgRdj4Sd34QfnhMpmdzgmVLqnhxt6BSrCACe39vsClyrmlJnSlQqnpKqjRHpipBt6BSrCBTpmUJpmRxryRybmRSrCBvrmRLoORIrmkZpSVFqSdxsDgCtP5MolsQelFhinp7kk4ZrClHrRhAqmQCtD1KfngCqjoJs6UToCdPc6AJtnxKrSYZpjYOtyZBbSRLoOVKqmhBqSVFr2VTtTsLbPFMt7hE&msgID=I559357414_40&markAsRead=

You are receiving messages about Invitation. Unsubscribe here: 
http://www.linkedin.com/blink?simpleRedirect=qjoJs6UToCdPc6AJtnxKrSYZp6BB9B4Jilx7tThnjDhki6dJi79ir5YJhmVyjAdDckFytR8SdPtShT9np3hVhAxUij1Cp7Fkd4kJjm9xlntvlk9jhntCoPpFr7xiqBl1gk5hoklQckd6e7B8skphgjRAqmZI9zwOnT9BoCRBrlZBt6BSrCAZqSkCpnhFtCVFtSlKbm9RsSVRbmoJrnpKqlZJrmZzbmNJpjRDrCBHoS5Ot2pTcn1xlPgVmB59tAthgjRKpmJLl6hFripPtmkZt2pFdyRMrztyoTcMqiRRu6VLrPRBfP9SbSkLrmZzbCVFp6lHrCBIbDtTtOYLeDdMt7hE&msgID=I559357414_40&markAsRead=

This e-mail message was addressed to Juniper List (support and 
training at iquall networks). Find out why we included this at this 
link: 
http://www.linkedin.com/blink?simpleRedirect=3wUdPgZp4BBr6dFt79x9zwOnT9BoCRBrlZBt6BSrCAZqSkCtP5MolsQelFhinp7kk4ZrClHrRhAqmQCr79lpmdFtD9BkT9BrmZQsTlzfm4CqjoJs6UToCdPc6AJtnxKrSYZpjYOtyZBbSRLoOVKqmhBqSVFr2VTtTsLbPFMt7hE&msgID=I559357414_40&markAsRead=
©2014 LinkedIn Ireland Limited, registered in Ireland as a limited 
company, identification number 477441; registered office: 70 Sir John 
Roberson’s Quay, Dublin 2
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] Plotting Junos Policer in SNMP

2014-07-09 Thread Fahad Khan
Hi Team,

Is there a MIB available for a Policer (in Junos) to be plotted on SNMP
server ?

any idea (who has working experience of this)?

regards,
Muhammad Fahad Khan
JNCIE-M # 756
Lead Network and Security Consultant - IBM
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] SRX monitor-interface question

2013-12-17 Thread Fahad Khan
SRX (High end) by default keeps logs on data plane and they have to be
forwarded to any external syslog

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16506

however from Junos 10 perhaps you can copy them from data plane to control
plane if you want to see them on console.

Muhammad Fahad Khan
JNCIE-M # 756
Lead Network and Security Consultant - IBM
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Fri, Dec 13, 2013 at 7:28 PM, R S  wrote:

> The only part missing will remain local control plane resources (ie logs,
> snmp, etc) that remain on RG0 secondary.
>
> Am I right ?
>
> --
> Date: Fri, 13 Dec 2013 14:58:46 +0300
>
> Subject: Re: [j-nsp] SRX monitor-interface question
> From: asadgard...@gmail.com
> To: dim0...@hotmail.com
> CC: fahad.k...@gmail.com; juniper-nsp@puck.nether.net
>
> Refer data plane on following:
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB16224
>
> Asad
>
>
>
> On Friday, December 13, 2013, R S wrote:
>
> how can I config syslog/traffic log directly from data plane ?
> some config example ?
>
> tks
>
> --
> Date: Fri, 13 Dec 2013 14:51:58 +0300
> Subject: Re: [j-nsp] SRX monitor-interface question
> From: asadgard...@gmail.com
> To: dim0...@hotmail.com
> CC: fahad.k...@gmail.com; juniper-nsp@puck.nether.net
>
> It's not recommended to use control plane for traffic logs, you can
> configure SRX to forward traffic logs directly from data plane
>
> RG0 aka control plane controls your routing engine, routing protocols and
> chassis. Failing it over will cause your routing daemon to restart,
> routing protocols to reconverge and so on...
>
> Asad
>
> On Friday, December 13, 2013, R S wrote:
>
> And what about syslog or firewall traffic logging flows on the RG1 Active
> node if RG0 remain active on the Passive ?
>
> Date: Fri, 13 Dec 2013 16:34:53 +0500
> Subject: Re: [j-nsp] SRX monitor-interface question
> From: fahad.k...@gmail.com
> To: dim0...@hotmail.com
> CC: juniper-nsp@puck.nether.net
>
> RG0 only contains Control Plane or REs.
> In SRX failover, it's not necessary to failover RG0 when there is a
> failover in RG1 due to a link failure. So we only do interface-monitor in
> RG1, RG2 ... not in RG0. RG0 already runs in A/P mode.
>
>
> It can be possible that SRX B is Primary in RG0 while Secondary in RG1
> (means SRX A is Primary in RG 1)
> Muhammad Fahad Khan
> JNCIE-M # 756
> Lead Network and Security Consultant - IBM
>
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
>
>
> On Fri, Dec 13, 2013 at 2:07 PM, R S  wrote:
>
> Hi
>
> In an SRX5800 cluster A/P deployment, does anybody recommend to
> monitor-interface also on RG0 or not ?
>
> PRO ? CONS ?
>
> We did it but unfortunately during an SPU crash the RG0 didn’t switch
> properly and JTAC told us it’s not recommended monitor-interface under RG0
> in same corner case…
>
> Any experience to share is useful
>
> Tks


Re: [j-nsp] SRX monitor-interface question

2013-12-13 Thread Fahad Khan
RG0 only contains Control Plane or REs.
In SRX failover, it's not necessary to failover RG0 when there is a failover
in RG1 due to a link failure. So we only do interface-monitor in RG1, RG2
... not in RG0. RG0 already runs in A/P mode.

It can be possible that SRX B is Primary in RG0 while Secondary in RG1
(means SRX A is Primary in RG 1)

Muhammad Fahad Khan
JNCIE-M # 756
Lead Network and Security Consultant - IBM
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Fri, Dec 13, 2013 at 2:07 PM, R S  wrote:

>
> Hi
>
> In an SRX5800 cluster A/P deployment, does anybody recommend to
> monitor-interface also on RG0 or not ?
>
> PRO ? CONS ?
>
> We did it but unfortunately during an SPU crash the RG0 didn’t switch
> properly and JTAC told us it’s not recommended monitor-interface under RG0
> in same corner case…
>
> Any experience to share is useful
>
> Tks


Re: [j-nsp] SRX cluster and VC Lags

2013-11-06 Thread Fahad Khan
Since your Primary SRX-firewall will be connecting with the switch through
6 interfaces hence the load balancing will be done over this aggregate
interface, perhaps per packet level by default. The other 6 interfaces of
the other (secondary) firewall will be disabled in your A/P design.

Muhammad Fahad Khan
JNCIE-M # 756
Lead Network and Security Consultant - IBM
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Thu, Nov 7, 2013 at 3:17 AM, Mike Devlin  wrote:

> is the load distribution going to be in some fashion even on 12
> interfaces?  Or even 6?  Cisco I know has funky load-balancing across
> aggregated links if it's not 2, 4 or 8 interfaces.  Is Juniper's
> load-balancing going to be any different/better?
>
>
> On Wed, Nov 6, 2013 at 4:19 AM, Fahad Khan  wrote:
>
>> Yeah, you can do so. You don't need any explicit configuration on SRX
>> Side, while you would need to enable LACP on Switch port level.
>>
>> All the 6 interfaces/Firewall will participate in one reth interface and
>> then you can enable vlan-tagging to provision inter-vlan routing. You will
>> be having interface like (e.g) reth1.100, reth1.110, reth1.120 as per your
>> VLANs configuration.
>>
>> Muhammad Fahad Khan
>> JNCIE-M # 756
>> Lead Network and Security Consultant - IBM
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://pk.linkedin.com/in/muhammadfahadkhan
>>
>>
>> On Mon, Oct 28, 2013 at 2:28 AM, Mohammed Shafi 
>> wrote:
>>
>> > Dear experts, I have query regarding SRX (650)cluster lag between and
>> > ex-4550 virtual chassis. I have 6 physical link from each member VC
>> > towards each node in the srx cluster .  I have multiple vlans in ex switch
>> > and planning to host the L3 interface in srx cluster . Now the question is
>> > can i build a lag between ex and srx with a SINGLE reth interface , say
>> > reth 1 and associate all physical interfaces from ex switch ( 6 interface ,
>> > total 12 ) and enable vlan tagging under reth 1 with unit interfaces for l3
>> > interfaces .
>> >
>> > Is there any limitation for reth interface such that it can only have a
>> > pair of physical interfaces from each node ?
>> >
>> > Sent from my iPad


Re: [j-nsp] SRX cluster and VC Lags

2013-11-06 Thread Fahad Khan
Yeah, you can do so. You don't need any explicit configuration on SRX
Side, while you would need to enable LACP on Switch port level.

All the 6 interfaces/Firewall will participate in one reth interface and
then you can enable vlan-tagging to provision inter-vlan routing. You will
be having interface like (e.g) reth1.100, reth1.110, reth1.120 as per your
VLANs configuration.

Muhammad Fahad Khan
JNCIE-M # 756
Lead Network and Security Consultant - IBM
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Mon, Oct 28, 2013 at 2:28 AM, Mohammed Shafi  wrote:

> Dear experts, I have query regarding SRX (650)cluster lag between and
> ex-4550 virtual chassis. I have 6 physical link from each member VC
> towards each node in the srx cluster .  I have multiple vlans in ex switch
> and planning to host the L3 interface in srx cluster . Now the question is
> can i build a lag between ex and srx with a SINGLE reth interface , say
> reth 1 and associate all physical interfaces from ex switch ( 6 interface ,
> total 12 ) and enable vlan tagging under reth 1 with unit interfaces for l3
> interfaces .
>
> Is there any limitation for reth interface such that it can only have a
> pair of physical interfaces from each node ?
>
> Sent from my iPad


Re: [j-nsp] SSL/UAC in data center Env.

2012-05-31 Thread Fahad Khan
The admin guides from juniper support portal are fantastic. What do you
need to deploy and what's your design?

regards,

Muhammad Fahad Khan
JNCIE-M # 756, 2xJNCIP-(M & SEC) # 834
Lead Network Consultant,
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Wed, May 30, 2012 at 5:22 AM, Charles Antrim  wrote:

> Nmci. 45 ic6500s and 40 sa6/6500s.
>
> On May 29, 2012, at 5:20 PM, "Dan Chevrie"  wrote:
>
> > Experts,
> > Am looking for SSL and UAC deployment document in data center
> > environment.
> >
> > Please share, if you have any document/reference guide available.
> >
> > -Dan


Re: [j-nsp] Destination NAT - GRE

2011-08-08 Thread Fahad Khan
I hope the given below thread can help you.

http://forums.juniper.net/t5/SRX-Services-Gateway/GRE-Outbound-Nat/td-p/34274

Regards,
Muhammad Fahad Khan
JNCIE-M # 756, 2xJNCIP-(M & SEC) # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Sat, Jul 30, 2011 at 1:31 AM, Paul Stewart  wrote:

> Does anyone know how to pass protocol 47 (GRE) through destination NAT in
> JunOS?  This is on an SRX100 running 10.4R4.5 currently.
>
>
>
> There is no match condition in the policies to permit it to pass...
>
>
>
> Thanks,
>
>
>
> Paul


Re: [j-nsp] STRM query

2011-02-17 Thread Fahad Khan
And further, I have no issues if ping does not work. The main problem is I
am unable to access it via web UI

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Thu, Feb 17, 2011 at 4:52 PM, Fahad Khan  wrote:

> what is the correct mode? I selected "STRM Console"
>
> Thanks for the quick reply
>
>
> regards,
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
>
>
> On Thu, Feb 17, 2011 at 4:50 PM, Rafal Grzeskowiak 
> wrote:
>
>> Hi Fahad,
>>
>>  In order to enable pings, you need to reconfigure iptables rules,
>> according to the KB article:
>>
>> http://kb.juniper.net/InfoCenter/index?page=content&id=KB14001&actp=search&searchid=1278510708579
>>
>>  Are you sure that during installation process you selected the correct
>> mode (i.e. not Qflow collector)?
>>
>>
>> BR,
>> Rafal
>>
>>  Dear Folks,
>>>
>>> Any one who can let me know a simple thing, I have done the initial
>>> configurations on STRM (2009.2) but I am unable to open it via Web UI
>>> through Eth0 as management Interface. Even I am unable to ping that
>>> device
>>> from my laptop. Is there any tricky thing in it?
>>>
>>> awaiting for urgent response.
>>>
>>> Thanks in adv
>>>
>>> regards,
>>>
>>> Muhammad Fahad Khan
>>> JNCIP - M/T # 834
>>> IT Specialist
>>> Global Technology Services, IBM
>>> fa...@pk.ibm.com
>>> +92-301-8247638
>>> Skype: fahad-ibm
>>> http://pk.linkedin.com/in/muhammadfahadkhan


[j-nsp] STRM query

2011-02-17 Thread Fahad Khan
Dear Folks,

Any one who can let me know a simple thing, I have done the initial
configurations on STRM (2009.2) but I am unable to open it via Web UI
through Eth0 as management Interface. Even I am unable to ping that device
from my laptop. Is there any tricky thing in it?

awaiting for urgent response.

Thanks in adv

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] JunOS route-based VPN: multiple st interfaces

2010-12-12 Thread Fahad Khan
Hello Jonathan,

let me know which junos version are u using?

You should use two st0.x interfaces like st0.1 and st0.2, the primary route
should use st0.1 and the secondary route should use st0.2. It should be
straight forward. keep using VPN monitor. Use re-key and DPD for proper
tunnel failover.

Let me know if you find any difficulty.

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Nov 30, 2010 at 9:19 PM, Adam Leff  wrote:

> On Tue, Nov 30, 2010 at 3:58 AM, Jonathan Lassoff  wrote:
>
> > On Mon, Nov 29, 2010 at 6:49 PM, Adam Leff  wrote:
> > > Also, for what it's worth, I do have multiple logical interfaces under st0
> > > (i.e. st0.0 and st0.1) and it is working without requiring NHTB.
> >
> > Without NHTB? So the "security ipsec vpn XXX" hierarchy has a
> > "bind-interface" statement, but the iff hierarchy under st0 *doesn't*
> > have a "next-hop-tunnel" statement?
> >
>
> Yes.  We run either BGP or OSPF over the tunnel links, so no next-hop-tunnel
> statements are required.  Are you binding "st0" or the full "st0.1"
> interface to your VPN?
>
> Here's a snippet of our config.  Feel free to contact me off-list with your
> config and I'm happy to give it a glance.
>
> in [edit security]:
> ike {
>     policy phx1 {
>         mode main;
>         proposal-set compatible;
>         pre-shared-key ascii-text "";
>     }
>     gateway phx1 {
>         ike-policy phx1;
>         address ;
>         external-interface ge-4/0/0.0;
>     }
> }
> ipsec {
>     vpn phx1 {
>         bind-interface st0.1;
>         vpn-monitor;
>         ike {
>             gateway phx1;
>             ipsec-policy compatible;
>         }
>         establish-tunnels immediately;
>     }
> }
>
> in [edit interfaces]:
> st0 {
>     unit 1 {
>         description "VPN to PHX1";
>         family inet {
>             address 10.10.11.8/31;
>         }
>     }
> }
>
>
>
>
> > > Do you have all the pre-requisites set up?  i.e. st0.1 in the proper
> > > security zone, a route pointed down st0.1 for the traffic to be tunneled,
> > > etc.?
> >
> > I'm pretty sure everything looks right (but just to me, so it's
> > certainly possible that there's a bug or two in my config). st0.1 is
> > in a security zone that has policies to permit vpn-monitor ICMP
> > traffic, and I'm not even routing over the st0.1 interface yet, just
> > pinging the remote end.
> >
> > Cheers,
> > jof
> >


Re: [j-nsp] STP in EX4200 Virtual Chassis

2010-10-16 Thread Fahad Khan
Dear Rehan

EX4200 switches in VC is an implementation with ISIS protocol, so they
internally control looping.

Yes, You can use up-link ports (like in case of connecting two switches
apart of more than 5 meters) of Fiber.

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Sun, Oct 17, 2010 at 11:03 AM, Muhammad Rehan wrote:

> Hi Team,
>
>
> Why Spanning tree is not required, when we connect Ex4200 Switches in
> Virtual Chassis?
>
> Can we connect Ex 4500 switches in Virtual Chassis using Uplink or Base SFP
> modules?
>
> Regards
>
> Muhammad Rehan


Re: [j-nsp] SRX5800 HA over 40 KM

2010-10-01 Thread Fahad Khan
Thank you all

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Fri, Oct 1, 2010 at 2:45 AM, sami ghourabi wrote:

> google "SRX Series Services Gateways Cluster Deployment Across Layer 2
> Networks.pdf"
>
> I sent you the file.
>
> Regards
>
> 2010/9/30 Fahad Khan 
>
>> I am unable to access this link. Can you please attach the file or provide
>> exact URL?
>>
>> Thanks and regards,
>>
>>
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fa...@pk.ibm.com
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://pk.linkedin.com/in/muhammadfahadkhan
>>
>>
>> On Thu, Sep 30, 2010 at 3:33 AM, sami ghourabi 
>> wrote:
>>
>>> Hi Muhammad,
>>>
>>> According to an application note from juniper latency should be under 100
>>> ms between two sites.
>>>
>>> This document may be interesting to read if not already done :
>>>
>>> http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/3500165-EN.pdf
>>>
>>> Please keep us updated with your findings.
>>>
>>> Best regards
>>>
>>>
>>> 2010/8/31 Fahad Khan 
>>>
>>>> Hi folks,
>>>>
>>>> Can I place two SRX 5800 in separate DCs in HA and the distance in
>>>> between
>>>> these two Data centers is around 40 Km.
>>>>
>>>> has any body experienced it??
>>>>
>>>> Thanks in adv
>>>>
>>>> regards,
>>>>
>>>> Muhammad Fahad Khan
>>>> JNCIP - M/T # 834
>>>> IT Specialist
>>>> Global Technology Services, IBM
>>>> fa...@pk.ibm.com
>>>> +92-301-8247638
>>>> Skype: fahad-ibm
>>>> http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] SRX5800 HA over 40 KM

2010-09-29 Thread Fahad Khan
I am unable to access this link. Can you please attach the file or provide
exact URL?

Thanks and regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Thu, Sep 30, 2010 at 3:33 AM, sami ghourabi wrote:

> Hi Muhammad,
>
> According to an application note from juniper latency should be under 100
> ms between two sites.
>
> This document may be interesting to read if not already done :
>
> http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/3500165-EN.pdf
>
> Please keep us updated with your findings.
>
> Best regards
>
>
> 2010/8/31 Fahad Khan 
>
>> Hi folks,
>>
>> Can I place two SRX 5800 in separate DCs in HA and the distance in between
>> these two Data centers is around 40 Km.
>>
>> has any body experienced it??
>>
>> Thanks in adv
>>
>> regards,
>>
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fa...@pk.ibm.com
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] COS went configured, made the SRX3600 interface down

2010-09-23 Thread Fahad Khan
BTW thanks Dale!
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Fri, Sep 24, 2010 at 9:48 AM, Fahad Khan  wrote:

> David,
>
> People like "dale" can understand and have idea to give the better answer
> of my question :). You don't have to go to the lower level every time.
>
>
> regards,
>
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
>
>
> On Fri, Sep 24, 2010 at 1:58 AM, Dale Shaw  wrote:
>
>> Hi,
>>
>> In my experience, enabling or disabling per-unit-scheduler flaps the
>> interface, yes.
>>
>> Definitely with 10.0R3, maybe with R2. I've seen it on J and SRX.
>>
>> Lucky you did it inside a maintenance window! ;-)
>>
>> Cheers
>> Dale
>>
>> On Friday, September 24, 2010, Fahad Khan  wrote:
>> > Hi,
>> >
>> > I simply implemented per-unit-scheduler on reth0.x(egress interface),
>> > committed the config, It made the whole network down. Using Junos 10.0R3.10
>> > in cluster
>> >
>> > has any body implemented COS on SRX3600 and saw this behaviour???
>> >
>> > regards
>> > Muhammad Fahad Khan
>> > JNCIP - M/T # 834
>> > IT Specialist
>> > Global Technology Services, IBM
>> > fa...@pk.ibm.com
>> > +92-301-8247638
>> > Skype: fahad-ibm
>> > http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] COS went configured, made the SRX3600 interface down

2010-09-23 Thread Fahad Khan
David,

People like "dale" can understand and have idea to give the better answer of
my question :). You don't have to go to the lower level every time.

regards,


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Fri, Sep 24, 2010 at 1:58 AM, Dale Shaw  wrote:

> Hi,
>
> In my experience, enabling or disabling per-unit-scheduler flaps the
> interface, yes.
>
> Definitely with 10.0R3, maybe with R2. I've seen it on J and SRX.
>
> Lucky you did it inside a maintenance window! ;-)
>
> Cheers
> Dale
>
> On Friday, September 24, 2010, Fahad Khan  wrote:
> > Hi,
> >
> > I simply implemented per-unit-scheduler on reth0.x(egress interface),
> > committed the config, It made the whole network down. Using Junos 10.0R3.10
> > in cluster
> >
> > has any body implemented COS on SRX3600 and saw this behaviour???
> >
> > regards
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fa...@pk.ibm.com
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://pk.linkedin.com/in/muhammadfahadkhan


[j-nsp] COS went configured, made the SRX3600 interface down

2010-09-23 Thread Fahad Khan
Hi,

I simply implemented per-unit-scheduler on reth0.x(egress interface),
committed the config, It made the whole network down. Using Junos 10.0R3.10
in cluster

has any body implemented COS on SRX3600 and saw this behaviour???

regards
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] Automatic failover of IPSEC tunnels on SRX3600

2010-09-19 Thread Fahad Khan
Currently running static routing... can't implement dynamic

VPN monitor is not working, Has any one tried DPD?

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


2010/9/20 Pavel Lunin 

> Fahad,
>
> If I correctly understood you use p2mp tunnel ifaces at the central site,
> right?
>
> If so, this is absolutely normal for any version whether it is JUNOS
> Voyajer or ScreenOS. st0.1 is still up because a lot of other active
> tunnels are bound to it. You don't want the Srx to switch over all the
> tunnels, do you?
>
> What you need is dynamic routing across the tunnels. Then when a spoke
> experiences a primary link failure, and a corresponding tunnel goes
> down, the hub won't receive the particular route through the st0.1
> iface. Instead it will get it through st0.2.
>
> Both SRX and SSG support such a scenario quite well.
>
> 2010/9/19, Fahad Khan :
> > Hi Folks,
> >
> > SRX3600 in chassis cluster is running on core side and having 200 branches
> > (with SSG140) connected to it on IPSEC tunnels. Every branch has two links
> > with different ISPs (primary and secondary) and the whole cloud (of ISPs) is
> > on MPLS. every branch is connected to core with primary and backup VPNs and
> > so primary and backup VPN are configured on Core SRX3600 with primary and
> > backup ISPs
> >
> > On core side, let's say I have two interfaces on SRX3600
> >
> > first is reth3.1 for ISP1
> > second is reth3.2 for ISP2
> >
> > st0.1 is bound to reth3.1 for primary IPSEC tunnel
> > st0.2 is bound to reth3.2 for secondary IPSEC
> >
> > after upgrading to Junos 10.2R2.11, the issue that I am seeing is that, when
> > primary link on branch gets down, the st0.1 interface remains up on core
> > SRX3600, that's why the primary route (with lower preference), never flushes and
> > hence traffic does not take secondary VPN.
> >
> > Can any body help me ASAP for having this automatic failover?
> >
> > thanks in adv,
> >
> > regards
> >
> >
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fa...@pk.ibm.com
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://pk.linkedin.com/in/muhammadfahadkhan
> >
>
> --
> Sent from my mobile device
>
> Pavel Lunin
> Senetsy,
> Moscow
>
> +7 495 983-05-90, ext. 109
> http://www.senetsy.ru
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
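
A small model of the behaviour discussed in this thread, added here as an illustration (not code from any poster and not Junos itself): a multipoint st0 unit stays up while any tunnel bound to it is up, so a static route that only follows interface state keeps pointing at st0.1 for a branch whose primary tunnel is down, while per-branch route learning moves that branch to st0.2. The `Hub` class, the branch names and the preference values 5 and 10 are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Hub:
    """Hub firewall with multipoint tunnel interfaces (model, not Junos code)."""
    # tunnels[ifname][branch] is True while that branch's IPsec tunnel is up
    tunnels: dict

    def interface_up(self, ifname):
        # A multipoint st0 unit is up while ANY tunnel bound to it is up.
        return any(self.tunnels[ifname].values())

    def static_next_hop(self, candidates):
        """Static routing as described in the thread: the route follows
        interface state only. candidates is a list of (preference, ifname);
        the lowest preference whose interface is up wins."""
        for _pref, ifname in sorted(candidates):
            if self.interface_up(ifname):
                return ifname
        return None

    def dynamic_next_hop(self, branch, candidates):
        """Dynamic routing across the tunnels: a branch prefix is only
        learned over an interface whose tunnel to THAT branch is up."""
        for _pref, ifname in sorted(candidates):
            if self.tunnels[ifname].get(branch, False):
                return ifname
        return None

    def delivers(self, branch, ifname):
        # Traffic reaches the branch only if the chosen tunnel is really up.
        return ifname is not None and self.tunnels[ifname].get(branch, False)


def build_hub(n_branches=200):
    # Constructed topology: every branch has a primary tunnel on st0.1
    # and a backup tunnel on st0.2, all up.
    branches = [f"branch-{i:03d}" for i in range(1, n_branches + 1)]
    return Hub({"st0.1": dict.fromkeys(branches, True),
                "st0.2": dict.fromkeys(branches, True)})


# Primary route has the lower (better) preference, backup the higher.
ROUTES = [(5, "st0.1"), (10, "st0.2")]


def simulate_primary_loss(branch="branch-007"):
    hub = build_hub()
    hub.tunnels["st0.1"][branch] = False      # this branch's primary link fails
    static = hub.static_next_hop(ROUTES)
    dynamic = hub.dynamic_next_hop(branch, ROUTES)
    return {
        "st0.1_up": hub.interface_up("st0.1"),
        "static": (static, hub.delivers(branch, static)),
        "dynamic": (dynamic, hub.delivers(branch, dynamic)),
    }


if __name__ == "__main__":
    for key, value in simulate_primary_loss().items():
        print(key, value)
```

In the model the static route only moves to st0.2 once every tunnel on st0.1 is down, which is the "switch over all the tunnels" case mentioned in the reply.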

[j-nsp] Automatic failover of IPSEC tunnels on SRX3600

2010-09-19 Thread Fahad Khan
Hi Folks,

SRX3600 in chassis cluster is running on core side and having 200 branches
(with SSG140) connected to it on IPSEC tunnels. Every branch has two links
with different ISPs (primary and secondary) and the whole cloud (of ISPs) is
on MPLS. every branch is connected to core with primary and backup VPNs and
so primary and backup VPN are configured on Core SRX3600 with primary and
backup ISPs

On core side, let's say I have two interfaces on SRX3600

first is reth3.1 for ISP1
second is reth3.2 for ISP2

st0.1 is bound to reth3.1 for primary IPSEC tunnel
st0.2 is bound to reth3.2 for secondary IPSEC

after upgrading to Junos 10.2R2.11, the issue that I am seeing is that, when
primary link on branch gets down, the st0.1 interface remains up on core
SRX3600, that's why the primary route (with lower preference), never flushes and
hence traffic does not take secondary VPN.

Can any body help me ASAP for having this automatic failover?

thanks in adv,

regards


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] Chassis Cluster - Strange behavior

2010-09-17 Thread Fahad Khan
Yes I can understand, But I need to use the cluster and intend to add the
secondary device again to the cluster. I hope it will set to the configured
priorities after connecting both devices in the cluster as cold sync or
flowd runs at the time of reboot to sync SPUs.

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Sat, Sep 18, 2010 at 5:14 AM, Harshit Kumar  wrote:

> On a single node cluster, priority has no significance. You
> can safely ignore this. You can move to stand-alone mode if
> you don't plan to use the cluster.
>
>
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net [mailto:
> juniper-nsp-boun...@puck.nether.net] On Behalf Of Fahad Khan
> Sent: Friday, September 17, 2010 8:05 AM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Chassis Cluster - Strange behavior
>
> Hi Folks,
>
> I have been running SRX3600 in chassis cluster.
>
> At the moment, I have disconnected control link and fabric link and
> Secondary device is isolated from the network. But on primary device, the
> cluster configs are still there. The network is working fine with primary
> device but when I see chassis cluster status, I find this
>
> SRX3600-A> show chassis cluster status
> Cluster ID: 1
> Node                  Priority          Status    Preempt  Manual failover
>
> Redundancy group: 0 , Failover count: 1
>     node0                   254         primary        no       no
>     node1                   0           lost           n/a      n/a
>
> Redundancy group: 1 , Failover count: 1
>     node0                   0           primary        yes      no
>     node1                   0           lost           n/a      n/a
>
> Why am I getting Node0 priority as 0 for red group 1, while it has been set
> to 254???
>
> Has anybody experienced this?
>
> thanks and regards,
>
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


Re: [j-nsp] Chassis Cluster - Strange behavior

2010-09-17 Thread Fahad Khan
No, I need to add the secondary device again to the chassis cluster, just
waiting for software upgradation.

It's due to Sync cold processes, I got it

http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-43677.html#jd0e78556

I think if I add the second device in the cluster and reboot, it will get back to
the configured priorities.

Thanks and regards,


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Fri, Sep 17, 2010 at 9:39 PM, Scott T. Cameron wrote:

> You disconnected the cables but didn't delete the chassis cluster config,
> is that right?
>
> Delete the chassis cluster.
>
> Scott
>
> On Fri, Sep 17, 2010 at 11:04 AM, Fahad Khan  wrote:
>
> > Hi Folks,
> >
> > I have been running SRX3600 in chassis cluster.
> >
> > At the moment, I have disconnected control link and fabric link and
> > Secondary device is isolated from the network. But on primary device, the
> > cluster configs are still there. The network is working fine with primary
> > device but when I see chassis cluster status, I find this
> >
> > SRX3600-A> show chassis cluster status
> > Cluster ID: 1
> > Node                  Priority          Status    Preempt  Manual failover
> >
> > Redundancy group: 0 , Failover count: 1
> >     node0                   254         primary        no       no
> >     node1                   0           lost           n/a      n/a
> >
> > Redundancy group: 1 , Failover count: 1
> >     node0                   0           primary        yes      no
> >     node1                   0           lost           n/a      n/a
> >
> > Why am I getting Node0 priority as 0 for red group 1, while it has been
> > set to 254???
> >
> > Has anybody experienced this?
> >
> > thanks and regards,
> >
> >
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fa...@pk.ibm.com
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://pk.linkedin.com/in/muhammadfahadkhan
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


[j-nsp] Chassis Cluster - Strange behavior

2010-09-17 Thread Fahad Khan
Hi Folks,

I have been running SRX3600 in chassis cluster.

At the moment, I have disconnected control link and fabric link and
Secondary device is isolated from the network. But on primary device, the
cluster configs are still there. The network is working fine with primary
device but when I see chassis cluster status, I find this

SRX3600-A> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   254         primary        no       no
    node1                   0           lost           n/a      n/a

Redundancy group: 1 , Failover count: 1
    node0                   0           primary        yes      no
    node1                   0           lost           n/a      n/a

Why am I getting Node0 priority as 0 for red group 1, while it has been set
to 254???

Has anybody experienced this?

thanks and regards,


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


[j-nsp] Upgrading SRX3600 chassis cluster by ISSU

2010-09-16 Thread Fahad Khan
Hi folks,

Has anyone tried it with success?? How much estimated time do we need for
this activity?

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] Feedback of Junos 10.1R3.7 on SRX3600

2010-09-15 Thread Fahad Khan
I do not have A/A in my env, and this is Juniper's recommendation to upgrade
to 10.1R3.

Also, can you further elaborate on "certain flow types"?

Thanks and regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Wed, Sep 15, 2010 at 6:08 PM, Michael Damkot wrote:

> Don't.
>
> Breaks a bunch of A/A functionality as well as certain flow types. (at
> least on the 5000s)
>
> I have tickets pending with Juniper.
>
>
> On Sep 15, 2010, at 05:35 , Fahad Khan wrote:
>
> > Guys,
> >
> > Can somebody please provide feedback of Junos 10.1R3.7 on SRX3600
> > (running in chassis cluster)?
> >
> > waiting for reply
> >
> > thanks
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fa...@pk.ibm.com
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://pk.linkedin.com/in/muhammadfahadkhan
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>


Re: [j-nsp] SRX to SRX VPN

2010-09-15 Thread Fahad Khan
"mismatch between remote-net and local-net"

Can you elaborate?

regards
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Wed, Sep 15, 2010 at 5:27 PM, Morten Isaksen  wrote:

> I had the same problem (between a SRX and a Cisco box).
>
> It is most likely a mismatch between remote-net and local-net
> configurations on each router.
>
> Try to enable traceoptions.
>
> edit security ike traceoptions
> [edit security ike traceoptions]
> set file size 1m
> set flag policy-manager
> set flag ike
> set flag routing-socket
> commit
>
> And check the kmd log.
>
> /Morten
>
> On Wed, Sep 15, 2010 at 1:27 PM, Fahad Khan  wrote:
> > Hi folks,
> >
> > I am trying to establish route based VPN between SRX3600 (in Ch cluster)
> > and SRX210, but stuck in phase 2 (no proposal chosen)..
> >
> > Has anyone experienced it??
> >
> > thanks in adv
> >
> > regards,
> >
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fa...@pk.ibm.com
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://pk.linkedin.com/in/muhammadfahadkhan
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
>
>
> --
> Morten Isaksen
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


[j-nsp] SRX to SRX VPN

2010-09-15 Thread Fahad Khan
Hi folks,

I am trying to establish route based VPN between SRX3600 (in Ch cluster) and
SRX210, but stuck in phase 2 (no proposal chosen)..

Has anyone experienced it??

thanks in adv

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


[j-nsp] Feedback of Junos 10.1R3.7 on SRX3600

2010-09-15 Thread Fahad Khan
Guys,

Can somebody please provide feedback of Junos 10.1R3.7 on SRX3600 (running
in chassis cluster)?

waiting for reply

thanks
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] Screening logs on SRX

2010-09-08 Thread Fahad Khan
JTAC told me to look in the messages files. I have not tested it yet. Is it
so?? I am using 10.0R3.10.

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Wed, Sep 8, 2010 at 12:33 PM, Jérôme Fleury  wrote:

> Thanks Ben,
>
> eagerly waiting for it. But 10.4 seems so far away right now ;)
>
> On Wed, Sep 8, 2010 at 01:45, Ben Dale  wrote:
> >
> > You aren't the only ones!
> >
> > Fortunately the "screen logs" feature is being introduced in JUNOS 10.4
> > which will log when a screen threshold is reached:
> >
> > Sep  8 09:43:31 rtlogd: receives log RT_SCREEN_TCP from RT_IDS at
> > severity 3, miscellaneous string=Port scan! source: 172.16.10.23:54326,
> > destination: 172.16.10.254:712, zone name: LAN, interface name: vlan.10,
> > action: drop, attribute-list=attack-name 10 Port scan! source-address 12
> > 172.16.10.23 source-port 5 54326 destination-address 13 172.16.10.254
> > destination-port 3 712 source-zone-name 3 LAN interface-name 7 vlan.10
> > action 4 drop
> >
> >
> >
> > On 08/09/2010, at 5:41 AM, Jérôme Fleury wrote:
> >
> >> Hi Fahad,
> >>
> >> that's a good question. I've been searching for a long time, and could
> >> not find neither... I'm not even able to see them on my STRM, which
> >> defeats completely the purpose of this appliance.
> >>
> >> On Tue, Sep 7, 2010 at 12:02, Fahad Khan  wrote:
> >>> Hi Folks,
> >>>
> >>> Can some body tell me that how can I see the logs of the attack packets
> >>> generated by some source for let say "port scan", "IP spoof" etc
> >>>
> >>> Thanks in adv,
> >>>
> >>> regards,
> >>>
> >>> Muhammad Fahad Khan
> >>> JNCIP - M/T # 834
> >>> IT Specialist
> >>> Global Technology Services, IBM
> >>> fa...@pk.ibm.com
> >>> +92-301-8247638
> >>> Skype: fahad-ibm
> >>> http://pk.linkedin.com/in/muhammadfahadkhan
> >>> ___
> >>> juniper-nsp mailing list juniper-nsp@puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>>
> >> ___
> >> juniper-nsp mailing list juniper-nsp@puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >
> >
> >
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
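
The RT_SCREEN_TCP line quoted in the thread above carries an attribute-list of name, length, value triples, so values that contain spaces (such as "Port scan!") can be recovered exactly. The following is an added example, not code from the thread or from Juniper: a Python parser for that line format that tallies events per attack name and source. It assumes the length counts characters and that wrapped lines have been rejoined; every input line except the thread's own is constructed.

```python
import re
from collections import Counter

# The RT_SCREEN_TCP line quoted in the thread, rejoined onto a single line.
THREAD_LINE = (
    "Sep  8 09:43:31 rtlogd: receives log RT_SCREEN_TCP from RT_IDS at "
    "severity 3, miscellaneous string=Port scan! source: 172.16.10.23:54326, "
    "destination: 172.16.10.254:712, zone name: LAN, interface name: vlan.10, "
    "action: drop, attribute-list=attack-name 10 Port scan! source-address 12 "
    "172.16.10.23 source-port 5 54326 destination-address 13 172.16.10.254 "
    "destination-port 3 712 source-zone-name 3 LAN interface-name 7 vlan.10 "
    "action 4 drop"
)

# Constructed input: the thread's line, a second event (ports changed, same
# field lengths), a copy cut off two characters early, and an unrelated line.
SAMPLE_LINES = [
    THREAD_LINE,
    THREAD_LINE.replace("54326", "54327").replace("712", "713"),
    THREAD_LINE[:-2],
    "Sep  8 09:43:40 example: unrelated message (constructed)",
]

HEADER = re.compile(
    r"receives log (?P<tag>RT_SCREEN_\S+) from (?P<module>\S+) "
    r"at severity (?P<severity>\d+),"
)
TRIPLE = re.compile(r"(\S+) (\d+)(?: |$)")
MARKER = "attribute-list="


def parse_attribute_list(text):
    """Decode 'name length value' triples; length is assumed to count characters."""
    attrs, pos = {}, 0
    while pos < len(text):
        if text[pos] == " ":          # separator between triples
            pos += 1
            continue
        m = TRIPLE.match(text, pos)
        if m is None:
            raise ValueError(f"expected 'name length value' at offset {pos}")
        name, length = m.group(1), int(m.group(2))
        start, end = m.end(), m.end() + length
        if end > len(text):
            raise ValueError(f"{name}: declared length {length} runs past end of line")
        if end < len(text) and text[end] != " ":
            raise ValueError(f"{name}: declared length {length} ends inside a field")
        attrs[name] = text[start:end]
        pos = end
    return attrs


def parse_screen_log(line):
    """Return tag, module, severity and attributes, or None for other log lines."""
    header = HEADER.search(line)
    if header is None or MARKER not in line:
        return None
    attrs = parse_attribute_list(line.split(MARKER, 1)[1].rstrip("\r\n"))
    return {
        "tag": header.group("tag"),
        "module": header.group("module"),
        "severity": int(header.group("severity")),
        "attrs": attrs,
    }


def summarise(lines):
    """Count events per (attack, source, action); collect lines that fail to parse."""
    hits, malformed = Counter(), []
    for line in lines:
        try:
            record = parse_screen_log(line)
        except ValueError as exc:
            malformed.append((line, str(exc)))
            continue
        if record is None:
            continue
        a = record["attrs"]
        hits[(a.get("attack-name"), a.get("source-address"), a.get("action"))] += 1
    return hits, malformed


if __name__ == "__main__":
    hits, malformed = summarise(SAMPLE_LINES)
    for (attack, source, action), count in hits.most_common():
        print(f"{count:3d}  {attack!r} from {source} ({action})")
    for _, reason in malformed:
        print("unparsed:", reason)
```
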


[j-nsp] Screening logs on SRX

2010-09-07 Thread Fahad Khan
Hi Folks,

Can somebody tell me how I can see the logs of the attack packets
generated by some source for, let's say, "port scan", "IP spoof" etc.

Thanks in adv,

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


[j-nsp] proxy.ini in SBR

2010-09-01 Thread Fahad Khan
Hi folks,

I cannot find the proxy.ini file in my SBR directory (in Program Files). Can
somebody tell me why that is so?

I have Windows-based SBR for enterprise. I need to implement
realms?? Can I do so?

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] SRX5800 HA over 40 KM

2010-08-31 Thread Fahad Khan
Especially for private services, but it can be for public services as well. I
want to keep them A/P.

Will Control and Fabric links work over this distance?

Actually we want geographical redundancy, so simply making all master
equipment in one DC and backup equipment in another DC (like master FW,
master EX8208 in one DC and respective backups in another DC).

How do you comment on that?

regards,


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Aug 31, 2010 at 10:08 PM, Stefan Fouant <
sfou...@shortestpathfirst.net> wrote:

> > -Original Message-
> > From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
> > boun...@puck.nether.net] On Behalf Of Fahad Khan
> > Sent: Tuesday, August 31, 2010 10:55 AM
> > To: juniper-nsp@puck.nether.net
> > Subject: [j-nsp] SRX5800 HA over 40 KM
> >
> > Hi folks,
> >
> > Can I place two SRX 5800 in separate DCs in HA and the distance in
> > between these two Data centers is around 40 Km.
> >
> > Has anybody experienced it??
>
> It can be done under certain circumstances but it bears getting additional
> information before an answer can be given.
>
> Are these for private services or publicly available services?  Are you
> planning on doing A/A or A/P and from a routing perspective how do you
> intend on failing respective flows from one data center to another, i.e.
> Anycast, etc...
>
> Thanks,
>
> Stefan Fouant, CISSP, JNCIEx2
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
>
>


[j-nsp] SRX5800 HA over 40 KM

2010-08-31 Thread Fahad Khan
Hi folks,

Can I place two SRX 5800 in separate DCs in HA and the distance in between
these two Data centers is around 40 Km.

Has anybody experienced it??

Thanks in adv

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


[j-nsp] COS on st0 interface

2010-08-23 Thread Fahad Khan
Hi Folks,

I need to implement COS on the tunnel interface on an SRX3600 device. Bandwidth
limiting is done by a policer called in a filter (one option). A filter cannot be
applied on the st0 interface.

Any solution?? Or workaround?

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


[j-nsp] QOS- BW limit on SRX3600

2010-08-19 Thread Fahad Khan
Hi Folks,

Please share if anyone has experienced QOS in terms of bandwidth limiting
(CBWFQ) on SRX3600, and share the configurations as well.

Thanks and regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] IPSEC VPN Issues on SRX3600

2010-08-18 Thread Fahad Khan
It's an SRX3600 running in cluster, with Junos version 10.0R3.10 (recommended
one), route based VPN tunnel; the remote end device is an SSG140.

Thanks and regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Wed, Aug 18, 2010 at 8:43 PM, Tim Eberhard  wrote:

> Muhammad,
>
> When asking for help it would be worthwhile to give as much information as
> possible. What type of tunnel? What is the far end of the VPN? What code
> version? Have you searched the PRs for this type of issue?
>
> I will say if it's pre 10.0 I have seen *lots* of ipsec issues and
> behaviors like you are describing. In 10.0 Juniper did a revamp of the vpn
> code/design and things are greatly improved (but by no means bug free).
>
> -Tim Eberhard
>
> On Wed, Aug 18, 2010 at 10:34 AM, Fahad Khan  wrote:
>
>> Dear Folks,
>>
>> I am running various IPSEC VPN tunnels on SRX, but seeing a strange
>> behavior with 1 or 2 tunnels suddenly, that is the tunnel remains up, but
>> traffic stops passing.
>>
>> Has anyone ever experienced this?? Please share
>>
>> regards,
>>
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fa...@pk.ibm.com
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://pk.linkedin.com/in/muhammadfahadkhan
>> ___
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>


[j-nsp] IPSEC VPN Issues on SRX3600

2010-08-18 Thread Fahad Khan
Dear Folks,

I am running various IPSEC VPN tunnels on SRX, but seeing a strange behavior
with 1 or 2 tunnels suddenly, that is the tunnel remains up, but traffic
stops passing.

Has anyone ever experienced this?? Please share

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


[j-nsp] SRX3600 to Cisco router IPSEC VPN

2010-08-13 Thread Fahad Khan
Dear Folks,

If anybody has experience establishing IPSEC VPN between SRX3600 (running
in Chassis cluster) and Cisco IOS, please share.

I believe Policy based VPN will be more convenient. Please comment.

Thanks and regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] Dialup VPN on SRX

2010-08-07 Thread Fahad Khan
Can you please share the configs and the steps you followed using NCP??

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Thu, Aug 5, 2010 at 6:25 AM, Rob Cameron  wrote:

> That is correct. However NetScreen Remote can work. There are several
> alternative solutions out there. We have tested the NCP client and Shewnet.
> Both work well with the SRX. We tend to focus on NCP as the preferred client
> as it's an official product with support mechanisms.
>
> Rob Cameron
> Technical Marketing Engineer - HSS
> http://easylink.juniper.net/fwidpwiki
> SLT-HSS-TME - Team Alias
> (408) 905-9651
> r...@juniper.net
> www.juniper.net
>
>
>
>
> On Aug 4, 2010, at 8:45 AM, Fahad Khan wrote:
>
> Dear Folks,
>
> Neither Netscreen Remote Client nor Junos Pulse is supported on SRX 3600
>
> Please correct me if I am wrong
>
> thanks in adv
>
> regards,
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


Re: [j-nsp] PBR needs to be applied on tunnel interface (st0)

2010-08-07 Thread Fahad Khan
Actually if a filter is applied on an interface, then in the packet
processing, the very first thing that is done when a packet reaches an
interface is application of filter, so in case of st0 interface, first
filter is applied and then the decryption is done, hence FBF does not work
here,

Can you guys please elaborate your solutions?

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Thu, Aug 5, 2010 at 5:21 PM, Stefan Fouant  wrote:

> > -Original Message-
> > From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
> > boun...@puck.nether.net] On Behalf Of Tony Frank
> > Sent: Thursday, August 05, 2010 7:35 AM
> > To: Fahad Khan; juniper-nsp@puck.nether.net
> > Subject: Re: [j-nsp] PBR needs to be applied on tunnel interface (st0)
> >
> > Hi,
> >
> > > I need policy based routing, but the packet receiving interface is
> > st0. Now you can not apply filter on st0. so FBF is failed here
> > > Can any body suggest the resolution?
> >
> > The good old trick of a loop link could do it.
> > You could use logical tunnel, or pair of spare physical port with a
> > hairpin/loop cable.
> >
> > Place st0 and one end of loop in own instance, routes either to st0 or
> > loop as appropriate.
> > Then apply PBR to other end of the loop.
>
> That's one option, but perhaps he could also simply apply the FBF function
> to the traffic after it's been decrypted?  I know this could be done with
> the older next-hop style service sets... there should probably be an
> equivalent method in Junos for Security Devices (aka Enhanced Services)...
>
> Stefan Fouant, CISSP, JNCIEx2
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
>
>


[j-nsp] Dialup VPN on SRX

2010-08-04 Thread Fahad Khan
Dear Folks,

Neither Netscreen Remote Client nor Junos Pulse is supported on SRX 3600

Please correct me if I am wrong

thanks in adv

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


[j-nsp] PBR needs to be applied on tunnel interface (st0)

2010-08-04 Thread Fahad Khan
Hi Folks,

I need policy based routing, but the packet receiving interface is st0. Now
you cannot apply a filter on st0, so FBF fails here.

Can anybody suggest a resolution?

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] Traffic drops on IPSEC - SRX3600

2010-08-04 Thread Fahad Khan
Guys,
The issue was related to anti-replay errors that were causing packet
decryption to stop.

When we disable the anti-replay service, the VPN starts passing traffic without
any issues.

Thanks to all of you

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Aug 3, 2010 at 9:51 PM, Fahad Khan  wrote:

> Mind it, this is SRX3600 in Chassis Cluster environment.
>
>
> regards,
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
>
>
> On Tue, Aug 3, 2010 at 9:50 PM, Fahad Khan  wrote:
>
>> The strange issue is that the drop is not related to the amount of
>> traffic; it relates to the number of users (hence with the number of
>> sessions perhaps), since there was no drop when 4 or 5 users choke the link
>> up to 90 MB, but when there are 100 to 150 users in the building with even
>> 10 or 20 MB of traffic, the traffic starts dropping, still out of mind from
>> Adv JTAC. We are still on Junos 10.0R3.10 as there are no recommendations
>> from JTAC to upgrade the Junos yet.
>>
>> Can anybody provide the solution??
>>
>> Thanks and regards,
>>
>>
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fa...@pk.ibm.com
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://pk.linkedin.com/in/muhammadfahadkhan
>>
>>
>> 2010/8/3 Quoc Hoang 
>>
>>> Not sure what encryption algorithm is being used but we have noticed AES
>>> and perhaps others as well on JunOS that it requires more overhead.
>>>
>>> Check your ipsec mss. JTAC has recommended mss 1350 (previously we had it
>>> 1400 which was our default on the netscreens). It resolved one of our
>>> performance issues.
>>>
>>> Hope that helps.
>>>
>>> quoc
>>>
>>> --- On Tue, 8/3/10, Fahad Khan  wrote:
>>>
>>> > From: Fahad Khan 
>>> > Subject: Re: [j-nsp] Traffic drops on IPSEC - SRX3600
>>> > To: "Jérôme Fleury" 
>>> > Cc: "juniper-nsp@puck.nether.net" 
>>> > Date: Tuesday, August 3, 2010, 6:36 AM
>>> > Hi Jerome,
>>> >
>>> > When are u gonna try that?
>>> >
>>> > Has any body got the solution???
>>> >
>>> > regards,
>>> > Muhammad Fahad Khan
>>> > JNCIP - M/T # 834
>>> > IT Specialist
>>> > Global Technology Services, IBM
>>> > fa...@pk.ibm.com
>>> > +92-301-8247638
>>> > Skype: fahad-ibm
>>> > http://pk.linkedin.com/in/muhammadfahadkhan
>>> >
>>> >
>>> > On Tue, Aug 3, 2010 at 3:18 PM, Jérôme Fleury 
>>> > wrote:
>>> >
>>> > > Hi there,
>>> > >
>>> > > I think I'm experiencing the same issue here:
>>> > >
>>> > > SRX 3600 in cluster mode, running 10.1R2.8
>>> > > 1 SPC / 1 NPC per chassis
>>> > > VPN in policy based mode with a remote CheckPoint
>>> > >
>>> > > I can clearly see packet loss in the way SRX ->
>>> > Checkpoint, resulting
>>> > > in very poor performances in the tunnel
>>> > >
>>> > > We'll try to upgrade to 10.1R3.7 to see if it fixes
>>> > the issue.
>>> > >
>>> > > On Tue, Aug 3, 2010 at 09:38, Fahad Khan 
>>> > wrote:
>>> > > > Very scary!!!
>>> > > >
>>> > > > regards,
>>> > > >
>>> > > > Muhammad Fahad Khan
>>> > > > JNCIP - M/T # 834
>>> > > > IT Specialist
>>> > > > Global Technology Services, IBM
>>> > > > fa...@pk.ibm.com
>>> > > > +92-301-8247638
>>> > > > Skype: fahad-ibm
>>> > > > http://pk.linkedin.com/in/muhammadfahadkhan
>>> > > >
>>> > > >
>>> > > > On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov
>>> > 
>>> > > wrote:
>>> > > >
>>> > > >> Hm, this sounds more than scary!
>>> > > >>
>>> > > >> Soon I will know if there is the same problem
>>> > with 1
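
The anti-replay check mentioned in the 2010-08-04 message above, as an added example that is not from the thread or from Junos: a sliding-window receiver in the style of RFC 4303, run over a constructed arrival order to show how packets that are merely reordered by more than the window are rejected without any replay taking place. The 64-packet window, the delay model and all sequence numbers are assumptions for illustration.

```python
from collections import Counter


class AntiReplayWindow:
    """Receiver-side sliding window in the style of RFC 4303 (size is an assumption)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check(self, seq):
        """Classify one authenticated packet and update the window."""
        if seq < 1:
            return "invalid"                  # ESP sequence numbers start at 1
        if seq > self.top:                    # new highest: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:               # left edge already moved past it
            return "too-old"
        if self.bitmap & (1 << offset):       # same number seen before
            return "replay"
        self.bitmap |= 1 << offset            # late, but still inside the window
        return "accept"


def delayed_arrival_order(n_packets, every, delay):
    """Constructed reordering: every `every`-th packet arrives `delay` slots late."""
    keyed = []
    for seq in range(1, n_packets + 1):
        late = seq % every == 0
        keyed.append((seq + delay if late else seq, late, seq))
    return [seq for _, _, seq in sorted(keyed)]


def receive(arrivals, size=64):
    """Feed an arrival order through a fresh window and count the verdicts."""
    window = AntiReplayWindow(size)
    return Counter(window.check(seq) for seq in arrivals)


if __name__ == "__main__":
    # Same sender, same packets; only the reordering depth and window size vary.
    for delay, size in [(32, 64), (100, 64), (100, 128)]:
        verdicts = receive(delayed_arrival_order(1000, every=10, delay=delay), size)
        print(f"delay={delay:3d} window={size:3d} -> {dict(verdicts)}")
    # A genuine replay: packet 5 is sent a second time after 1..10 arrived in order.
    print(dict(receive(list(range(1, 11)) + [5])))
```

With the check disabled, the replayed packet in the last case would be accepted as well.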

Re: [j-nsp] Traffic drops on IPSEC - SRX3600

2010-08-03 Thread Fahad Khan
Mind it, this is SRX3600 in Chassis Cluster environment.

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Aug 3, 2010 at 9:50 PM, Fahad Khan  wrote:

> The strange issue is that the drop is not related to the amount of
> traffic; it relates to the number of users (hence with the number of
> sessions perhaps), since there was no drop when 4 or 5 users choke the link
> up to 90 MB, but when there are 100 to 150 users in the building with even
> 10 or 20 MB of traffic, the traffic starts dropping, still out of mind from
> Adv JTAC. We are still on Junos 10.0R3.10 as there are no recommendations
> from JTAC to upgrade the Junos yet.
>
> Can anybody provide the solution??
>
> Thanks and regards,
>
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
>
>
> 2010/8/3 Quoc Hoang 
>
>> Not sure what encryption algorithm is being used but we have noticed AES
>> and perhaps others as well on JunOS that it requires more overhead.
>>
>> Check your ipsec mss. JTAC has recommended mss 1350 (previously we had it
>> 1400 which was our default on the netscreens). It resolved one of our
>> performance issues.
>>
>> Hope that helps.
>>
>> quoc
>>
>> --- On Tue, 8/3/10, Fahad Khan  wrote:
>>
>> > From: Fahad Khan 
>> > Subject: Re: [j-nsp] Traffic drops on IPSEC - SRX3600
>> > To: "Jérôme Fleury" 
>> > Cc: "juniper-nsp@puck.nether.net" 
>> > Date: Tuesday, August 3, 2010, 6:36 AM
>> > Hi Jerome,
>> >
>> > When are u gonna try that?
>> >
>> > Has any body got the solution???
>> >
>> > regards,
>> > Muhammad Fahad Khan
>> > JNCIP - M/T # 834
>> > IT Specialist
>> > Global Technology Services, IBM
>> > fa...@pk.ibm.com
>> > +92-301-8247638
>> > Skype: fahad-ibm
>> > http://pk.linkedin.com/in/muhammadfahadkhan
>> >
>> >
>> > On Tue, Aug 3, 2010 at 3:18 PM, Jérôme Fleury 
>> > wrote:
>> >
>> > > Hi there,
>> > >
>> > > I think I'm experiencing the same issue here:
>> > >
>> > > SRX 3600 in cluster mode, running 10.1R2.8
>> > > 1 SPC / 1 NPC per chassis
>> > > VPN in policy based mode with a remote CheckPoint
>> > >
>> > > I can clearly see packet loss in the way SRX ->
>> > Checkpoint, resulting
>> > > in very poor performances in the tunnel
>> > >
>> > > We'll try to upgrade to 10.1R3.7 to see if it fixes
>> > the issue.
>> > >
>> > > On Tue, Aug 3, 2010 at 09:38, Fahad Khan 
>> > wrote:
>> > > > Very scary!!!
>> > > >
>> > > > regards,
>> > > >
>> > > > Muhammad Fahad Khan
>> > > > JNCIP - M/T # 834
>> > > > IT Specialist
>> > > > Global Technology Services, IBM
>> > > > fa...@pk.ibm.com
>> > > > +92-301-8247638
>> > > > Skype: fahad-ibm
>> > > > http://pk.linkedin.com/in/muhammadfahadkhan
>> > > >
>> > > >
>> > > > On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov
>> > 
>> > > wrote:
>> > > >
>> > > >> Hm, this sounds more than scary!
>> > > >>
>> > > >> Soon I will know if there is the same problem
>> > with 10.0R3.10 on 3600
>> > > >> cluster.
>> > > >>
>> > > >> So now I have good experience with
>> > router-based VPNs starting from
>> > > >> routing-instance. Policy-based are working
>> > also, but I found
>> > > router-based
>> > > >> more scalable. But no with real traffic
>> > tested, until end of the week I
>> > > will
>> > > >> let you know.
>> > > >>
>> > > >> Ivan,
>> > > >>
>> > > >> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim
>> > 
>> > > wrote:
>> > > >>
>> > > >>> As far as I know the code you are running
>> > is the recommended version by
>> > > >>> Juniper.
>> > > >>> However 

Re: [j-nsp] Traffic drops on IPSEC - SRX3600

2010-08-03 Thread Fahad Khan
The strange issue is that the drop is not related to the amount of
traffic; it relates to the number of users (hence with the number of
sessions perhaps), since there was no drop when 4 or 5 users choke the link
up to 90 MB, but when there are 100 to 150 users in the building with even
10 or 20 MB of traffic, the traffic starts dropping, still out of mind from
Adv JTAC. We are still on Junos 10.0R3.10 as there are no recommendations
from JTAC to upgrade the Junos yet.

Can anybody provide the solution??

Thanks and regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


2010/8/3 Quoc Hoang 

> Not sure what encryption algorithm is being used but we have noticed AES
> and perhaps others as well on JunOS that it requires more overhead.
>
> Check your ipsec mss. JTAC has recommended mss 1350 (previously we had it
> 1400 which was our default on the netscreens). It resolved one of our
> performance issues.
>
> Hope that helps.
>
> quoc
>
> --- On Tue, 8/3/10, Fahad Khan  wrote:
>
> > From: Fahad Khan 
> > Subject: Re: [j-nsp] Traffic drops on IPSEC - SRX3600
> > To: "Jérôme Fleury" 
> > Cc: "juniper-nsp@puck.nether.net" 
> > Date: Tuesday, August 3, 2010, 6:36 AM
> > Hi Jerome,
> >
> > When are u gonna try that?
> >
> > Has any body got the solution???
> >
> > regards,
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fa...@pk.ibm.com
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://pk.linkedin.com/in/muhammadfahadkhan
> >
> >
> > On Tue, Aug 3, 2010 at 3:18 PM, Jérôme Fleury 
> > wrote:
> >
> > > Hi there,
> > >
> > > I think I'm experiencing the same issue here:
> > >
> > > SRX 3600 in cluster mode, running 10.1R2.8
> > > 1 SPC / 1 NPC per chassis
> > > VPN in policy based mode with a remote CheckPoint
> > >
> > > I can clearly see packet loss in the way SRX ->
> > Checkpoint, resulting
> > > in very poor performances in the tunnel
> > >
> > > We'll try to upgrade to 10.1R3.7 to see if it fixes
> > the issue.
> > >
> > > On Tue, Aug 3, 2010 at 09:38, Fahad Khan 
> > wrote:
> > > > Very scary!!!
> > > >
> > > > regards,
> > > >
> > > > Muhammad Fahad Khan
> > > > JNCIP - M/T # 834
> > > > IT Specialist
> > > > Global Technology Services, IBM
> > > > fa...@pk.ibm.com
> > > > +92-301-8247638
> > > > Skype: fahad-ibm
> > > > http://pk.linkedin.com/in/muhammadfahadkhan
> > > >
> > > >
> > > > On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov
> > 
> > > wrote:
> > > >
> > > >> Hm, this sounds more than scary!
> > > >>
> > > >> Soon I will now if there is the same problem
> > with 10.0R3.10 on 3600
> > > >> cluster.
> > > >>
> > > >> So now I have good experience with
> > router-based VPNs starting from
> > > >> routing-instance. Policy-based are working
> > also, but I found
> > > router-based
> > > >> more scalable. But no with real traffic
> > tested, until end of the week I
> > > will
> > > >> let you know.
> > > >>
> > > >> Ivan,
> > > >>
> > > >> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim
> > 
> > > wrote:
> > > >>
> > > >>> As far as I know the code you are running
> > is the recommended version by
> > > >>> Juniper.
> > > >>> However it's important to mention that I
> > have no experience with the
> > > high
> > > >>> end SRX boxes.
> > > >>> The stuff mentioned below by quoc sounds
> > a little scary to me.
> > > >>>
> > > >>> Amos
> > > >>>
> > > >>> Sent from my iPhone
> > > >>>
> > > >>> On 2 Aug 2010, at 23:44, "Fahad Khan"
> >  > > >>> fahad.k...@gmail.com>>
> > wrote:
> > > >>>
> > > >>> I have 3 SPCs and 3 NPCs and running
> > Junos 10.0R3.10, should I need to
> > > >>> upgrade junos?
> > > >>>
> > > >>> regards,
>
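
The MSS advice quoted in the message above (1350 instead of 1400, and AES costing more overhead) can be checked with packet-size arithmetic. The following is an added example, not code from any list member or from Juniper; it assumes IPv4 ESP in tunnel mode, a 1500-byte path MTU and a 12-byte truncated HMAC tag, and all function and constant names are hypothetical.

```python
"""Size of an ESP tunnel-mode packet carrying one full-size TCP segment."""
from dataclasses import dataclass

OUTER_IP = 20       # outer IPv4 header, no options
ESP_HEADER = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad-length byte + next-header byte
INNER_HEADERS = 40  # inner IPv4 (20) + fixed TCP header (20)
NAT_T_UDP = 8       # extra UDP header when NAT traversal is in use


@dataclass(frozen=True)
class Cipher:
    name: str
    block: int  # plaintext is padded to a multiple of this
    iv: int     # per-packet IV sent ahead of the ciphertext


AES_CBC = Cipher("aes-cbc", block=16, iv=16)
TRIPLE_DES_CBC = Cipher("3des-cbc", block=8, iv=8)


def esp_packet_size(mss, cipher, icv=12, nat_t=False):
    """Bytes on the wire for a segment carrying `mss` bytes of TCP payload.

    icv=12 is the truncated HMAC-SHA1-96 / HMAC-MD5-96 tag (assumption).
    """
    plaintext = mss + INNER_HEADERS + ESP_TRAILER
    padded = -(-plaintext // cipher.block) * cipher.block  # round up to block
    size = OUTER_IP + ESP_HEADER + cipher.iv + padded + icv
    return size + NAT_T_UDP if nat_t else size


def max_mss(cipher, mtu=1500, icv=12, nat_t=False):
    """Largest MSS whose encrypted packet still fits in `mtu` unfragmented."""
    for mss in range(mtu - INNER_HEADERS, 0, -1):
        if esp_packet_size(mss, cipher, icv, nat_t) <= mtu:
            return mss
    return 0


def report(mtu=1500):
    """Rows of (cipher, mss, wire size, fits?) for the MSS values in the thread."""
    rows = []
    for cipher in (TRIPLE_DES_CBC, AES_CBC):
        for mss in (1400, 1350):
            size = esp_packet_size(mss, cipher)
            rows.append((cipher.name, mss, size, size <= mtu))
    return rows


if __name__ == "__main__":
    for name, mss, size, ok in report():
        verdict = "fits" if ok else "FRAGMENTS"
        print(f"{name:9} mss={mss} -> {size} bytes, {verdict}")
    print("max MSS, aes-cbc:", max_mss(AES_CBC))
    print("max MSS, aes-cbc with NAT-T:", max_mss(AES_CBC, nat_t=True))
```

Under these assumptions an MSS of 1400 still fits with 3DES but produces a 1512-byte packet with AES-CBC, while 1350 leaves room even with NAT-T. On Junos the clamp itself is set with `set security flow tcp-mss ipsec-vpn mss 1350`.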

Re: [j-nsp] Traffic drops on IPSEC - SRX3600

2010-08-03 Thread Fahad Khan
Hi Jerome,

When are u gonna try that?

Has anybody got the solution???

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Aug 3, 2010 at 3:18 PM, Jérôme Fleury  wrote:

> Hi there,
>
> I think I'm experiencing the same issue here:
>
> SRX 3600 in cluster mode, running 10.1R2.8
> 1 SPC / 1 NPC per chassis
> VPN in policy based mode with a remote CheckPoint
>
> I can clearly see packet loss in the way SRX -> Checkpoint, resulting
> in very poor performances in the tunnel
>
> We'll try to upgrade to 10.1R3.7 to see if it fixes the issue.
>
> On Tue, Aug 3, 2010 at 09:38, Fahad Khan  wrote:
> > Very scary!!!
> >
> > regards,
> >
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fa...@pk.ibm.com
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://pk.linkedin.com/in/muhammadfahadkhan
> >
> >
> > On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov wrote:
> >
> >> Hm, this sounds more than scary!
> >>
> >> Soon I will know if there is the same problem with 10.0R3.10 on 3600
> >> cluster.
> >>
> >> So now I have good experience with router-based VPNs starting from
> >> routing-instance. Policy-based are working also, but I found router-based
> >> more scalable. But not with real traffic tested, until end of the week I will
> >> let you know.
> >>
> >> Ivan,
> >>
> >> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim wrote:
> >>
> >>> As far as I know the code you are running is the recommended version by
> >>> Juniper.
> >>> However it's important to mention that I have no experience with the high
> >>> end SRX boxes.
> >>> The stuff mentioned below by quoc sounds a little scary to me.
> >>>
> >>> Amos
> >>>
> >>> Sent from my iPhone
> >>>
> >>> On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.k...@gmail.com> wrote:
> >>>
> >>> I have 3 SPCs and 3 NPCs and running Junos 10.0R3.10, should I need to
> >>> upgrade junos?
> >>>
> >>> regards,
> >>>
> >>>
> >>> Muhammad Fahad Khan
> >>> JNCIP - M/T # 834
> >>> IT Specialist
> >>> Global Technology Services, IBM
> >>> fa...@pk.ibm.com
> >>>
> >>> +92-301-8247638
> >>> Skype: fahad-ibm
> >>> http://pk.linkedin.com/in/muhammadfahadkhan
> >>>
> >>>
> >>> On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quocho...@yahoo.com> wrote:
> >>>
> >>> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without
> >>> issue. SRX was running Junos 9.5r3. Performance wasn't great then.
> >>>
> >>> We recently ran into another vpn performance issue on more recent code,
> >>> 10.0r2. Avoid running ipsec vpns on the high end SRX till Juniper resolves
> >>> the issue unless you are planning to run with a single SPC. The fix will
> >>> require an architectural change.
> >>>
> >>> Problem description:
> >>> Low throughput is experienced on the Juniper high-end SRX line with systems
> >>> that have multiple SPC’s. The issue occurs when a tunnel anchor SPU and the
> >>> clear text session SPU are different. The problem exists because hash and
> >>> SEQ bit values in the switch header are not accounted for properly when
> >>> forwarding the packet to alternative SPU’s.
> >>>
> >>>
> >>> Quoc
> >>>
> >>> --- On Mon, 8/2/10, Fahad Khan <fahad.k...@gmail.com> wrote:
> >>>
> >>> From: Fahad Khan <fahad.k...@gmail.com>
> >>>
> >>> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
> >>> To: juniper-nsp@puck.nether.net
> >>>
> >>> Date: Monday, August 2, 2010, 4:48 AM
> >>> Hi folks,
> >>>
> >>> I am seeing very strange issue on SRX3600 when the traffic
> >>> is flown through
> >>> an IPSEC VPN tunn

Re: [j-nsp] Traffic drops on IPSEC - SRX3600

2010-08-03 Thread Fahad Khan
Very scary!!!

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov  wrote:

> Hm, this sounds more than scary!
>
> Soon I will know if there is the same problem with 10.0R3.10 on 3600
> cluster.
>
> So now I have good experience with router-based VPNs starting from
> routing-instance. Policy-based are working also, but I found router-based
> more scalable. But not with real traffic tested, until end of the week I will
> let you know.
>
> Ivan,
>
> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim  wrote:
>
>> As far as I know the code you are running is the recommended version by
>> Juniper.
>> However it's important to mention that I have no experience with the high
>> end SRX boxes.
>> The stuff mentioned below by quoc sounds a little scary to me.
>>
>> Amos
>>
>> Sent from my iPhone
>>
>> On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.k...@gmail.com> wrote:
>>
>> I have 3 SPCs and 3 NPCs and running Junos 10.0R3.10, should I need to
>> upgrade junos?
>>
>> regards,
>>
>>
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fa...@pk.ibm.com
>>
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://pk.linkedin.com/in/muhammadfahadkhan
>>
>>
>> On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quocho...@yahoo.com> wrote:
>>
>> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without
>> issue. SRX was running Junos 9.5r3. Performance wasn't great then.
>>
>> We recently ran into another vpn performance issue on more recent code,
>> 10.0r2. Avoid running ipsec vpns on the high end SRX till Juniper resolves
>> the issue unless you are planning to run with a single SPC. The fix will
>> require an architectural change.
>>
>> Problem description:
>> Low throughput is experienced on the Juniper high-end SRX line with
>> systems
>> that have multiple SPC’s. The issue occurs when a tunnel anchor SPU and
>> the
>> clear text session SPU are different. The problem exists because hash and
>> SEQ bit values in the switch header are not accounted for properly when
>> forwarding the packet to alternative SPU’s.
>>
>>
>> Quoc
>>
>> --- On Mon, 8/2/10, Fahad Khan <fahad.k...@gmail.com> wrote:
>>
>> From: Fahad Khan <fahad.k...@gmail.com>
>>
>> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
>> To: juniper-nsp@puck.nether.net
>>
>> Date: Monday, August 2, 2010, 4:48 AM
>> Hi folks,
>>
>> I am seeing very strange issue on SRX3600 when the traffic
>> is flown through
>> an IPSEC VPN tunnel (established with ISG2000), the tunnel
>> gets up and the
>> traffic flows properly, but suddenly traffic drops, while
>> the tunnel remains
>> up.
>>
>> And it continues to flow after 15 to 20 time out but again
>> it starts
>> droping. I am sure that there is no issue at physical
>> layer.
>>
>> Has any body faced it yet??
>>
>> Please reply ASAP.
>>
>> Thanks in adv
>>
>> regards
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fa...@pk.ibm.com
>>
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://pk.linkedin.com/in/muhammadfahadkhan
>> ___
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
>
> --
> Best Regards!
>
> Ivan Ivanov
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Traffic drops on IPSEC - SRX3600

2010-08-02 Thread Fahad Khan
I have 3 SPCs and 3 NPCs and running Junos 10.0R3.10, should I need to
upgrade junos?

regards,


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang  wrote:

> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without
> issue. SRX was running Junos 9.5r3. Performance wasn't great then.
>
> We recently ran into another vpn performance issue on more recent code,
> 10.0r2. Avoid running ipsec vpns on the high end SRX till Juniper resolves
> the issue unless you are planning to run with a single SPC. The fix will
> require an architectural change.
>
> Problem description:
> Low throughput is experienced on the Juniper high-end SRX line with systems
> that have multiple SPC’s. The issue occurs when a tunnel anchor SPU and the
> clear text session SPU are different. The problem exists because hash and
> SEQ bit values in the switch header are not accounted for properly when
> forwarding the packet to alternative SPU’s.
>
>
> Quoc
>
> --- On Mon, 8/2/10, Fahad Khan  wrote:
>
> > From: Fahad Khan 
> > Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
> > To: juniper-nsp@puck.nether.net
> > Date: Monday, August 2, 2010, 4:48 AM
> > Hi folks,
> >
> > I am seeing very strange issue on SRX3600 when the traffic
> > is flown through
> > an IPSEC VPN tunnel (established with ISG2000), the tunnel
> > gets up and the
> > traffic flows properly, but suddenly traffic drops, while
> > the tunnel remains
> > up.
> >
> > And it continues to flow after 15 to 20 time out but again
> > it starts
> > droping. I am sure that there is no issue at physical
> > layer.
> >
> > Has any body faced it yet??
> >
> > Please reply ASAP.
> >
> > Thanks in adv
> >
> > regards
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fa...@pk.ibm.com
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://pk.linkedin.com/in/muhammadfahadkhan
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>


Re: [j-nsp] Traffic drops on IPSEC - SRX3600

2010-08-02 Thread Fahad Khan
You mean although you were using recommended Junos but u had the same issue
and you upgraded to latest junos?

Can you tell me which Junos version are u using currently??

awaiting for urgent response.

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Mon, Aug 2, 2010 at 6:26 PM, Amos Rosenboim  wrote:

> We had the exact same thing on the lower end SRX (240 if I remember
> correctly).
> This was resolved by a software upgrade to the latest SRX image at the
> time.
>
> Amos
>
> On Aug 2, 2010, at 2:48 PM, Fahad Khan wrote:
>
> > Hi folks,
> >
> > I am seeing very strange issue on SRX3600 when the traffic is flown through
> > an IPSEC VPN tunnel (established with ISG2000), the tunnel gets up and the
> > traffic flows properly, but suddenly traffic drops, while the tunnel remains
> > up.
> >
> > And it continues to flow after 15 to 20 time out but again it starts
> > dropping. I am sure that there is no issue at physical layer.
> >
> > Has any body faced it yet??
> >
> > Please reply ASAP.
> >
> > Thanks in adv
> >
> > regards
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fa...@pk.ibm.com
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://pk.linkedin.com/in/muhammadfahadkhan
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>


[j-nsp] Traffic drops on IPSEC - SRX3600

2010-08-02 Thread Fahad Khan
Hi folks,

I am seeing very strange issue on SRX3600 when the traffic is flown through
an IPSEC VPN tunnel (established with ISG2000), the tunnel gets up and the
traffic flows properly, but suddenly traffic drops, while the tunnel remains
up.

And it continues to flow after 15 to 20 time out but again it starts
dropping. I am sure that there is no issue at physical layer.

Has anybody faced it yet??

Please reply ASAP.

Thanks in adv

regards
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


[j-nsp] PBR in SRX

2010-07-30 Thread Fahad Khan
Dear Folks,

I need to implement Policy Based Routing on SRX3600 using VPN tunnels.
Although I have implemented it on J Series and M Series without VPN tunnel
via FBF.

I hope it will work without any trouble.

Has anybody experienced it???

Thanks in adv

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


[j-nsp] NO traffic logs on JWEB - SRX3600

2010-07-19 Thread Fahad Khan
Dear Folks,

I have enabled logs on a policy for session init, But on JWEB there are no
logs shown for the traffic using that particular policy.

But yes, on CLI they are shown. Is there any known issue or bug in the
software?? I am using 10.0R3.10 on SRX3600

regards

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] SRX CPU utilization reaches 100%

2010-07-16 Thread Fahad Khan
Yes, it came back to normal within this time and this is SRX3600 in chassis
cluster.

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan



On Fri, Jul 16, 2010 at 5:44 PM, Stefan Fouant <
sfou...@shortestpathfirst.net> wrote:

> > -Original Message-
> > From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
> > boun...@puck.nether.net] On Behalf Of Fahad Khan
> > Sent: Friday, July 16, 2010 7:52 AM
> > To: juniper-nsp@puck.nether.net
> > Subject: [j-nsp] SRX CPU utilization reaches 100%
> >
> > I faced that SRX CPU utilization reaches to 100% suddenly after configuring
> > three policies with address groups of 90 addresses. And then the telnet
> > session was also broken for 2 mins approx but resume after that time.
> >
> > has any body experienced this? I am using junos 10.0R3.10 (recommended
> > version)
>
> Does the CPU remain at 100%, or just for two minutes and then fall to a more
> acceptable level?  Is this an SRX 100 by any chance?
>
> Stefan Fouant, CISSP, JNCIEx2
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
>
>


[j-nsp] SRX CPU utilization reaches 100%

2010-07-16 Thread Fahad Khan
Hi folks,

I faced that SRX CPU utilization reaches to 100% suddenly after configuring
three policies with address groups of 90 addresses. And then the telnet
session was also broken for 2 mins approx but resume after that time.

Has anybody experienced this? I am using junos 10.0R3.10 (recommended
version)

Please reply urgently

thanks and regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan


[j-nsp] Accounting with SBR for SRX and EX series

2010-07-12 Thread Fahad Khan
Dear Folks,

I need to log all the commands that are being run by particular login user.
How can I achieve that with SBR?

Awaiting for urgent response.

Thanks and regards,


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] IPSEC VPN tunnel is not accepting only SMTP traffic

2010-07-02 Thread Fahad Khan
Yes, I tried disabling it, but it did not work :(

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan



On Fri, Jul 2, 2010 at 6:45 PM, Farrukh Haroon wrote:

> Is this an ASA Firewall?
>
> Try turning off ESMTP fixup on the ASA side.
>
> Regards
>
> Farrukh
>
> On Fri, Jul 2, 2010 at 4:27 PM, Fahad Khan  wrote:
>
>> Hi Folks,
>>
>> I am facing an issue regarding an IPSEC tunnel between ISG1000 and Cisco
>> box, The VPN is up, all traffic is going through it but only SMTP traffic is
>> somehow not flowing through the tunnel, no SMTP connection is being
>> made with mail server.
>>
>> Can any one comment on it?
>>
>> regards,
>>
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fa...@pk.ibm.com
>> +92-321-2370510
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://www.linkedin.com/in/muhammadfahadkhan
>> ___
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>


[j-nsp] IPSEC VPN tunnel is not accepting only SMTP traffic

2010-07-02 Thread Fahad Khan
Hi Folks,

I am facing an issue regarding an IPSEC tunnel between ISG1000 and Cisco
box, The VPN is up, all traffic is going through it but only SMTP traffic is
somehow not flowing through the tunnel, no SMTP connection is being
made with mail server.

Can any one comment on it?

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan


[j-nsp] MAC Sticky on EX

2010-07-01 Thread Fahad Khan
Dear Folks,

Do we have any option like "MAC Sticky" in EX series as we have in IOS for
port security??

I think we can only limit the number of MAC or we can bind static MAC
addresses.

any Inputs please??

thanks

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan


Re: [j-nsp] Sudden ping drops on EX4200 VC

2010-06-25 Thread Fahad Khan
I apologize for the delayed response.

I started my deployment upgrading the Junos to 10.0S1.1 at the first place.
My customer is in remote area, he reported me such issue while doing
interVlan routing using SSG (EX are in L2). Well, It was not found to be the
issue of EX, as we have tested the scenario with SRX in the proposed design.

Actually I have been handling all this remotely, so there are some testing
limitations.

Apart from this, can any one share his experience of using 10.0R3.10 with
SRX 3600 ??

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Sat, Jun 26, 2010 at 2:18 AM, Dan Farrell  wrote:

> I think stating to a voluntary list that you need an 'urgent response' is
> out of place.  People here like sharing issues, helping others, and
> expanding their knowledge and community. This is not a volunteer firefighter
> team, however.
>
> Aside from that, you aren't providing the usuals, mainly the version of
> JUNOS you're running, and if it's happening under any specific conditions or
> just randomly. Have you pushed the configuration bounds of the platform
> (aka, too many VLANs or RVI's, which can produce this issue?)
>
> You need to provide some information if you want faster and more useful
> answers, as you seem to need by your call for an 'urgent response'.
>
> Just so you think I'm not being a jerk just to be a jerk, various 9.x
> versions of JUNOS caused problems for the EX series (even when not in a VC
> stack) and 10.x helped significantly, specifically 10.0S1.1. So it's
> actually helpful to know this information ahead of time.
>
> If you don't want to provide useful information here, try upgrading to what
> the Company itself recommends and see if you still experience problems.
>
>
>
> Dan
>
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net [mailto:
> juniper-nsp-boun...@puck.nether.net] On Behalf Of Fahad Khan
> Sent: Thursday, June 24, 2010 7:14 AM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Sudden ping drops on EX4200 VC
>
> Dear Folks,
>
> Has anyone experienced sudden ping drops (network outage) and then resume
> again in inter-VLAN routing on EX4200 VC??
>
> Awaiting for urgent response
>
> regards,
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-321-2370510
> +92-301-8247638
> Skype: fahad-ibm
> http://www.linkedin.com/in/muhammadfahadkhan
> http://fahad-internetworker.blogspot.com
> http://www.visualcv.com/g46ptnd
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


[j-nsp] Sudden ping drops on EX4200 VC

2010-06-24 Thread Fahad Khan
Dear Folks,

Has anyone experienced sudden ping drops (network outage) and then resume
again in inter-VLAN routing on EX4200 VC??

Awaiting for urgent response

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


Re: [j-nsp] SRX3600

2010-06-14 Thread Fahad Khan
I have recently deployed 10.0R3.10 as recommended by Juniper. Did not see
any issue. Let me know the issues you are facing in 10.1.

regards,


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan



On Mon, Jun 14, 2010 at 2:08 PM, eddaibouni bilal wrote:

> Hello all,
>
> Is there any reason to believe that 10.1R1 may have issues with JSRP that
> are resolved, or at least work better in other release? If yes, which
> software release would you recommend?
>
> Best Regards
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


[j-nsp] JNCIP/JNCIE new Tracks

2010-06-12 Thread Fahad Khan
Dear folks,

Does any one know about new tracks gonna be launched by Juniper like
JNCIP-Security etc

Any one who has confirmed knowledge, please share

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


Re: [j-nsp] SRX3600: cluster problem

2010-06-09 Thread Fahad Khan
It looks like, first your primary device failed and then there was a
disconnect of your Control link

You should configure control-link recovery

set chassis cluster control-link-recovery

for re-enabling the disabled device automatically

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan



On Fri, Jun 4, 2010 at 7:07 PM, eddaibouni bilal wrote:

> hello,
>
> I have a problem with SRX 3600 clusters. In fact I had configured SRX cluster
> in active passive configuration, but the node 0 is down as shown with
> show chassis cluster status command.
>
>
>
> ad...@fw2> show chassis cluster status
> Cluster ID: 1
> Node      Priority   Status     Preempt  Manual failover
>
> Redundancy group: 0 , Failover count: 3
>     node0   200      disabled   no       no
>     node1   100      primary    no       no
>
> Redundancy group: 1 , Failover count: 17
>     node0   0        disabled   yes      no
>     node1   100      primary    yes      no
>
> in fact we did suspect that it is an issue with HA control link, we did
> replace it but the problem persists.
> and when I display the chassis alarms this is what I have in node 0:
>
> node0:
> --
> 1 alarms currently active
> Alarm time   Class  Description
> 2010-06-04 09:26:02 UTC  Minor  Check FPC 0 Fabric Chip
>
>
>
> Chassis Cluster Configuration
> =
> set chassis cluster cluster-id 1 node 0 reboot
> set chassis cluster cluster-id 1 node 1 reboot
>
> Data Fabric Configuration
> =
> set interfaces fab0 fabric-options member-interfaces ge-0/0/7
> set interfaces fab1 fabric-options member-interfaces ge-13/0/7
>
>
> thanks ,
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
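
The `show chassis cluster status` output quoted in this message is what to re-check after changing control-link settings. The following is an added example, not code from the thread or from Juniper: a small parser that flags the symptoms visible in that output (a disabled node, a priority of 0, a group without a primary/secondary pair). The sample text is constructed from the values in the quoted output, and all names are hypothetical.

```python
"""Flag unhealthy states in `show chassis cluster status` text."""
import re
from typing import NamedTuple

# Constructed sample, using the values from the output quoted in the thread.
SAMPLE = """\
Cluster ID: 1
Node      Priority   Status     Preempt  Manual failover

Redundancy group: 0 , Failover count: 3
    node0   200      disabled   no       no
    node1   100      primary    no       no

Redundancy group: 1 , Failover count: 17
    node0   0        disabled   yes      no
    node1   100      primary    yes      no
"""


class NodeState(NamedTuple):
    group: int
    failovers: int
    node: str
    priority: int
    status: str
    preempt: bool
    manual_failover: bool


RG_RE = re.compile(r"Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
# The status match is non-greedy and followed by \s* so that columns run
# together by a mail client ("primaryno   no") are still split correctly.
NODE_RE = re.compile(r"^(node\d+)\s+(\d+)\s+([a-z-]+?)\s*(yes|no)\s+(yes|no)$")


def parse_cluster_status(text):
    """Return one NodeState per node line, tolerating '>' mail quoting."""
    states, group, failovers = [], None, 0
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()
        m = RG_RE.search(line)
        if m:
            group, failovers = int(m.group(1)), int(m.group(2))
            continue
        m = NODE_RE.match(line)
        if m and group is not None:
            states.append(NodeState(group, failovers, m.group(1),
                                    int(m.group(2)), m.group(3),
                                    m.group(4) == "yes", m.group(5) == "yes"))
    return states


def findings(states):
    """Return (group, node, reason) tuples for the symptoms seen in the thread."""
    out, by_group = [], {}
    for s in states:
        by_group.setdefault(s.group, []).append(s)
        if s.status == "disabled":
            out.append((s.group, s.node, "node is disabled"))
        if s.priority == 0:
            out.append((s.group, s.node, "priority is 0"))
    for group, members in sorted(by_group.items()):
        if sorted(m.status for m in members) != ["primary", "secondary"]:
            out.append((group, "-", "no primary/secondary pair"))
    return out


if __name__ == "__main__":
    for group, node, reason in findings(parse_cluster_status(SAMPLE)):
        print(f"RG{group} {node}: {reason}")
```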

Re: [j-nsp] NSR with SRX

2010-06-08 Thread Fahad Khan
Great, thanks. Can you please send an SRX VSA for SBR???

I'll be very thankful to you

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510



On Tue, Jun 8, 2010 at 9:40 PM, Chen Jiang  wrote:

> Sure, I have tested it with SRX3K and SRX5K, should be no difference.
>
> But SRX can not support local authentication user database with IP
> assignment in VPN tunnel presently, you need an external RADIUS server to
> authenticate remote dial-up users and response the ip address with RADIUS
> frame-ip-address attribute.
>
> On Tue, Jun 8, 2010 at 3:50 PM, Fahad Khan  wrote:
>
>> Please confirm , you have tested it with SRX3600 ?? I apologize for
>> disturbing you
>>
>>
>> regards,
>>
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fa...@pk.ibm.com
>> +92-321-2370510
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://www.linkedin.com/in/muhammadfahadkhan
>>
>>
>>
>>   On Thu, Jun 3, 2010 at 6:03 PM, Chen Jiang  wrote:
>>
>>>  I have tested it and it works.
>>>
>>>
>>> On Tue, Jun 1, 2010 at 4:44 PM, Fahad Khan  wrote:
>>>
>>>> Has any one tested NSR (for Dialup VPN) with SRX 3600 ??
>>>>
>>>>
>>>>
>>>> regards,
>>>>
>>>> Muhammad Fahad Khan
>>>> JNCIP - M/T # 834
>>>> IT Specialist
>>>> Global Technology Services, IBM
>>>> fa...@pk.ibm.com
>>>> +92-321-2370510
>>>> +92-301-8247638
>>>> Skype: fahad-ibm
>>>> http://www.linkedin.com/in/muhammadfahadkhan
>>>>
>>>>
>>>>
>>>>   On Sat, May 29, 2010 at 10:16 AM, Chen Jiang wrote:
>>>>
>>>>> NSR works but will not be officially supported by JNPR any more.
>>>>>
>>>>>  On Wed, May 26, 2010 at 8:52 PM, Fahad Khan wrote:
>>>>>
>>>>>>  Dear Folks,
>>>>>>
>>>>>> Has any one used Netscreen Remote Client for dialup VPN with SRX
>>>>>> device?? I
>>>>>> have seen in release notes of 10.1 that SRX does not support NSR.
>>>>>>
>>>>>> But in security guide, NSR is a dedicated chapter
>>>>>>
>>>>>> please respond quickly
>>>>>>
>>>>>> regards,
>>>>>>
>>>>>> Muhammad Fahad Khan
>>>>>> JNCIP - M/T # 834
>>>>>> IT Specialist
>>>>>> Global Technology Services, IBM
>>>>>> fa...@pk.ibm.com
>>>>>> +92-321-2370510
>>>>>> +92-301-8247638
>>>>>> Skype: fahad-ibm
>>>>>> http://www.linkedin.com/in/muhammadfahadkhan
>>>>>> http://fahad-internetworker.blogspot.com
>>>>>> http://www.visualcv.com/g46ptnd
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> BR!
>>>>>
>>>>>
>>>>>
>>>>>   James Chen
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> BR!
>>>
>>>
>>>
>>>   James Chen
>>>
>>
>>
>
>
> --
> BR!
>
>
>
>   James Chen
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] NSR with SRX

2010-06-08 Thread Fahad Khan
Please confirm , you have tested it with SRX3600 ?? I apologize for
disturbing you

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan



On Thu, Jun 3, 2010 at 6:03 PM, Chen Jiang  wrote:

>  I have tested it and it works.
>
>
> On Tue, Jun 1, 2010 at 4:44 PM, Fahad Khan  wrote:
>
>> Has any one tested NSR (for Dialup VPN) with SRX 3600 ??
>>
>>
>>
>> regards,
>>
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fa...@pk.ibm.com
>> +92-321-2370510
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://www.linkedin.com/in/muhammadfahadkhan
>>
>>
>>
>>   On Sat, May 29, 2010 at 10:16 AM, Chen Jiang wrote:
>>
>>> NSR works but will not be officially supported by JNPR any more.
>>>
>>>  On Wed, May 26, 2010 at 8:52 PM, Fahad Khan wrote:
>>>
>>>>  Dear Folks,
>>>>
>>>> Has any one used Netscreen Remote Client for dialup VPN with SRX
>>>> device?? I
>>>> have seen in release notes of 10.1 that SRX does not support NSR.
>>>>
>>>> But in security guide, NSR is a dedicated chapter
>>>>
>>>> please respond quickly
>>>>
>>>> regards,
>>>>
>>>> Muhammad Fahad Khan
>>>> JNCIP - M/T # 834
>>>> IT Specialist
>>>> Global Technology Services, IBM
>>>> fa...@pk.ibm.com
>>>> +92-321-2370510
>>>> +92-301-8247638
>>>> Skype: fahad-ibm
>>>> http://www.linkedin.com/in/muhammadfahadkhan
>>>> http://fahad-internetworker.blogspot.com
>>>> http://www.visualcv.com/g46ptnd
>>>>
>>>
>>>
>>>
>>> --
>>> BR!
>>>
>>>
>>>
>>>   James Chen
>>>
>>
>>
>
>
> --
> BR!
>
>
>
>   James Chen
>


[j-nsp] 3DES support on J2320

2010-06-01 Thread Fahad Khan
Dear Folks,

I had a strange thing when I was creating an IPsec tunnel between J2320
Junos-es (9.6r3.8) and SSG5: 3des was not supported when defining ike
proposals. I made it DES and the tunnel got established.

Can some body comment on it

Thanks and regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd
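
Added example (not part of the original post, and not Juniper tooling): a small Python audit that reads a Junos configuration in `set` format and reports which VPNs still reference a single-DES IKE or IPsec proposal, the fallback described in the message above. The configuration lines and every object name in it are constructed for illustration.

```python
from collections import defaultdict

WEAK_CIPHERS = {"des-cbc"}  # single DES, 56-bit key

# Constructed sample configuration (names are made up for this example).
SAMPLE_CONFIG = """\
set security ike proposal ssg5-p1 authentication-method pre-shared-keys
set security ike proposal ssg5-p1 encryption-algorithm des-cbc
set security ike proposal hq-p1 encryption-algorithm aes-256-cbc
set security ike policy ssg5-pol mode main
set security ike policy ssg5-pol proposals ssg5-p1
set security ike policy hq-pol proposals hq-p1
set security ike gateway ssg5-gw ike-policy ssg5-pol
set security ike gateway hq-gw ike-policy hq-pol
set security ipsec proposal ssg5-p2 encryption-algorithm des-cbc
set security ipsec policy ssg5-vpn-pol proposals ssg5-p2
set security ipsec vpn ssg5-vpn ike gateway ssg5-gw
set security ipsec vpn ssg5-vpn ike ipsec-policy ssg5-vpn-pol
set security ipsec vpn hq-vpn ike gateway hq-gw
"""


def audit_vpn_ciphers(config_text):
    """Return {vpn name: [findings]} for VPNs whose phase 1 or phase 2
    policy references a proposal that uses a cipher in WEAK_CIPHERS."""
    weak = {"ike": {}, "ipsec": {}}  # proposal name -> weak cipher
    policy_props = {"ike": defaultdict(set), "ipsec": defaultdict(set)}
    gw_policy, vpn_gw, vpn_policy = {}, {}, {}

    for line in config_text.splitlines():
        # "proposals [ a b ]" and "proposals a" are both accepted.
        tok = line.replace("[", " ").replace("]", " ").split()
        if len(tok) < 7 or tok[:2] != ["set", "security"] or tok[2] not in weak:
            continue
        phase, kind, name, rest = tok[2], tok[3], tok[4], tok[5:]
        if kind == "proposal" and rest[0] == "encryption-algorithm":
            if rest[1] in WEAK_CIPHERS:
                weak[phase][name] = rest[1]
        elif kind == "policy" and rest[0] == "proposals":
            policy_props[phase][name].update(rest[1:])
        elif (phase, kind, rest[0]) == ("ike", "gateway", "ike-policy"):
            gw_policy[name] = rest[1]
        elif (phase, kind) == ("ipsec", "vpn") and rest[0] == "ike" and len(rest) >= 3:
            if rest[1] == "gateway":
                vpn_gw[name] = rest[2]
            elif rest[1] == "ipsec-policy":
                vpn_policy[name] = rest[2]

    # Walk vpn -> gateway -> ike policy -> proposals, and vpn -> ipsec policy -> proposals.
    findings = {}
    for vpn in sorted(set(vpn_gw) | set(vpn_policy)):
        ike_pol = gw_policy.get(vpn_gw.get(vpn))
        ipsec_pol = vpn_policy.get(vpn)
        hits = []
        for phase, pol in (("ike", ike_pol), ("ipsec", ipsec_pol)):
            for prop in sorted(policy_props[phase].get(pol, ())):
                if prop in weak[phase]:
                    hits.append(f"{phase} proposal {prop}: {weak[phase][prop]}")
        if hits:
            findings[vpn] = hits
    return findings


if __name__ == "__main__":
    for vpn, hits in audit_vpn_ciphers(SAMPLE_CONFIG).items():
        print(vpn, "->", "; ".join(hits))
```
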


Re: [j-nsp] NSR with SRX

2010-06-01 Thread Fahad Khan
Has any one tested NSR (for Dialup VPN) with SRX 3600 ??


regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan



On Sat, May 29, 2010 at 10:16 AM, Chen Jiang  wrote:

> NSR works but will not be officially supported by JNPR any more.
>
> On Wed, May 26, 2010 at 8:52 PM, Fahad Khan  wrote:
>
>> Dear Folks,
>>
>> Has any one used Netscreen Remote Client for dialup VPN with SRX device??
>> I
>> have seen in release notes of 10.1 that SRX does not support NSR.
>>
>> But in security guide, NSR is a dedicated chapter
>>
>> please respond quickly
>>
>> regards,
>>
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fa...@pk.ibm.com
>> +92-321-2370510
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://www.linkedin.com/in/muhammadfahadkhan
>> http://fahad-internetworker.blogspot.com
>> http://www.visualcv.com/g46ptnd
>>
>
>
>
> --
> BR!
>
>
>
>   James Chen
>


Re: [j-nsp] NSR with SRX

2010-05-27 Thread Fahad Khan
Any comments guys??

Thanks and Regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Wed, May 26, 2010 at 5:52 PM, Fahad Khan  wrote:

> Dear Folks,
>
> Has any one used Netscreen Remote Client for dialup VPN with SRX device?? I
> have seen in release notes of 10.1 that SRX does not support NSR.
>
> But in security guide, NSR is a dedicated chapter
>
> please respond quickly
>
> regards,
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-321-2370510
> +92-301-8247638
> Skype: fahad-ibm
> http://www.linkedin.com/in/muhammadfahadkhan
> http://fahad-internetworker.blogspot.com
> http://www.visualcv.com/g46ptnd
>


[j-nsp] NSR with SRX

2010-05-26 Thread Fahad Khan
Dear Folks,

Has any one used Netscreen Remote Client for dialup VPN with SRX device?? I
have seen in release notes of 10.1 that SRX does not support NSR.

But in security guide, NSR is a dedicated chapter

please respond quickly

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


[j-nsp] IDP in single leg

2010-05-26 Thread Fahad Khan
Dear Folks,

Can I deploy IDP in single Leg even if  I want to use it in inline mode?? Is
there any kind of VLAN pairing?

Any IDP master guy can help me in IDP design in my network

awaiting for reply


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


Re: [j-nsp] IDP8200 Issue -

2010-05-26 Thread Fahad Khan
Ah! great... IP monitoring will work, I'll test it and see..


Thanks Scott.

Tim, can you explain how can we do Track-IP on SRX?? or u meant the same
thing as scott??

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Wed, May 26, 2010 at 4:53 PM, Scott T. Cameron wrote:

> set chassis cluster redundancy-group # ip-monitoring
>
> As with all things, YMMV.
>
>
> On Wed, May 26, 2010 at 7:40 AM, Tim Eberhard  wrote:
>
> > You could always run trackip on the SRX to monitor the path to the switch.
> > Pinging a L3 interface on the core switch itself.
> >
> > Hope this helps
> >
> > -Tim Eberhard
> >
> >
> > On May 26, 2010, at 6:27 AM, Fahad Khan  wrote:
> >
> >  Dear Folks,
> >>
> > >> I am just shocked to know that IDP8200 does not support Peer Port
> > >> Modulation for 10 gig links.
> >>
> >> Does any one know, how can I failover my Firewall properly if the link
> >> between Core Switch and IDP is down
> >>
> >> the diagram is
> >>
> > >> SRX3600---HA---SRX3600
> > >>    |              |
> > >> IDP8200        IDP8200
> > >>    |              |
> > >>    ---Core Switch---
> >>
> >>
> >> Awaiting for quick response
> >>
> >> Muhammad Fahad Khan
> >> JNCIP - M/T # 834
> >> IT Specialist
> >> Global Technology Services, IBM
> >> fa...@pk.ibm.com
> >> +92-321-2370510
> >> +92-301-8247638
> >> Skype: fahad-ibm
> >> http://www.linkedin.com/in/muhammadfahadkhan
> >> http://fahad-internetworker.blogspot.com
> >> http://www.visualcv.com/g46ptnd


[j-nsp] IDP8200 Issue -

2010-05-26 Thread Fahad Khan
Dear Folks,

I am just shocked to know that IDP8200 does not support Peer Port Modulation
for 10 gig links.

Does any one know, how can I failover my Firewall properly if the link
between Core Switch and IDP is down

the diagram is

SRX3600---HA---SRX3600
   |              |
IDP8200        IDP8200
   |              |
   ---Core Switch---


Awaiting for quick response

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


[j-nsp] FBF with SRX

2010-05-18 Thread Fahad Khan
Hi Folks,

Has any one done Filter based Forwarding in SRX junos 10.1. Any issues??

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


[j-nsp] Difference in 9.6 and 10.1

2010-05-15 Thread Fahad Khan
Dear Folks,

Is there any difference when configuring things on SRX using Junos 9.6 or
Junos 10.1???

please reply soon

thanks
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


[j-nsp] Fiber optic cables for SRX and 8200

2010-05-09 Thread Fahad Khan
Dear Folks,

Are there any special Fiber optic cables used for 10 gig IOCs used in SRX
and XFP line cards used in EX 8200.

Waiting for urgent response.

Thanks and regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


Re: [j-nsp] SRX vs. SSG

2010-05-08 Thread Fahad Khan
About which work around are u talking of IP tracking ???

thanks
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Sun, May 9, 2010 at 2:57 AM, Pavel Lunin  wrote:

> Hi Eric,
>
> SSG should be available for another couple of years. Juniper likes to say
> ScreenOS's roadmap is full of things to be done till the end of the next
> year.
>
> However I wouldn't say SSG has so much better featureset.
>
> In routing SRX is far far beyond. You can even have packet-mode instances
> with MPLS, reachable through a internal tunnel. Just like mature routers.
> From security point of view — embedded IPS, NAT pools not linked to any
> direct networks, very granular per zone or interface stateful filters for
> control plane destined traffic, some more FW things.
>
> And of course increased performance/price ratio.
>
> JUNOS itself.
>
> As for me, the major weaknesses are:
> — NHRP, which allows auto-connect IPSec VPNs, is not supported. A workaround
> is possible here if you want an SRX to be a hub for SSG spokes.
> — IP tracking is not supported for very basic dual-homing. Sure, workarounds
> are possible.
> — Reverse path next-hop is always chosen with reverse route lookup. Not to
> much important. An ER exists for this though no idea whether someone cares
> of it.
>
> --
> Pavel
>
> 2010/5/8 Eric Helm 
>
> > Hi,
> >
> > Has anyone heard what Juniper's plan is moving forward with the SSG
> > platform? The SSG still has a much better feature set than the SRX, but
> > is seems that marketing is pushing people to the SRX. I am looking to
> > roll-out of approximately 200-300 VPN tunnels and trying to decide what
> > platform to go with between the two. SSG is more appealing because of
> > some of its feature set and proven stability. I just don't want to be
> > buying equipment that is slated to be phased out sometime in the future.
> >
> > Thanks in advance,
> >
> > /Eric


[j-nsp] Grouping on loopback interface in SRX

2010-05-08 Thread Fahad Khan
Hi folks,

In ScreenOS, we can do some thing like grouping physical interfaces in a
loopback interface and define MIPs on it according to our requirements. How
can we do it on SRX (Junos-es)??

thanks in adv

regards,


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


Re: [j-nsp] IDP one leg installation for transperent mode

2010-05-02 Thread Fahad Khan
Yes..Any one explain who can explain this and already implemented this?

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Mon, May 3, 2010 at 12:05 AM, Truman Boyes  wrote:

> Possibly vlans would work for you. A vlan in and a vlan out.
>
> On 2/05/2010, at 2:10 PM, Fahad Khan wrote:
>
> > Hi folks
> >
> >
> > How can I install IDP device in transparent mode by using only one port??
> >
> > please reply urgently
> >
> > thanks,
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fa...@pk.ibm.com
> > +92-321-2370510
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://www.linkedin.com/in/muhammadfahadkhan
> > http://fahad-internetworker.blogspot.com
> > http://www.visualcv.com/g46ptnd


Re: [j-nsp] Industrial Socket for EX8208??

2010-05-02 Thread Fahad Khan
In my case, I am going to get BS 1363/A standard. would it be normal 3 pin
flat??

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Sun, May 2, 2010 at 9:18 PM,  wrote:

> Both switches depend on the type of power supply ordered and the country
> you install it in.  For example you can have a 6500 with power supplies that
> use the normal sockets.  A fully populated 6509 will consume most of the
> power on a 220/208V AC circuit so it is easier to order it with the
> "industrial" (usually L6-30 for US 220/208 VAC) and connect the power
> supplies directly to the power feed instead of wasting money on a outlet
> strip.  However, the same switch with one or two blades can easily share the
> circuit with other equipment and maybe ordered with "normal" connectors and
> plugged into an outlet strip/PDU.  The easiest thing to do would be to get
> the part number for the power supplies and look them up or get your power
> requirements and make sure you order the correct part no.
>
> HTH,
>
> Keegan
>
>
> [j-nsp] Industrial Socket for EX8208??
> Fahad Khan to: juniper-nsp
> 05/02/10 11:38 AM
>
> Hi Folks,
>
>
> Does EX 8208 require Industrial Socket for Power , just like Cisco 6500 ??
>
> Please reply urgently
>
> Thanks in adv
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-321-2370510
> +92-301-8247638
> Skype: fahad-ibm
> http://www.linkedin.com/in/muhammadfahadkhan
> http://fahad-internetworker.blogspot.com
> http://www.visualcv.com/g46ptnd


[j-nsp] IDP one leg installation for transperent mode

2010-05-02 Thread Fahad Khan
Hi folks


How can I install IDP device in transparent mode by using only one port??

please reply urgently

thanks,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


[j-nsp] Industrial Socket for EX8208??

2010-05-02 Thread Fahad Khan
Hi Folks,


Does EX 8208 require Industrial Socket for Power , just like Cisco 6500 ??

Please reply urgently

Thanks in adv

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


Re: [j-nsp] SRX deployment / issues

2010-03-23 Thread Fahad Khan
Seems to be looking some thing wrong with session table??

any one faced same thing with SRX650??

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Tue, Mar 23, 2010 at 5:10 PM, Michael Dale  wrote:

> I've had some serious issues with both my SRX 210 and 2x240s.
>
> The SRX210 I have here at home was having all kinds of issues reconnecting
> if there was an ADSL drop. A restart routing command would fix this. This
> issue seems to have been mostly fixed in 10.0R2 and 10.1R1.
>
> The pair of SRX240s on the other hand are still having issues. I recently
> setup a cluster with 10.1R1 which was all working fine in the lab, but after
> 10 hours of production all traffic simply stopped. I've logged into the
> devices via the console and cannot find any errors. No idea what is going on
> here. Not to mention the issues with ethernet switching and clustering...
>
> Oh and no support for packet based traffic in clusters, so no IPv6 at all.
>
> The older SSG line will have to keep me going until juniper fix some of
> these issues!
>
> Michael.
>
> - Original Message -
> From: Hoogen [mailto:hooge...@gmail.com]
> To: juniper-nsp@puck.nether.net
> Sent: Tue, 23 Mar 2010 04:05:46 +1100
> Subject: [j-nsp] SRX deployment / issues
>
>
> > I think the EX thread was really good and the feedback was awesome. I would
> > like to hear about similar experiences while deploying SRX Series gateways, I
> > am assuming I would hear a lot on the branch boxes SRX 210,240,650 I would
> > also love to hear feedback on SRX 3000/5000 if people have been using it in
> > their setup, problems that they're facing, improvements and general deployment
> > scenario that have been used.
> >
> > -Hoogen


Re: [j-nsp] SRX deployment / issues

2010-03-23 Thread Fahad Khan
Means UTM has issues as well ??

How about the support of multicast ?? Has any one experienced running any
multicast based application across this Firewall??

regards

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Tue, Mar 23, 2010 at 2:16 PM, Cian Brennan
wrote:

> On Mon, Mar 22, 2010 at 10:05:46AM -0700, Hoogen wrote:
> > I think the EX thread was really good and the feedback was awesome. I would
> > like to hear about similar experiences while deploying SRX Series gateways, I
> > am assuming I would hear a lot on the branch boxes SRX 210,240,650 I would
> > also love to hear feedback on SRX 3000/5000 if people have been using it in
> > their setup, problems that they're facing, improvements and general deployment
> > scenario that have been used.
> >
>
> We've had rather a lot of difficulty with the URL filtering/Virus scanning
> causing crashes on the 210. And with the URL filtering failing to recover if
> the websense server went down on the same platform.
>
> > -Hoogen


Re: [j-nsp] EX 8200 deployment

2010-03-23 Thread Fahad Khan
I really appreciate all for their inputs. Thanks a lot.

Is there any caveat in RTG, Can we easily get rid of STP running?? do you
recommend it or not??

Is there any special socket required for powering this chassis up?? as we
need industrial sockets in case of Cisco 6500.

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Tue, Mar 23, 2010 at 4:16 AM, Richard A Steenbergen wrote:

> On Mon, Mar 22, 2010 at 11:35:19PM +0300, Alexandre Snarskii wrote:
> > EX-series (at least [34]200) has the same "local vlan significance"
> > principle that applies, for example, to OSM-equipped 6500/Sup2:
> > "you can create chassis-wide vlan, and it will be used on all LAN
> > cards, but you still can reuse the same vlan id on OSM subinterface",
> > and the idea is actually stolen from some old recipe on "how to run
> > 6500/sup2 Vlan as a part of VRF".
> > In case of ex-series it's even better - there are no 'internal vlan'
> > allocation that happens in case of 65xx/76xx.
>
> That is indeed a fair bit better than the 6500/7600 vlan model, I guess
> EX's vlan support isn't quite as bad as I thought. I swear I tested this
> on EX4200 when we first got one (2 years ago) and I have a very strong
> memory of this behavior not working this way, but damned if I can find
> the emails with the test results to prove it.
>
> On 6500, when you do something like this:
>
> interface TenGigabitEthernet1/1.101
>  encapsulation dot1Q 101
>  ip address 1.2.3.4 255.255.255.0
>
> It simply creates vlan 101 as an internal vlan, which consumes vlan 101
> across the entire chassis and blocks the creation of another vlan 101
> anywhere else. Of course if you didn't do a subinterface but simply
> slapped an IP directly on the physical interface, it would simply pick a
> pseudo-random vlan ID to use, like so:
>
> crisco6509#sh vlan internal usage
>
> VLAN Usage
>  
> 901  TenGigabitEthernet8/2.901
> 910  TenGigabitEthernet4/2.910
> 1606 TenGigabitEthernet8/2.1606
> 2201 TenGigabitEthernet8/2.2201
> 4032 TenGigabitEthernet3/4
> 4033 TenGigabitEthernet3/3
> 4034 TenGigabitEthernet3/2
> 4035 TenGigabitEthernet3/1
> ...
>
>
> So... I'm wondering how much of this counter issue is really a hardware
> limitation, and how much is just design limitation. For example, would
> it be possible for Juniper to implement ethernet switching as
> essentially a multi-port ccc, like so:
>
> interfaces {
>     xe-1/0/0 {
>         vlan-tagging;
>         unit 101 {
>             family inet {
>                 address 1.2.3.1/24;
>             }
>         }
>         unit 201 {
>             vlan-id 201;
>             family ethernet-switching;
>         }
>     }
>     xe-2/0/0 {
>         vlan-tagging;
>         unit 101 {
>             family inet {
>                 address 2.3.4.1/24;
>             }
>         }
>         unit 201 {
>             vlan-id 201;
>             family ethernet-switching;
>         }
>     }
> }
> vlans {
>     blah {
>         interface {
>             xe-1/0/0.201;
>             xe-2/0/0.201;
>         }
>     }
> }
>
> To me this seems like a much more natural way of handling mixed L2 and
> L3 configs on a single port anyways, and it could potentially let you
> have everything on a port which could be properly counted. Extra bonus
> points if there was a way to strip the vlan tag before putting it into
> the "multi-port ccc" so you could do vlan translation, but I don't know
> if that is possible in hardware (there is certainly no input-vlan-map to
> pop the vlan like on MX/etc, but this will be a problem when they get
> around to implementing mpls l2circuits).
>
> The funny thing about the above configuration is that it doesn't seem to
> be complaining about the lack of a vlan-id under vlan "blah", only about
> the mixing vlan-tagging and family ethernet-switching. :)
>
> Now say I took the above scenario and made it:
>
> vlans {
>     blah {
>         interface {
>             xe-1/0/0.201;
>             xe-2/0/0.201;
>             ...
>         }
>         l3-interface vlan.201;
>     }
> }
>
> Today they don't have working counters on vlan.201, and Juniper claims
> it is a hardware limitation they can't solve without some hackery like
> firewall filter counters applied to each interface, but... If I can get
> xe-1/0/0.101 counters today, 

Re: [j-nsp] logical routers on M10i

2010-03-20 Thread Fahad Khan
But i can not see any lt interfaces in show interfaces terse ?? why??

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Sun, Mar 21, 2010 at 1:26 AM,  wrote:

> > but now i got it, i need tunnel PIC , but not AS PIC II
>
> The AS PIC should be able to do anything the tunnel PIC can do (and
> more).
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] logical routers on M10i

2010-03-20 Thread Fahad Khan
yes stefan,

but now i got it, i need tunnel PIC , but not AS PIC II

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Sat, Mar 20, 2010 at 11:52 PM, Stefan Fouant <
sfou...@shortestpathfirst.net> wrote:

> Do you mean you are trying to configure a logical-tunnel interface between
> the logical routers?
>
> Stefan Fouant
> --Original Message--
> From: Fahad Khan
> Sender: juniper-nsp-boun...@puck.nether.net
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] logical routers on M10i
> Sent: Mar 20, 2010 8:18 AM
>
> Hi Experts,
>
> I need to know what do i require for running logical routers on M10i. I
> have
> AS II PIC. I have configured lt interfaces, but i cant see them in "sh
> interfaces terse".
>
> please let me know about any thing else i need. Do i need to configure any
> thing on PIC level???
>
>
> waiting for  urgent response
>
> regards,
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-321-2370510
> +92-301-8247638
> Skype: fahad-ibm
> http://www.linkedin.com/in/muhammadfahadkhan
> http://fahad-internetworker.blogspot.com
> http://www.visualcv.com/g46ptnd
>
>
> Sent from my Verizon Wireless BlackBerry


[j-nsp] EX 8200 deployment

2010-03-20 Thread Fahad Khan
Hi Folks,

Please share your experiences regarding the deployment of EX 8200, I need to
deploy two chassis in VRRP. Please let shed some light on the following
point

- Any trick in power/power requirements??
- stability
- best design( like Virtual routers are needed or not)
- possible caveats
- Best junos version

Add any trick or issue which you have found out?

waiting for ur inputs

thanks and best regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


Re: [j-nsp] Content filtering/malware protection

2010-03-20 Thread Fahad Khan
Yeah IDP is great tool. You will have to manage it via NSM. The attack
database is huge. This device can run in both promiscuous and inline mode,
also supports HA

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Thu, Mar 18, 2010 at 2:50 AM, Kevin Day  wrote:

>
> Does anyone have any experience with Juniper's inline filtering appliances?
> A client is looking for something to sit between their office LAN and
> router, to filter out employees clicking on malware, as well as logging what
> computer visits what sites. They're looking for something plug-and-play,
> auto updating, etc. Does anyone have experience with Juniper's IDP line? The
> online documentation is pretty light. Does it actually prevent access to the
> bad stuff, or just log that it happened? What's their datasource for
> filtering?
>
> -- Kevin
>
>
>


[j-nsp] logical routers on M10i

2010-03-20 Thread Fahad Khan
Hi Experts,

I need to know what I require for running logical routers on M10i. I have
AS II PIC. I have configured lt interfaces, but I can't see them in "sh
interfaces terse".

Please let me know about anything else I need. Do I need to configure
anything on PIC level???


Waiting for urgent response

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


Re: [j-nsp] ISG 1000

2010-03-08 Thread Fahad Khan
Yes, simply make sub-interfaces and relevant vlan tagging, then connect that
port with your switch over trunk using dot1q.

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd


On Sun, Mar 7, 2010 at 11:24 PM, Sidney Boumendil <
sidney.boumen...@gmail.com> wrote:

> On Sun, Mar 7, 2010 at 7:02 PM, networking alcatel 
> wrote:
> > Hi
> >
> > I have got an ISG 1000 firewall which has the default 4 interfaces, I need to
> > configure 4 zones on a single interface and 1 zone which is the untrusted
> > zone on another interface, the other 2 interfaces will be used for HA and
> > heartbeat as there are 2 ISG 1000. My point is
> >
> >   - can I have 4 different zones on a single interface? These are all
> >   trusted (inside) and require to communicate with one another and also with
> >   the outside interface
> >   - can the DMZ zone and the trusted zone be bound to the same interface
> >   (sub-interfaces are proposed using vlan tagging)
> >
> > Will this type of solution work?
>
> Yes it works, just use vlan tagged sub-interfaces. You can bind
> sub-interfaces to any zone you want.
>
> Be sure to check your licence supports the number of zones you want to
> create.
>
>


[j-nsp] AS-path

2009-08-12 Thread Fahad Khan
Dear Folks,

What should be the AS-path regular expression for getting the routes transiting
AS 100 and not originating from AS 100?

Regards

-- 
Muhammad Fahad Khan
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com


[j-nsp] JNCIE-FWV

2009-08-07 Thread Fahad Khan
Dear Folks,

Has this certification been launched??? Can anyone provide the outline/info
for this please?

Thanks in advance,

regards,

-- 
Muhammad Fahad Khan
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com


Re: [j-nsp] Stub Router in OSPF

2009-08-04 Thread Fahad Khan
Tarique, Thank you very much

Exactly that behaviour is for ptp links and Loopbacks

regards,

On Tue, Aug 4, 2009 at 12:12 PM, Nalkhande Tarique Abbas <
ntari...@juniper.net> wrote:

>
>
> The following is from RFC 2328, page 15.
>
> "Interfaces to point-to-point networks need not be assigned IP
> addresses.  When interface addresses are assigned, they are modelled as
> stub links, with each router advertising a stub connection to the other
> router's interface address. Optionally, an IP subnet can be assigned to
> the point-to-point network. In this case, both routers advertise a stub
> link to the IP subnet, instead of advertising each others' IP interface
> addresses."
>
>
>
> Thanks & Regards,
> Tarique A. Nalkhande
>
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net
> [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Fahad Khan
> Sent: Tuesday, August 04, 2009 12:24 PM
> To: Nilesh Khambal
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Stub Router in OSPF
>
> I have seen that all the networks that are directly connected between
> neighbours are there as stub lsa in database, why is that so??
>
> R1 ---10.0.0.1/30---10.0.0.2/30---R2
>
> R1 has 10.0.0.2 as stub lsa in its database. Why??
>
> regards,
> On Tue, Aug 4, 2009 at 11:44 AM, Nilesh Khambal
> wrote:
>
> > I think it is because no adjacencies are formed on the loopback
> > interface.
> >
> > Thanks,
> > Nilesh
> >
> >
> > --
> > Sent from my mobile handheld device
> >
> > On Aug 3, 2009, at 11:36 PM, "Fahad Khan" 
> wrote:
> >
> > > Dear All,
> > >
> > > Why in Junos, a Loopback Network is always advertised as a stub
> > > route/LSA
> > > (even if it is associated in the OSPF instance)???
> > >
> > > Thanks in advance,
> > > regards,
> > > --
> > > Muhammad Fahad Khan
> > > IT Specialist
> > > Global Technology Services, IBM
> > > fa...@pk.ibm.com
> > > +92-321-2370510
> > > +92-301-8247638
> > > http://www.linkedin.com/in/muhammadfahadkhan
> > > http://fahad-internetworker.blogspot.com
> >
>
>
>
> --
> Muhammad Fahad Khan
> IT Specialist
> Global Technology Services, IBM
> fa...@pk.ibm.com
> +92-321-2370510
> +92-301-8247638
> http://www.linkedin.com/in/muhammadfahadkhan
> http://fahad-internetworker.blogspot.com
>



-- 
Muhammad Fahad Khan
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
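
The link modelling quoted from RFC 2328 in this thread, as an added example that is not part of any message: it builds the Router-LSA link entries for a numbered point-to-point interface (both options from the quote) and for a loopback, following RFC 2328 section 12.4.1. The function names and the neighbour Router ID 2.2.2.2 are hypothetical; the 10.0.0.1/30 and 10.0.0.2 addresses are the ones used in the thread.

```python
from ipaddress import IPv4Address, IPv4Interface

P2P, STUB = 1, 3                  # Router-LSA link types (RFC 2328, A.4.2)
HOST_MASK = "255.255.255.255"     # Link Data of a stub link that is a host route


def p2p_links(local_if, nbr_addr, nbr_router_id, cost,
              adjacent=True, subnet_option=False):
    """Links one router lists for a numbered point-to-point interface.

    Each entry is (link type, Link ID, Link Data, metric).
    """
    iface = IPv4Interface(local_if)
    links = []
    if adjacent:
        # Type 1 describes the adjacency itself: Link ID is the neighbour's
        # Router ID, Link Data is the local interface address.
        links.append((P2P, str(IPv4Address(nbr_router_id)), str(iface.ip), cost))
    if subnet_option:
        # Option 2: both routers advertise a stub link to the shared subnet.
        net = iface.network
        links.append((STUB, str(net.network_address), str(net.netmask), cost))
    else:
        # Option 1: each router advertises a stub (host) link to the OTHER
        # router's interface address, which is why R1 carries 10.0.0.2.
        links.append((STUB, str(IPv4Address(nbr_addr)), HOST_MASK, cost))
    return links


def loopback_links(addr):
    """An interface in Loopback state forms no adjacency, so there is no
    type 1 link: only a stub host route to its own address, metric 0."""
    return [(STUB, str(IPv4Address(addr)), HOST_MASK, 0)]


if __name__ == "__main__":
    # Constructed topology from the thread: R1 ---10.0.0.1/30---10.0.0.2/30--- R2
    for link in p2p_links("10.0.0.1/30", "10.0.0.2", "2.2.2.2", cost=10):
        print("R1 option 1:", link)
    for link in p2p_links("10.0.0.1/30", "10.0.0.2", "2.2.2.2", 10,
                          subnet_option=True):
        print("R1 option 2:", link)
    print("R1 loopback:", loopback_links("192.0.2.1"))
```
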


Re: [j-nsp] Stub Router in OSPF

2009-08-04 Thread Fahad Khan
I have seen that all the networks that are directly connected between
neighbours are there as stub lsa in database, why is that so??

R1 ---10.0.0.1/30---10.0.0.2/30---R2

R1 has 10.0.0.2 as stub lsa in its database. Why??

regards,
On Tue, Aug 4, 2009 at 11:44 AM, Nilesh Khambal wrote:

> I think it is because no adjacencies are formed on the loopback
> interface.
>
> Thanks,
> Nilesh
>
>
> --
> Sent from my mobile handheld device
>
> On Aug 3, 2009, at 11:36 PM, "Fahad Khan"  wrote:
>
> > Dear All,
> >
> > Why in Junos, a Loopback Network is always advertised as a stub
> > route/LSA
> > (even if it is associated in the OSPF instance)???
> >
> > Thanks in advance,
> > regards,
> > --
> > Muhammad Fahad Khan
> > IT Specialist
> > Global Technology Services, IBM
> > fa...@pk.ibm.com
> > +92-321-2370510
> > +92-301-8247638
> > http://www.linkedin.com/in/muhammadfahadkhan
> > http://fahad-internetworker.blogspot.com
>



-- 
Muhammad Fahad Khan
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com


[j-nsp] Stub Router in OSPF

2009-08-03 Thread Fahad Khan
Dear All,

Why in Junos, a Loopback Network is always advertised as a stub route/LSA
(even if it is associated in the OSPF instance)???

Thanks in advance,
regards,
-- 
Muhammad Fahad Khan
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com