[j-nsp] Looking for supplier of Juniper compatible Copper SFPs in UK
Hi all

I am urgently looking for a supplier of Juniper-compatible copper SFPs. The Juniper part code is below, so if anyone has any recommendation for a decent (and by necessity quick) supplier it would be greatly appreciated. For info, this is for install in a pair of SRX550s.

Thanks in advance
Mark

Model #: EX-SFP-1GE-T
Model Description: SFP 1000Base-T 10/100/1000 Copper Transceiver Module for up to 100m transmission on Cat5

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Junos SRX AppQos
I have had this deployed on my home SRX to test. I used it to rate limit p2p apps while I was working from home and it seemed to work perfectly. :)

application-traffic-control {
    rate-limiters 1m {
        bandwidth-limit 1048576;
        burst-size-limit 1048576;
    }
    rule-sets torrent {
        rule 1 {
            match {
                application [ junos:BITTRACKER junos:BITTORRENT-APPLICATION junos:BITTORRENT-DHT junos:BITTORRENT-DHT4 junos:BITTORRENT-UDP junos:BITTORRENT-WEB-CLIENT ];
                application-group [ junos:p2p junos:p2p:file-sharing ];
            }
            then {
                rate-limit {
                    client-to-server 1m;
                    server-to-client 1m;
                    loss-priority-high;
                }
            }
        }
    }
}

Then apply the rate limiter to a sec policy.

show configuration security policies from-zone trust to-zone untrust policy scheduled-outbound
match {
    source-address any;
    destination-address any;
    application any;
}
then {
    permit {
        application-services {
            idp;
            application-traffic-control {
                rule-set torrent;
            }
        }
    }
    log {
        session-close;
    }
    count;
}
scheduler-name office-hours;

On 12 August 2014 10:02, James Baker ja...@jgbaker.co.nz wrote:
Cheers Matt; that will get me going

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Matt Bernstein via juniper-nsp
Sent: Tuesday, 12 August 2014 4:59 p.m.
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Junos SRX AppQos

On 12/08/2014 05:51, James Baker wrote:
Does anyone have any docs or links to docs/blogs which give some examples? Or a sanitized code snippet?

The O'Reilly is pretty good. http://chimera.labs.oreilly.com/books/123401633/ch12.html#application_quality_of_service

Matt

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] VLAN's on EX4300 with 13.2X50-D15.3
The VC cables in EX4200s are 32G half duplex. If we go full duplex we get to 64. Add another VC cable and we get 128. With the 40G interface, we get 80 full duplex and 160 with 2.

HTH

On 20 February 2014 22:31, ryanL ryan.lan...@gmail.com wrote:
weren't the ex4200 VC connections 64/128 Gbps thru the ribbon cable? why is 40G which uses up actual ports all that exciting? maybe i don't see it because it doesn't apply to my architecture. :-/

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Power adapter spec for AX411?
Same here. PoE is the way to go.

Mark Menzies
sent via mobile device, please excuse errors

On 12 Jan 2014 02:14, OBrien, Will obri...@missouri.edu wrote:
I just used PoE. You can get a PoE injector pretty easily.

On Jan 11, 2014, at 1:20 PM, Chris Woodfield rek...@semihuman.com wrote:
Anyone know what type of power adapter (apart from ordering one directly from Juniper) I'd need to power an AX411 wireless AP? Or would I be better off simply getting an inline PoE splitter?

-C

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Comparison of Dynamic VPN on SRX vs MAG VPN
This is a tricky one and really depends on what you want to do with the users.

If all you need is a L3 VPN that allows a full L3 connection to your network then dynamic VPN on SRX is attractive. If you want to offer more options to the user, i.e. some SSL-based portal access, only encrypt some applications through the SSL tunnel, then MAG is the way to go.

From experience, the implementation of dynamic VPN on SRX has been problematic to set up initially but works fine for a low number of users (I am talking of issues on 10.4 onwards for the set up of user profiles - was a bit untidy). We also need to take into account how many concurrent users you expect to see, as approaching the max 50 users concurrently is likely to affect performance slightly. (Performance was impacted in 11.x for me at least, not tested 12.1Xx yet.)

I haven't seen any proper comparison between the 2 but as it's very subjective on what you need it for, everyone's opinion can change.

The basics that I follow in $DAY_JOB are: if all you need is L3 VPN, no fancy portal or application security, then go for dynamic VPN. If you need anything other than L3 and you have more than 50 concurrent users then MAG is the way.

HTH

On 25 November 2013 10:00, Skeeve Stevens skeeve+juniper...@eintellegonetworks.com wrote:
Hey all,

I have a client with simple VPN needs. The price of the VPN simultaneous users for a MAG is four times the price of the simultaneous dynamic VPN users for an SRX. I am thinking of about 50 users.

Does anyone have a solid comparison between the two. I do have to land the VPN user into a particular VRF... if that makes a difference.

...Skeeve

Skeeve Stevens - eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com
Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellegonetworks ; http://twitter.com/networkceoau
linkedin.com/in/skeeve twitter.com/theispguy ; blog: www.theispguy.com
The Experts Who The Experts Call
Juniper - Cisco - Cloud

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX's and Wireless
That seems to be the gist of it bud.

To be honest the AX411s were not that stable an AP and basically need resetting every so often (I use event scripts to reset every morning at 3am). With the purchase of Trapeze, Juniper seems to be moving the AP mgmt off SRXs and onto dedicated kit.

I agree that the price hike from the WLC2 to the WLC100 is steep but as I said above, it seems to be the way that Juniper are going.

M

On 18 November 2013 04:30, Skeeve Stevens skeeve+juniper...@eintellegonetworks.com wrote:
Hey all,

I'd like to get some clarification.

I've been informed that the AX411 AP is being discontinued. While in itself this isn't an issue, it is the only AP that the SRX's can manage directly (afaik).

I also see that the WLC2 (4 AP's) has been discontinued and replaced by the WLC100 (comes licensed to manage 4 - up to 32)... which essentially doubles the price of having a controller for a few AP's. (from $1000 to $2000)

I have no problem with Juniper EOL'ing products, but at the moment, it looks like the AP management function of the SRX's is going to become useless with nothing to manage.

...Skeeve

Skeeve Stevens - eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com
Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellegonetworks ; http://twitter.com/networkceoau
linkedin.com/in/skeeve twitter.com/theispguy ; blog: www.theispguy.com
The Experts Who The Experts Call
Juniper - Cisco - Cloud

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX's and Wireless
That's very interesting. :) $50 isn't too much tbh. All I need now is to find the download link for it. :)

Thanks for letting us know.

On 18 November 2013 12:28, Skeeve Stevens skeeve+juniper...@eintellegonetworks.com wrote:
Actually... the product code has changed to JUNOSVWLC-BASE and is in the global price list at $50 which isn't bad.

...Skeeve

Skeeve Stevens - eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com
Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellegonetworks ; http://twitter.com/networkceoau
linkedin.com/in/skeeve twitter.com/theispguy ; blog: www.theispguy.com
The Experts Who The Experts Call
Juniper - Cisco - Cloud

On Mon, Nov 18, 2013 at 7:50 PM, Maarten van der Hoek maar...@vanderhoek.nl wrote:
Hi Guys,

Don't forget the 'virtual road' they're heading! Especially for deployments of 1 / 2 AP's (but far more scalable... till 100's!) the VWLC is great (both price and performance - of course depending on your VMware server). List price $320 for a VWLC-10 (for 10 access points...)

Brgds,
Maarten

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Mark Menzies
Sent: Monday, 18 November 2013 9:15
To: Skeeve Stevens
CC: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SRX's and Wireless

That seems to be the gist of it bud.

To be honest the AX411s were not that stable an AP and basically need resetting every so often (I use event scripts to reset every morning at 3am). With the purchase of Trapeze, Juniper seems to be moving the AP mgmt off SRXs and onto dedicated kit.

I agree that the price hike from the WLC2 to the WLC100 is steep but as I said above, it seems to be the way that Juniper are going.

M

On 18 November 2013 04:30, Skeeve Stevens skeeve+juniper...@eintellegonetworks.com wrote:
Hey all,

I'd like to get some clarification.

I've been informed that the AX411 AP is being discontinued. While in itself this isn't an issue, it is the only AP that the SRX's can manage directly (afaik).

I also see that the WLC2 (4 AP's) has been discontinued and replaced by the WLC100 (comes licensed to manage 4 - up to 32)... which essentially doubles the price of having a controller for a few AP's. (from $1000 to $2000)

I have no problem with Juniper EOL'ing products, but at the moment, it looks like the AP management function of the SRX's is going to become useless with nothing to manage.

...Skeeve

Skeeve Stevens - eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com
Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellegonetworks ; http://twitter.com/networkceoau
linkedin.com/in/skeeve twitter.com/theispguy ; blog: www.theispguy.com
The Experts Who The Experts Call
Juniper - Cisco - Cloud

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Internet access SRX
Check your NAT rules to make sure that this self-initiated traffic is being NATted. If you have a restrictive NAT rule then the traffic from the firewall may not match the NAT rules.

Also check the flows for the pings to see if NAT is taking place:

show security flow session protocol icmp

On 23 October 2013 08:34, Mohammad Khalil eng.m...@gmail.com wrote:
Hi all

I have SRX and I have configured NAT on it with internet access with no issues. My question is: when you ping from the SRX itself using source {LAN} there is no response even though there is internet access from the LAN clients; in Cisco there is response when you ping from the router or the firewall itself?

BR,

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
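The check Mark describes, shown as an added configuration example (not from the original post): a source NAT rule-set keyed on `from zone trust` only matches packets that arrive through a trust-zone interface, so pings the SRX generates itself fall through it. A second rule-set keyed on the routing instance catches self-initiated traffic. Zone names, the interface, the 192.168.1.0/24 LAN prefix and the use of the default routing instance are assumptions.

```junos
security {
    nat {
        source {
            /* Normal LAN-to-Internet rule-set: matches only traffic that
               entered through an interface in zone "trust" (assumed name). */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule lan-out {
                    match {
                        source-address 192.168.1.0/24;   /* assumed LAN prefix */
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            /* Packets the SRX itself generates never enter through a zone
               interface, so the rule-set above does not see them. Match them
               by routing instance instead (assumed: the default instance). */
            rule-set self-to-untrust {
                from routing-instance default;
                to zone untrust;
                rule self-out {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}
```

After committing, repeat the ping with the LAN source address and run `show security flow session protocol icmp`; the session entry should now show the translated source on the outbound wing. If the session lists the untranslated LAN address, the packet is still not hitting either rule-set.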
Re: [j-nsp] Screenos 2 Junos
It depends on the versions you are looking at. As far as I know there can be a few differences in timers and defaults. I got hit a few years ago with screen defaults where Junos had a more strict set of values than the old ScreenOS box. If you can, load the Junos image on another box and review the numbers.

HTH

Mark Menzies
sent via mobile device, please excuse errors

On 6 Aug 2013 07:27, R S dim0...@hotmail.com wrote:
Does anybody know any difference between ScreenOS and Junos in terms of default timeout for any kind of services/protocol?

Tks

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Screenos 2 Junos
Not necessarily changing in Junos as the security line is still relatively new, but there are definitely changes in major versions of ScreenOS so it's worth double checking. Not sure if there is documentation on the Junos side but there was none for ScreenOS. I found that particular issue when doing the work.

Mark Menzies
sent via mobile device, please excuse errors

On 6 Aug 2013 07:50, R S dim0...@hotmail.com wrote:
Are you telling me that can change with each different Junos version? Is there any official statement by Juniper somewhere?

Tks

Date: Tue, 6 Aug 2013 07:37:17 +0100
Subject: Re: [j-nsp] Screenos 2 Junos
From: m...@deimark.net
To: dim0...@hotmail.com
CC: juniper-nsp@puck.nether.net

It depends on the versions you are looking at. As far as I know there can be a few differences in timers and defaults. I got hit a few years ago with screen defaults where Junos had a more strict set of values than the old ScreenOS box. If you can, load the Junos image on another box and review the numbers.

HTH

Mark Menzies
sent via mobile device, please excuse errors

On 6 Aug 2013 07:27, R S dim0...@hotmail.com wrote:
Does anybody know any difference between ScreenOS and Junos in terms of default timeout for any kind of services/protocol?

Tks

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] JNCIS
ER certs are expired, it was for the old Enterprise Routing. ER is now replaced with the ENT track for Enterprise routing and switching, the SEC track deals with SRX.

On 27 January 2010 11:58, Scott Morris s...@emanon.com wrote:
E is for the BRAS systems (ERX)
M is for the SP systems (M7i, M10i, M320, etc.)
ER is for the Enterprise systems (J series now, SRX to be included)

Right now all written exams are $125. Shortly that will change. $100 for A-level, $200 for S-level.

Right now, you can go direct to S-level. With a refresh, I believe you will be forced to go for A, then S.

Scott Morris, CCIE x4 (RS/ISP-Dial/Security/Service Provider) #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
CCSI #21903, JNCI-M, JNCI-ER
s...@emanon.com
Knowledge is power. Power corrupts. Study hard and be Eeeevl..

Taqdir Singh wrote:
Hi All,

Could anyone please clear up for me what is the actual diff between JNCIS-E and JNCIS-M? I know M stands for M series routers. Which one is most latest? What is the exam fee for JNCIS? Can we do it directly without giving JNCIA?

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] TFTP Server on SRX100
TFTP is supported but deprecated as it says. I wouldn't necessarily use this regularly in production as it's hidden for a reason. :)

On 22 October 2010 13:23, Bruce Buchanan bbuch...@nexicomgroup.net wrote:
Hi Everyone,

Does anyone know if the SRX100 can act as a local TFTP server?

I've got a small remote office site with some IP phones, and I would like to set option 66 on the DHCP server (DHCP server is the SRX). This would allow a zero-touch install of the IP phones (along with LLDP-MED), and tell the phone to go to the main provisioning server to download the full config.

I tried a set system services tftp, and it took it, but it says that it is deprecated.

Thanks,
Bruce

Bruce Buchanan
Senior Network Technician
Nexicom
5 King St. E., Millbrook, ON, LOA 1GO
Phone: 705-932-4147 FAX: 705-932-3027 Cell: 705-750-7705
Web: http://www.nexicom.net
Nexicom – Connected. Naturally.

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Juniper SRX 3400 Clustering
The CRM module is just to allow you to have 2 control links. All it is is a long-winded way of giving the control plane another interface. We would use these for resiliency and redundancy on the control plane. We already have this resiliency in the data plane cos we have more than one member interface per fab link.

You are right though, it is NOT needed, but if the customer needs that level of redundancy then install it. We have one customer with the CRM modules installed in its 3600 clusters. However please note there was a PR raised last year regarding the firmware of the module. I would suggest finding the PR and upgrading as per the KB article in it.

On 11 May 2011 12:17, Altaf Ahmad aah...@bmc.com.sa wrote:
Hi Experts,

I did configure the clustering of SRX 3400 chassis without installing the SRX3K-CRM module and it went successful. Could anyone please tell me then what is the purpose of CRM? Even in the Juniper SRX3400 hardware guide I read that this module is necessary for the clustering. But I am achieving the clustering feature without installing the module.

Kind Regards,

Altaf Ahmad | Senior Solutions Designer | CCIE # 28697 (RS), CCIE SP (Written), CCSP
Business Management Company (BMC)
Anouf Building, Ihsaa St. Malaz Dist., P.O. Box 25650, Riyadh 11476, KSA
+966 561 538336 | +966 1 4793 247 Extension 594 | +966 1 4790 878
Email: aah...@bmc.com.sa wala...@bmc.com.sa | URL: www.bmc.com.sa

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] SRX Logical Systems and CPU control
Anyone had any experience on this, especially with regards to setting the cpu-control-target and individual cpu-reserved for each LSYS?

At present I have an SRX 3600 running LSYS and am likely to have around 10-15 LSYS in total. I have cpu-control-target set to 80 and am looking for suggestions for the cpu-reserved in the LSYS security profile. Is 5% a reasonable start for the reserved CPU?

I am happy with limiting the sessions, zones, policies etc but just looking to make sure I am in the right ball park for the CPU stuff.

TIA
Mark

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDoS protection for J-series and SRX
Have a look at the screen options on both kits, we can apply basic DDoS protection there and limit stuff like max connections over a short period etc.

On 11 April 2013 09:57, James Howlett jim.howl...@outlook.com wrote:
Hello,

I have a small network with J6350 as a border router (BGP) and two SRX240H in a cluster. Since a few days my network is a victim of DDoS attacks. Majority of them are high pps count attacks. Are there any methods to protect my network against such attacks? My J-series can handle quite a lot of pps, but my SRX die after getting more than 8000 new sessions per second. Is there anything I can do here?

Regards,
jim

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDoS protection for J-series and SRX
The SRX definitely supports screen options and you can upgrade the J series to something newer. I think it was in 9.4 that Juniper got rid of the 2 versions of software for J series, i.e. the router and enhanced services versions, so all newer versions have the security stuff built in.

Upgrading the J series to use screen is fairly straightforward, but if you are just looking to run the J series as a router we can turn off the main security features, but you may be better off with just having all interfaces in the same zone and allowing intra-zone traffic.

Your SRX running as the firewall should be able to cater as the only screen device, but it does make sense to apply DDoS protection as close to your perimeter as you can to reduce the load on the upstream boxes.

On 11 April 2013 11:15, James Howlett jim.howl...@outlook.com wrote:
Hello,

I think I can't use screen on my J-series in 9.x software / router context. Will SRX be able to handle it alone?

all best,
jim

Date: Thu, 11 Apr 2013 10:10:18 +0100
Subject: Re: [j-nsp] DDoS protection for J-series and SRX
From: m...@deimark.net
To: jim.howl...@outlook.com
CC: juniper-nsp@puck.nether.net

Have a look at the screen options on both kits, we can apply basic DDoS protection there and limit stuff like max connections over a short period etc.

On 11 April 2013 09:57, James Howlett jim.howl...@outlook.com wrote:
Hello,

I have a small network with J6350 as a border router (BGP) and two SRX240H in a cluster. Since a few days my network is a victim of DDoS attacks. Majority of them are high pps count attacks. Are there any methods to protect my network against such attacks? My J-series can handle quite a lot of pps, but my SRX die after getting more than 8000 new sessions per second. Is there anything I can do here?

Regards,
jim

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
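The screen options Mark points at in both replies above, as an added configuration example (not from the original thread): an ids-option profile with flood thresholds and per-source session limits, bound to the untrust zone so it is applied to traffic entering through that zone's interfaces. The profile name, zone name, interface and all threshold values are assumptions; the numbers need tuning against the box's real traffic, since too low a threshold drops legitimate clients.

```junos
security {
    screen {
        ids-option untrust-screen {
            icmp {
                flood threshold 1000;              /* ICMP pps to one destination before dropping (assumed value) */
            }
            udp {
                flood threshold 5000;              /* UDP pps to one destination before dropping (assumed value) */
            }
            tcp {
                syn-flood {
                    attack-threshold 1000;         /* SYN/s to one destination before SYN proxying kicks in */
                    source-threshold 100;          /* SYN/s from one source before that source is dropped */
                    destination-threshold 500;     /* SYN/s to one destination before that destination is protected */
                    timeout 20;                    /* seconds a half-open proxied connection is kept */
                }
                land;                              /* drop packets with source == destination address */
            }
            limit-session {
                source-ip-based 100;               /* max concurrent sessions per source IP (assumed value) */
                destination-ip-based 2000;         /* max concurrent sessions per destination IP (assumed value) */
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;                 /* screens apply to ingress traffic on the zone's interfaces */
            interfaces {
                ge-0/0/0.0;                        /* assumed WAN interface */
            }
        }
    }
}
```

`show security screen statistics zone untrust` shows which screens are firing and how often; watch the session-limit and syn-flood counters while under attack and raise or lower the thresholds from there. The session limits are the direct answer to the "8000 new sessions per second" complaint: a single source cannot exhaust the session table on its own once `source-ip-based` is set. Screens do not replace upstream filtering, so for the high-pps attacks named in the thread the J-series border router should still drop what it can before the packets reach the cluster.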
Re: [j-nsp] Clustering J-series across a switch
It works on 11.4 (several versions) with running dual control and dual fabric links between 2 SRX3600 using Cisco VSS switches in between. As long as control and data planes have different VLANs and you enable jumbo frames on the fabric it just works. Not tried to Q-in-Q the traffic though, just vanilla VLANs for now.

On 2 April 2013 17:57, OBrien, Will obri...@missouri.edu wrote:
I've heard that it works. I have avoided it so far, however.

Will O'Brien

On Apr 2, 2013, at 11:48 AM, Mike Williams mike.willi...@comodo.com wrote:
Hey all,

So I've been reading the clustering docs, and they make it pretty clear that the (at least) control link should connect the devices back-to-back.

I don't have the page to hand but there is an option to configure the control link in the old way, using (a?) VLAN (4094 IIRC), otherwise new clusters will use a special ether-type.

Now if Junos is going to use a new ether-type for control link communication it's pretty certain the devices would have to be connected back-to-back, but if control link traffic is within a specific VLAN switching it shouldn't be a problem, right? I'd Q-in-Q the traffic anyway.

The health of the control and fabric links is determined by heartbeats only, not link state, so a switch wouldn't hurt that.

I accept that clustering across a switch isn't necessarily advisable, I'm just wondering if it's fundamentally possible.

Has anyone ever even tried to put a switch between a J-series, or SRX-series, cluster?

Thanks

Currently we've 2 J6350s on different floors of a building, with different providers. Around that building we have a 10Gbps VC ring of EX3300s. We want to cluster the J-series' but don't want the hassle or cost of running copper between the providers (if that's even possible) when the VC is way more than fast enough. Traffic levels are way way below 10Gbps, and it's highly unlikely they'll ever get that high.

--
Mike Williams

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] 3750 and 4200
We had issues before with LAGs between Cisco and SRX. The links were showing as up and then intermittently went down. We fixed it by setting the LACP periodic interval to slow and it corrected it all. Seems that Cisco defaults to slow and Juniper to fast. Just a mismatch in LACP packets.

HTH

On 14 March 2013 07:53, Bjørn Tore b...@paulen.net wrote:
Might it be that the EX can't link to FE, but only to GE? I know the -F only takes gig, unless you use a certain SFP.

Bjørn Tore @ mobil

Den 13. mars 2013 kl. 23:40 skrev snort bsd snort...@yahoo.com.au:
hi all:

i have a cisco 3750 fastethernet switch connecting to a juniper 4200, with portchannel on cisco side and aggregated interface juniper side. the cisco side shows as connected but juniper side remain down. could anyone give me some ideas? no lacp activated on both side.

for cisco:

cisco-3750#sh int fast1/0/9
FastEthernet1/0/9 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0018.b99f.5d8b (bia 0018.b99f.5d8b)
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set

cisco-3750#sh interfaces por10
Port-channel10 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 0018.b99f.5d8c (bia 0018.b99f.5d8c)
  MTU 1500 bytes, BW 20 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 100Mb/s, link type is auto, media type is unknown
  input flow-control is off, output flow-control is unsupported
  Members in this channel: Fa1/0/9 Fa1/0/10

interface Port-channel10
 switchport access vlan 100
 switchport mode access

interface FastEthernet1/0/9
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 channel-group 10 mode on

for juniper:

user@4200-1# run show interfaces terse ge-0/0/9
Interface    Admin Link Proto    Local    Remote
ge-0/0/9     up    down
ge-0/0/9.0   up    down aenet    --> ae1.0

user@4200-1# run show interfaces ae1 terse
Interface    Admin Link Proto    Local    Remote
ae1          up    down
ae1.0        up    down eth-switch

user@4200-1# show interfaces ge-0/0/9
ether-options {
    no-auto-negotiation;
    link-mode full-duplex;
    speed {
        100m;
    }
    802.3ad ae1;
}

user@4200-1# show interfaces ae1
ae1 {
    aggregated-ether-options {
        minimum-links 1;
        link-speed 100m;
    }
    unit 0 {
        family ethernet-switching {
            port-mode access;
        }
    }
}

_dave

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
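The LACP timer fix Mark describes, written out as an added configuration example (not from the original thread) on top of the EX4200 config Dave posted: both member ports are bound to ae1, LACP is enabled in active mode, and the periodic interval is set to slow so it matches the Cisco default. It assumes the Cisco side is changed from `channel-group 10 mode on` (static, no LACP) to `channel-group 10 mode active`; with `mode on` neither side speaks LACP and the timer is irrelevant. ge-0/0/10 as the second member is an assumption taken from the Cisco `Members in this channel` line.

```junos
interfaces {
    ge-0/0/9 {
        ether-options {
            no-auto-negotiation;
            link-mode full-duplex;
            speed {
                100m;                 /* FE peer: force 100M full, as in the original config */
            }
            802.3ad ae1;
        }
    }
    ge-0/0/10 {                       /* second member, assumed from the Cisco port-channel membership */
        ether-options {
            no-auto-negotiation;
            link-mode full-duplex;
            speed {
                100m;
            }
            802.3ad ae1;
        }
    }
    ae1 {
        aggregated-ether-options {
            minimum-links 1;
            link-speed 100m;
            lacp {
                active;               /* send LACPDUs rather than waiting for the peer */
                periodic slow;        /* 30s LACPDU interval; Cisco "lacp rate normal" default. Junos default is fast (1s). */
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
}
```

`show lacp interfaces ae1` shows the negotiated state per member; both should reach `Collecting distributing` with the partner's system ID filled in. If the partner column stays empty the peer is not sending LACPDUs at all, which is what a static `mode on` port-channel looks like from the EX side.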
Re: [j-nsp] SRX upgrade procedure -ready for enterprise?
Yes the upgrade process is not the best. The link above puts names on tasks to do to effectively split the cluster in such a way that you can reconnect it without loss of connectivity.

The best approach, which does NOT include minimal downtime, is to upgrade both nodes and then reboot them both at the same time. It's less complicated, less prone to error, but it does mean that the services are down for the time it takes for the boxes to boot and bring up all interfaces.

It's something that I hope Juniper are looking at.

On 8 March 2013 17:50, Andy Litzinger andy.litzin...@theplatform.com wrote:
We're evaluating SRX clusters as replacements for our aging ASA FO pairs in various places in our network including the Datacenter Edge. I was reading the upgrade procedure KB: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17947 and started to have some heart palpitations. It seems a complicated procedure fraught with peril. Anyone out there have any thoughts (positive/negative) on their experience on upgrading an SRX cluster with minimal downtime?

thanks!
-andy

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] 11.4R6-S2 feedback ?
We don't have it running yet, but it's due to be deployed shortly to fix some bugs on high-end SRX. I can provide more feedback later but that may still take a few weeks sadly.

On 27 February 2013 16:33, david@orange.com wrote:
Hi all

Does anybody use this version in production? If yes, did you experience some SW issues with it?

Many thanks for your feedback

David

David Roy
IP/MPLS Support engineer - Orange France
Ph. +33 2 99 87 64 72 - Mob. +33 6 85 52 22 13
david@orange.com
JNCIE-MT/SP #703 - JNCIE-ENT #305 - JNCIP-SEC

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, France Telecom - Orange is not liable for messages that have been modified, changed or falsified. Thank you.

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] PFE of EX4200 stack
We can run specific commands to get the virtual chassis topology:

show virtual-chassis active-topology
show virtual-chassis device-topology

These show the members and associated links etc.

If this doesn't do what you need have a look at:

show virtual-chassis vc-path

Do these help? I don't have a VC accessible to me at the moment to double check.

On 21 February 2013 17:35, Rachid DHOU rachid.d...@gmail.com wrote:
Hi Experts,

I know that in EX4200 switch 48T, we have 3 PFE. If we have two EX4200 stacked:

1. does the number become 6 PFE?
2. how can we locate them?
3. how are they numbered? mpfe0 to mpfe5? (because I have an alarm message in the log showing mpfe2 and I want to know which PFE is impacted, in SW1 or SW2)

Kind Regards,
Rachid DHOU

___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] SRX cluster and route failover
Hi all

I hope someone here can help. I have an SRX cluster with 3 reth interfaces, 2 for WAN and one for LAN. I want to have static routes used to send traffic over the primary WAN reth when the next hop is available and then fail over to the secondary WAN.

We have some restraints here.

* We cannot use dynamic routing, the 3rd party devices we are connecting to won't use dynamic routing, so we are left with static routes.
* We cannot use BFD as the 3rd party next hops are not managed by us, nor can we get them to implement BFD
* We have multiple logical interfaces on the primary WAN reth and we don't want to fail over the entire reth, just the specific static route for the specific customer that has failed.
* We have asked for pingable hosts from each customer from which we are going to base our testing of the next hop.

I have looked at using event scripts and also ip-monitoring. I am looking for any guidance or experience in doing this for customers and any likely gotchas or things to look out for.

I have found KB25052 which does tend to imply that ip-monitoring using RPMs should do the deed and allow me to set a new route for a specific destination so this seems to fit the bill and a quick test seems to confirm that. However would I benefit from any junoscript stuff?

Does anyone have any experiences or comments on the above mechanisms?

Thanks in advance

Mark
Re: [j-nsp] SRX cluster and route failover
Hi Nick

That looks good but in this case it's all in one master routing-instance. There are no clever configs on this box as yet, simply static routes for customer nets to be sent over the leased line reth and a default route on the main WAN connection.

As we already have a static route set to the leased line reth it's all good and if the reth goes down, all customers will fail over to the default route.

I have quickly tested KB25052 and this seems to do what I need in that using the ip-monitoring policy, we get a new static route for the customer net added sending the traffic over the WAN.

I also now need to alert on the route failover, so will likely set a trap for the srx100 rmopd[1283]: PING_PROBE_FAILED log and forward onto some NMS server. Is there a better way to do this?

On 18 February 2013 13:44, Nick Ryce n...@fluency.net.uk wrote:
> Hi Mark,
>
> Maybe something like http://kb.juniper.net/InfoCenter/index?page=content&id=KB22052&pmv=print is what you are looking for?
>
> Nick
>
> On 18/02/2013 13:34, Mark Menzies m...@deimark.net wrote:
> > Hi all
> >
> > I hope someone here can help. I have an SRX cluster with 3 reth interfaces, 2 for WAN and one for LAN. I want to have static routes used to send traffic over the primary WAN reth when the next hop is available and then fail over to the secondary WAN.
> >
> > We have some restraints here.
> >
> > * We cannot use dynamic routing, the 3rd party devices we are connecting to won't use dynamic routing, so we are left with static routes.
> > * We cannot use BFD as the 3rd party next hops are not managed by us, nor can we get them to implement BFD
> > * We have multiple logical interfaces on the primary WAN reth and we don't want to fail over the entire reth, just the specific static route for the specific customer that has failed.
> > * We have asked for pingable hosts from each customer from which we are going to base our testing of the next hop.
> >
> > I have looked at using event scripts and also ip-monitoring. I am looking for any guidance or experience in doing this for customers and any likely gotchas or things to look out for.
> >
> > I have found KB25052 which does tend to imply that ip-monitoring using RPMs should do the deed and allow me to set a new route for a specific destination so this seems to fit the bill and a quick test seems to confirm that. However would I benefit from any junoscript stuff?
> >
> > Does anyone have any experiences or comments on the above mechanisms?
> >
> > Thanks in advance
> >
> > Mark
Re: [j-nsp] EX4200-48PX/PoE+
4200s can be given a 900 watt power supply (can't recall the exact wattage) however from my understanding the current EX range can support POE+ but as you pointed out, the PSUs can't provide a full 30W to all ports. So in essence, as I understand it we can have POE+ but not on all ports at the same time.

On 7 February 2013 09:33, Nikolay Abromov nabro...@gmail.com wrote:
> Hello Group,
>
> You might be able to help on that question:
>
> It is written on this table (table 1), that EX4200-48PX does support PoE+ (802.3at/30W per port). However, the PoE budget is equal to 740 W, which means PoE (740/48 = 15.4). I am really confused. Does this platform support full PoE+ on all 48 ports or does it support it only as a protocol, but doesn't have enough power to provide 30W on each port (which means 1440 W for PoE budget)?
>
> Best Regards,
> Nikolay Abromov
Re: [j-nsp] Quick way to delete multiple licenses on SRX
Well that's a great bit of code there. Works a treat

Thanks bud :)

On 2 February 2013 15:45, Gojko Vujovic go...@gojkovujovic.com wrote:
> On 30-Jan-13 16:34, Mark Menzies wrote:
> > Is there any way other than the very slow request system license delete license ID command, to get rid of multiple licenses all at once?
>
> start shell user root
> cli show system license | grep ident | awk '{print $3}' | xargs -n 1 cli request system license delete
Re: [j-nsp] Quick way to delete multiple licenses on SRX
If we park the fact that this is for training courses here, I still need an answer to how I would do this on an SRX. :)

So the problem exists and I am just looking to see if we can find an answer.

On 1 February 2013 11:31, Eugeniu Patrascu eu...@imacandi.net wrote:
> On Thu, Jan 31, 2013 at 9:00 PM, Mark Menzies m...@deimark.net wrote:
> > If I enforced that, I would be training an empty room. :)
>
> I wouldn't bet on it and you might go ahead and try it. I also do training and have licenses for every feature (not on Juniper, by the way) on the equipment and if the students ask, I tell them that since it is training equipment they have all the licenses and that's that. No confusion, no nothing.
>
> I might be wrong, but I think you're trying to solve a non-existing problem :)
>
> Cheers,
> Eugeniu
Re: [j-nsp] Quick way to delete multiple licenses on SRX
That could potentially work but is a mighty big hammer to solve a small problem. :). I don't have a problem putting the licenses on the boxes, it's just the removal that's a pain. I suspect I am asking for the impossible and not sure I want to bother with an ER.

Sent from my mobile device

On 1 Feb 2013, at 16:59, Tom Storey t...@snnap.net wrote:
> Is it feasible to make multiple copies of the CF card for each router (dd style), customise each copy with the licenses required for a given class, then swap CFs depending on the class?
>
> What's more expensive or valuable, your time, or a bunch of CF cards? :-)
>
> On 1 February 2013 13:03, Mark Menzies m...@deimark.net wrote:
> > If we park the fact that this is for training courses here, I still need an answer to how I would do this on an SRX. :)
> >
> > So the problem exists and I am just looking to see if we can find an answer.
> >
> > On 1 February 2013 11:31, Eugeniu Patrascu eu...@imacandi.net wrote:
> > > On Thu, Jan 31, 2013 at 9:00 PM, Mark Menzies m...@deimark.net wrote:
> > > > If I enforced that, I would be training an empty room. :)
> > >
> > > I wouldn't bet on it and you might go ahead and try it. I also do training and have licenses for every feature (not on Juniper, by the way) on the equipment and if the students ask, I tell them that since it is training equipment they have all the licenses and that's that. No confusion, no nothing.
> > >
> > > I might be wrong, but I think you're trying to solve a non-existing problem :)
> > >
> > > Cheers,
> > > Eugeniu
Re: [j-nsp] MAG2600 versus 4610 and above
MAG2600 is only SSL or Enterprise guest access. It doesn't do UAC. It's only from the MAG4600 and up that we see the full blown UAC personality switching there.

On 31 January 2013 12:06, David Gee d...@infiltr8.com wrote:
> Hi group,
>
> I was hoping one of you could answer me the following question. When it comes to base functionality, are the features on the MAG2600 identical to the MAG4610 and above? I appreciate scalability is massively different, but it's more the configuration and base features I am worried about. Is the MAG2600 missing anything barring guts?
>
> I want to be able to lab out as many of the SSL/UAC features without spending £4k on a box and I'm hoping the 2600 covers everything I need.
>
> My intention is to run the lab license for the twelve months whilst under a service contract. Will this be ok? Does anyone know any different?
>
> Thanks
>
> David
Re: [j-nsp] MAG2600 versus 4610 and above
Ahh, nice one. I didn't realise that the 2600 was upgraded :)

This is the kind of thing that Juniper need to be making more noise about as some of our customers would definitely like this. :)

On 31 January 2013 13:06, Eric Van Tol e...@atlantech.net wrote:
> > -----Original Message-----
> > From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Mark Menzies
> > Sent: Thursday, January 31, 2013 7:14 AM
> > To: David Gee
> > Cc: juniper-nsp@puck.nether.net
> > Subject: Re: [j-nsp] MAG2600 versus 4610 and above
> >
> > MAG2600 is only SSL or Enterprise guest access. It doesn't do UAC. It's only from the MAG4600 and up that we see the full blown UAC personality switching there.
>
> The MAG2600 does support UAC:
> http://www.juniper.net/techpubs/software/ive/releasenotes/j-sa-sslvpn-7.2R1-whatsnew.pdf
>
> -evt
Re: [j-nsp] MAG2600 versus 4610 and above
Hehe, sorry bud. I missed this when I had a quick look at the release notes myself.

On 31 January 2013 14:45, Eric Van Tol e...@atlantech.net wrote:
> Your post almost gave me a heart attack, as we just purchased two of these specifically for UAC. Our Juniper reps were about to get an earful from me. :-)
>
> -evt
>
> From: Mark Menzies [mailto:m...@deimark.net]
> Sent: Thursday, January 31, 2013 9:09 AM
> To: Eric Van Tol
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] MAG2600 versus 4610 and above
>
> Ahh, nice one. I didn't realise that the 2600 was upgraded :)
>
> This is the kind of thing that Juniper need to be making more noise about as some of our customers would definitely like this. :)
>
> On 31 January 2013 13:06, Eric Van Tol e...@atlantech.net wrote:
> > > -----Original Message-----
> > > From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Mark Menzies
> > > Sent: Thursday, January 31, 2013 7:14 AM
> > > To: David Gee
> > > Cc: juniper-nsp@puck.nether.net
> > > Subject: Re: [j-nsp] MAG2600 versus 4610 and above
> > >
> > > MAG2600 is only SSL or Enterprise guest access. It doesn't do UAC. It's only from the MAG4600 and up that we see the full blown UAC personality switching there.
> >
> > The MAG2600 does support UAC:
> > http://www.juniper.net/techpubs/software/ive/releasenotes/j-sa-sslvpn-7.2R1-whatsnew.pdf
> >
> > -evt
Re: [j-nsp] Quick way to delete multiple licenses on SRX
Thanks bud, but I still want to remove them. Cos we run different classes we can easily confuse the students if they have a gazillion licenses and they only expect to see 1.

I might end up trying to chin someone at Juniper to see if there is any way that we can play with license files etc.

On 31 January 2013 16:34, Eugeniu Patrascu eu...@imacandi.net wrote:
> On Wed, Jan 30, 2013 at 5:34 PM, Mark Menzies m...@deimark.net wrote:
> > Hi folks
> >
> > I have a quick question here. Is there any way other than the very slow request system license delete license ID command, to get rid of multiple licenses all at once?
> >
> > Basically we have several SRX units for training purposes and each of them has around 10 licenses each for various UTM and VPN features etc. As not all of the courses require these licenses we need to add and remove them for each course when required.
> >
> > I am just a bit tired of the original command and was wondering if there is a quicker shortcut for this.
>
> Maybe not an answer to your question, but since they are for training, why not just leave the licenses there and use whatever features you need for a certain class? I see no reason why you feel like deleting and adding licenses all day.
>
> Eugeniu
Re: [j-nsp] Quick way to delete multiple licenses on SRX
If I enforced that, I would be training an empty room. :)

On 31 January 2013 17:05, Michael Loftis mlof...@wgops.com wrote:
> On Jan 31, 2013, at 8:40, Mark Menzies m...@deimark.net wrote:
> > Thanks bud, but I still want to remove them. Cos we run different classes we can easily confuse the students if they have a gazillion licenses and they only expect to see 1.
> >
> > I might end up trying to chin someone at Juniper to see if there is any way that we can play with license files etc.
>
> If they're confused by extra licenses then they need to go back to working at McDonalds or Wal-Mart and save us all the pain of cleaning up after them.
>
> > On 31 January 2013 16:34, Eugeniu Patrascu eu...@imacandi.net wrote:
> > > On Wed, Jan 30, 2013 at 5:34 PM, Mark Menzies m...@deimark.net wrote:
> > > > Hi folks
> > > >
> > > > I have a quick question here. Is there any way other than the very slow request system license delete license ID command, to get rid of multiple licenses all at once?
> > > >
> > > > Basically we have several SRX units for training purposes and each of them has around 10 licenses each for various UTM and VPN features etc. As not all of the courses require these licenses we need to add and remove them for each course when required.
> > > >
> > > > I am just a bit tired of the original command and was wondering if there is a quicker shortcut for this.
> > >
> > > Maybe not an answer to your question, but since they are for training, why not just leave the licenses there and use whatever features you need for a certain class? I see no reason why you feel like deleting and adding licenses all day.
> > >
> > > Eugeniu
[j-nsp] Quick way to delete multiple licenses on SRX
Hi folks

I have a quick question here. Is there any way other than the very slow request system license delete license ID command, to get rid of multiple licenses all at once?

Basically we have several SRX units for training purposes and each of them has around 10 licenses each for various UTM and VPN features etc. As not all of the courses require these licenses we need to add and remove them for each course when required.

I am just a bit tired of the original command and was wondering if there is a quicker shortcut for this.

So, can anyone help?

Thanks in advance

Mark
Re: [j-nsp] IP SLA + Tracking on JunOS
On SRX, it's a bit different from MX.

Have a look at http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/ip-monitoring-security-configuring.html

Basically we use RPM probes and configure IP-monitoring

HTH

On 7 January 2013 07:17, Robert Hass robh...@gmail.com wrote:
> Hi
>
> On Cisco I used the IP SLA + Tracking feature to ping a remote host and inject a static route if I've got a response from the remote host. Ping was sent each minute.
>
> Can I have the same configuration doing the same on JunOS? (10.4 or 11.4 - SRX and MX series)
>
> My goal:
> Ping 10.0.0.4 with source-ip 10.0.1.1
> If I have a response inject static route 192.168.0.0/24 via 10.0.1.2, if no ping response then the static route shouldn't be injected
>
> Rob
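An added example, not from either thread, of the RPM + ip-monitoring approach Mark tested in the "SRX cluster and route failover" thread above and the behaviour Rob asks about here, in set form for an SRX. All addresses (documentation ranges), the probe target, interface and policy names are assumed. The mechanism is failure-triggered: the healthy path is a plain static route, and ip-monitoring installs the alternative route with a better preference only while the probe is failing, then withdraws it on recovery. So for Rob's case the route via 10.0.1.2 would be the ordinary static, and the route ip-monitoring injects is the one that takes over when 10.0.0.4 stops answering. The event-options policy at the end turns the PING_PROBE_FAILED/PING_TEST_FAILED events into SNMP traps on the box itself, which is the alternative to scraping the syslog line Mark mentions.

```junos
# Added example, not from the thread. Addresses, names and the probe host are assumed.

# Healthy path: customer network reached via the leased-line reth (next hop 203.0.113.1).
set routing-options static route 198.51.100.0/24 next-hop 203.0.113.1

# RPM probe against the customer's pingable host, sourced from our reth1 address and
# pinned to the leased-line next hop so the probe itself cannot leak out over the WAN.
set services rpm probe probe-custA test nh-custA probe-type icmp-ping
set services rpm probe probe-custA test nh-custA target address 203.0.113.10
set services rpm probe probe-custA test nh-custA source-address 203.0.113.2
set services rpm probe probe-custA test nh-custA probe-count 3
set services rpm probe probe-custA test nh-custA probe-interval 2
set services rpm probe probe-custA test nh-custA test-interval 5
set services rpm probe probe-custA test nh-custA thresholds successive-loss 3
set services rpm probe probe-custA test nh-custA next-hop 203.0.113.1

# ip-monitoring: while the probe is failing, add a more-preferred route for only this
# customer's prefix via the WAN reth; it is removed automatically once the probe recovers.
set services ip-monitoring policy fail-custA match rpm-probe probe-custA
set services ip-monitoring policy fail-custA then preferred-route route 198.51.100.0/24 next-hop 192.0.2.1

# Alerting: raise an SNMP trap on probe failure instead of parsing PING_PROBE_FAILED out of syslog.
set event-options policy rpm-failover events [ ping_probe_failed ping_test_failed ]
set event-options policy rpm-failover then raise-trap
set snmp trap-group nms targets 10.0.0.5
```

Check the result with `show services ip-monitoring status` and `show route 198.51.100.0/24` while the probe target is unreachable: the ip-monitoring route should be the active one, and the original static should come back as soon as the probe passes again. Because ip-monitoring only ever adds a route for the prefix named in the policy, the rest of the reth's traffic is untouched, which is the per-customer behaviour the cluster thread asks for.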
Re: [j-nsp] Embedded VPN JunOS Pulse client
Hi bud.

As far as I know there is no way to upgrade the embedded pulse client. Using later pulse clients should work fine. Upgrading junos does upgrade the pulse client but it still won't be the latest sadly.

HTH

Sent from my mobile device. Please excuse errors.

On 29 Dec 2012, at 19:54, Robert Hass robh...@gmail.com wrote:
> Hi
>
> I'm using SRX as VPN gateway. It's running JunOS 11.4R6.5. When a new user downloads the VPN client from the SRX then JunOS Pulse Client version 2.0.3.11013 is provided. But we are having some problems (no communications over GSM) with this old version. This issue was resolved in the latest JunOS Pulse - eg. version 3.1R2.
>
> Is there any way to upgrade the Embedded JunOS Pulse client to version 3.1? I would like new users to fetch 3.1 instead of 2.0.
>
> Rob
Re: [j-nsp] Embedded VPN JunOS Pulse client
That's something I didn't know. :)

Thanks bud

On 29 December 2012 23:59, Michael Loftis mlof...@wgops.com wrote:
> The client installer executables are stored in the jail area...you can start shell from the CLI with appropriate permissions, but you'll probably have to be root to replace them - /jail/html/dynamic-vpn/client
>
> On Sat, Dec 29, 2012 at 11:54 AM, Robert Hass robh...@gmail.com wrote:
> > Hi
> >
> > I'm using SRX as VPN gateway. It's running JunOS 11.4R6.5. When a new user downloads the VPN client from the SRX then JunOS Pulse Client version 2.0.3.11013 is provided. But we are having some problems (no communications over GSM) with this old version. This issue was resolved in the latest JunOS Pulse - eg. version 3.1R2.
> >
> > Is there any way to upgrade the Embedded JunOS Pulse client to version 3.1? I would like new users to fetch 3.1 instead of 2.0.
> >
> > Rob
>
> --
> Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds.
> -- Samuel Butler
Re: [j-nsp] system syslog host in another routing instance
Hit this issue when logging to STRM for SRX data plane traffic

Have a look at this for more details:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB22692

Seems that the initial packet originates in inet.0 even when we have a specific source address to send the traffic from. We need to route the traffic to the correct routing instance for it to work

HTH

On 19 December 2012 10:51, Uriel Segal ur...@bynet.co.il wrote:
> Due to SYSLOG's UDP/one-way nature, you can add a static route in the global routing-table, route destination 10.14.140.125/32 to next-table .inet.0
>
> This will do the job
>
> BR,
> Uriel
>
> > Colleagues,
> >
> > It seems possible to send SNMP traps to a host in a non-default routing instance, like this:
> >
> > snmp {
> >     community {
> >         routing-instance {
> >         }
> >     }
> > }
> >
> > Is it possible to send syslog messages to a host in a non-default routing instance?
> >
> > I can ping this host like this: ping 10.14.140.125 routing-instance
> >
> > Running JUNOS 10.4R8.5 on an M120.
> >
> > Thank you in advance for any input:
> >
> > --
> > Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> > sip:suda...@sibptus.tomsk.ru
Re: [j-nsp] SRX3600 - Session Logs
Yup there is.

As the high end boxes do all the processing for the firewalling/VPN/IDP etc on the SPCs, we can set the logs to be sent from the SPC instead of being passed across to the RE. Basically a high end SRX can create more logs than the RE can handle so we send logs via stream mode to the syslog/STRM box.

Basic config is below

mark@vodkila> show configuration security log
mode stream;
format sd-syslog;
source-address 10.1.1.1;
stream securitylog {
    category all;
    host {
        10.1.1.26;
        port 514;
    }
}

Where the host is the syslog server and the source-address is to ensure that the traffic leaves from the correct interface/routing-instance

On 1 December 2012 14:58, Giuliano Medalha giuli...@wztech.com.br wrote:
> People,
>
> Could anyone set log information about sessions using SRX36xx boxes?
>
> Could you please send this information for me?
>
> We have tried to use the following syslog config:
>
> user@host# set system syslog file traffic-log any any
> user@host# set system syslog file traffic-log match RT_FLOW_SESSION
>
> But it is not working. Is there some special way to do it using high end boxes?
>
> Thanks a lot,
>
> Giuliano
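An added example (not Mark's or Giuliano's config) that puts the stream-mode setup above together with the two pieces it depends on: the policy action that actually generates RT_FLOW_SESSION_* records, and the routing fix from the "system syslog host in another routing instance" thread above for a collector that is not reachable from inet.0. The log host and source address are the ones quoted in the thread; the zone names, policy name and the "mgmt-vr" routing instance are assumed.

```junos
# Added example, not from the thread. Zone/policy names and the mgmt-vr instance are assumed.

# Logs leave the SPC directly (stream mode) in sd-syslog format, sourced from 10.1.1.1.
set security log mode stream
set security log format sd-syslog
set security log source-address 10.1.1.1
set security log stream securitylog category all
set security log stream securitylog host 10.1.1.26
set security log stream securitylog host port 514

# Stream mode only carries what the policies log. Without session-init/session-close on the
# policy there are no RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE events to ship at all,
# which is why a syslog file "match RT_FLOW_SESSION" on its own stays empty.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone trust to-zone untrust policy allow-out then log session-init
set security policies from-zone trust to-zone untrust policy allow-out then log session-close

# If the collector lives in another routing instance, the log packets are still looked up
# in inet.0 first (KB22692 in the thread above), so give inet.0 a host route that hands
# them to that instance's table.
set routing-options static route 10.1.1.26/32 next-table mgmt-vr.inet.0
```

Log only the policies you need session records for: `log session-init` doubles the volume per session, and on a busy SRX3600 the per-session records are exactly the load that makes RE-side logging fall over. With sd-syslog the collector receives RFC 5424 structured data, so the fields (source-address, destination-address, policy-name, session-id-32) can be matched by name rather than by position.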
Re: [j-nsp] EX2200 na VirtualChassis
Have a look at http://www.juniper.net/techpubs/en_US/junos12.2/topics/concept/virtual-chassis-ex4200-overview.html for supported VC installs

On 28 October 2012 18:14, Sascha Luck li...@c4inet.net wrote:
> On Sun, Oct 28, 2012 at 06:45:12PM +0100, Robert Hass wrote:
> > Hi
> >
> > Can I interconnect a few EX2200 and form a bigger virtual-switch using the virtual-chassis feature?
>
> Yes. https://www.juniper.net/techpubs/en_US/junos/topics/task/configuration/virtual-chassis-ex2200-cli.html
>
> > If yes do you have to use SFP ports for this
>
> Yes, copper ports are not supported.
>
> > Can it also be interconnected with other EX models like EX3200 in virtual-chassis mode
>
> That I don't know...
>
> rgds,
> Sascha Luck
Re: [j-nsp] SRX - multipoint st0 tunnel interface and static route
Have you set up NHTB? As the other side is non-Junos, you will need to set this up manually. NHTB allows the SRX to decide which VPN to send the remote traffic down. I will need to check but I am fairly sure that we will still need to set up routes for the remote nets to send them to st0.

I take it the other side is just set up as a normal policy type VPN and as such should be looking for the proxy-IDs you have set?

On 13 September 2012 21:48, pkc_mls pkc_...@yahoo.fr wrote:
> Hi all,
>
> I'm running junos 11.4r5 on an SRX210 device.
>
> I configured a multipoint tunnel interface to bind two IPSEC tunnels to the same gateway (as multiple proxy IDs are not supported yet).
>
> The remote gateway is an old sonicwall, and is not capable of route based VPNs.
>
> I tried to setup a static route to the remote network, but the route doesn't show up. I found some threads on juniper forums indicating I was not the only one to experience this.
>
> Did anyone find a solution to add a static route via a multipoint tunnel interface? Is this working on 12.1? (I'd like to keep the 11.4, but if 12.1 could help ...).
>
> my interface configuration:
>
> root@SRX240# show interfaces st0
> unit 0 {
>     multipoint;
>     family inet;
> }
>
> my vpn configurations:
>
> root@SRX240# show security ipsec vpn vpn1
> bind-interface st0.0;
> ike {
>     gateway gw1;
>     proxy-identity {
>         local 10.1.1.0/24;
>         remote 192.168.1.0/28;
>     }
>     ipsec-policy policy1;
> }
>
> root@SRX240# show security ipsec vpn vpn2
> bind-interface st0.0;
> ike {
>     gateway gw1;
>     proxy-identity {
>         local 10.1.2.0/24;
>         remote 192.168.1.0/28;
>     }
>     ipsec-policy policy1;
> }
>
> does anyone know how to configure multiple proxy id or have a static route with a multipoint tunnel interface?
>
> thanks.
Re: [j-nsp] SRX - multipoint st0 tunnel interface and static route
On 14 September 2012 10:10, pkc_mls pkc_...@yahoo.fr wrote:
> On 14/09/2012 10:10, Mark Menzies wrote:
> > Have you set up NHTB? As the other side is non-Junos, you will need to set this up manually. NHTB allows the SRX to decide which VPN to send the remote traffic down. I will need to check but I am fairly sure that we will still need to set up routes for the remote nets to send them to st0.
>
> NHTB has not been set, both tunnels go to the same gateway and same network. There are two local subnets involved.
>
> > I take it the other side is just set up as a normal policy type VPN and as such should be looking for the proxy-IDs you have set?
>
> sonicwall with this release can only be configured as policy type VPN. proxy IDs are fine and both tunnels come up, but the traffic is dropped with a re-route error message.

How do you route to the remote nets? Do you have the 2 routes set up on the SRX to send it to the st0 interface? If you do, then we do need NHTB set up to dictate which VPN the traffic goes down when it arrives at st0.

Alternatively, set up 2 tunnel interfaces, ie st0.0 and st0.1 and bind each VPN to its own tunnel interface.

Also, can you let us know what this reroute error message is?
Re: [j-nsp] SRX - multipoint st0 tunnel interface and static route
Yup, what he said :)

It will mean though that you will need 2 tunnel interfaces to place into 2 different routing instances. This can be a little complicated but we don't really have many options if the 2 remote sites have the same addressing scheme.

HTH

On 14 September 2012 15:59, Per Westerlund p...@westerlund.se wrote:
> Yes, static routes work. What happens is that you put the two tunnels in different routing instances. The static route/routes used in each routing instance are completely independent of each other.
>
> /Per
>
> On 14 Sep 2012 at 15:55, pkc_mls wrote:
> > On 14/09/2012 2:55, Per Westerlund wrote:
> > > The only way to handle this that I know of is FBF, in this case to implement source-based-routing. You have to pick a different tunnel depending on which source address you see.
> > >
> > > I don't have access to my systems right now so I can't send an example, but there are plenty of examples either in Juniper KB or Juniper forums. The common use case is with 2 default routes to 2 different ISPs, and having to choose one or the other based on what local IP address is used.
> > >
> > > /Per Westerlund
> >
> > Do you know if the static nat will work in such a scenario, because I have a lot of static nat rules configured for traffic through this tunnel?
> >
> > It becomes complicated for a simple multi proxy ID configuration.
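An added example (not pkc_mls's, Mark's or Per's config) of the layout this thread lands on: two route-based VPNs to one policy-based peer that presents the same remote network 192.168.1.0/28 to two different local subnets. The VPN, gateway and proxy-identity values are the ones pkc_mls posted; the LAN interface, zone and routing-instance names are assumed. Each VPN gets its own point-to-point st0 unit, so the multipoint/NHTB question disappears, each unit sits in its own virtual router with its own copy of the overlapping route, and a filter-based-forwarding (FBF) filter on the LAN interface picks the instance by source subnet. The default route with `next-table inet.0` in each instance is what lets return traffic from 192.168.1.0/28 find its way back to the local subnets.

```junos
# Added example, not from the thread. ge-0/0/1, the zone names and vr-vpn1/vr-vpn2 are assumed.

# One point-to-point tunnel unit per VPN: no multipoint, so no NHTB entries to maintain.
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet

# Same IKE gateway, two phase-2 SAs with distinct proxy IDs, as in the original post.
set security ipsec vpn vpn1 bind-interface st0.0
set security ipsec vpn vpn1 ike gateway gw1
set security ipsec vpn vpn1 ike proxy-identity local 10.1.1.0/24
set security ipsec vpn vpn1 ike proxy-identity remote 192.168.1.0/28
set security ipsec vpn vpn1 ike ipsec-policy policy1
set security ipsec vpn vpn2 bind-interface st0.1
set security ipsec vpn vpn2 ike gateway gw1
set security ipsec vpn vpn2 ike proxy-identity local 10.1.2.0/24
set security ipsec vpn vpn2 ike proxy-identity remote 192.168.1.0/28
set security ipsec vpn vpn2 ike ipsec-policy policy1

# Tunnel units still need a zone (and trust<->vpn policies) like any other interface.
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1

# One virtual router per tunnel, each holding its own copy of the same remote prefix.
# The next-table default route sends reverse traffic back into inet.0 for the LAN subnets.
set routing-instances vr-vpn1 instance-type virtual-router
set routing-instances vr-vpn1 interface st0.0
set routing-instances vr-vpn1 routing-options static route 192.168.1.0/28 next-hop st0.0
set routing-instances vr-vpn1 routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances vr-vpn2 instance-type virtual-router
set routing-instances vr-vpn2 interface st0.1
set routing-instances vr-vpn2 routing-options static route 192.168.1.0/28 next-hop st0.1
set routing-instances vr-vpn2 routing-options static route 0.0.0.0/0 next-table inet.0

# FBF on the LAN interface: steer by source subnet, everything else forwards normally in inet.0.
set firewall family inet filter fbf-vpn term net1 from source-address 10.1.1.0/24
set firewall family inet filter fbf-vpn term net1 from destination-address 192.168.1.0/28
set firewall family inet filter fbf-vpn term net1 then routing-instance vr-vpn1
set firewall family inet filter fbf-vpn term net2 from source-address 10.1.2.0/24
set firewall family inet filter fbf-vpn term net2 from destination-address 192.168.1.0/28
set firewall family inet filter fbf-vpn term net2 then routing-instance vr-vpn2
set firewall family inet filter fbf-vpn term default then accept
set interfaces ge-0/0/1 unit 0 family inet filter input fbf-vpn
```

The peer still sees exactly what it saw before (two policy-based SAs with distinct proxy IDs), so nothing changes on the SonicWall side. Verify with `show security ipsec security-associations` that both SAs are up and with `show route table vr-vpn1.inet.0` that the overlapping prefix resolves to the intended st0 unit in each instance; a packet that lands in the wrong instance is the symptom the re-route error in the thread describes.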
Re: [j-nsp] Selective packet mode local traffic
Yup, we can do selective packet mode using firewall filters. It's normally applied in the input direction however, note, it needs to be on all interfaces where we will see packets that we don't want to send to the flow module, ie the reply packets as well

As for a script, sadly don't have one, however if you do get one, I would like to have a copy. :)

On 9 August 2012 15:13, Phil Mayers p.may...@imperial.ac.uk wrote:
> All,
>
> On the J-series and branch SRX, if you want to use selective packet mode (because you want to do IPSec at the same time as MPLS, for example) then, as I understand it, you need to exclude traffic *to* the box itself from packet mode. Is this correct?
>
> Does anyone have a handy op-script that will build a prefix list of all local IPs, to help with automating this?
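An added example (not Mark's or Phil's config) of a selective packet-mode filter on a branch SRX / J-series that keeps host-bound traffic in flow mode. Instead of an op-script, the prefix list of local addresses is built from the configuration itself with `apply-path`, which is the stock Junos idiom for this. The interface names and the MPLS site prefixes are assumed.

```junos
# Added example, not from the thread. Interfaces and the 10.10/16, 10.20/16 site prefixes are assumed.

# Every IPv4 address configured on any interface, maintained by the box rather than by hand.
set policy-options prefix-list local-addresses apply-path "interfaces <*> unit <*> family inet address <*>"
set policy-options prefix-list mpls-sites 10.10.0.0/16
set policy-options prefix-list mpls-sites 10.20.0.0/16

# Term order matters: traffic to the box itself (IKE/IPsec, routing protocols, management)
# must hit the accept term first so it stays in flow mode and is not bypassed by packet-mode.
set firewall family inet filter selective-pm term to-self from destination-prefix-list local-addresses
set firewall family inet filter selective-pm term to-self then accept

# Site-to-site traffic that rides MPLS bypasses the flow module.
set firewall family inet filter selective-pm term mpls-transit from source-prefix-list mpls-sites
set firewall family inet filter selective-pm term mpls-transit from destination-prefix-list mpls-sites
set firewall family inet filter selective-pm term mpls-transit then packet-mode

# Everything else is ordinary flow-mode traffic.
set firewall family inet filter selective-pm term everything-else then accept

# Input filters on both sides so the reply direction is matched as well, as Mark notes above.
set interfaces ge-0/0/0 unit 0 family inet filter input selective-pm
set interfaces ge-0/0/1 unit 0 family inet filter input selective-pm
```

One caveat with `apply-path` against `address <*>`: the expanded prefix-list entries carry the configured prefix length (check with `show configuration policy-options prefix-list local-addresses | display inheritance`), so an interface address such as 10.1.1.1/24 makes the to-self term match the whole connected subnet, not just the router's own address. If that is too broad, point a second apply-path at `interfaces lo0` only, or list the /32s by hand for the interfaces that matter.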
Re: [j-nsp] Asymmetric flow, session reset, breaking SSH
We can go about this in one of 2 ways here.

1. Remove the Cisco SVI and force all the traffic to be passed through the J series.
2. Add interface NAT to the initial SSH session when passing the SYN through to ge-0/0/2.10. This achieves the same aim as 1 by forcing the reply traffic back through the J series, as the source address of the SSH connection seems to be the J series.

If we do the no-syn-check, we are basically negating any benefit we get from the J series as a firewall and I would not normally recommend that.

The NAT solution in 2 is commonplace for traffic that the firewall needs to see for some local network traffic (i.e. switched rather than routed).

HTH

On 8 August 2012 15:00, Tom Storey t...@snnap.net wrote:

> Hi all, hoping there is someone familiar with J Series flow handling that can help me out with this.
>
> I have a network situation (deliberate by design, not accidental in any sense) that results in asymmetric data flow.
>
> There are 3 devices involved, a PC, J2320, and a Cisco 1811. The PC is plugged into a switch port on the 1811 configured as an access port in VLAN10. This VLAN is trunked via a second switch port on the 1811 to ge-0/0/2 (configured for VLAN tagging) on the J2320 where the default gateway for the PC lives. The J2320 is also connected via ge-0/0/1 to Fa0 on the 1811, and this is used for pure routing.
>
> Initiating an SSH session from the PC results in IP packets being switched through the 1811 and into the J2320 where they then exit via ge-0/0/1 and into port Fa0 on the 1811. There is an SVI configured on the 1811 in the same subnet that the PC lives in (along with ge-0/0/2.10), so when the 1811 sends packets back to the PC they go straight out and into the PC rather than back through the J2320. This results in a session on the J2320 which has data flow in one direction, but not the other.
>
> After about 10 or so seconds, the J2320 clears this session and sends an RST back to the PC, dropping the SSH session, but not the 1811 it seems (which ties up VTY lines - but this is OK, they clear themselves up after exec-timeout is reached.)
>
> If I set security flow tcp-session no-syn-check on the J2320 the problem seems to disappear, and it no longer seems to care about one-way data flow. But the session doesn't clear away after I end the SSH session (via ~. or exit), not at least for 40 minutes or so anyway.
>
> Does anyone know how to properly handle situations like this? At the moment the configuration is just in a lab, pre-deployment.
>
> Otherwise the only practical way I can see to get around this is to remove the SVI from the 1811 so that it doesn't have a direct route back to the PC. This will just require a slight modification to the design, and I'll need to acquire additional IPs to assign to the 1811 (e.g. a /32 assigned to a loopback interface) in place of sitting it in what will be a DMZ subnet via the SVI.
>
> Thanks.
> Tom
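The symptom Tom describes, a flow session with packets on the initiating wing and nothing on the reply wing, is visible in "show security flow session" before the RST ever reaches the client. The following is an added example, not code from the thread: it parses that output (the sample is constructed, with RFC 1918 addresses, in the same shape as the real command output), flags sessions whose Out wing has seen zero packets while the In wing has traffic, and reports which interfaces the two wings sit on so the bypass path can be identified. It is a diagnostic for asymmetric routing, not a replacement for fixing the path with option 1 or 2 above.

```python
import re

# Constructed sample of "show security flow session" output (not captured from a real box).
# Session 6011 is healthy; 6012 is the one-way case: 9 packets in, 0 packets back.
SHOW_FLOW_SESSION = """\
Session ID: 6011, Policy name: trust-to-dmz/5, Timeout: 1794, Valid
  In: 192.168.10.50/52144 --> 192.168.20.1/22;tcp, If: ge-0/0/2.10, Pkts: 18, Bytes: 2211
  Out: 192.168.20.1/22 --> 192.168.10.50/52144;tcp, If: ge-0/0/1.0, Pkts: 15, Bytes: 3104

Session ID: 6012, Policy name: trust-to-dmz/5, Timeout: 8, Valid
  In: 192.168.10.50/52150 --> 192.168.20.1/22;tcp, If: ge-0/0/2.10, Pkts: 9, Bytes: 612
  Out: 192.168.20.1/22 --> 192.168.10.50/52150;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Total sessions: 2
"""

SESSION_RE = re.compile(
    r'^Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+), Timeout: (?P<timeout>\d+)')
WING_RE = re.compile(
    r'^\s*(?P<dir>In|Out): (?P<src>\S+) --> (?P<dst>\S+);(?P<proto>\w+), '
    r'If: (?P<ifl>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)')


def parse_sessions(text):
    """Turn the session table into dicts: {'id', 'policy', 'timeout', 'wings': {'In': ..., 'Out': ...}}."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {'id': int(m['sid']), 'policy': m['policy'],
                       'timeout': int(m['timeout']), 'wings': {}}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current['wings'][m['dir']] = {
                'src': m['src'], 'dst': m['dst'], 'proto': m['proto'],
                'if': m['ifl'], 'pkts': int(m['pkts']), 'bytes': int(m['bytes']),
            }
    return sessions


def one_way_sessions(sessions, min_forward_pkts=1):
    """Sessions where the initiator's wing carried traffic but the reply wing saw nothing.

    For TCP this means the SYN went through the firewall and the SYN-ACK came back
    some other way, so the session never reaches established state and is aged out
    on the short initial timeout.
    """
    flagged = []
    for s in sessions:
        fwd, rev = s['wings'].get('In'), s['wings'].get('Out')
        if fwd is None or rev is None:
            continue
        if fwd['pkts'] >= min_forward_pkts and rev['pkts'] == 0:
            flagged.append(s)
    return flagged


def report(sessions):
    """Human-readable lines naming the wings so the bypass path can be traced."""
    lines = []
    for s in one_way_sessions(sessions):
        fwd, rev = s['wings']['In'], s['wings']['Out']
        lines.append(
            f"session {s['id']}: {fwd['src']} -> {fwd['dst']} {fwd['proto']} "
            f"in via {fwd['if']} ({fwd['pkts']} pkts), reply expected on {rev['if']} "
            f"(0 pkts); reply traffic is bypassing the firewall")
    return lines


if __name__ == '__main__':
    for line in report(parse_sessions(SHOW_FLOW_SESSION)):
        print(line)
```

Run it against "show security flow session | no-more" captured during the first seconds of a suspect connection; a non-empty report with the reply wing on a different interface than the one the replies actually take is the asymmetric-path signature, and turning off syn-check would only hide it.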
Re: [j-nsp] Asymmetric flow, session reset, breaking SSH
NAT isn't evil, it's just misunderstood. :)

On 8 August 2012 16:06, Tom Storey t...@snnap.net wrote:

> NAT is evil. :-)
>
> Removing the SVI from the Cisco seems the cleanest solution to me, allowing packets to just route naturally.
>
> Thanks.
>
> On 8 August 2012 15:08, Mark Menzies m...@deimark.net wrote:
>
>> We can go about this in one of 2 ways here.
>>
>> 1. Remove the Cisco SVI and force all the traffic to be passed through the J series.
>> 2. Add interface NAT to the initial SSH session when passing the SYN through to ge-0/0/2.10. This achieves the same aim as 1 by forcing the reply traffic back through the J series, as the source address of the SSH connection seems to be the J series.
>>
>> If we do the no-syn-check, we are basically negating any benefit we get from the J series as a firewall and I would not normally recommend that.
>>
>> The NAT solution in 2 is commonplace for traffic that the firewall needs to see for some local network traffic (i.e. switched rather than routed).
>>
>> HTH
>>
>> On 8 August 2012 15:00, Tom Storey t...@snnap.net wrote:
>>
>>> Hi all, hoping there is someone familiar with J Series flow handling that can help me out with this.
>>>
>>> I have a network situation (deliberate by design, not accidental in any sense) that results in asymmetric data flow.
>>>
>>> There are 3 devices involved, a PC, J2320, and a Cisco 1811. The PC is plugged into a switch port on the 1811 configured as an access port in VLAN10. This VLAN is trunked via a second switch port on the 1811 to ge-0/0/2 (configured for VLAN tagging) on the J2320 where the default gateway for the PC lives. The J2320 is also connected via ge-0/0/1 to Fa0 on the 1811, and this is used for pure routing.
>>>
>>> Initiating an SSH session from the PC results in IP packets being switched through the 1811 and into the J2320 where they then exit via ge-0/0/1 and into port Fa0 on the 1811. There is an SVI configured on the 1811 in the same subnet that the PC lives in (along with ge-0/0/2.10), so when the 1811 sends packets back to the PC they go straight out and into the PC rather than back through the J2320. This results in a session on the J2320 which has data flow in one direction, but not the other.
>>>
>>> After about 10 or so seconds, the J2320 clears this session and sends an RST back to the PC, dropping the SSH session, but not the 1811 it seems (which ties up VTY lines - but this is OK, they clear themselves up after exec-timeout is reached.)
>>>
>>> If I set security flow tcp-session no-syn-check on the J2320 the problem seems to disappear, and it no longer seems to care about one-way data flow. But the session doesn't clear away after I end the SSH session (via ~. or exit), not at least for 40 minutes or so anyway.
>>>
>>> Does anyone know how to properly handle situations like this? At the moment the configuration is just in a lab, pre-deployment.
>>>
>>> Otherwise the only practical way I can see to get around this is to remove the SVI from the 1811 so that it doesn't have a direct route back to the PC. This will just require a slight modification to the design, and I'll need to acquire additional IPs to assign to the 1811 (e.g. a /32 assigned to a loopback interface) in place of sitting it in what will be a DMZ subnet via the SVI.
>>>
>>> Thanks.
>>> Tom
Re: [j-nsp] Quick Question About HA Setup
Hiya bud

Yes, that can work here. Just make sure that the SRXs are less than 100ms apart and each sync connection, both fabric and control, is on separate VLANs.

HTH

On 16 July 2012 10:04, Spam spam...@fioseurope.net wrote:

> Is it possible to connect 2 SRX devices together into a HA Cluster by connecting the Control Fabric Interlinks via switches, or must they be directly connected?
>
> My planned setup is as follows:
>
> SRX-Switch-10GB Xconnect-Switch-SRX
>
> I can also give each connection its own dedicated VLAN if that would help.
>
> Spammy
Re: [j-nsp] Quick Question About HA Setup
Good point. Basically, if we use a single switch to connect 2 SRXs in a cluster we introduce the switch as a single point of failure here.

If you are dead set on separating your cluster nodes with switches, use 2 separate switches, one for control, one for data, and keep the traffic on different VLANs.

Although technically this DOES work and is indeed supported, for all the reasons below, I would consider using this option carefully.

HTH

On 16 July 2012 11:20, Mike Devlin gossa...@meeksnet.ca wrote:

> Although it can work, it's recommended that you don't. Any latency spikes between the switches can cause clustering to split, and you will suddenly be in a split-brain scenario.
>
> I had a short talk with A-TAC about it a while back and they highly recommended against it for our build out.
>
> On Mon, Jul 16, 2012 at 5:16 AM, Mark Menzies m...@deimark.net wrote:
>
>> Hiya bud
>>
>> Yes, that can work here. Just make sure that the SRXs are less than 100ms apart and each sync connection, both fabric and control, is on separate VLANs.
>>
>> HTH
>>
>> On 16 July 2012 10:04, Spam spam...@fioseurope.net wrote:
>>
>>> Is it possible to connect 2 SRX devices together into a HA Cluster by connecting the Control Fabric Interlinks via switches, or must they be directly connected?
>>>
>>> My planned setup is as follows:
>>>
>>> SRX-Switch-10GB Xconnect-Switch-SRX
>>>
>>> I can also give each connection its own dedicated VLAN if that would help.
>>>
>>> Spammy