Re: [j-nsp] Junos recommendation for EX8216
we have here 2 x EX8208 working in virtual chassis mode using 12.3R5.7 without problems

Sent from my iPhone

On 04/09/2014, at 06:35, Victor Nagoryanskii vic...@gmail.com wrote:

Hello, recently we upgraded our EX8216 to current JTAC recommended Junos version (12.3R6.6), and now we have two big problems - first, switch spontaneously stops forwarding traffic for some hosts, terminated locally. Second - we are unable to commit. Each time we try to commit, we get message:

error: session failure: unexpected termination
error: remote side unexpectedly closed connection

For both issues we have open JTAC tickets.

P.S. We tried to use another spare RE, with Junos installed from scratch (install --format).

So, guys, what version do you use for EX8216? Any flaws you noticed?

Thanks

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Viability of EX4300 in a primarily l3 environment?
we are using ex4300 with the last release available
the setup is pretty simple using virtual chassis, lag, L3 and poe
it works pretty fine and we do not have any serious problems
sometimes the poe controller goes down but we have a case opened in jtac to try to solve it

Sent from my iPhone

On 06/08/2014, at 07:15, Sebastian Wiesinger juniper-...@ml.karotte.org wrote:

* Paul S. cont...@winterei.se [2014-08-02 05:18]:

Hi folks, We're considering the EX4300 to run routing (l3) for a few hypervisors of ours that are connected via l2. Primarily interested due to the rather massive arp limit (64,000) on the switch, but we've been told (and searched for ourselves to find out) that the 4300 platform has been plagued by random issues since launch.

I don't have hands-on experience but I looked at the EX4300 platform for a new deployment. If you look at the current release notes:

http://www.juniper.net/techpubs/en_US/junos13.2/information-products/topic-collections/ex-qfx-series/release-notes/ex-qfx-series-junos-release-notes-13.2X51-D25.pdf

There are a lot of (serious) bugs still getting fixed so I'm not sure how mature this platform is. One big reason for that is probably because EX4300 uses other chips than the rest of the 4xxx series (Broadcom).

Regards
Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: [j-nsp] MX5 first supported JunOS
11.4R7.5 is a very good version

Sent from my iPhone

On 25/05/2014, at 18:31, Robert Hass robh...@gmail.com wrote:

Hi

We are waiting for ordered MX5 routers. Currently we're using MX80 in core running JunOS 11.4R software. My question is which first supported JunOS version is usable on MX5 ?

Rob
[j-nsp] dhcpv6 mx
Good day!

Please, I wonder if anyone on the list has been successful in implementing the solution [1] Juniper or similar. Can you help me?

I'm trying for days and all I did was using the Framed-IPv6-Prefix attribute and that does not help much, because with this attribute we have to previously select a single IPv6 address to each client. I need to use the Framed-IPv6-Pool attribute for WAN addressing dynamically.

I opened a call on J-Tac, but not yet brought any progress in implementation.

Thank you very much.

[1] http://www.juniper.net/techpubs/en_US/junos13.3/topics/example/dual-stack-dhcpv6-pd-iana.html
Re: [j-nsp] Opinions on the QFX 3500 in regards to linerate L3 performance?
but I think they have the same price
for a bundle with 2 AC/DC Power supply the 5100 price is better
and do not forget to buy the management module for qfx3500

Sent from my iPhone

On 16/03/2014, at 13:40, Paul S. cont...@winterei.se wrote:

Budget concerns, mostly. The client can apparently source the 3500s for rather affordable pricing, while the 5100 is a bit too new to be available via those mediums.

On 3/16/2014 01:41 AM, Giuliano Cardozo Medalha wrote:

why not using qfx5100 platform ?
much better low latency 0,6 us and new hardware from juniper

Sent from my iPhone

On 15/03/2014, at 13:02, Paul S. cont...@winterei.se wrote:

Hi guys, I've got a client who's interested in deploying the 3500 as TORs. He'll need to evenly distribute around 20/30g of bandwidth (via aggregated ethernet links) to multitudes of virtualized systems with individual vlans all located in singular racks.

Would the QFX be an okay solution in this scenario? There's an heavy preference towards Juniper gear due to most of the connected networks being run on Juniper gear as well. And if not, what would the community suggest?

Thanks.
Re: [j-nsp] Opinions on the QFX 3500 in regards to linerate L3 performance?
why not using qfx5100 platform ?
much better low latency 0,6 us and new hardware from juniper

Sent from my iPhone

On 15/03/2014, at 13:02, Paul S. cont...@winterei.se wrote:

Hi guys, I've got a client who's interested in deploying the 3500 as TORs. He'll need to evenly distribute around 20/30g of bandwidth (via aggregated ethernet links) to multitudes of virtualized systems with individual vlans all located in singular racks.

Would the QFX be an okay solution in this scenario? There's an heavy preference towards Juniper gear due to most of the connected networks being run on Juniper gear as well. And if not, what would the community suggest?

Thanks.
Re: [j-nsp] Disable STP on a port with ELS?
yes
on new ELS you need to declare each port
you can use the wildcard

wildcard range protocols rstp interfaces ge-0/0/[0-47]

Sent from my iPhone

On 08/03/2014, at 20:44, Ben Dale bd...@comlinx.com.au wrote:

I seem to recall reading that at least on the 4300 ELS, spanning-tree is now no longer implicitly enabled on every port, so disable is no longer required because it is the default state unless you have explicitly referenced the interface.

Would love to confirm this with someone who has access to either 4300, 9200 or QFX5100 in front of them

Ben

On 9 Mar 2014, at 1:49 am, Chuck Anderson c...@wpi.edu wrote:

Here is another Enhanced Layer 2 Software question. Is it possible to disable STP participation on a port? The disable command seems to be missing from these hierarchies, at least on 13.2X51 for QFX5100:

protocols stp interface disable
protocols rstp interface disable
protocols mstp interface disable
protocols vstp interface disable
Re: [j-nsp] VLAN's on EX4300 with 13.2X50-D15.3
we have a lot of ex4300 working well with D18 ... don't worry about it
it has 4 sfp+ and 4 qsfp+
it is a better choice
juniper development is very fast about ex4300 code ... a lot of corrections in some much fast way

Sent from my iPhone

On 19/02/2014, at 17:36, ryanL ryan.lan...@gmail.com wrote:

welp, i was about to pull the trigger and order the ex4300's for a new rack, but i think i'll stick to the ex4200 for now. appreciative of people pointing out current issues (even tho i'm not the original poster).
Re: [j-nsp] Juniper Product against DDoS
yes
junos-ddos

Sent from my iPhone

On 18/02/2014, at 11:46, Samol molas...@gmail.com wrote:

Hi Experts,

Does Juniper provide any DDoS solution ? would you please recommend the product line for this solution if there is?

thanks,

--
Samol Khoeurn
(855) 077 55 64 02 / (855) 067 41 88 66
Network Engineer
Cisco: CCNA/CCNP SP/CCIP/ Juniper: JNCIA/JNCIS-ENT,SP,SEC/JNCIP-ENT
www.linkedin.com/in/samolkhoeurn
Re: [j-nsp] Format of SHA1 Passwords
set system password format sha-1

Sent from my iPhone

On 03/12/2013, at 15:16, Mark Felder f...@feld.me wrote:

On Tue, Dec 3, 2013, at 10:46, Chip Marshall wrote:

On 2013-12-03, Chris Morrow morr...@ops-netman.net sent:

I get things like

$sha1$19418$aoTClyGU$cix8MhZsXwG6OrwUgeHAoOA8f.AX

where it appears to have the format, some number, what I think is the salt, and then the hash. Anyone know how these things are calculated?

we do this calculation
I believe your intended format is:

$1$salt$hash

or that seems to be what our code does.

That's for MD5 passwords. I have a requirement to use SHA-1.

JunOS is based on FreeBSD, and FreeBSD doesn't support SHA-1 password hashes. Your choices are:

DES: (no identifier)
MD5: $1$
Blowfish: $2$
NTHASH: $3$
SHA256: $5$
SHA512: $6$ (likely not supported as it's recent to FreeBSD)

And how to generate a hash (just change the identifier; it will create the right hash):

python -c "import crypt, getpass, pwd; print(crypt.crypt('password', '\$1\$SALTsalt\$'))"

Just make sure you use a different salt for each password.
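As an added example (not code from any poster in the thread above), the following Python splits crypt-style strings into their fields using the identifier table listed in the thread, and reports salts that appear more than once, which is the condition the last reply warns against. It assumes the numeric field in the `$sha1$` string is an iteration count (the thread only calls it "some number"); `parse_hash`, `reused_salts` and the sample hash bodies are constructed for illustration.

```python
from collections import Counter

# Identifiers as listed in the thread, plus the "sha1" prefix from the
# Junos-generated string quoted there.
SCHEMES = {
    "1": "MD5", "2": "Blowfish", "3": "NTHASH",
    "5": "SHA256", "6": "SHA512", "sha1": "SHA1",
}
# Identifiers whose remaining fields are <salt>$<hash>.
SALTED_LAYOUT = ("1", "5", "6", "sha1")


def parse_hash(encoded):
    """Split a crypt-style string into scheme, rounds, salt and hash.

    'rounds' is None when the string carries no count. Raises ValueError
    for strings that do not fit a layout handled here.
    """
    if not encoded.startswith("$"):
        # No identifier: listed in the thread as DES. Traditional DES crypt
        # output is 13 characters, the first two being the salt.
        if len(encoded) != 13:
            raise ValueError("no identifier and not a 13-character DES hash")
        return {"scheme": "DES", "rounds": None,
                "salt": encoded[:2], "hash": encoded[2:]}

    fields = encoded.split("$")[1:]      # drop the empty string before the first "$"
    ident, rest = fields[0], fields[1:]
    if ident not in SCHEMES:
        raise ValueError("unknown identifier: $%s$" % ident)
    rounds = None

    if ident == "sha1":
        # Assumption: $sha1$<count>$<salt>$<hash>, count = iteration count.
        if len(rest) != 3 or not rest[0].isdigit():
            raise ValueError("expected $sha1$<count>$<salt>$<hash>")
        rounds, rest = int(rest[0]), rest[1:]
    elif ident in ("5", "6") and rest and rest[0].startswith("rounds="):
        # SHA-256/SHA-512 crypt strings may carry an optional rounds=N field.
        count = rest[0][len("rounds="):]
        if not count.isdigit():
            raise ValueError("malformed rounds= field")
        rounds, rest = int(count), rest[1:]

    if ident in SALTED_LAYOUT:
        if len(rest) != 2 or not rest[0]:
            raise ValueError("expected <salt>$<hash> after the identifier")
        salt, digest = rest
    else:
        # $2$ and $3$ pack their fields differently; keep the remainder whole.
        salt, digest = None, "$".join(rest)

    return {"scheme": SCHEMES[ident], "rounds": rounds,
            "salt": salt, "hash": digest}


def reused_salts(encoded_hashes):
    """Return sorted (scheme, salt) pairs that occur in more than one string."""
    counts = Counter()
    for encoded in encoded_hashes:
        parsed = parse_hash(encoded)
        if parsed["salt"]:
            counts[(parsed["scheme"], parsed["salt"])] += 1
    return sorted(pair for pair, n in counts.items() if n > 1)


# Constructed sample. Only the first entry is the string quoted in the
# thread; the other hash bodies are placeholders, not computed hashes.
SAMPLE = [
    "$sha1$19418$aoTClyGU$cix8MhZsXwG6OrwUgeHAoOA8f.AX",
    "$1$SALTsalt$" + "A" * 22,
    "$1$SALTsalt$" + "B" * 22,   # same salt as the entry above
    "$5$rounds=5000$c0nstructed$" + "C" * 43,
    "$6$0therSalt$" + "D" * 86,
]

if __name__ == "__main__":
    for item in SAMPLE:
        print(parse_hash(item))
    print("reused salts:", reused_salts(SAMPLE))
```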
Re: [j-nsp] Juniper replacement for Microsoft ISA/TMG?
authentication and policy user based
mag on this case means UAC module

Sent from my iPhone

On 21/10/2013, at 03:50, Kirill Bychkov kirill.bych...@gmail.com wrote:

MAG series? For what?

On 21.10.2013 0:36, user Giuliano Cardozo Medalha giuli...@wztech.com.br wrote:

take care about windows AD authentication and policy integration
last check we did you will need mag series together

Sent from my iPhone

On 20/10/2013, at 17:57, Ge Moua moua0...@umn.edu wrote:

This comes as standard feature on the SRX firewall; albeit at the expense of cutting throughput by half per platform.

https://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/security-feature-utm-support.html

--
Regards,
Ge Moua
Univ of Minn Alumnus
--

On 10/20/2013 08:04 AM, Skeeve Stevens wrote:

Hey all,

Microsoft has EOL'd their TMG product (new ISA). I have a customer asking if Juniper has a simple product that can control outbound access on a user by user basis, and also provide URL (per user) logging/tracking, etc. They want to be able to authenticate users when they access the net - maybe tie back into Microsoft AD or something.

Looking at the STRM and a few other things, I was getting quite muddled on what could do what.

Thoughts?

...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com
Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellegonetworks ; http://twitter.com/networkceoau
linkedin.com/in/skeeve
twitter.com/theispguy ; blog: www.theispguy.com
The Experts Who The Experts Call
Juniper - Cisco - Cloud
Re: [j-nsp] Juniper replacement for Microsoft ISA/TMG?
take care about windows AD authentication and policy integration
last check we did you will need mag series together

Sent from my iPhone

On 20/10/2013, at 17:57, Ge Moua moua0...@umn.edu wrote:

This comes as standard feature on the SRX firewall; albeit at the expense of cutting throughput by half per platform.

https://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/security-feature-utm-support.html

--
Regards,
Ge Moua
Univ of Minn Alumnus
--

On 10/20/2013 08:04 AM, Skeeve Stevens wrote:

Hey all,

Microsoft has EOL'd their TMG product (new ISA). I have a customer asking if Juniper has a simple product that can control outbound access on a user by user basis, and also provide URL (per user) logging/tracking, etc. They want to be able to authenticate users when they access the net - maybe tie back into Microsoft AD or something.

Looking at the STRM and a few other things, I was getting quite muddled on what could do what.

Thoughts?

...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com
Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellegonetworks ; http://twitter.com/networkceoau
linkedin.com/in/skeeve
twitter.com/theispguy ; blog: www.theispguy.com
The Experts Who The Experts Call
Juniper - Cisco - Cloud
Re: [j-nsp] Inserting security policies on SRX
before using insert i think you need to create the policy !!!
insert is an entry more related to moving policy objects or firewall terms and not creation (set)

Sent from my iPhone

On 18/07/2011, at 17:07, James S. Smith jsm...@windmobile.ca wrote:

I have an SRX240 running 11.1R2.3, and occasionally I have to add new policies. The obvious choice would seem to be use the insert command but I’m getting some weird errors.

For example, I have a number of policies for the different protocols going between the IT staff and the untrust zone. When trying to insert a new policy the SRX complains the policy does not exist.

jsmith@fw01# insert security policies from-zone it_staff to-zone untrust policy it_staff-untrust-windows-rdp before policy it_staff-untrust-default
error: statement 'it_staff-untrust-windows-rdp' not found

James S. Smith
Network Architect
WIND Mobile
207 Queen's Quay West, Suite 710
Toronto, ON M5J 1A7
Email: jsm...@windmobile.ca
Direct: 416-640-9792
Fax: 416-987-1203
Re: [j-nsp] MX80 BGP performance after reboot
is not possible to run junos 64 bits on mx80 ?
PPC dual core supports it ?
why not to use 8 GB dram instead of 2 only ?

Sent from my iPhone

On 19/02/2013, at 12:59, David Miller dmil...@tiggee.com wrote:

On 2/19/2013 6:22 AM, Robert Hass wrote:

On Tue, Feb 19, 2013 at 10:54 AM, Sebastian Wiesinger juniper-...@ml.karotte.org wrote:

This is really frustrating and limits the scope where we can put the MX80 platform. Would it have been so much more expensive to put a faster CPU/RE into that thing? Or is this just a case of diversifying the product line?

It's not about slow CPU. MX80 has very fast PPC (fastest from it's like) processor but RPD code sucks. Same family was used eg. in RSP720 in Cisco 7600 which is much faster - but it's probably because IOS performs better than JunOS in terms of performance/scheduling on PPC platform.

Last I checked, MX80 was only using a single core of the dual core PPC CPU - because JUNOS (32 bit) cannot gracefully handle SMP.

-DMM
[j-nsp] pim sparse mode
people

we did a setup lab for ipv6 multicast routing using juniper srx210 boxes and 12.1R4 release
3 routers connected by a switch (ex2200)
basically we did the configuration with mld and pim using static rp configuration
the unicast routes were dynamic learning using is-is
[j-nsp] pim sparse mode - part 2
people

we did a setup lab for ipv6 multicast routing using juniper srx210 boxes and 12.1R4 release
3 routers connected by a switch (ex2200) - star topology
basically we did the configuration with mld and pim using static rp configuration using loopback of one of the routers
the unicast routes were dynamic learning using is-is

after create a streaming using vlc in one of the lan interface of router a other clients could not be able to join the multicast v6 group using the same software

is there some special config to be able to do it work fine ?
the ssm mode must be a better config ?

using ipv4 it works ok
if we connect one host directly to another it is possible to join the group and see multicast streaming

does anyone has some similar config that works on this kind of environment ?

thanks a lot

giuliano
Re: [j-nsp] Regarding icmp on interface in SRX
set security zones security-zone Trust host-inbound-traffic system-services (?)

Hi experts,

In junos how to enable icmp on interface. Firewall(SRX) is the gateway. Hosts behind that security zone should be able to ping the gateway. Should the ping access be enabled on the security zone, or in the physical interface.

Thanks,
SiVa
Re: [j-nsp] configure bandwidth limitation on EX3200
Is It possible to do such policer using vlans instead of interfaces ?

I think that class-of-service does not support shaping rate for vlans or RVI. Even with junos 11.1

http://www.juniper.net/techpubs/en_US/junos11.1/topics/reference/requirements/firewall-filter-ex-series-match-conditions.html

You may want to consider the shaping-rate statement. Look at the example below for 20 Mbps throttling.

ge-0/0/0 {
    unit 0 {
        family ethernet-switching {
            filter {
                input filter-20m;
            }
        }
    }
}
class-of-service {
    interfaces {
        ge-0/0/0 {
            shaping-rate 20m;
        }
    }
}
firewall {
    family ethernet-switching {
        filter filter-20m {
            interface-specific;
            term 1 {
                then policer policer-20m;
            }
        }
    }
    policer policer-20m {
        filter-specific;
        if-exceeding {
            bandwidth-limit 20m;
            burst-size-limit 1m;
        }
        then discard;
    }
}
[j-nsp] Q-in-Q btw Juniper and Cisco
People,

Does anyone here on this list can confirm to me the correct use of JUNIPER EX3, EX4 and EX8 (JUNOS 11.1) platforms, configured with q-in-q vlans in a mixed environment together with cisco catalyst 3750G ?

It works without any problems ?

its possible to send to list or for me in pvt some essential points related to the configuration of both ?

Thanks a lot,

Giuliano
Re: [j-nsp] M7i
MX80-5G-AC-ADV-B

MX80 Promotional 5G Bundle for channels, Includes MX80 Modular AC, spare AC Power supply, 20x1G MIC including L3-ADV license, Queuing, Inline Jflow, Junos WW. (4x10G fixed ports and 1x front empty MIC slot restricted)
[j-nsp] MX80 Bundles
People,

The new JUNIPER MX80 is available this year in some special prices bundles:

MX80-5
MX80-10
MX80-40
MX80

Does anyone knows if the bandwidth specification is full or half duplex ?

MX80-5 is 5 Gbps full or half duplex ?

Because MX80 has 40 Gbps full duplex of capacity but bundles do not have any type of specification about it.

Could you please help me with this ?

Thanks a lot,

Giuliano
Re: [j-nsp] Unidirectional Ping on the J6350
Are you working in flow mode or packet mode ?

Have you ever tried to work using packet mode only ?

Thanks a lot,

Giuliano

Hi

i'm sort of stuck ... One end is a J6350 router and the other end a Cisco router... the built up between these two devices is L2 and on a VLAN 10.

From J6350 to the Cisco Router you are able to ping reverse you are not able to ping, in the middle of the circuit there is a switch on which we tore the circuit into two segments and did a ping to the J6350 router and Cisco Router, both were ok.

When the circuit is made through you are able to ping only from J6350 to Cisco Router the other way its not working.

On the J6350 all protocols and services are allowed on the cisco no restrictions, its a /30 with a single IP's on either end

any suggestions

regards

On Fri, Sep 3, 2010 at 10:56 AM, Jonathan Lassoff j...@thejof.com wrote:

On Thu, Sep 2, 2010 at 9:21 PM, Harris Hui harris@hk1.ibm.com wrote:

Hi all,

The J-6350 in JUNOS 10.0R3.1 can disable the security context (flow-based forwarding) and use it as a Router Context (IPv4 Packet-based forwarding). I had tested this on a single J-6350 box.

Did anyone tested to disable the security context and enable the router context in a chassis cluster configuration? If yes, could you share the experience with me?

Thanks a lot!

I would imagine that this can be done, but admittedly, I've never run router mode in a chassis cluster.

Check out the factory-included /etc/config/jsr-series-routermode-factory.conf file. It sets some other things under security { } as well, like disabling TCP SYN and sequence checking.

Cheers,
jof
Re: [j-nsp] EX series ipv6
EX2200, EX3200 and EX4200 does support IPv6 direct and static configurations.

OSPFv3 and ISIS will need advanced license support.

Att,

Anyone know if Juniper plan to allow IPV6 routing without the extortionate advanced license?

Nick
[j-nsp] OSPF IMPORT POLICIES
People,

Hi,

We are trying to filter OSPF Internal Routers from being installed into the RIB (Routing Table).

JUNIPER has the correct command to filter input routes.

set protocols ospf import policy name

But when we create an import policy on our environment ... all the internal routes are not filtered and are installed onto the RIB.

Is there any way to use policy routing to block the internal ospf routes to be installed onto the RIB ?

it is possible to use rib-groups to redirect the ospf internal routes to another routing table ?

Can you please give to me some guide ?

Thanks a lot,

Giuliano
Re: [j-nsp] OSPF IMPORT POLICIES
Is it possible to put the internal LSA routes pointing to discard next-hop ?

We need to invalidate some routes ...

Or is not possible to process it ? Is it only possible to set priority to the route ?

Thanks a lot,

Only external LSA can be prevented from entering the RIB via ospf import policy.

On Thu, Dec 2, 2010 at 12:10 AM, Giuliano Cardozo Medalha giulian...@uol.com.br wrote:

People,

Hi,

We are trying to filter OSPF Internal Routers from being installed into the RIB (Routing Table).

JUNIPER has the correct command to filter input routes.

set protocols ospf import policy name

But when we create an import policy on our environment ... all the internal routes are not filtered and are installed onto the RIB.

Is there any way to use policy routing to block the internal ospf routes to be installed onto the RIB ?

it is possible to use rib-groups to redirect the ospf internal routes to another routing table ?

Can you please give to me some guide ?

Thanks a lot,

Giuliano
Re: [j-nsp] OSPF IMPORT POLICIES
I have tested here. It does not work.

I have tried to install a REJECT or DISCARD next-hop for OSPF Internal Routes. It does not work too.

JUNOS does not support this features for OSPF Internal Routes, only IOS

I was thinking trying to put some of the OSPF Internal routes in another routing table using rib-groups

Does anyone think that it is possible ? Or some other thing to filter or to null some OSPF internal routes ?

Thanks a lot

is there a chance to use policy-statements here to accomplish this? say for example:

from {
    protocol ospf
    route-type internal
    ...
}
then {
    reject;
}

?

-Payam

Phill Jolliffe wrote:

Only external LSA can be prevented from entering the RIB via ospf import policy.

On Thu, Dec 2, 2010 at 12:10 AM, Giuliano Cardozo Medalha giulian...@uol.com.br wrote:

People,

Hi,

We are trying to filter OSPF Internal Routers from being installed into the RIB (Routing Table).

JUNIPER has the correct command to filter input routes.

set protocols ospf import policy name

But when we create an import policy on our environment ... all the internal routes are not filtered and are installed onto the RIB.

Is there any way to use policy routing to block the internal ospf routes to be installed onto the RIB ?

it is possible to use rib-groups to redirect the ospf internal routes to another routing table ?

Can you please give to me some guide ?

Thanks a lot,

Giuliano
Re: [j-nsp] disable utm service on Junos 10.x
Some things we do using J-Series or SRX in packet-based:

set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set system processes web-management disable
set system processes bootp disable
set system processes idp-policy disable
set system processes dhcp disable
set system processes mobile-ip disable
set system processes uac-service disable
set system processes 802.1x-protocol-daemon disable
set system processes ilmi disable
set system processes simple-mail-client-service disable
set system processes dialer-services disable
set system processes isdn-signaling disable
set system processes wan-acceleration disable
set system processes smtpd-service disable
set system processes wireless-lan-service disable
[j-nsp] Problems with EX4200
People,

We have here one EX4200 running BGP and virtual routers.

It is logging to me the following error.

J-TAC said this is a software error.

We have tried a lot of versions: 10.0S10, 10.1, 10.2, 10.3

Nothing happens

Do you know this problems ?

Do you think could be a hardware error ?

Thanks a lot,

Giuliano

r...@amplitude-core# run show log messages
Nov 18 22:08:18 AMPLITUDE-CORE clear-log[1556]: logfile cleared
Nov 18 22:08:21 AMPLITUDE-CORE fpc0 RT-HAL,rt_msg_handler,439: route check failed
Nov 18 22:08:21 AMPLITUDE-CORE /kernel: RT_PFE: RT msg op 2 (PREFIX DELETE) failed, err 5 (Invalid)
Nov 18 22:08:22 AMPLITUDE-CORE mgd[688]: UI_COMMIT: User 'root' requested 'commit' operation (comment: none)
Nov 18 22:08:36 AMPLITUDE-CORE mgd[688]: UI_COMMIT: User 'root' requested 'commit' operation (comment: none)
Nov 18 22:08:37 AMPLITUDE-CORE fpc0 RT-HAL,rt_msg_handler,439: route check failed
Nov 18 22:08:37 AMPLITUDE-CORE /kernel: RT_PFE: RT msg op 2 (PREFIX DELETE) failed, err 5 (Invalid)
Nov 18 22:08:41 AMPLITUDE-CORE fpc0 Failed to Add prefix (cstatus: 65565)
Nov 18 22:08:41 AMPLITUDE-CORE /kernel: RT_PFE: RT msg op 1 (PREFIX ADD) failed, err 5 (Invalid)
Nov 18 22:08:41 AMPLITUDE-CORE fpc0 Failed to h/w update ip uc route entry (status: 22)
Nov 18 22:08:41 AMPLITUDE-CORE fpc0 Failed to install the RT entry (status: 22)
Nov 18 22:08:41 AMPLITUDE-CORE fpc0 RT-HAL,rt_entry_add_msg_proc,1965: rt_halp_vectors-rt_create failed
Nov 18 22:08:41 AMPLITUDE-CORE fpc0 RT-HAL,rt_msg_handler,453: route process failed
Nov 18 22:08:51 AMPLITUDE-CORE fpc0 RT-HAL,rt_msg_handler,439: route check failed
Nov 18 22:08:51 AMPLITUDE-CORE /kernel: RT_PFE: RT msg op 2 (PREFIX DELETE) failed, err 5 (Invalid)
Nov 18 22:08:56 AMPLITUDE-CORE fpc0 Failed to Add prefix (cstatus: 65565)
Nov 18 22:08:56 AMPLITUDE-CORE /kernel: RT_PFE: RT msg op 1 (PREFIX ADD) failed, err 5 (Invalid)
Nov 18 22:08:56 AMPLITUDE-CORE fpc0 Failed to h/w update ip uc route entry (status: 22)
Nov 18 22:08:56 AMPLITUDE-CORE fpc0 Failed to install the RT entry (status: 22)
Nov 18 22:08:56 AMPLITUDE-CORE fpc0 RT-HAL,rt_entry_add_msg_proc,1965: rt_halp_vectors-rt_create failed
Nov 18 22:08:56 AMPLITUDE-CORE fpc0 RT-HAL,rt_msg_handler,453: route process failed
Nov 18 22:09:03 AMPLITUDE-CORE fpc0 Failed to Add prefix (cstatus: 65565)
Nov 18 22:09:03 AMPLITUDE-CORE /kernel: RT_PFE: RT msg op 1 (PREFIX ADD) failed, err 5 (Invalid)
Nov 18 22:09:03 AMPLITUDE-CORE fpc0 Failed to h/w update ip uc route entry (status: 22)
Nov 18 22:09:03 AMPLITUDE-CORE fpc0 Failed to install the RT entry (status: 22)
Nov 18 22:09:03 AMPLITUDE-CORE fpc0 RT-HAL,rt_entry_add_msg_proc,1965: rt_halp_vectors-rt_create failed
Nov 18 22:09:03 AMPLITUDE-CORE fpc0 RT-HAL,rt_msg_handler,453: route process failed
[j-nsp] SRX3600 or SRX5600 ?
People,

Hi,

We are looking for a JUNIPER Solution for High End Firewalls.

We are searching for:

- SRX3600
- SRX5600

Is it possible to configure SRX3600 chassis bundle with complete redundancy ?

JUNOS supports for cluster configuration is good ?

Does SRX3600 supports the following ?

- 2 x RE
- 2 x SCB
- 2 x NPC
- 2 x SPC
- 2 x AC PEM

Or ... its not supporting it ? Only 5600 will support total redundancy of components at a single chassis ?

Any experience with SRX3600 and SRX5600 ... good or bad ? Can you please share it with me ?

Thanks a lot,

Giuliano
[j-nsp] GRE Tunnel bet JUNIPER and CISCO
People,

We are trying to close a GRE tunnel between Juniper and Cisco routers without success.

We have tried a lot of MTU configurations but the traffic is suffering a lot ... sometimes it is slow, sometimes some pages do not open.

Have you ever configured something like this before? Any tip or configuration related to best practices?

Thanks a lot,
Giuliano
[j-nsp] Block Skype and Ultrasurf using ScreenOS
People,

Does anyone know how to block ultrasurf and skype applications using only an SSG140 box with a DI license?

Is it possible to configure? Where can I find the detailed signatures of both these applications?

Thanks a lot,
Giuliano
Re: [j-nsp] SRX for MPLS
We are studying it:

* J Series or SRX Series devices do not support aggregated Ethernet interfaces. Therefore, aggregated Ethernet interfaces between CE devices and PE routers are not supported for VPLS routing instances on J Series or SRX Series devices.
* VPLS routing instances on J Series or SRX Series devices use BGP to send signals to other PE routers. LDP signaling is not supported.
* VPLS multihoming, which allows connecting a CE device to multiple PE routers to provide redundant connectivity, is not supported on J Series or SRX Series devices.
* J Series or SRX Series devices do not support BGP mesh groups.
* J Series or SRX Series devices support only the following encapsulation types on VPLS interfaces that face CE devices: extended VLAN VPLS, Ethernet VPLS, and VLAN VPLS. Ethernet VPLS over ATM LLC encapsulation is not supported.
* Virtual ports are generated dynamically on a Tunnel Services PIC on some Juniper Networks routing platforms. J Series or SRX Series devices do not support Tunnel Services modules or virtual ports.
* The VPLS implementation on J Series or SRX Series devices does not support dual-tagged frames. Therefore, VLAN rewrite operations are not supported on dual-tagged frames. VLAN rewrite operations such as pop-pop, pop-swap, push-push, swap-push, and swap-swap, which are supported on M Series and T Series routing platforms, are not supported on J Series or SRX Series devices.
* Firewall filters for VPLS are not supported.

BGP signaling must be a big limitation, because of the address space of these boxes.
Re: [j-nsp] SRX for MPLS
On 22/10/2010 11:46, Chris Evans wrote:

My question is what is the purpose of using a security device for pure routing purposes??? Why not just buy a router?

On Oct 22, 2010 9:34 AM, Will McLendon wimcl...@gmail.com wrote:

Price and size of the box.
Re: [j-nsp] SRX for MPLS
Now we need to understand the limits for L2 VPNs and how we can use it integrated with JUNOS Space and Network Activator.

Ahhh the cost reason. That is a huge reason we aren't buying much juniper gear at this point in time. We only use m or mx devices along with the full Cisco product catalog. Every solution we are doing lately costs 2 to 5 times using juniper versus cisco.. I just can't justify juniper at this point in time for most contexts due to cost alone. This is something I've been yelling at my account team about.

On Oct 22, 2010 11:22 AM, Giuliano Cardozo Medalha giulian...@uol.com.br wrote:

On 22/10/2010 11:46, Chris Evans wrote:

My question is what is the purpose of using a security device for pure routing purposes??? Why not just buy a router?

On Oct 22, 2010 9:34 AM, Will McLendon wimcl...@gmail.com wrote:

Price and size of the box.
Re: [j-nsp] m10 Hard Disk Crashed
What are the commands you need to use to upgrade the hard disk?

Something like:

request system snapshot media ... ?

Does anyone know how to do that?

Thanks a lot,

Thank you Jonas !!

Fernando Atilano | Transtelco | Networking Support
MX 52.656.257.1114 US1.915.217.2286

On Oct 21, 2010, at 3:59 PM, Jonas Frey (Probe Networks) j...@probe-networks.de wrote:

See cluepon: http://juniper.cluepon.net/index.php/Replacing_the_harddisk_with_solid_state_flash

On Wednesday, 20.10.2010, at 17:19 -0400, Fernando Atilano wrote:

Anybody that can provide as to how to replace a m10 hard disk? one of them failed. any feedback is greatly appreciated.

Fernando Atilano | Transtelco | Networking Support
MX 52.656.257.1114 US1.915.217.2286
[j-nsp] SRX for MPLS
People,

Does anyone use SRX routers for MPLS (VPLS) transport?

We are thinking about the use of the SRX220 under some conditions:

- Use it in a poor environment without air conditioning and with a lot of dust ... external box temperature rises from 35 to 42 Celsius.
- Be the point to interconnect POPs using point to point radios (100~1000 Mbps)
- Using it to provide a VPLS infrastructure for L2 transport and client isolation until the start of the backbone (M7i and MX80 routers)
- SRX220 to provide OSPFv2 and OSPFv3 L3 gateway for some routed clients.

The figure shown at the following link tries to summarize it all:

http://www.wztech.com.br/JUNIPER/Topology.png

Is it possible to use this box in such a project? Do you have any experience using it to do this type of topology?

Is it possible that the SRX220 can work fine under such harsh environmental conditions? Could it blow up or go down?

If someone has implemented this kind of environment, can you please share the experience?

Thanks a lot,
Giuliano
[j-nsp] Interconnection of Logical Systems or Routing Instances
People,

We have an M7i with built-in tunnel interface - 800 Mbps.

We need to create a logical interface to interconnect the default logical system and a created one ... called R1.

Router# set logical-systems R1

We need to establish a BGP connection between the two logical systems using the logical interface.

What is the best solution? Use the gr-1/2/0 interface or use the lt-1/2/0 interface?

When we try to use lt-1/2/0 ... the IP address does not appear in table inet.0 (stays with protocol down status)

Can someone help me with this configuration? Is it possible?

Thanks a lot,
Giuliano
Re: [j-nsp] Interconnection of Logical Systems or Routing Instances
Thanks a lot Dave. It works for me.

Hi,

You could do this...

set logical-systems R1 interfaces lt-1/2/0 unit 1 encapsulation ethernet
set logical-systems R1 interfaces lt-1/2/0 unit 1 peer-unit 2
set logical-systems R1 interfaces lt-1/2/0 unit 1 family inet address 100.100.100.1/24

and then

set logical-systems R2 interfaces lt-1/2/0 unit 2 encapsulation ethernet
set logical-systems R2 interfaces lt-1/2/0 unit 2 peer-unit 1
set logical-systems R2 interfaces lt-1/2/0 unit 2 family inet address 100.100.100.2/24

the secret sauce is in that peer-unit statement, which connects the two logical interfaces together. You can set the encapsulation to a few different types, which is kind of fun.

Here is a pointer to some (older) documentation, it's what came up in a google search:

http://www.juniper.net/techpubs/software/junos/junos70/swconfig70-interfaces/html/interfaces-tunnel-config4.html

Disclaimer: I work for Juniper.

HTHs,
Dave

On Oct 20, 2010, at 10:36 AM, Giuliano Cardozo Medalha wrote:

People,

We have an M7i with built-in tunnel interface - 800 Mbps.

We need to create a logical interface to interconnect the default logical system and a created one ... called R1.

Router# set logical-systems R1

We need to establish a BGP connection between the two logical systems using the logical interface.

What is the best solution? Use the gr-1/2/0 interface or use the lt-1/2/0 interface?

When we try to use lt-1/2/0 ... the IP address does not appear in table inet.0 (stays with protocol down status)

Can someone help me with this configuration? Is it possible?

Thanks a lot,
Giuliano
[j-nsp] EX4200 MPLS Limits
Hi,

Does anyone know the MPLS limits for the EX4200 series switches?

Considering the configuration shown below:

http://www.juniper.net/techpubs/en_US/junos10.3/topics/example/mpls-ex-series-configuring.html

How many MPLS CCC circuits does an EX4200 switch support?

When you use the EX4200 in a virtual chassis configuration, is it possible to sum the MPLS capacities?

Can you provide me some information related to that?

Thanks a lot,
Giuliano
Re: [j-nsp] router recommendation
MX80 - 40 Gbps (48 x 10/100/1000 + 4 x 10G XFP) 65 Mpps ... don't forget to buy the routing license.

M7i - 5 Gbps Full Duplex (with 4 Ethernet PIC and 1 FIC) - 16 Mpps ... there is a special bundle in list price M7i-5GE-RE850-US-B
[j-nsp] RED Setup SRX240
People,

I am trying to set up (in lab) a RED configuration using an SRX240 box (flow mode).

We need to demonstrate the Junos ability to discard packets using RED drop profiles instead of Tail Drop routing with 2 Gigabit Interfaces.

The gigabit interfaces used for this test are ge-0/0/0 (wan) and ge-0/0/1 (lan) and the best effort std queue.

We are trying to pass a routed traffic of 2 Mbps across these two interfaces. After we start traffic across these interfaces ... it passes exactly 2 Mbps and not 1 Mbps (?!?!?!)

When we try to see RED traffic on interfaces ... it only shows up TAIL DROP statistics and not RED statistics ...

Router show interfaces queue ge-0/0/0
Router show interfaces queue ge-0/0/1

I really do not know what is wrong with the configuration, to test and demonstrate RED capabilities of JUNOS.

Could you help me with that?

Thanks a lot,
Giuliano

Basically we have configured:

set interfaces ge-0/0/0 per-unit-scheduler
set interfaces ge-0/0/1 per-unit-scheduler

drop-profiles {
    RED-1 {
        fill-level 50 drop-probability 50;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            scheduler-map qos-red;
        }
    }
    ge-0/0/1 {
        unit 0 {
            scheduler-map qos-red;
        }
    }
}
scheduler-maps {
    qos-red {
        forwarding-class best-effort scheduler be;
    }
}
schedulers {
    be {
        transmit-rate 1m exact;
        drop-profile-map loss-priority any protocol any drop-profile RED-1;
    }
}
[j-nsp] MX80 ADV-R License
People,

Does anyone know how to install the following license into the box:

1 x S-MX80-ADV-R License to support full scale L3 route and L3 VPN on MX80

We have received a paper describing the license and a pen drive.

Has anyone bought an MX80-48T and have the license to install?

How can we check if the license is correctly installed?

Thanks a lot,
Giuliano
[j-nsp] JUNOS POLICER
People,

We are trying to configure policers on logical interfaces created under an IQ2E PIC. All policers are using firewall filters.

One of them is a different situation ... we cannot rate the whole interface but only 3 IPs that pass through the interface.

But the policer is not working correctly:

set firewall policer teste if-exceeding bandwidth-limit 10m burst-size-limit 1000
set firewall policer teste then discard
set firewall family inet filter policer term 10 from source-address 192.168.10.35/32
set firewall family inet filter policer term 10 then accept
set firewall family inet filter policer term 10 then policer teste
set firewall family inet filter policer term 20 from source-address 192.168.10.36/32
set firewall family inet filter policer term 20 then accept
set firewall family inet filter policer term 20 then policer teste
set firewall family inet filter policer term 30 from source-address 192.168.10.37/32
set firewall family inet filter policer term 30 then accept
set firewall family inet filter policer term 30 then policer teste
set firewall family inet filter policer term 40 then accept
set interfaces ge-0/0/0 unit 100 vlan-id 100 family inet filter input policer

The problem is ... the 3 chosen IPs are exceeding 10m. Sometimes 12, sometimes 18 Mbps.

Do we need to use some special command for it? Like - logical interface under policer?

What is the correct manner to use it? Or do we need to put it all in the same term?

Thanks a lot,
Giuliano
Re: [j-nsp] JUNOS POLICER
Derick,

And about the following options:

filter-specific
logical-bandwidth-policer
logical-interface-policer

Can we use them?

When you configure the filter-specific statement, a single policer set is created for the entire filter. All traffic matching the terms of the firewall filter with the action policer goes through that single policer. The default is a term-specific policer in which a single policer set is created for each term within the filter. All traffic matching the terms of the firewall filter with the action policer goes through the part of the policer that is specific to that term.

Is the logical-interface-policer option for use inside logical units (like vlan units)?

Thanks a lot,
Giuliano

You need to put it all in the same term.

*From:* Giuliano Cardozo Medalha giulian...@uol.com.br
*To:* juniper-nsp@puck.nether.net
*Sent:* Thu, September 2, 2010 11:07:08 AM
*Subject:* [j-nsp] JUNOS POLICER

People,

We are trying to configure policers on logical interfaces created under an IQ2E PIC. All policers are using firewall filters.

One of them is a different situation ... we cannot rate the whole interface but only 3 IPs that pass through the interface.

But the policer is not working correctly:

set firewall policer teste if-exceeding bandwidth-limit 10m burst-size-limit 1000
set firewall policer teste then discard
set firewall family inet filter policer term 10 from source-address 192.168.10.35/32
set firewall family inet filter policer term 10 then accept
set firewall family inet filter policer term 10 then policer teste
set firewall family inet filter policer term 20 from source-address 192.168.10.36/32
set firewall family inet filter policer term 20 then accept
set firewall family inet filter policer term 20 then policer teste
set firewall family inet filter policer term 30 from source-address 192.168.10.37/32
set firewall family inet filter policer term 30 then accept
set firewall family inet filter policer term 30 then policer teste
set firewall family inet filter policer term 40 then accept
set interfaces ge-0/0/0 unit 100 vlan-id 100 family inet filter input policer

The problem is ... the 3 chosen IPs are exceeding 10m. Sometimes 12, sometimes 18 Mbps.

Do we need to use some special command for it? Like - logical interface under policer?

What is the correct manner to use it? Or do we need to put it all in the same term?

Thanks a lot,
Giuliano
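The difference between one policer instance per term and a single shared instance, as an added example (not code from the thread or from Juniper): a simplified token-bucket model in Python that uses the thread's three source addresses, 10m limit and burst size of 1000. The 750-byte packets, the 6 Mbps load per host and the bucket starting full are assumptions made for the illustration.

```python
# Simplified single-rate token-bucket model, not Junos code: it only shows how
# many policer instances a filter creates and what that does to the aggregate.
SCALE = 1_000_000  # keep tokens in bit-microseconds so all arithmetic is integer


class TokenBucket:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.capacity = burst_bytes * 8 * SCALE
        self.tokens = self.capacity  # assumption: bucket starts full
        self.last_us = 0

    def conforms(self, now_us, size_bytes):
        """Refill for the elapsed time, then spend tokens if the packet fits."""
        refill = self.rate_bps * (now_us - self.last_us)
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_us = now_us
        cost = size_bytes * 8 * SCALE
        if cost > self.tokens:
            return False  # out of profile, i.e. "then discard"
        self.tokens -= cost
        return True


def simulate(terms, filter_specific, senders, rate_bps, burst_bytes,
             duration_us=1_000_000):
    """Return {source: delivered Mbps} for one filter layout.

    terms           list of sets of source addresses, each with 'then policer'
    filter_specific True  = one policer instance for the whole filter
                    False = one instance per term (the default quoted above)
    senders         {source: (packet_bytes, interval_us, first_packet_us)}
    """
    shared = TokenBucket(rate_bps, burst_bytes)
    per_term = [TokenBucket(rate_bps, burst_bytes) for _ in terms]
    arrivals = sorted(
        (t, src, size)
        for src, (size, interval, start) in senders.items()
        for t in range(start, duration_us, interval)
    )
    delivered_bits = {src: 0 for src in senders}
    for now, src, size in arrivals:
        idx = next((i for i, term in enumerate(terms) if src in term), None)
        if idx is None:
            ok = True  # falls through to the final accept-all term, unpoliced
        else:
            bucket = shared if filter_specific else per_term[idx]
            ok = bucket.conforms(now, size)
        if ok:
            delivered_bits[src] += size * 8
    # bits per microsecond is numerically the same as Mbps
    return {src: bits / duration_us for src, bits in delivered_bits.items()}


# Values from the thread: three /32 sources, 10m limit, burst size 1000.
HOSTS = ["192.168.10.35", "192.168.10.36", "192.168.10.37"]
RATE_BPS, BURST_BYTES = 10_000_000, 1000
# Constructed load: each host sends 750-byte packets every 1000 us (6 Mbps),
# staggered so that no two packets arrive at the same instant.
SENDERS = {h: (750, 1000, off) for h, off in zip(HOSTS, (0, 333, 666))}


def aggregate_mbps(terms, filter_specific):
    """Total delivered rate for the three hosts under one filter layout."""
    result = simulate(terms, filter_specific, SENDERS, RATE_BPS, BURST_BYTES)
    return sum(result.values())


LAYOUTS = {
    "three terms, one policer instance per term": ([{h} for h in HOSTS], False),
    "one term matching all three addresses": ([set(HOSTS)], False),
    "three terms, filter-specific policer": ([{h} for h in HOSTS], True),
}

if __name__ == "__main__":
    for name, (terms, fs) in LAYOUTS.items():
        print(f"{name}: {aggregate_mbps(terms, fs):.1f} Mbps delivered")
```

With this load the per-term layout lets all 18 Mbps through, while the single-term and filter-specific layouts hold the aggregate to 9 Mbps. The shortfall against 10m comes from the 1000-byte burst, which is too small to keep the tokens that accumulate between 750-byte packets.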
Re: [j-nsp] SRX100 reset
You can use:

http://kb.juniper.net/index?page=contentid=KB15725smlogin=true

After you reset the box:

delete security
set security forwarding-options family mpls mode packet-based
set security forwarding-options family inet6 mode packet-based

It will work like a common router without security zones or stateful firewall.

You can disable some processes that you do not use:

set system process isdn disable

Hi,

had the same problem when I first unpacked my SRX100. It requested an IP address but was not reachable at all by that address.

I don't remember the exact way I finally fixed it that night, but there was something wrong with the VLAN/port-assignments (and maybe even zones) in the factory default config.

You might want to try another port first, as fe-0/0/0 is [supposed to be] in the untrust and fe-0/0/1-7 in trust zone.

If this doesn't work, check the config via serial cable and put one specific port into trust and manually assign an IP address to it.

I clearly remember that for 1 or 2 hours I thought the device was broken, as it did not work at all, even following the quickstart guide.

best regards,
Volker

Stefan Schlesinger wrote:

Hello Folks,

I'm trying to reset my SRX100. When I press the Reset button the status light turns amber, the SRX requests an IP address from my DHCP server, I see an ARP entry, but I cannot ping it nor connect to it using telnet/ssh/http.

What could be the reason for this and how can I do a factory reset?

Thanks,
Stefan.
[j-nsp] Q-In-Q using M7i and CISCO Switch
We have a client with the following situation:

Trunk v1, v2, v3 Trunk | Switch | | Switch || Switch| JUNIPER M7i IQ2E --- Trunk

The carrier offers only 3 vlans to the client. But he wants to push/pop some more vlans inside these 3.

Is it possible to initiate and finish Q-In-Q vlans using a Cisco ME (or EX Series) switch and a JUNIPER M7i with an IQ2E interface?

The following link shows a stack configuration. Can it be used to do Q-In-Q in this situation?

http://www.juniper.com.lv/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-network-interfaces/id-12155750.html

Has anyone tried to configure it at any time?

Thanks a lot,
Giuliano
Re: [j-nsp] Q-In-Q using M7i and CISCO Switch
We need to pass 20 different vlans using only the 3 that the carrier provides to us.

The first 10 vlans need to terminate in an L3 interface inside the router with an IP address.

The other 10 we need to pop from the IQ2E interface and let free using an L2 switch.

The carrier only transports 3 vlans in C-Switches (Carrier Switches). They can transport stacked vlans to us and open them in the last switch.

Is it possible?

We have a client with the following situation:

20TrunkTrunkTrunk | C-Switch | | C-Switch ||C-Switch|---M7i Last | Switch
[j-nsp] M7i and M10i problems - TRACE ROUTE
People,

We have a Juniper M10i border router.

When we install this router on our network ... we are having problems with MTR and traceroute programs.

Basically ... every trace that passes through the router loses 70% of the packets.

PING just works fine ... but TRACE and MTR do not.

Juniper says in J-TAC that this is a default config (FACTORY DEFAULT) from the router.

Is there some command or way to change this behavior?

Thanks a lot,
Giuliano
Re: [j-nsp] M7i and M10i problems - TRACE ROUTE
Alex,

Is there some way to avoid or to change this default value?

Is it possible to configure a firewall-filter to increase these values?

The problem is that when our customers start TRACES outside ... they think our network has problems.

Thanks a lot,
Giuliano

Giuliano,

On Juniper M-series, there is an ICMP TTL-exceeded rate-limit in place: 50 pps per logical interface and 500 pps per box.

See http://puck.nether.net/pipermail/cisco-nsp/2006-June/031717.html

Rgds
Alex

- Original Message -
From: Giuliano Cardozo Medalha [EMAIL PROTECTED]
To: juniper-nsp@puck.nether.net
Sent: Saturday, April 21, 2007 8:51 PM
Subject: [j-nsp] M7i and M10i problems - TRACE ROUTE

People,

We have a Juniper M10i border router.

When we install this router on our network ... we are having problems with MTR and traceroute programs.

Basically ... every trace that passes through the router loses 70% of the packets.

PING just works fine ... but TRACE and MTR do not.

Juniper says in J-TAC that this is a default config (FACTORY DEFAULT) from the router.

Is there some command or way to change this behavior?

Thanks a lot,
Giuliano