Re: [j-nsp] VPN over ADSL With 4G Backup

2015-06-13 Thread Nc Aji
Appreciate your input.

To make it a bit clearer:

We will have a non-RFC1918 IP address at the hub, and the spokes will get a
dynamic IP from the provider through ADSL2+.

The spokes should have 4G as backup for the ADSL2+.

How should the backup link be configured?

I assume at the hub st0.x multipoint will be configured.

Do you have any suggestions regarding the configuration?

Thx



On Fri, Jun 12, 2015 at 8:15 PM, Hugo Slabbert h...@slabnet.com wrote:

 On Thu 2015-Jun-11 23:27:22 +0300, Nc Aji aji14...@gmail.com wrote:

  Need to connect 250 Outlets by using ADSL Over internet


 Static or DHCP at the outlets?

  At the Head end We have public address need to have 4G as backup.


 I can't parse this sentence.  I get that you have a non-RFC1918 IP at the
 hub, by "need to have 4G as backup" do you mean that the hub site has/needs
 4G backup or that the outlets/spokes will have/need 4G connections as
 backup to their primary ADSL connection?

  Which VPN technologies to be used


 We stick with routed IPSEC tunnels (st0.x).  Scales better; simpler
 management of routing policy; and policy VPNs are just too opaque for my
 liking.  That assumes that you have statics at the spokes, though, as doing
 routed ipsec tunnels with dynamic endpoints is a PITA.

  Please suggest the juniper device model at spokes and HUB.


 Probably best to talk to your SE.  The suggestions below are just
 approximations based on some assumptions of your setup, and requisite
 grains of salt are suggested.

 Spokes:
 SRX100 or 110 for the spokes.  I'm assuming since you said ADSL it's
 e.g. ADSL2+ or similar, so lower speeds (<= 15 mbps down) rather than
 higher rate VDSL2?  An SRX100 can handle crypto & stateful firewalling on
 that throughput without issue, so you don't have to step up to anything
 bigger like e.g. SRX210 or SRX240 unless you need GigE on the LAN or
 something.

 You could also go for the SRX110H-VA with built-in ADSL/VDSL if you need
 to bring your own modem rather than the ADSL provider putting one in.


 Hub:

 Question of scale, really.  Size for throughput and site count and throw
 in your oversubscription ratio of choice, then go from there.  E.g. if
 you're doing 15 mbps ADSL per site @ 250 sites, that's a theoretical peak
 of ~3.7 Gbps.  That said, I have my doubts about all of your sites
 simultaneously pinning their download, hence factoring in an oversub ratio.

 At-a-glance SRX range comparo:
 http://www.juniper.net/us/en/products-services/security/srx-series/compare/

 For crypto on the hub site, you could pair that up with an SRX as well.
 For the throughput you're looking at, something like a larger branch
 (SRX550/650) would probably be fine.  You're still looking at a software
 router in those, so just be aware that pinning the control plane can hit
 your forwarding unless you step up to something in the high end / DC SRX
 range (1400 or higher).  Some people do MX's with encryption services PICs
 [1], which gets you a proper routing platform, but that's obviously a
 different price point.

 If you're doing backup connections of some sort, a fairly clean way to
 handle that in a routed IPSEC tunnel solution would be 2x crypto tunnel
 interfaces (st) per site.  If you mean 4G at the branch, the two tunnels
 would have different external-interface settings defined.  If the 4G was at
 the head office (which would be interesting from a bandwidth perspective),
 there would be two different ike-gateway addresses defined, pointing at the
 two different H/O IPs.

 You'd then want to check for liveness across those two tunnels, so run a
 protocol with appropriate metrics defined for the crypto interfaces.

 Beware that if you don't do anything about it on the hub or spokes,
 asymmetric routing across the two different tunnels could cause you some
 grief as the SRX caches ingress/egress interfaces for flows and will by
 default drop traffic ingressing on diff interface than it expects (e.g.
 ADSL fails and traffic now comes in over the 4G tunnel).

 You may need to either disable tcp syn-check and sequence check to deal
 with that [2][3][4][5], forgo flow processing & stateful firewalling and
 chuck everything coming in over the tunnels into selective packet mode, or
 separate routing from the IPSEC termination and use some tunneling to land
 traffic on a proper, external router.

  Does anyone use this setup with success? Does the SRX or J Series suit this
 requirement?


 Yes.

  Thx


 No problem.

 --
 Hugo

 h...@slabnet.com: email, xmpp/jabber
 PGP fingerprint (B178313E):
 CF18 15FA 9FE4 0CD1 2319
 1D77 9AB1 0FFD B178 313E
 (also on textsecure & redphone)

 [1] http://kb.juniper.net/InfoCenter/index?page=content&id=KB19733
 [2] http://forums.juniper.net/t5/SRX-Services-Gateway/asymmetry-problem/td-p/250084
 [3] http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/session-tcp-packet-security-check-for-srx-series-disabling-cli.html
 [4] http://kb.juniper.net/InfoCenter/index?page

[j-nsp] VPN over ADSL

2015-06-12 Thread Nc Aji
Hi folks,

Need to connect 250 outlets by using ADSL over the internet. At the head end
we have a public address; need to have 4G as backup.

Which VPN technologies should be used? Please suggest the Juniper device model
at the spokes and hub.

Does anyone use this setup with success? Does the SRX or J Series suit this
requirement?

Thx
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] VPN over ADSL With 4G Backup

2015-06-11 Thread Nc Aji
Need to connect 250 outlets by using ADSL over the internet. At the head end
we have a public address; need to have 4G as backup.

Which VPN technologies should be used? Please suggest the Juniper device model
at the spokes and hub.

Does anyone use this setup with success? Does the SRX or J Series suit this
requirement?

Thx


[j-nsp] Junos Space Spotlight Connector VM

2015-01-18 Thread Nc Aji
The Junos Spotlight Connector is supported on ESXi and ESX platforms only. What is
the option for a customer environment with Microsoft Hyper-V as the
virtualization platform?

Are there any other free virtual platforms that support the Spotlight Connector? Or
can I install this on a physical machine?

Unfortunately many of our customers have Hyper-V as a virtual platform and
we are unable to propose the Anti-Malware Protection on SRX platforms as it
requires the Spotlight Secure Connector.

Other vendors have gone way ahead on this. Also, even if we buy the
Junos Space Appliance (which is costly) we still need the VM for the Spotlight
Connector, which is not a good idea in my opinion.

Thanks Aji


[j-nsp] User Role Firewall in SRX

2014-09-09 Thread Nc Aji
Does the Juniper SRX with the latest version 12.1X47 support User Firewall
roles without using MAG?

I wasn't able to see that in the release notes or in the Feature Explorer.

Thank you all..


[j-nsp] EX-SFP-10GE-USR: Transceiver can be used with OM4 cabling?

2014-08-31 Thread Nc Aji
Hi Team,

Can we use the EX-SFP-10GE-USR transceivers with OM4 cabling? It works out
quite cheap as compared to EX-SFP-10GE-SR, and in my case the distance is below
100 meters.

I am trying to propose this with EX4450 switches.

Thanks in Advance

ANC


Re: [j-nsp] Srx 240 ipsec site to site

2013-05-13 Thread Nc Aji
Yes, the issue is dyn-dns support. Does anyone have working scripts and
procedures for getting this to work?


On Mon, May 13, 2013 at 10:22 AM, Nick Kritsky nick.krit...@gmail.com wrote:

 I guess you can achieve this functionality using event-scripts.

 Nick


 On Mon, May 13, 2013 at 10:30 AM, Klaus Groeger kla...@gmail.com wrote:

  Hi
 
 
  you may not resolve the issue with auto vpn, because the main problem is:
  both sites are assigned the IPs dynamically - via dhcp or whatever. If
  both sites do not know the peer's IP address, they cannot establish a
  tunnel.
 
 
  In ScreenOS, one has the option to use hostname instead of an IP address,
  the system makes a name lookup and connects to the resolved address. This
  isn't possible with SRX, because the hostname is resolved during
  configuration and the IP address will be nailed down in the config.
 
 
  Even if you use aggressive mode, one site has to be a fixed IP address!
 
 
  Regards
 
 
  Klaus
 
 
 
  —
  Sent from Mailbox for iPhone
 
 
  On Sun., May 12, 2013 at 20:58, Misha Gzirishvili misha.gzirishv...@gmail.com
 wrote:
  Hi Aji,
  Take a look at AutoVPN.
  Some links about it:
 



[j-nsp] SRX 240 Site to Site Vpn Question

2013-05-06 Thread Nc Aji
I have a small customer requiring a VPN between two of their sites. One site
is so remote that we have only a 3G internet connection available; the other
site, which is considered to be the main site, has internet over an
ADSL link. In essence both sides are getting a dynamic IP address. Can I
have a site-to-site VPN in this situation?

Does the SRX support a dyndns feature? Can I use it for establishing a
site-to-site VPN?

If not, what is the other option to suggest to the customer?

Regards,
Aji N C


[j-nsp] Srx 240 ipsec site to site

2013-05-06 Thread Nc Aji
Dear Group,

I have a small customer requiring a VPN between two of their sites. One site
is so remote that we have only a 3G internet connection available; the other
site, which is considered to be the main site, has internet over an
ADSL link. In essence both sides are getting a dynamic IP address. Can I
have a site-to-site VPN in this situation?

Does the SRX support a dyndns feature? Can I use it for establishing a
site-to-site VPN?

If not, what is the other option to suggest to the customer?


[j-nsp] Not logging the interface status logs

2012-12-23 Thread Nc Aji
Is there a possibility of stopping interface status logs being sent to the
syslog server?

Like in Cisco: *no logging event link-status*

I know we can match the strings and send the logs towards the syslog
server. Can we match a string and not send the log message that contains
the string?

Thanking you,

Regards,

Aji


Re: [j-nsp] Not logging the interface status logs

2012-12-23 Thread Nc Aji
Thanks for that shot.. Is there a way we can do this globally?

Thx,
Aji


On Sun, Dec 23, 2012 at 12:09 PM, Kurt Bales kwba...@kwbales.net wrote:

 If you set no-traps at the IFD level you should be fine.


 On Sunday, December 23, 2012, Nc Aji wrote:

 Is there a possibility of stopping interface status logs being sent to the
 syslog server?

 Like in Cisco: *no logging event link-status*

 I know we can match the strings and send the logs towards the syslog
 server. Can we match a string and not send the log message that contains
 the string?

 Thanking you,

 Regards,

 Aji


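Two Junos statements for the interface-status question in this thread, added here as an illustration and not taken from the thread: the per-interface no-traps that Kurt suggests, and a negated match on the syslog host statement as a global alternative, which is my addition rather than something the thread states. Assumed, not from the page: fe-0/0/1 as the interface, 192.0.2.10 as the syslog server, and a Junos release whose syslog match expressions accept the leading "!" negation.

```junos
## Per-interface (Kurt's suggestion): suppress link up/down trap messages for this IFD
set interfaces fe-0/0/1 no-traps
## Global alternative (assumed server 192.0.2.10): forward notice and above to the
## collector but drop anything matching the regex; the leading "!" negates the match
set system syslog host 192.0.2.10 any notice
set system syslog host 192.0.2.10 match "!(.*SNMP_TRAP_LINK_(UP|DOWN).*)"
```

Dropping these messages at the export stage also hides genuine link flaps from whoever watches the collector, so confirm they are still written to a local file (for example the default messages file) before relying on the match.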