Re: [j-nsp] NAT update commit script for SRX210

2014-08-27 Thread Mike Devlin
Thanks Mike and Scott,

I'm going to give those both a shot, however as Mike mentioned, neither is an
ideal situation.  If anyone has any more suggestions that will be a little
more secure I would appreciate it.

Thanks again guys,

Mike


On Wed, Aug 27, 2014 at 10:16 AM, Scott Granados 
wrote:

> Can you use the interface tag instead of the IP?
>
> So something like match interface or the inverse of how you build a source
> nat?
>
> On Aug 26, 2014, at 6:25 PM, Mike Devlin  wrote:
>
> > Hey Guys,
> >
> > Anyone know of a tested commit script that will update NAT config based
> on
> > a DHCP interface changing IP addresses?
> >
> > The scenario is this.  I have a location where the IP address is changing
> > roughly every month.  I have a CNAME created for the FQDN pointing to a
> > dynamic DNS name that allows the DNS to get updated fairly quickly when
> > this occurs, however I'm still stuck manually updating static NATs after
> > this happens.
> >
> > I'm looking for a commit script that will look at the IP address of the
> > external interface (fe-0/0/7.0) and essentially do a "replace pattern
> > <old address> with <new address>".
> >
> > any suggestions?
> >
> >
> > Thanks,
> >
> > Mike
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] NAT update commit script for SRX210

2014-08-26 Thread Mike Devlin
Hey Guys,

Anyone know of a tested commit script that will update NAT config based on
a DHCP interface changing IP addresses?

The scenario is this.  I have a location where the IP address is changing
roughly every month.  I have a CNAME created for the FQDN pointing to a
dynamic DNS name that allows the DNS to get updated fairly quickly when
this occurs, however I'm still stuck manually updating static NATs after
this happens.

I'm looking for a commit script that will look at the IP address of the
external interface (fe-0/0/7.0) and essentially do a "replace pattern
<old address> with <new address>".

any suggestions?


Thanks,

Mike
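The update asked about above, worked through as an added example that is not from the thread and not Juniper's tooling: a Python script that reads the live DHCP address of fe-0/0/7.0 from `show interfaces terse` output, rewrites only the static-NAT `match destination-address` leaves that still carry the address recorded at the previous run, and lists every other configuration line that mentions the old address for a human to review, instead of issuing a global `replace pattern`. How the script is run (from an event script, or from a host that pulls the two command outputs), the rule-set and rule names, the addresses and the previously recorded address are all assumptions; the sample outputs are constructed.

```python
import ipaddress
import re

IFNAME = "fe-0/0/7.0"  # the external DHCP interface named in the question

# Constructed sample: 'show interfaces terse fe-0/0/7.0' after a DHCP renewal
TERSE_OUTPUT = """\
Interface               Admin Link Proto    Local                 Remote
fe-0/0/7.0              up    up   inet     203.0.113.27/24
"""

# Constructed sample: the relevant part of 'show configuration | display set',
# still carrying the address the interface had before the renewal
CONFIG_SET = """\
set interfaces fe-0/0/7 unit 0 family inet dhcp
set security nat static rule-set dnat-in from interface fe-0/0/7.0
set security nat static rule-set dnat-in rule web match destination-address 203.0.113.15/32
set security nat static rule-set dnat-in rule web then static-nat prefix 192.168.1.10/32
set security nat static rule-set dnat-in rule mail match destination-address 203.0.113.15/32
set security nat static rule-set dnat-in rule mail then static-nat prefix 192.168.1.11/32
set security address-book global address srv-public 203.0.113.15/32
"""

# Ranges an address learned on the external interface must never fall into
_NOT_EXTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

# The only leaf this script rewrites on its own
_STATIC_DST = re.compile(
    r"^(set security nat static rule-set \S+ rule \S+ match destination-address )"
    r"(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})$")


def current_address(terse, ifname=IFNAME):
    """Return the inet address (without prefix length) shown for ifname, or None."""
    for line in terse.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] == ifname and f[3] == "inet":
            return f[4].split("/")[0]
    return None


def is_usable_external(addr):
    """Reject addresses that cannot be a public lease (RFC 1918, loopback, ...)."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and not any(ip in net for net in _NOT_EXTERNAL)


def _mentions(addr, line):
    """True when addr appears in line as a whole address (not as a prefix of a longer one)."""
    return re.search(rf"(?<![\d.]){re.escape(addr)}(?!\d)", line) is not None


def plan_update(terse, config, old, ifname=IFNAME):
    """Build the reviewable change for a renewal from `old` to the live address.

    `old` is the address recorded at the previous run (assumed to be kept by
    the caller, e.g. in a file). Returns the live address, the set commands
    that move every static-NAT destination-address leaf from `old` to it, and
    every other config line still mentioning `old`, left for manual review.
    """
    new = current_address(terse, ifname)
    if new is None or not is_usable_external(new):
        raise ValueError(f"no usable external address on {ifname}: {new!r}")
    if new == old:  # nothing changed since the last run: idempotent
        return {"new": new, "commands": [], "other_refs": []}
    commands, other_refs = [], []
    for line in config.splitlines():
        m = _STATIC_DST.match(line)
        if m and m.group(2) == old:
            commands.append(f"{m.group(1)}{new}{m.group(3)}")
        elif _mentions(old, line):
            other_refs.append(line)
    return {"new": new, "commands": commands, "other_refs": other_refs}


if __name__ == "__main__":
    plan = plan_update(TERSE_OUTPUT, CONFIG_SET, old="203.0.113.15")
    print("\n".join(plan["commands"]) or "nothing to change")
    for line in plan["other_refs"]:
        print("review manually:", line)
```

Setting the leaf again with the new value overwrites it on commit, so the emitted lines can be applied as-is; the address-book line is deliberately not rewritten, because a blind pattern replace would have changed it too.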


Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Mike Devlin
Also extremely helpful in high traffic profile tunnels on higher end SRXs
with multiple SPCs.

Combined with the shell command "kmd -T source_add:dest_add" you can load
balance your IPsec traffic against lower usage SPCs and improve overall
performance and throughput :)


On Tue, May 6, 2014 at 9:10 AM, Per Westerlund  wrote:

> I think Mike was hinting at the hidden property 'local-address' to help
> select the source address from an interface that has more than one address
> configured.
>
> You won’t see it in the help, but if you enter this:
>
> set security ike gateway GATE local-address x.y.z.w
>
> it will work.
>
> This way you can use several addresses with one interface. (Extremely
> helpful if you migrate IPsec VPNs to an existing setup.)
>
> /Per
>
> 6 maj 2014 kl. 14:56 skrev Mattias Gyllenvarg :
>
> A little vague question but I will try.
>
> The Hub is dynamic (PKI + Distinguished names).
> Spokes connect to the external IF of the HUB.
>
> Jeff, regarding Loopbacks. Would you configure an IP from the external
> scope (have a /29) as Loopback to run the VPN via?
>
> Never thought of having a loopback on the untrusted side.  :)
>
> //Mattias
>
>
> On Tue, May 6, 2014 at 2:35 PM, Mike Devlin  wrote:
>
> Are you using the local-address config line under edit security ike gateway blah?
>
>
> On Tue, May 6, 2014 at 8:24 AM, Mattias Gyllenvarg  >wrote:
>
> Turns out the HUB node cannot use a "secondary" IP as the Gateway
> IP for the IPsec termination.
> This works on SRX240 in a very similar installation. But not on the
> SRX210HE2 in this installation.
>
> //Mattias Gyllenvarg
>
>
> On Fri, May 2, 2014 at 5:07 PM, Mike Devlin wrote:
>
> config please
>
>
> On Fri, May 2, 2014 at 9:33 AM, Mattias Gyllenvarg <
> matt...@gyllenvarg.se> wrote:
>
> Hi All
>
> I have been cracking my skull on this one for a while now and I am not
> getting anywhere I want to go. So, here is a nut for anyone proficient in
> Site-To-Site VPN with PKI and Distinguished names on SRX.
>
> TLDR; New installation of a setup I already have working on a global
> scale.
> Only difference in HW is a SRX210HE2 as HUB compared to a 240 in the
> working installation.
> Error is NO proposal chosen. I get this even if I try it with static IPs
> and PSK.
> Junos is [12.1X44-D20.3]
> Waiting to try [12.1X44-D30.4] but I don't have it yet.
>
> So, I have double checked the proposals (they come from a template) many
> times.
> Removed and reapplied all security config. Reloaded and so on.
> st0.0 is in trusted and all policies are in place.
>
> Can't find a known bug or deeper troubleshooting help than check your
> proposals, for this error.
>
> --
> *Best Regards*
> *Mattias Gyllenvarg*
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
>
>
> --
> *Med Vänliga Hälsningar / Best Regards*
> *Mattias Gyllenvarg*
>
>
>
>
>
> --
> *Med Vänliga Hälsningar / Best Regards*
>
> *Mattias Gyllenvarg*
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Mike Devlin
In the IKE gateway configuration there is a hidden command "local-address",

so assuming your hub is using 3 addresses and you want to use the 2nd
address for IPsec termination:

edit interfaces ge-0/0/0 unit 0 family inet
set address 1.1.1.1/29
set address 1.1.1.2/29
set address 1.1.1.3/29
top

in your security configuration you manually tell the SRX which IP address
to use.

edit security ike gateway gw
set local-address 1.1.1.2
top
commit

Seeing a copy of your config would potentially help me a little, as
requested 4 days ago, don't need it all, just the relevant stuff



On Tue, May 6, 2014 at 8:56 AM, Mattias Gyllenvarg wrote:

> A little vague question but I will try.
>
> The Hub is dynamic (PKI + Distinguished names).
> Spokes connect to the external IF of the HUB.
>
> Jeff, regarding Loopbacks. Would you configure an IP from the external
> scope (have a /29) as Loopback to run the VPN via?
>
> Never thought of having a loopback on the untrusted side.  :)
>
> //Mattias
>
>
> On Tue, May 6, 2014 at 2:35 PM, Mike Devlin  wrote:
>
>> Are you using the local-address config line under edit security ike gateway blah?
>>
>>
>> On Tue, May 6, 2014 at 8:24 AM, Mattias Gyllenvarg > > wrote:
>>
>>> Turns out the HUB node cannot use a "secondary" IP as the Gateway
>>> IP for the IPsec termination.
>>> This works on SRX240 in a very similar installation. But not on the
>>> SRX210HE2 in this installation.
>>>
>>> //Mattias Gyllenvarg
>>>
>>>
>>> On Fri, May 2, 2014 at 5:07 PM, Mike Devlin wrote:
>>>
>>>> config please
>>>>
>>>>
>>>> On Fri, May 2, 2014 at 9:33 AM, Mattias Gyllenvarg <
>>>> matt...@gyllenvarg.se> wrote:
>>>>
>>>>> Hi All
>>>>>
>>>>> I have been cracking my skull on this one for a while now and I am not
>>>>> getting anywhere I want to go. So, here is a nut for anyone proficient in
>>>>> Site-To-Site VPN with PKI and Distinguished names on SRX.
>>>>>
>>>>> TLDR; New installation of a setup I already have working on a global
>>>>> scale.
>>>>> Only difference in HW is a SRX210HE2 as HUB compared to a 240 in the
>>>>> working installation.
>>>>> Error is NO proposal chosen. I get this even if I try it with static IPs
>>>>> and PSK.
>>>>> Junos is [12.1X44-D20.3]
>>>>> Waiting to try [12.1X44-D30.4] but I don't have it yet.
>>>>>
>>>>> So, I have double checked the proposals (they come from a template) many
>>>>> times.
>>>>> Removed and reapplied all security config. Reloaded and so on.
>>>>> st0.0 is in trusted and all policies are in place.
>>>>>
>>>>> Can't find a known bug or deeper troubleshooting help than check your
>>>>> proposals, for this error.
>>>>>
>>>>> --
>>>>> *Best Regards*
>>>>> *Mattias Gyllenvarg*
>>>>> ___
>>>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> *Med Vänliga Hälsningar / Best Regards*
>>> *Mattias Gyllenvarg*
>>>
>>
>>
>
>
> --
> *Med Vänliga Hälsningar / Best Regards*
> *Mattias Gyllenvarg*
>

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Mike Devlin
Are you using the local-address config line under edit security ike gateway blah?


On Tue, May 6, 2014 at 8:24 AM, Mattias Gyllenvarg wrote:

> Turns out the HUB node cannot use a "secondary" IP as the Gateway
> IP for the IPsec termination.
> This works on SRX240 in a very similar installation. But not on the
> SRX210HE2 in this installation.
>
> //Mattias Gyllenvarg
>
>
> On Fri, May 2, 2014 at 5:07 PM, Mike Devlin  wrote:
>
>> config please
>>
>>
>> On Fri, May 2, 2014 at 9:33 AM, Mattias Gyllenvarg > > wrote:
>>
>>> Hi All
>>>
>>> I have been cracking my skull on this one for a while now and I am not
>>> getting anywhere I want to go. So, here is a nut for anyone proficient in
>>> Site-To-Site VPN with PKI and Distinguished names on SRX.
>>>
>>> TLDR; New installation of a setup I already have working on a global
>>> scale.
>>> Only difference in HW is a SRX210HE2 as HUB compared to a 240 in the
>>> working installation.
>>> Error is NO proposal chosen. I get this even if I try it with static IPs
>>> and PSK.
>>> Junos is [12.1X44-D20.3]
>>> Waiting to try [12.1X44-D30.4] but I don't have it yet.
>>>
>>> So, I have double checked the proposals (they come from a template) many
>>> times.
>>> Removed and reapplied all security config. Reloaded and so on.
>>> st0.0 is in trusted and all policies are in place.
>>>
>>> Can't find a known bug or deeper troubleshooting help than check your
>>> proposals, for this error.
>>>
>>> --
>>> *Best Regards*
>>> *Mattias Gyllenvarg*
>>> ___
>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>
>>
>
>
> --
> *Med Vänliga Hälsningar / Best Regards*
> *Mattias Gyllenvarg*
>

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-02 Thread Mike Devlin
config please


On Fri, May 2, 2014 at 9:33 AM, Mattias Gyllenvarg wrote:

> Hi All
>
> I have been cracking my skull on this one for a while now and I am not
> getting anywhere I want to go. So, here is a nut for anyone proficient in
> Site-To-Site VPN with PKI and Distinguished names on SRX.
>
> TLDR; New installation of a setup I already have working on a global scale.
> Only difference in HW is a SRX210HE2 as HUB compared to a 240 in the
> working installation.
> Error is NO proposal chosen. I get this even if I try it with static IPs
> and PSK.
> Junos is [12.1X44-D20.3]
> Waiting to try [12.1X44-D30.4] but I don't have it yet.
>
> So, I have double checked the proposals (they come from a template) many
> times.
> Removed and reapplied all security config. Reloaded and so on.
> st0.0 is in trusted and all policies are in place.
>
> Can't find a known bug or deeper troubleshooting help than check your
> proposals, for this error.
>
> --
> *Best Regards*
> *Mattias Gyllenvarg*
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


Re: [j-nsp] Loopback VPN termination High End SRX

2014-01-28 Thread Mike Devlin
Ya,

The math works out the same on the 3000s as it does on the 5000s.  Keep in
mind the 5000 series SPC have dual SPUs, so when you see SPU 9, it's
referencing the SPC in slot 5 pic 0.



On Tue, Jan 28, 2014 at 4:30 PM, Phil Fagan  wrote:

> Nice, so I'm looking at the hash of IKE local:remote and what logical and
> physical SPU it gets mapped to.  Makes sense because your RG0 is only
> control and not data.
>
> On Mon, Jan 27, 2014 at 4:21 AM, Mike Devlin 
> wrote:
> > from the shell
> >
> > kmd -T source:destination
> >
> > the order doesn't matter, the hashing is the same if you reverse the IPs.
> > Use your phase 1 addresses
> >
> >
> >
> >
> > On Sun, Jan 26, 2014 at 10:13 PM, Phil Fagan 
> wrote:
> >>
> >> Looks like the keywords here are anchoring VPN to an SPU. I think this
> >> involves the way RG mappings occur on SPU(s). Anyone with info/links on
> >> that mapping please share.
> >>
> >>
> >> On Wed, Jan 22, 2014 at 3:08 PM, Morgan McLean 
> wrote:
> >>
> >> > Hi all,
> >> >
> >> > Quick question regarding terminating IKE on a lo0 interface on a 3600
> >> > cluster.
> >> >
> >> >
> >> >
> >> >
> http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-loopback-interface-ha-for-vpn.html
> >> >
> >> > According to this, it mentions putting lo0 into an RG that's not 0, which
> >> > is the one tied to the RE and master node etc. Does anybody do this? Do you
> >> > just assign lo0 to redundancy group say 2, and then it just works? Anything
> >> > else we need to do? The VPN packets could come in over node 0 or node 1...so
> >> > I'm not sure exactly how this helps.
> >> >
> >> > --
> >> > Thanks,
> >> > Morgan
> >> > ___
> >> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> >> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >> >
> >>
> >>
> >>
> >> --
> >> Phil Fagan
> >> Denver, CO
> >> 970-480-7618
> >> ___
> >> juniper-nsp mailing list juniper-nsp@puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> >
>
>
>
> --
> Phil Fagan
> Denver, CO
> 970-480-7618
>


Re: [j-nsp] Loopback VPN termination High End SRX

2014-01-27 Thread Mike Devlin
from the shell

kmd -T source:destination

the order doesn't matter, the hashing is the same if you reverse the IPs.
Use your phase 1 addresses




On Sun, Jan 26, 2014 at 10:13 PM, Phil Fagan  wrote:

> Looks like the keywords here are anchoring VPN to an SPU. I think this
> involves the way RG mappings occur on SPU(s). Anyone with info/links on
> that mapping please share.
>
>
> On Wed, Jan 22, 2014 at 3:08 PM, Morgan McLean  wrote:
>
> > Hi all,
> >
> > Quick question regarding terminating IKE on a lo0 interface on a 3600
> > cluster.
> >
> >
> >
> http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-loopback-interface-ha-for-vpn.html
> >
> > According to this, it mentions putting lo0 into an RG that's not 0, which
> > is the one tied to the RE and master node etc. Does anybody do this? Do you
> > just assign lo0 to redundancy group say 2, and then it just works? Anything
> > else we need to do? The VPN packets could come in over node 0 or node 1...so
> > I'm not sure exactly how this helps.
> >
> > --
> > Thanks,
> > Morgan
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
>
>
> --
> Phil Fagan
> Denver, CO
> 970-480-7618
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


Re: [j-nsp] SRX vs Checkpoint (4800)

2013-11-24 Thread Mike Devlin
Can you elaborate on your "no comparison" comment?


On Sun, Nov 24, 2013 at 9:19 AM, Jerry Jones  wrote:

> No comparison with checkpoint.
>
> But Space is a framework. Yes you can purchase an appliance to run it on
> or just download the vm. In fact you can download the vm and play with for
> 30 days free.
>
> To manage SRX you would use Security Director, a component of Space. You
> can download and try it also, but first must have a valid registered Space.
>
> Security Director itself has come a long way in the last year. We have
> deployed it to manage a large national customer with many chain locations
> and it is working well. Note we sell Juniper so…
>
> They have improved the GUI on SRX and added wizards to help make life
> nice, but it still is a long way from the cli.
>
>
> On Nov 24, 2013, at 1:51 AM, Skeeve Stevens <
> skeeve+juniper...@eintellegonetworks.com> wrote:
>
> Hey all,
>
> I have a customer where we have been slowly deploying Juniper (instead of
> Cisco) for their routing and switching, and that has been going well.
>
> But the other day they asked me about replacing their Checkpoint 4800's
> with Juniper SRX.  For their needs, I am thinking of a pair of SRX550's.
> But, I would like to justify my advice...  Does anyone have any
> comparisons, etc... for Checkpoint 4800's (or that family) against SRX's?
>
> Also, rather than just touching command-line to create/change rules...  is
> there any GUI management tool for SRX firewall rules? I've heard of Space,
> but the Juniper website only really talks about it in 'concept' and I can't
> even tell if it's a physical, virtual or app platform, and what it would
> look like.
>
> I've also heard of JACL - a non-supported migration/management tool, but it
> seems to have disappeared from the net.
>
> Any advice is welcome thanks guys.
>
> ...Skeeve
>
> *Skeeve Stevens - *eintellego Networks Pty Ltd
> ske...@eintellegonetworks.com ; www.eintellegonetworks.com
>
> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
>
> facebook.com/eintellegonetworks ;  
> linkedin.com/in/skeeve
>
> twitter.com/theispguy ; blog: www.theispguy.com
>
>
> The Experts Who The Experts Call
> Juniper - Cisco - Cloud
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


Re: [j-nsp] SRX cluster and VC Lags

2013-11-06 Thread Mike Devlin
Is the load distribution going to be in some fashion even on 12 interfaces?
Or even 6?  Cisco, I know, has funky load-balancing across aggregated links
if it's not 2, 4 or 8 interfaces.  Is Juniper's load-balancing going to be
any different/better?


On Wed, Nov 6, 2013 at 4:19 AM, Fahad Khan  wrote:

> Yeah, you can do so. You don't need any explicit configuration on the SRX
> side, while you would need to enable LACP on the switch port level.
>
> All the 6 interfaces/Firewall will participate in one reth interface and
> then you can enable vlan-tagging to provision inter-vlan routing. You will
> be having interface like (e.g) reth1.100, reth1.110, reth1.120 as per your
> VLANs configuration.
>
> Muhammad Fahad Khan
> JNCIE-M # 756
> Lead Network and Security Consultant - IBM
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
>
>
> On Mon, Oct 28, 2013 at 2:28 AM, Mohammed Shafi  wrote:
>
> > Dear experts, I have a query regarding an SRX (650) cluster LAG between an
> > EX-4550 virtual chassis. I have 6 physical links from each member VC
> > towards each node in the SRX cluster.  I have multiple VLANs in the EX
> > switch and am planning to host the L3 interfaces in the SRX cluster. Now
> > the question is can I build a LAG between EX and SRX with a SINGLE reth
> > interface, say reth 1, and associate all physical interfaces from the EX
> > switch (6 interfaces, total 12) and enable vlan tagging under reth 1 with
> > unit interfaces for L3 interfaces.
> >
> > Is there any limitation for reth interfaces such that they can only have a
> > pair of physical interfaces from each node?
> >
> > Sent from my iPad
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
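To make the concern in the question above concrete, an added example that is not from the thread and is not Juniper's or Cisco's actual hashing: a Python function that deals a fixed number of hash buckets over the member links of a bundle and reports each link's share. It shows why 2, 4 or 8 links come out balanced under an 8-bucket scheme while 6 or 12 do not, and how a larger bucket count narrows the gap. The bucket counts are assumptions chosen to illustrate the arithmetic.

```python
from collections import Counter
from fractions import Fraction


def bucket_shares(n_links, n_buckets=8):
    """Share of flows each member link receives when n_buckets hash buckets
    are dealt round-robin over n_links (bucket b lands on link b % n_links).
    The 8-bucket default is an assumption for illustration, not a vendor's
    real scheme; exact Fractions keep the comparison free of float noise."""
    if n_links < 1 or n_buckets < 1:
        raise ValueError("need at least one link and one bucket")
    hits = Counter(b % n_links for b in range(n_buckets))
    return [Fraction(hits[link], n_buckets) for link in range(n_links)]


def is_balanced(n_links, n_buckets=8):
    """True when every member link receives exactly the same share."""
    shares = bucket_shares(n_links, n_buckets)
    return max(shares) == min(shares)


def imbalance(n_links, n_buckets=8):
    """Ratio of the busiest link's share to the quietest's; inf if a link idles."""
    shares = bucket_shares(n_links, n_buckets)
    quietest = min(shares)
    return float("inf") if quietest == 0 else max(shares) / quietest


if __name__ == "__main__":
    for links in (2, 4, 6, 8, 12):
        for buckets in (8, 256):
            print(f"{links:2d} links / {buckets:3d} buckets: "
                  f"balanced={is_balanced(links, buckets)!s:5} "
                  f"busiest/quietest={imbalance(links, buckets)}")
```

With 8 buckets, a 6-link bundle gives two links a quarter of the flows each and the other four an eighth each, and a 12-link bundle leaves four links idle; with 256 buckets the 6-link case is within one bucket of even. Whether a given platform behaves like this depends on its real bucket count and hash inputs, which this model does not know.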


Re: [j-nsp] Help needed with IPSEC VPN on J-Series

2013-03-21 Thread Mike Devlin
Bill,

Maybe I missed it, but I haven't seen your full IPsec VPN config, would you
mind sending it through?

Our company is switching from NetScreen SSGs to Junos SRXs, so I'm going
to apologize that these are generic and in the full set command syntax, but
this is what I sent to my colleagues as a guideline.


set interfaces fe-0/0/0 description Outside
set interfaces fe-0/0/0 unit 0 family inet address X.X.X.X/XX

set interfaces fe-0/0/1 description Inside
set interfaces fe-0/0/1 vlan-tagging

set interfaces fe-0/0/1 unit 215 description VLAN-Name_215
set interfaces fe-0/0/1 unit 215 vlan-id 215
set interfaces fe-0/0/1 unit 215 family inet address 172.31.215.5/24

set interfaces fe-0/0/1 unit 219 description VLAN-Name_219
set interfaces fe-0/0/1 unit 219 vlan-id 219
set interfaces fe-0/0/1 unit 219 family inet address 172.31.219.5/24

set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet

set routing-options static route 0/0 next-hop X.X.X.X
set routing-options static route 172.31.215.0/24 next-hop 172.31.215.1
set routing-options static route 172.31.219.0/24 next-hop 172.31.219.1

set routing-options static route 10.8.0.0/16 next-hop st0.0
set routing-options static route 10.25.0.0/16 next-hop st0.1

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group5
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc

set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text some_psk_text_here

set security ike gateway DSG_Wloo ike-policy ike-phase1-policy
set security ike gateway DSG_Wloo address X.X.X.X
set security ike gateway DSG_Wloo external-interface fe-0/0/0.0

set security ike gateway DSG_Q9 ike-policy ike-phase1-policy
set security ike gateway DSG_Q9 address X.X.X.X
set security ike gateway DSG_Q9 external-interface fe-0/0/0.0

set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-phase2-proposal lifetime-seconds 3600
set security ipsec proposal ipsec-phase2-proposal lifetime-kilobytes 2147483647

set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group5
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal

set security ipsec vpn DSG_Wloo_P2-0 bind-interface st0.0
set security ipsec vpn DSG_Wloo_P2-0 ike gateway DSG_Wloo
set security ipsec vpn DSG_Wloo_P2-0 ike proxy-identity local 172.31.0.0/16
set security ipsec vpn DSG_Wloo_P2-0 ike proxy-identity remote 10.8.0.0/16
set security ipsec vpn DSG_Wloo_P2-0 ike ipsec-policy ipsec-phase2-policy

set security ipsec vpn DSG_Q9_P2-0 bind-interface st0.1
set security ipsec vpn DSG_Q9_P2-0 ike gateway DSG_Q9
set security ipsec vpn DSG_Q9_P2-0 ike proxy-identity local 172.31.0.0/16
set security ipsec vpn DSG_Q9_P2-0 ike proxy-identity remote 10.25.0.0/16
set security ipsec vpn DSG_Q9_P2-0 ike ipsec-policy ipsec-phase2-policy

set security zones security-zone outside host-inbound-traffic system-services ike
set security zones security-zone outside host-inbound-traffic system-services ping
set security zones security-zone outside interfaces fe-0/0/0.0


set security zones security-zone ipsec-dsg-wloo address-book address DSG_WLOO-01 10.8.0.0/16
set security zones security-zone ipsec-dsg-wloo address-book address-set DSG_WLOO_Net address DSG_WLOO-01
set security zones security-zone ipsec-dsg-wloo interfaces st0.0


set security zones security-zone ipsec-dsg-q9 address-book address DSG_Q9-01 10.25.0.0/16
set security zones security-zone ipsec-dsg-q9 address-book address-set DSG_Q9_Net address DSG_Q9-01
set security zones security-zone ipsec-dsg-q9 interfaces st0.1


set security zones security-zone inside address-book address Office-Name-01 172.31.215.0/24
set security zones security-zone inside address-book address Office-Name-02 172.31.219.0/24
set security zones security-zone inside address-book address-set Office_Net address Office-Name-01
set security zones security-zone inside address-book address-set Office_Net address Office-Name-02
set security zones security-zone inside interfaces fe-0/0/1.215
set security zones security-zone inside interfaces fe-0/0/1.219
set security zones security-zone inside host-inbound-traffic system-services all



set security policies from-zone inside to-zone ipsec-dsg-wloo policy inside-dsg_wloo match source-address Office_Net
set security policies from-zone inside to-zone ipsec-dsg-wloo policy inside-dsg_wloo match destination-address DSG_WLOO_Net
set security policies from-zone inside to-zone ipsec-dsg-wloo policy inside-dsg_wloo match application 
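A check worth running over a guideline like the one above before it is rolled out, added here as an example that is neither the author's nor Juniper's tooling: a Python linter that walks set-format IKE and IPsec proposal and policy lines and flags algorithm choices that are no longer recommended (3DES, MD5, SHA-1, DH group 5 and below), suggesting the Junos keyword of a stronger replacement. The input lines are copied from the guideline in the message above; which values count as weak and which replacements are suggested are the example's own choices.

```python
import re

# Lines copied from the guideline config posted in the message above
SAMPLE_CONFIG = """\
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group5
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-phase2-proposal lifetime-seconds 3600
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group5
"""

# Values to flag, per configuration knob, with the Junos keyword of a stronger
# replacement. This table is the example's own choice, not Juniper's guidance.
WEAK = {
    "encryption-algorithm": {"des-cbc": "aes-256-cbc", "3des-cbc": "aes-256-cbc"},
    "authentication-algorithm": {"md5": "sha-256", "sha1": "sha-256",
                                 "hmac-md5-96": "hmac-sha-256-128",
                                 "hmac-sha1-96": "hmac-sha-256-128"},
    "dh-group": {"group1": "group14", "group2": "group14", "group5": "group14"},
    "keys": {"group1": "group14", "group2": "group14", "group5": "group14"},  # PFS group
}

# "set security <ike|ipsec> <proposal|policy> <name> [perfect-forward-secrecy] <knob> <value>"
_LINE = re.compile(
    r"^set security (ike|ipsec) (proposal|policy) (\S+) "
    r"(?:perfect-forward-secrecy )?(\S+) (\S+)$")


def lint(config):
    """Return one finding per weak-algorithm leaf found in a set-format config."""
    findings = []
    for line in config.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        phase, kind, name, knob, value = m.groups()
        better = WEAK.get(knob, {}).get(value)
        if better:
            findings.append({
                "phase": phase, "object": f"{kind} {name}", "knob": knob,
                "value": value, "suggest": better,
                # same leaf with the stronger value; setting it again overwrites
                "fix": line[: -len(value)] + better,
            })
    return findings


def is_clean(config):
    """True when no proposal or policy line carries a flagged value."""
    return not lint(config)


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"{f['phase']} {f['object']}: {f['knob']} {f['value']} -> {f['suggest']}")
        print("   ", f["fix"])
```

Both peers have to agree on the proposal, so the suggested lines are a starting point for a coordinated change rather than something to push to one side alone.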

Re: [j-nsp] SRX upgrade procedure -ready for enterprise?

2013-03-08 Thread Mike Devlin
Mark/Andy,

Thanks for the input, I have a cluster of 100s in my lab I'm going to test
this out on.  Been a nightmare doing it in the past.

looking forward to testing this out now :)



On Fri, Mar 8, 2013 at 6:13 PM, Andy Litzinger <
andy.litzin...@theplatform.com> wrote:

> ICU sounds interesting.  Any idea why it's not supported on the 550? or is
> that just documentation lag?
>
> > -Original Message-
> > From: Clay Haynes [mailto:chay...@centracomm.net]
> > Sent: Friday, March 08, 2013 3:08 PM
> > To: Andy Litzinger; juniper-nsp@puck.nether.net
> > Subject: Re: [j-nsp] SRX upgrade procedure -ready for enterprise?
> >
> > I've had really good luck with the ICU Upgrade for branch series. You
> > upload the software package to the active SRX, run the commands, and it
> > handles copying the package to the backup unit and all reboots. There is
> > still a drop in traffic for up to 30 seconds, but for the most part it's
> > much safer than upgrading/rebooting both units simultaneously and praying
> > they come up properly. Again, ICU is supported on branch-series only, and
> > you have to run 11.2r2 or later for it to be available.
> >
> > http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/operational/chassis-cluster-upgrading-and-aborting-backup-and-primary-device-with-icu.html
> >
> >
> >
> > I haven't had great luck on ISSU, but then again I don't have many
> > datacenter-series boxes to play with (300+ SRX650 and below, about 10
> > SRX1400 and above). I would follow this URL, and if you're running any of
> > these services in the respective code do not proceed with the ISSU:
> >
> > http://kb.juniper.net/InfoCenter/index?page=content&id=KB17946&actp=RSS
> >
> >
> >
> > - Clay
> >
> >
> >
> >
> > On 3/8/13 12:50 PM, "Andy Litzinger" 
> > wrote:
> >
> > >We're evaluating SRX clusters as replacements for our aging ASAs FO
> > >pairs in various places in our network including the Datacenter Edge.
> > >I  was reading the upgrade procedure KB:
> > >http://kb.juniper.net/InfoCenter/index?page=content&id=KB17947  and
> > >started to have some heart palpitations.  It seems a complicated
> > >procedure fraught with peril.  Anyone out there have any thoughts
> > >(positive/negative) on their experience on upgrading an SRX cluster
> > >with minimal downtime?
> > >
> > >thanks!
> > >-andy
> > >___
> > >juniper-nsp mailing list juniper-nsp@puck.nether.net
> > >https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


Re: [j-nsp] single ip on two interfaces

2013-03-05 Thread Mike Devlin
What device(s)?

reth interfaces on SRXs or AE interfaces on EXs sound like what you are
looking for.

A virtual chassis between a couple of EX switches, and LACP on the ae interface
which has its physical interfaces across 2 physically separated switches
connected to a server that is using LACP as well, should work.  I know
people have done it, I just can't personally speak from experience.



On Tue, Mar 5, 2013 at 7:23 PM, Morgan McLean  wrote:

> I think Mark is referring to bonding under linux...right? Typically bonding
> has an active / passive pair, and it can also round robin sending the
> packets out individual interfaces. Obviously all returning traffic will be
> destined to one mac, which is the active slave at the time.
>
> Bonding also supports LACP though.
>
> Morgan
>
>
> On Tue, Mar 5, 2013 at 2:44 PM, Dale Shaw 
> wrote:
>
> > Hi Mark,
> >
> > On Wed, Mar 6, 2013 at 8:09 AM, Mark Jones  wrote:
> > > Is it possible to have the same ip accessible via two interfaces the
> same
> > > way you would on a server.  This is on an mx series router.
> >
> > What do you mean when you say "..the same way you would on a server" ?
> >
> > Assigning the same IP address to separate interfaces (logical or
> > physical) is usually "wrong", unless each interface is in a separate
> > routing instance/VRF.
> >
> > Can you describe your scenario?
> >
> > Cheers,
> > Dale
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
>
>
> --
> Thanks,
> Morgan
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


Re: [j-nsp] SRX Remote log denied traffic

2013-02-26 Thread Mike Devlin
Actually, I retract that statement.

I saw a deny come through, and it was logged, but under testing and further
review, it seems that the only thing this is logging is UDP to port 44082.
Any telnet testing to random ports does not generate logs, neither does using
internet sites to test port connectivity.


And now I'm reading from Andrew and this really doesn't make any sense at all.

- If the traffic you are testing is direct to the firewall, it won't be
logged because it never hits a policy. It only works for transit traffic

What you are saying is that, from untrust to trust, I open up 5 ports, and
have some destination NAT in place, and everything is fine.  Now I want to
log the remaining 65530 TCP ports, to see if I'm being hit on any port for
any reason, and because I don't have a policy, and I don't have a destination
NAT, that this traffic is destined for the firewall, and cannot be logged?

Please tell me I'm misunderstanding this statement


On Tue, Feb 26, 2013 at 9:15 AM, Mike Devlin  wrote:

> that got it working it seems :)
>
> Thanks guys!!!
>
>
> On Tue, Feb 26, 2013 at 12:06 AM, Gordon Smith wrote:
>
>> This (remote syslog) works for me on SRX550's running 12.1R1.9
>> This will apply a default deny & log to the end of your security
>> policies, so you don't need to reorder policies after adding a new one.
>>
>> I have had issues logging locally where the box will stop logging after a
>> while. Not a big issue, since it all gets piped off to a syslog server, but
>> still annoying.
>> Syntax for that was:
>> file traffic-log {
>>     any any;
>>     match RT_FLOW_SESSION;
>>     structured-data;
>> }
>>
>>
>>
>> groups {
>>     global-policy {
>>         security {
>>             policies {
>>                 from-zone <*> to-zone <*> {
>>                     policy default-logdrop {
>>                         match {
>>                             source-address any;
>>                             destination-address any;
>>                             application any;
>>                         }
>>                         then {
>>                             deny;
>>                             log {
>>                                 session-init;
>>                             }
>>                         }
>>                     }
>>                 }
>>             }
>>         }
>>     }
>> }
>> system {
>>     syslog {
>>         host x.x.x.x {
>>             any any;
>>         }
>>     }
>> }
>> security {
>>     apply-groups global-policy;
>> }
>>
>>
>>
>> On Mon, 25 Feb 2013 16:10:49 -0500, Mike Devlin wrote:
>>
>>> nope, that didnt work either :(
>>>
>>> meeks@MeeksNet-SRX210# run show log TEST-DENY
>>>
>>> [edit]
>>>
>>> meeks@MeeksNet-SRX210# show system syslog file TEST-DENY
>>> any any;
>>> match RT_FLOW;
>>>
>>> [edit]
>>>
>>> On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon wrote:
>>>
>>>  Hello Mike
>>>>
>>>> Was wondering if you can get the deny logs  while doing local logging?
>>>>
>>>> set system syslog file TEST-DENY any any
>>>> set system syslog file TEST-DENY match RT_FLOW
>>>>
>>>> Regards
>>>> Farrukh
>>>>
>>>>
>>>> On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin 
>>>> wrote:
>>>>
>>>>  So fingers crossed that this is an easy one for you guys,
>>>>>
>>>>> Device is an SRX210BE running 11.4R5.5 code.
>>>>>
>>>>> ive added the syslog host to the config
>>>>>
>>>>> meeks@MeeksNet-SRX210> show configuration system syslog
>>>>> archive size 100k files 3;
>>>>> user * {
>>>>> any emergency;
>>>>> }
>>>>> host 192.168.1.12 {
>>>>> any any;
>>>>> }
>>>>> file messages {
>>>>> any critical;
>>>>> authorization info;
>>>>> }
>>>>> file interactive-commands {
>>>>> interactive-commands error;
>>>>> }
>>>>> file security {
>>>>> security any;
>>>>> }
>>>>> file default-log-messages {
>>>>> any any

Re: [j-nsp] SRX Remote log denied traffic

2013-02-26 Thread Mike Devlin
That got it working, it seems :)

Thanks guys!!!


On Tue, Feb 26, 2013 at 12:06 AM, Gordon Smith wrote:

> This (remote syslog) works for me on SRX550's running 12.1R1.9
> This will apply a default deny & log to the end of your security policies,
> so you don't need to reorder policies after adding a new one.
>
> I have had issues logging locally where the box will stop logging after a
> while. Not a big issue, since it all gets piped off to a syslog server, but
> still annoying.
> Syntax for that was:
> file traffic-log {
>     any any;
>     match RT_FLOW_SESSION;
>     structured-data;
> }
>
>
>
> groups {
>     global-policy {
>         security {
>             policies {
>                 from-zone <*> to-zone <*> {
>                     policy default-logdrop {
>                         match {
>                             source-address any;
>                             destination-address any;
>                             application any;
>                         }
>                         then {
>                             deny;
>                             log {
>                                 session-init;
>                             }
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
> system {
>     syslog {
>         host x.x.x.x {
>             any any;
>         }
>     }
> }
> security {
>     apply-groups global-policy;
> }
>
>
>
> On Mon, 25 Feb 2013 16:10:49 -0500, Mike Devlin wrote:
>
>> nope, that didnt work either :(
>>
>> meeks@MeeksNet-SRX210# run show log TEST-DENY
>>
>> [edit]
>>
>> meeks@MeeksNet-SRX210# show system syslog file TEST-DENY
>> any any;
>> match RT_FLOW;
>>
>> [edit]
>>
>> On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon wrote:
>>
>>  Hello Mike
>>>
>>> Was wondering if you can get the deny logs  while doing local logging?
>>>
>>> set system syslog file TEST-DENY any any
>>> set system syslog file TEST-DENY match RT_FLOW
>>>
>>> Regards
>>> Farrukh
>>>
>>>
>>> On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin 
>>> wrote:
>>>
>>>  So fingers crossed that this is an easy one for you guys,
>>>>
>>>> Device is an SRX210BE running 11.4R5.5 code.
>>>>
>>>> ive added the syslog host to the config
>>>>
>>>> meeks@MeeksNet-SRX210> show configuration system syslog
>>>> archive size 100k files 3;
>>>> user * {
>>>> any emergency;
>>>> }
>>>> host 192.168.1.12 {
>>>> any any;
>>>> }
>>>> file messages {
>>>> any critical;
>>>> authorization info;
>>>> }
>>>> file interactive-commands {
>>>> interactive-commands error;
>>>> }
>>>> file security {
>>>> security any;
>>>> }
>>>> file default-log-messages {
>>>> any any;
>>>> match "(requested 'commit' operation)|(copying configuration to
>>>> juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU
>>>> removal)|(FRU insertion)|(link UP)|(vc add)|(vc
>>>> delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license
>>>> add)|(license delete)|(package -X update)|(package -X
>>>> delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
>>>> structured-data;
>>>> }
>>>>
>>>>
>>>>
>>>> and implemented the default deny template i found here:
>>>>
>>>>
>>>> http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS
>>>>
>>>>
>>>> meeks@MeeksNet-SRX210> show configuration groups
>>>> default-deny-template {
>>>> security {
>>>> policies {
>>>> from-zone untrust to-zone trust {
>>>> policy default-deny {
>>>> match {
>>>>  

Re: [j-nsp] SRX Remote log denied traffic

2013-02-25 Thread Mike Devlin
Nope, that didn't work either :(

meeks@MeeksNet-SRX210# run show log TEST-DENY

[edit]

meeks@MeeksNet-SRX210# show system syslog file TEST-DENY
any any;
match RT_FLOW;

[edit]

On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon wrote:

> Hello Mike
>
> Was wondering if you can get the deny logs  while doing local logging?
>
> set system syslog file TEST-DENY any any
> set system syslog file TEST-DENY match RT_FLOW
>
> Regards
> Farrukh
>
>
> On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin  wrote:
>
>> So fingers crossed that this is an easy one for you guys,
>>
>> Device is an SRX210BE running 11.4R5.5 code.
>>
>> ive added the syslog host to the config
>>
>> meeks@MeeksNet-SRX210> show configuration system syslog
>> archive size 100k files 3;
>> user * {
>> any emergency;
>> }
>> host 192.168.1.12 {
>> any any;
>> }
>> file messages {
>> any critical;
>> authorization info;
>> }
>> file interactive-commands {
>> interactive-commands error;
>> }
>> file security {
>> security any;
>> }
>> file default-log-messages {
>> any any;
>> match "(requested 'commit' operation)|(copying configuration to
>> juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU
>> removal)|(FRU insertion)|(link UP)|(vc add)|(vc
>>
>> delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license
>> add)|(license delete)|(package -X update)|(package -X
>> delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
>> structured-data;
>> }
>>
>>
>>
>> and implemented the default deny template i found here:
>>
>> http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS
>>
>>
>> meeks@MeeksNet-SRX210> show configuration groups
>> default-deny-template {
>> security {
>> policies {
>> from-zone untrust to-zone trust {
>> policy default-deny {
>> match {
>> source-address any;
>> destination-address any;
>> application any;
>> }
>> then {
>> deny;
>> log {
>> session-init;
>> }
>> }
>> }
>> }
>> }
>> }
>> }
>>
>> meeks@MeeksNet-SRX210> show configuration apply-groups
>> ## Last commit: 2013-02-21 16:05:36 EST by meeks
>> apply-groups default-deny-template;
>>
>> however, when i log on to the syslog host, and tail the syslog file i do
>> not see denies being logged remotely.
>>
>> if i apply the session-init and session-close options to permitted
>> traffic,
>> it does get logged remotely.
>>
>> Alternatively,
>>
>> creating a new policy has the same result, regardless if i use reject or
>> deny
>>
>> meeks@MeeksNet-SRX210# show security policies from-zone untrust to-zone
>> trust policy deny-all
>> match {
>> source-address any;
>> destination-address any;
>> application any;
>> }
>> then {
>> deny;
>> log {
>> session-init;
>> }
>> }
>>
>> my google-foo is failing, so i hope you guys can help.
>>
>> Looking forward to hearing back from you,
>>
>> Mike
>> ___
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] SRX Remote log denied traffic

2013-02-21 Thread Mike Devlin
So fingers crossed that this is an easy one for you guys.

Device is an SRX210BE running 11.4R5.5 code.

I've added the syslog host to the config:

meeks@MeeksNet-SRX210> show configuration system syslog
archive size 100k files 3;
user * {
    any emergency;
}
host 192.168.1.12 {
    any any;
}
file messages {
    any critical;
    authorization info;
}
file interactive-commands {
    interactive-commands error;
}
file security {
    security any;
}
file default-log-messages {
    any any;
    match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license add)|(license delete)|(package -X update)|(package -X delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
    structured-data;
}



and implemented the default deny template I found here:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS


meeks@MeeksNet-SRX210> show configuration groups
default-deny-template {
    security {
        policies {
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                        log {
                            session-init;
                        }
                    }
                }
            }
        }
    }
}

meeks@MeeksNet-SRX210> show configuration apply-groups
## Last commit: 2013-02-21 16:05:36 EST by meeks
apply-groups default-deny-template;

However, when I log on to the syslog host and tail the syslog file, I do
not see denies being logged remotely.

If I apply the session-init and session-close options to permitted traffic,
it does get logged remotely.

Alternatively,

creating a new policy has the same result, regardless of whether I use reject
or deny:

meeks@MeeksNet-SRX210# show security policies from-zone untrust to-zone trust policy deny-all
match {
    source-address any;
    destination-address any;
    application any;
}
then {
    deny;
    log {
        session-init;
    }
}

My google-fu is failing, so I hope you guys can help.

Looking forward to hearing back from you,

Mike
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
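
A complete worked configuration for the logging problem in this thread, added here as an illustration; it is not taken from the thread or from KB20778. It keeps the syslog host and zone names from the post above, but the group, filter and file names are my own, the untrust interface name fe-0/0/7 and its address 203.0.113.45 are placeholders, and the filter terms are only an assumed starting point. It shows the two things the thread (including the 2013-02-26 follow-up earlier on this page) keeps running together: a transit session that a security policy denies is logged as RT_FLOW_SESSION_DENY, and only with session-init, because a denied session never reaches session-close; a connection attempt aimed at one of the SRX's own addresses is host-inbound traffic that no security policy ever evaluates, so the only place to see it is a stateless firewall filter on the ingress interface, which runs before flow processing.

```junos
/* Part 1: catch-all deny that logs every transit session it denies.
   Placed in a group with wildcard zones so it is appended after the
   explicit policies of every zone pair that already has a policy. */
groups {
    global-deny-log {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy default-logdrop {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}
security {
    apply-groups global-deny-log;
}
/* Part 2: probes against the SRX's own untrust address never reach a
   security policy, so log them with an interface filter before flow sees
   them. Only TCP SYNs and UDP that is not an obvious reply are logged;
   nothing is discarded here, flow and host-inbound-traffic still decide
   what the box accepts, so the SRX's own DNS/NTP replies are unaffected.
   203.0.113.45/32 is a placeholder for the untrust interface address. */
firewall {
    family inet {
        filter LOG-SELF-PROBES {
            term log-tcp-syn-to-self {
                from {
                    destination-address {
                        203.0.113.45/32;
                    }
                    protocol tcp;
                    tcp-initial;
                }
                then {
                    syslog;
                    accept;
                }
            }
            term skip-udp-replies {
                from {
                    destination-address {
                        203.0.113.45/32;
                    }
                    protocol udp;
                    source-port [ 53 123 ];
                }
                then accept;
            }
            term log-udp-to-self {
                from {
                    destination-address {
                        203.0.113.45/32;
                    }
                    protocol udp;
                }
                then {
                    syslog;
                    accept;
                }
            }
            term transit {
                then accept;
            }
        }
    }
}
interfaces {
    fe-0/0/7 {
        unit 0 {
            family inet {
                filter {
                    input LOG-SELF-PROBES;
                }
            }
        }
    }
}
/* Part 3: ship both message types to the collector and keep a local copy. */
system {
    syslog {
        host 192.168.1.12 {
            any any;
        }
        file denied-traffic {
            any any;
            match "RT_FLOW_SESSION_DENY|PFE_FW_SYSLOG_IP";
        }
    }
}
```

Commit it with `commit confirmed 5` so a mistake in the filter cannot lock you out, then use `show security policies` to confirm default-logdrop is the last policy of each zone pair and `show log denied-traffic` to see both message types (the policy denies arrive as RT_FLOW_SESSION_DENY, the filter hits as PFE_FW_SYSLOG_IP under the firewall facility, and the `any any` host statement already forwards both). Three caveats. The wildcard group only expands into zone pairs that already have at least one explicit policy; a pair with none falls through to `security policies default-policy`, which drops without logging. Keep `deny` rather than `reject` on the untrust side: reject answers with a TCP RST or ICMP unreachable and tells a scanner the difference between filtered and closed. The source-port exclusion in the filter is noise reduction, not security, since a sender can spoof port 53 or 123; the address in the filter has to be updated if the untrust address changes, and the PFE throttles filter syslog messages under a flood, so treat the counts as indicative rather than complete.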


Re: [j-nsp] switch idea.?

2012-12-06 Thread Mike Devlin
Thanks for your response Michael, I guess I should have provided a little
more information.

We are looking to get rid of spanning-tree in as many places as possible,
and we were originally looking at fabric solutions.  They just seem like
overkill for our traffic requirements.  We are looking to separate RVI/SVI
into a few VRF instances as well.  The implementation of a collapsed P/PE
device is to follow very shortly afterwards.  Both technologies seem to
offer these abilities (and if we can fit everything into a single VChassis
or IRF instance, no STP at all, from how I understand them).

Given these requirements, we were able to eliminate certain vendors since
they just weren't able to offer what we need.  I'm slightly worried about HP
as well, given that they have gone through 3 different OSes in the past few
years, and none of them is the same as the others.  A little frustrating if
you ask me.

But that alone isn't a deal breaker.

Again, thanks Michael.

If anyone else has touched these platforms I would love to hear more.

Mike

On Thu, Dec 6, 2012 at 12:00 PM, Michael Loftis  wrote:

>
>
>
> On Thu, Dec 6, 2012 at 8:35 AM, Mike Devlin  wrote:
>
>> Its ironic this thread has started, since my company is in the process of
>> replacing the core infrastructure, and we have it narrowed down to HP IRF
>> on 5900 and 5800 platform vs Juniper EX4550 and EX4200 VChassis.
>>
>> I was considering asking the list about any experiences they have had
>> comparing the 2 platforms.
>>
>
> The biggest thing I miss over Cisco is VTP.  Managing VLAN's is a huge
> pain without it when you've got dozens of switches that all need the same
> VLAN config. The pros on both HP and Juniper though tend to outweigh Cisco
> anymore.  HP was (is?) giving lifetime software updates, and the out the
> door prices are better than Cisco or Juniper.  When deploying a HP 5406 ZL
> some years back at a previous job I was having some pretty painful issues
> with 802.1x that they were able to debug with engineers and get us a
> non-released build with fixes. HP Procurve Tech support was pretty
> responsive at the time for those units, but that has been quite a few years
> ago now, though from what I've heard they're still pretty on the ball.
>
> At my current day job we just turned up the first EX4500 (the 4550 wasn't
> available in our timeframe since they'd JUST started shipping at the time)
> and so far so good.  We're not using the VC and might not end up using it,
> but it's nice to have if we decide to go that route/need to.  So don't
> really have much experience with those yet.  Majority of the switches at
> the current day job are PowerConnect 6248's - they mostly work pretty well
> as a plain switch, we're not doing L3 on them at all.
>
>
> I have a series of 3rd party test results related to both technologies that
>> ive been reviewing, but that can only give me so much info.  1st hand
>> experience is really what im looking to hear about here.
>>
>> Does anyone have any experience with both technologies they wouldnt mind
>> sharing with the group?
>>
>> Thanks,
>>
>> Mike
>>
>> On Thu, Dec 6, 2012 at 5:06 AM, Jonathan Lassoff  wrote:
>>
>> > If you want to stick with Juniper, maybe check out the EX4500.
>> >
>> > If you're looking for inexpensive, maybe check out the Arista 7100s or
>> > Accton's offerings.
>> >
>> >
>> > On Thu, Dec 6, 2012 at 1:48 AM, hasan alperen selçuk <
>> > h.a.sel...@hotmail.com
>> > > wrote:
>> >
>> > > Hi all,
>> > > We will change our Back Bone switch and i need some advice.
>> > > our topology
>> > > http://b1212.hizliresim.com/14/6/gml93.png
>> > > we need min. 4x10g fiber and min 1x1g fiber port (should be 12x1g sfp)
>> > > any idea?
>> > > thanks
>> > >
>> > > H.Alperen SELÇUK
>> > >
>> > >
>> > > GSM : +90 (544) 880
>> > > 98 80
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > ___
>> > > juniper-nsp mailing list juniper-nsp@puck.nether.net
>> > > https://puck.nether.net/mailman/listinfo/juniper-nsp
>> > ___
>> > juniper-nsp mailing list juniper-nsp@puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>> >
>> ___
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
>
> --
>
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler
>
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] switch idea.?

2012-12-06 Thread Mike Devlin
It's ironic this thread has started, since my company is in the process of
replacing the core infrastructure, and we have it narrowed down to HP IRF
on the 5900 and 5800 platform vs Juniper EX4550 and EX4200 VChassis.

I was considering asking the list about any experiences they have had
comparing the 2 platforms.

I have a series of 3rd party test results related to both technologies that
I've been reviewing, but that can only give me so much info.  1st hand
experience is really what I'm looking to hear about here.

Does anyone have any experience with both technologies they wouldn't mind
sharing with the group?

Thanks,

Mike

On Thu, Dec 6, 2012 at 5:06 AM, Jonathan Lassoff  wrote:

> If you want to stick with Juniper, maybe check out the EX4500.
>
> If you're looking for inexpensive, maybe check out the Arista 7100s or
> Accton's offerings.
>
>
> On Thu, Dec 6, 2012 at 1:48 AM, hasan alperen selçuk <
> h.a.sel...@hotmail.com
> > wrote:
>
> > Hi all,
> > We will change our Back Bone switch and i need some advice.
> > our topology
> > http://b1212.hizliresim.com/14/6/gml93.png
> > we need min. 4x10g fiber and min 1x1g fiber port (should be 12x1g sfp)
> > any idea?
> > thanks
> >
> > H.Alperen SELÇUK
> >
> >
> > GSM : +90 (544) 880
> > 98 80
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Layer 2 circuit - Traffic not flowing between Cisco and Juniper with mismatched VLAN ID

2012-11-01 Thread Mike Devlin
Troubleshooting is troubleshooting.  If this isn't working, making the
slight change on one end isn't going to hurt anything, and may or may not
result in the resolution or the identification of a bug in the code line,
on either side of the equation.

There's no point in negating the validity of the suggestion, without testing
it first in this exact scenario.  If that is your approach, then you have
never worked in a five 9's service provider before.  Complete disregard
because "it should work this way" is not accepted.

On Thu, Nov 1, 2012 at 3:34 PM,  wrote:

> > i would still say, its worth the effort of swapping the vlan tags, and
> > seeing if the issue continues.  Wouldnt be the first Cisco <-> Juniper
> > "disagreement" and likely wont be the last.
>
> Well now - pseudowires between Cisco and Juniper routers have been
> working for years.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Layer 2 circuit - Traffic not flowing between Cisco and Juniper with mismatched VLAN ID

2012-11-01 Thread Mike Devlin
I would still say it's worth the effort of swapping the VLAN tags, and
seeing if the issue continues.  Wouldn't be the first Cisco <-> Juniper
"disagreement" and likely won't be the last.

On Thu, Nov 1, 2012 at 2:52 PM, Saku Ytti  wrote:

> On (2012-11-01 19:07 +0100), sth...@nethelp.no wrote:
>
> > In port mode the routers will happily transport whatever they are
> > given, including VLAN tags.
>
> Quite, but they would be CVLANs technically, not SVLAN. If you are
> transporting SVLAN it's VLAN mode.
>
> --
>   ++ytti
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Layer 2 circuit - Traffic not flowing between Cisco and Juniper with mismatched VLAN ID

2012-11-01 Thread Mike Devlin
VLAN 610 on the Cisco side vs. VLAN 601 on the Juniper side?

Is that my dyslexia, or yours?

On Thu, Nov 1, 2012 at 8:49 AM, Mihai Gabriel wrote:

> I configured something similar (vpls instead vlan-ccc) with something like
> this on Juniper:
>
> interfaces {
>     ge-1/1/6 {
>         unit 901 {
>             description "C-PE2 to S-CE2";
>             encapsulation vlan-vpls;
>             vlan-id 901;
>             input-vlan-map {
>                 swap;
>                 vlan-id 801;
>             }
>             output-vlan-map swap;
>         }
>     }
> }
>
>
>
> On Thu, Nov 1, 2012 at 2:26 PM, Arun Kumar  wrote:
>
> > i m trying to do VLAN mode.
> >
> > below is the previous config that I tried,
> >
> > nieg@LAB-MX-PE5# show interfaces ge-1/1/0.601
> > encapsulation vlan-ccc;
> > vlan-id 601;
> > input-vlan-map pop;
> > output-vlan-map push;
> >
> > [edit]
> > nieg@LAB-MX-PE5# show protocols l2circuit
> > neighbor 10.20.0.2 {
> >     interface ge-1/1/0.601 {
> >         virtual-circuit-id 6012;
> >     }
> > }
> >
> > Cisco side:
> >
> > interface GigabitEthernet0/1.610
> >  encapsulation dot1Q 610
> >  xconnect 10.20.0.5 6012 encapsulation mpls
> > end
> >
> > even tried as per the config you asked for but still the same result, VC
> > stays up but no data flowing
> >
> > nieg@LAB-MX-PE5# run show l2circuit connections extensive
> >
> > Neighbor: 10.20.0.2
> > Interface Type  St Time last up  # Up
> trans
> > ge-1/1/0.601(vc 6012) rmt   Up Nov  1 17:50:20 2012
>   1
> >   Remote PE: 10.20.0.2, Negotiated control-word: Yes (Null)
> >   Incoming label: 299792, Outgoing label: 40
> >   Negotiated PW status TLV: No
> >   Local interface: ge-1/1/0.601, Status: Up, Encapsulation: VLAN
> > Connection History:
> > Nov  1 17:50:20 2012  status update timer
> > Nov  1 17:50:20 2012  PE route changed
> > Nov  1 17:50:20 2012  Out lbl Update40
> > Nov  1 17:50:20 2012  In lbl Update 299792
> > Nov  1 17:50:20 2012  loc intf up ge-1/1/0.601
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] EX and SRX code selection

2012-10-19 Thread Mike Devlin
Thanks Marco

On Fri, Oct 19, 2012 at 11:28 AM, Marco Nesler  wrote:

>
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&actp=RSS
>
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] EX and SRX code selection

2012-10-19 Thread Mike Devlin
Hey Guys,

I'm wondering what code recommendation the list would make for the following
platforms:

EX2200-C-PWR
SRX210BE

I am currently running 10.4R9.2 on the SRX, as this was the code previously
certified by my former employer for SRX3600 and SRX5800 deployments in our
infrastructure.  EX was never evaluated before I was laid off, so I'm simply
running whatever it was shipped with (11.4 something).

Although this is simply a home setup, I am looking to run code that has
been through a testing team and had a proper bug scrub wherever possible.

I appreciate the feedback.

Thanks,

Mike
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Juniper OAC Home Settings

2012-10-03 Thread Mike Devlin
Hi Rehan,

If my memory serves me right, this is a Windows restriction, where it will
only allow one service to manage the wireless connections.  I remember
trying to get OAC working for the office, and Windows for home, on both
Windows XP Pro and Windows 7, where I eventually just gave up and used
OAC for everything.  I was actively switching between the 2 services at one
point in this effort, but it did require local admin privileges on the
laptop, and it was not something the average user would find simple.

Given that this was over a year ago that I gave up the effort, I wouldn't be
able to tell you off the top of my head what exactly I was doing, but it
did involve accessing the "Services" under Administrative Tools in the
Control Panel of Windows every time I wanted to switch between OAC and
Windows.

Hope that helps,

Mike

On Wed, Oct 3, 2012 at 8:24 AM, Rehan Rafi  wrote:

> Dear All,
>
> Hopefully you all are doing fine.
>
> One of our customer has a wearied requirement related to Juniper Odyssey
> Access Client that he don't want to use OAC at home wireless network and
> want to use Widows wireless settings to connect.
>
> If above is do able, knowing client does not have permission to change OAC
> settings. Can we force windows settings to take preference over OAC?
>
> --
>
> Regards,
>
> Rehan Rafi
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] SRX IPSEC performance

2012-09-16 Thread Mike Devlin
Unfortunately, no; forcing a tunnel's traffic onto a particular SPU just isn't
something it is capable of.

The hashing of tunnels to SPCs also changes depending on the number of SPCs,
and the slots they are located in.  Code also plays a factor.  There was a
more recent 11.4-something code release in May that did more of a round-robin
distribution of the tunnels, instead of the hashing.  It was designed to
take into account "what if an SPC failed".

I was running the SPC in combo mode, since it was a 3600, and my company
didn't want to pay the additional fee to have it flipped into dedicated
mode.  On 5800s you just need 2 SPCs (3 SPUs for flows, 1 for control) to
achieve dedicated mode; a 3600 needs a license.

We were however configured in a fashion that the combo mode SPC had nothing
landing on it.

The reth0 interface was not configured with VLAN tagging, but had 2 IPs assigned
to the reth0.0 interface in the same /28 IP space.
In the IKE config, where you specify the remote peer address (pretty sure
it's the gateway config; not logged into a box at the moment to verify),
there is a hidden config you can use which is local-address, which allowed
us to specify which of the 2 addresses assigned to reth0.0 that association
would use.

I don't remember exactly what I used for an MTU, but I did do up all my
math, so that I could minimize any fragmentation at any stage, since it
will obviously reduce performance and throughput.  I think it was 1450 on
the reth interface, then subtracted the IPsec headers, and all the other
headers, and set the st0 MTU to that value.

The process was a painful learning experience, and was sadly with
production traffic.  Took weeks of troubleshooting with A-TAC.

On Sat, Sep 15, 2012 at 11:10 PM, ashish verma wrote:

> Hi Mike, Devin
>
> Thanks for your replies.
>
> Mike, Do you have the CP running in dedicated mode ? What packet size did
> you use for testing?
>
> kmd is quite useful in identifying which SPC will be used for the specific
> tunnel. Is there a way we can force an IPSEC to terminate on a required SPC
> to load balance better?
>
> Thanks again.
>
>
> On Sun, Sep 16, 2012 at 12:49 PM, Mike Devlin wrote:
>
>> So i have personally achieved 1.6G throughput per SPC on and SRX3600 on
>> 10.4R9.2 code line.
>>
>> I was required to push 3.5G from a single source, which required the use
>> of a hidden command in what i remember being the gateway config.
>>
>> i also had to pop out to the shell, and use "kmd -T ip1:ip2"
>>
>> The ips required here are those of the IKE association.  We in the end,
>> needed 2 IPs on both sides to split the traffic across 3 SPCs, and it
>> required substantial planning to get these numbers.
>>
>> Going to 12 code, which i never got to test, i had an elaborate plan to
>> attempt equal cost load balancing across multiple IPSEC VPNs on 5800s, but
>> was unfortunately laid off before i got to work out the finer details of it.
>>
>>
>>
>>
>> On Fri, Sep 14, 2012 at 8:49 AM, Devin Kennedy <
>> devinkennedy...@hotmail.com> wrote:
>>
>>> Hi Ashish:
>>>
>>> I recently tested the SRX3400 for IPsec tunnel setup rates and was able
>>> to
>>> setup 3600 tunnels using IxVPN testing tool.  I only sent traffic across
>>> the
>>> tunnels for 1 minute but the testing was successful.  We were running 4x
>>> SPC
>>> and 2xNPC in our configuration.  We were using one GE WAN interface as
>>> well.
>>> Our primary purpose was just to test that number of IPsec tunnels that we
>>> needed for a future implementation.
>>>
>>>
>>> Devin
>>>
>>>
>>> -Original Message-
>>> From: juniper-nsp-boun...@puck.nether.net
>>> [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of ashish verma
>>> Sent: Thursday, September 13, 2012 5:35 PM
>>> To: juniper-nsp
>>> Subject: [j-nsp] SRX IPSEC performance
>>>
>>> Hi All,
>>>
>>> Has anyone here done IPSEC performance tests for SRX3k and share your
>>> results?
>>> Juniper claims that with 1400bytes of packet with 2SPC and 1NPC VPN
>>> throughput is 3Gbps. How much have you achieved?
>>>
>>> Ashish
>>> ___
>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>> ___
>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>
>>
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
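
The two-address layout and the MTU arithmetic Mike describes, written out as a worked configuration. This is an added illustration, not Mike's config: the addresses, names and pre-shared key are placeholders, the chassis cluster and reth0 membership are assumed to exist already, the cipher choices are mine, and `local-address` is the knob he calls hidden on 10.4 (it is a documented statement under `security ike gateway` in later releases; the assumption here is that your release accepts it). Each IKE peer is pinned to its own local address on reth0.0 so the two SAs hash to different SPUs, and the st0 MTU plus the flow MSS clamp keep ESP packets inside a 1500-byte frame without fragmentation.

```junos
interfaces {
    reth0 {
        unit 0 {
            family inet {
                /* two addresses in the same /28; each IKE gateway below
                   binds to one of them */
                address 198.51.100.2/28;
                address 198.51.100.3/28;
            }
        }
    }
    st0 {
        /* 1400 leaves room for the worst-case ESP overhead (see note) */
        unit 0 {
            family inet {
                mtu 1400;
            }
        }
        unit 1 {
            family inet {
                mtu 1400;
            }
        }
    }
}
security {
    ike {
        proposal IKE-PROP {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy IKE-POL {
            mode main;
            proposals IKE-PROP;
            pre-shared-key ascii-text "replace-with-a-long-random-key";
        }
        gateway GW-A {
            ike-policy IKE-POL;
            address 203.0.113.10;
            local-address 198.51.100.2;
            external-interface reth0.0;
        }
        gateway GW-B {
            ike-policy IKE-POL;
            address 203.0.113.11;
            local-address 198.51.100.3;
            external-interface reth0.0;
        }
    }
    ipsec {
        proposal IPSEC-PROP {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy IPSEC-POL {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals IPSEC-PROP;
        }
        vpn VPN-A {
            bind-interface st0.0;
            ike {
                gateway GW-A;
                ipsec-policy IPSEC-POL;
            }
            establish-tunnels immediately;
        }
        vpn VPN-B {
            bind-interface st0.1;
            ike {
                gateway GW-B;
                ipsec-policy IPSEC-POL;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        /* rewrite the MSS of TCP SYNs entering the tunnels */
        tcp-mss {
            ipsec-vpn {
                mss 1340;
            }
        }
    }
}
```

The arithmetic behind the two numbers, assuming a 1500-byte IP MTU on reth0: ESP with AES-128-CBC and HMAC-SHA1-96 adds at most 20 (outer IPv4) + 8 (SPI and sequence) + 16 (IV) + 15 (padding) + 2 (pad length and next header) + 12 (ICV) = 73 bytes, or 81 with the NAT-T UDP header, so a 1400-byte inner packet always fits. For TCP, 1400 - 20 (IP) - 20 (TCP) = 1360, less 12 for the timestamp option most stacks negotiate gives 1348; 1340 leaves a little margin. Check with `show security ike security-associations` that each peer shows the intended local address, and with `show security ipsec security-associations` that both tunnels are up; the shell `kmd -T` check Mike mentions is what tells you which SPU each landed on. Use `establish-tunnels immediately` only where you want the SA up before any traffic, which is what you need if you are measuring throughput.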


Re: [j-nsp] SRX IPSEC performance

2012-09-15 Thread Mike Devlin
So I have personally achieved 1.6G throughput per SPC on an SRX3600 on the
10.4R9.2 code line.

I was required to push 3.5G from a single source, which required the use of
a hidden command in what I remember being the gateway config.

I also had to pop out to the shell, and use "kmd -T ip1:ip2"

The IPs required here are those of the IKE association.  We in the end
needed 2 IPs on both sides to split the traffic across 3 SPCs, and it
required substantial planning to get these numbers.

Going to 12 code, which I never got to test, I had an elaborate plan to
attempt equal cost load balancing across multiple IPsec VPNs on 5800s, but
was unfortunately laid off before I got to work out the finer details of it.



On Fri, Sep 14, 2012 at 8:49 AM, Devin Kennedy
wrote:

> Hi Ashish:
>
> I recently tested the SRX3400 for IPsec tunnel setup rates and was able to
> setup 3600 tunnels using IxVPN testing tool.  I only sent traffic across
> the
> tunnels for 1 minute but the testing was successful.  We were running 4x
> SPC
> and 2xNPC in our configuration.  We were using one GE WAN interface as
> well.
> Our primary purpose was just to test that number of IPsec tunnels that we
> needed for a future implementation.
>
>
> Devin
>
>
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net
> [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of ashish verma
> Sent: Thursday, September 13, 2012 5:35 PM
> To: juniper-nsp
> Subject: [j-nsp] SRX IPSEC performance
>
> Hi All,
>
> Has anyone here done IPSEC performance tests for SRX3k and share your
> results?
> Juniper claims that with 1400bytes of packet with 2SPC and 1NPC VPN
> throughput is 3Gbps. How much have you achieved?
>
> Ashish
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Quick Question About HA Setup

2012-07-16 Thread Mike Devlin
Although it can work, it's recommended that you don't.

Any latency spikes between the switches can cause clustering to split, and
you will suddenly be in a split-brain scenario.

I had a short talk with A-TAC about it a while back and they highly
recommended against it for our build out.

On Mon, Jul 16, 2012 at 5:16 AM, Mark Menzies  wrote:

> Hiya bud
>
> Yes that can work here.
>
> Just make sure that the SRXs are less than 100ms apart and each sync
> connection, both fabric and control, is on separate VLANs.
>
> HTH
>
>
>
> On 16 July 2012 10:04, Spam  wrote:
>
> > Is it possible to connect 2 SRX devices together into a HA Cluster by
> > connecting
> > the Control & Fabric Interlinks via switches or must they be directly
> > connected.
> >
> > My planned setup is as follows:
> >
> > SRX<->Switch<->10GB Xconnect<->Switch<->SRX
> >
> > I can also give each connection is own dedicated VLAN if that would help.
> >
> > Spammy
> >
> >
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp