Re: [j-nsp] eve-ng - lab environment

2018-07-16 Thread Vincent Clement
The new jcl (Juniper Cloud labs) looks a lot like eve ng, hope to give
it a look soon.

On Monday, 16 July 2018, Christian Scholz wrote:

> Welcome to the world of EVE.
> I prepped my JNCIE purely with EVE ;)
>
>
>
>
> > On 16.07.2018 at 14:16, Aaron Gould wrote:
> >
> > Oh my gosh, Eve-ng is awesome!  If you didn't know about it, you gotta try
> > it.  It's so cool in its ability to run vSRX and vMX so far in my testing.
> > In only a short couple days I've been able to test the following.
> >
> > - mpls martini l2circuits using ldp
> > - mpls vpls bgp ad/ldp sig (rfc4762)
> > - mpls vpls bgp ad/bgp sig (rfc4761)
> > - mpls evpn (my first look ever!)
> > - mplsogre (my first look ever in junos!)
> >
> > I wanted to see it run L2 bridging technologies since I had so much
> > unsuccess in my previous GNS3 attempts over the last few years (I may have
> > never set up the virtual l2 fwd'ing plane in gns3 like I should have)
> >
> > in case you want to take a look.
> >
> > http://eve-ng.com
> >
> >
> >
> > I had to take a moment and share about this.  It's so clean and elegant in
> > how it runs and works.
> >
> >
> >
> > -Aaron
> >
> > ___
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>


-- 
Vincent Clément
+33 6 74 49 66 30


Re: [j-nsp] EX2300 issues

2016-11-14 Thread Vincent Clement
Hello,

We have no probs with 2200, but we decided to go with 2300 for a new
building.
We made the purchase this summer, and the delivery is expected for
mid-December, in the best case.

Vincent

2016-11-15 1:33 GMT+01:00 Graham Brown :

> Hi Lucio,
>
> I have checked the EoL notices for the EX2200 and there is nothing there -
> so that means you have at least five years before it would become end of
> support.
>
> As for the supply issues, this should have been resolved for all affected
> EX series switches. Were you after a PoE model? Your local SE, or
> distributor should be able to provide a current shipping timeframe,
> including a delta against the target time.
>
> Hopefully you can get an EX2300, but if not the EX2200 has been a solid
> performer over the years.
>
> HTH,
> Graham
>
> Graham Brown
> Twitter - @mountainrescuer 
> LinkedIn 
>
> On 15 November 2016 at 05:01, Valentini, Lucio 
> wrote:
>
> > Hi folks,
> >
> > back in August there was a post about EX2300 supply delays; now we are in
> > November, but there still seem to be some issues with shipment. I called
> > Juniper a couple of weeks ago, to see if there are plans to phase out the
> > EX2200, which could be supplied instead, but I am still waiting for an
> > answer. Do any of you guys have some more info about the EX2300
> > availability?
> >
> > Thanks
> >
> > Best regards
> >
> > Lucio
> >
>



-- 
Vincent Clément
+33 6 74 49 66 30

Re: [j-nsp] EX4600: Splitting up one QSFP+ port into four SFP+ ports?

2016-03-19 Thread Vincent Clement
Hi
Have done it on qfx series no issues.
However you should go on 4600 over 45xx, soon eol.
Vincent
On Thursday, 17 March 2016, v wrote:

> Hello,
>
> I am interested in buying an EX4600 and curious about the QSFP+ ports. My
> question is the following:
> Can the QSFP+ ports really be split up into four fully featured SFP+
> ports? Are there any caveats or disadvantages to this approach?
>
> I'm asking because the EX4600 costs just as much as the EX4550 (which has
> 32 SFP+ ports). If we could split up the QSFP+ ports on the EX4600 to have
> 40 fully featured SFP+ ports that would be awesome.
>
> Regards,
> v
>


-- 
Vincent Clément
+33 6 74 49 66 30

Re: [j-nsp] LACP on mixed virtual chassis QFX5100/EX4300

2015-11-05 Thread Vincent Clement
Auto-correct: seems I was wrong, I thought that because no negotiation
options on xe interfaces, but should be supported as you said.
I'll make more tests, but I had trouble trying to connect 1G/100M on
QFX5100-48T with old devices.

Vincent

2015-11-05 11:04 GMT+01:00 Vincent Clement :

> Hi Farid :)
>
> Yes, but was assuming we talk about 48T, so only 10G as far as I know, no
> way to negotiate 1G.
>
> Vincent
>
> 2015-11-05 10:54 GMT+01:00 Bouzemarene, Farid (ATS) <
> farid.bouzemar...@avnet.com>:
>
>> Hi vincent ;)
>>
>> QFX supports 1g also but you have to use 1g SFP !
>>
>> I had no luck with Cisco or other vendors optics but with juniper ( or
>> solidoptics / juniper ) there is no problem .
>>
>> Farid
>>
>> -----Original Message-----
>> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf
>> Of Vincent Clement
>> Sent: Wednesday, 4 November 2015 19:12
>> To: Michael Loftis
>> Cc: juniper-nsp@puck.nether.net
>> Subject: Re: [j-nsp] LACP on mixed virtual chassis QFX5100/EX4300
>>
>> Hello,
>>
>> Pretty sure QFX is 10G only, so if you want to achieve that, you'll have
>> to use an uplink module to have 10G on 4300 side.
>>
>> Vincent
>>
>> 2015-11-04 2:23 GMT+01:00 Michael Loftis :
>>
>> > I'd take a closer look at show interfaces. When a link is 1gig QFX
>> > calls it ge-. So you can have an ex-0/0/1 and a ge-0/0/1 but only one
>> > is active as I do not believe tri rate SFP+ is supported.
>> >
>> > On Tuesday, November 3, 2015, ThienDuc Nguyen
>> > 
>> > wrote:
>> >
>> > > Hi
>> > >
>> > > I was trying to create a LACP bundle between two ports : one on an
>> > > EX4300, the other on a QFX5100.
>> > > Both links have their speed negotiated at 1GE (but the interface name
>> > > on the QFX is xe-, I can't force it to ge-, and there is no way to force
>> > > the speed on the QFX).
>> > > if I set the lacp speed to 1ge, the configuration can't commit
>> > > because it sees the QFX interface as a 10G interface...
>> > >
>> > >
>> > > Is there a special knob to activate it, or I need to create LACP on
>> > > the same device family ?  (the version is  14.1X53-D30.3)
>> > >
>> > > Thanks,
>> > >
>> > > *Thien Duc Nguyen*
>> > >
>> >
>> >
>> > --
>> >
>> > "Genius might be described as a supreme capacity for getting its
>> > possessors into trouble of all kinds."
>> > -- Samuel Butler
>> >
>>
>>
>>
>> --
>> Vincent Clément
>> +33 6 74 49 66 30
>>
>
>
>
> --
> Vincent Clément
> +33 6 74 49 66 30
>



-- 
Vincent Clément
+33 6 74 49 66 30

Re: [j-nsp] LACP on mixed virtual chassis QFX5100/EX4300

2015-11-05 Thread Vincent Clement
Hi Farid :)

Yes, but was assuming we talk about 48T, so only 10G as far as I know, no
way to negotiate 1G.

Vincent

2015-11-05 10:54 GMT+01:00 Bouzemarene, Farid (ATS) <
farid.bouzemar...@avnet.com>:

> Hi vincent ;)
>
> QFX supports 1g also but you have to use 1g SFP !
>
> I had no luck with Cisco or other vendors optics but with juniper ( or
> solidoptics / juniper ) there is no problem .
>
> Farid
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf
> Of Vincent Clement
> Sent: Wednesday, 4 November 2015 19:12
> To: Michael Loftis
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] LACP on mixed virtual chassis QFX5100/EX4300
>
> Hello,
>
> Pretty sure QFX is 10G only, so if you want to achieve that, you'll have
> to use an uplink module to have 10G on 4300 side.
>
> Vincent
>
> 2015-11-04 2:23 GMT+01:00 Michael Loftis :
>
> > I'd take a closer look at show interfaces. When a link is 1gig QFX
> > calls it ge-. So you can have an ex-0/0/1 and a ge-0/0/1 but only one
> > is active as I do not believe tri rate SFP+ is supported.
> >
> > On Tuesday, November 3, 2015, ThienDuc Nguyen
> > 
> > wrote:
> >
> > > Hi
> > >
> > > I was trying to create a LACP bundle between two ports : one on an
> > > EX4300, the other on a QFX5100.
> > > Both links have their speed negotiated at 1GE (but the interface name
> > > on the QFX is xe-, I can't force it to ge-, and there is no way to force
> > > the speed on the QFX).
> > > if I set the lacp speed to 1ge, the configuration can't commit
> > > because it sees the QFX interface as a 10G interface...
> > >
> > >
> > > Is there a special knob to activate it, or I need to create LACP on
> > > the same device family ?  (the version is  14.1X53-D30.3)
> > >
> > > Thanks,
> > >
> > > *Thien Duc Nguyen*
> > >
> >
> >
> > --
> >
> > "Genius might be described as a supreme capacity for getting its
> > possessors into trouble of all kinds."
> > -- Samuel Butler
> >
>
>
>
> --
> Vincent Clément
> +33 6 74 49 66 30
>



-- 
Vincent Clément
+33 6 74 49 66 30

Re: [j-nsp] LACP on mixed virtual chassis QFX5100/EX4300

2015-11-04 Thread Vincent Clement
Hello,

Pretty sure QFX is 10G only, so if you want to achieve that, you'll have to
use an uplink module to have 10G on 4300 side.

Vincent

2015-11-04 2:23 GMT+01:00 Michael Loftis :

> I'd take a closer look at show interfaces. When a link is 1gig QFX calls it
> ge-. So you can have an ex-0/0/1 and a ge-0/0/1 but only one is active as I
> do not believe tri rate SFP+ is supported.
>
> On Tuesday, November 3, 2015, ThienDuc Nguyen 
> wrote:
>
> > Hi
> >
> > I was trying to create a LACP bundle between two ports : one on an EX4300,
> > the other on a QFX5100.
> > Both links have their speed negotiated at 1GE (but the interface name on
> > the QFX is xe-, I can't force it to ge-, and there is no way to force the
> > speed on the QFX).
> > if I set the lacp speed to 1ge, the configuration can't commit because it
> > sees the QFX interface as a 10G interface...
> >
> >
> > Is there a special knob to activate it, or I need to create LACP on the
> > same device family ?  (the version is  14.1X53-D30.3)
> >
> > Thanks,
> >
> > *Thien Duc Nguyen*
> >
>
>
> --
>
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler
>



-- 
Vincent Clément
+33 6 74 49 66 30

Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?

2014-04-11 Thread Vincent Clement
Thanks Chris, fixed almost all the customers already, was just curious :)


2014-04-11 20:04 GMT+02:00 Chris Jones :

> Configuration is irrelevant.
>
>
> On Fri, Apr 11, 2014 at 12:48 AM, Vincent Clement wrote:
>
>> Confirm too, and I answer to myself:
>> Made some tests with Heartbleed python scripts:
>> It seems that when your realm/port requires a client certificate, the SSL
>> process stops if you have no certificate BEFORE the heartbleed issue can be
>> exploited.
>>
>> Still need to upgrade, but depending on your configuration you may be less
>> critically exposed.
>>
>> Vincent
>>
>>
>> 2014-04-10 19:56 GMT+02:00 Dave Funk :
>>
>> >
>> >  Date: Thu, 10 Apr 2014 00:21:13 +0200
>> >> From: Vincent Clement 
>> >> To: Morgan McLean 
>> >> Cc: "juniper-nsp@puck.nether.net" 
>> >> Subject: Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?
>> >> Message-ID:
>> >> > >> mail.gmail.com>
>> >>
>> >>
>> >> Hello,
>> >> Anyone here to confirm me how it works?
>> >> I mean, I've looked after some heartbleed description, and I'm not sure
>> >> when the issue can occur:
>> >> If I have certificate authentication on MAG, is this still vulnerable, or
>> >> the attacker can't even start the SSL connection and go to the step where
>> >> heartbeat occurs to have access to the issue?
>> >> In the SSL/TLS process, I think the SSL session starts with the MAG server
>> >> certificate sent to client, then ask for customer one. Is this sufficient
>> >> to "launch" heartbleed for an attacker?
>> >>
>> >> Thanks,
>> >> Vincent
>> >>
>> >>
>> >> 2014-04-09 21:25 GMT+02:00 Morgan McLean :
>> >>
>> >>  Just refer to their doc, our MAGs are vulnerable. All depends on the
>> >>> software.
>> >>>
>> >>> Thanks,
>> >>> Morgan
>> >>>
>> >>
>> > I don't know the answer to your question but you can find out empirically
>> > by using one of the online SSL testers on your MAG. The testers actually
>> > try to exercise the flaw (send a heartbeat request asking for more than they
>> > should be allowed to get) and if they succeed then you're at risk.
>> > A good one is: https://www.ssllabs.com/ssltest/
>> >
>> > I can confirm that 7.4R9.1 fixed our SA4500s (thank you Juniper engineers
>> > who worked thru the night to create that release).
>> >
>> >
>> >
>> > --
>> > Dave Funk  University of Iowa
>> > College of Engineering
>> > 319/335-5751   FAX: 319/384-0549   1256 Seamans Center
>> > Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
>> > #include 
>> > Better is not better, 'standard' is better. B{
>> >
>>
>>
>>
>> --
>> Vincent Clément
>> +33 6 74 49 66 30
>>
>
>
>
> --
> Chris Jones
> JNCIE-ENT #272
> CCIE# 25655 (R&S)
>



-- 
Vincent Clément
+33 6 74 49 66 30

Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?

2014-04-11 Thread Vincent Clement
Confirm too, and I answer to myself:
Made some tests with Heartbleed python scripts:
It seems that when your realm/port requires a client certificate, the SSL
process stops if you have no certificate BEFORE the heartbleed issue can be
exploited.

Still need to upgrade, but depending on your configuration you may be less
critically exposed.

Vincent


2014-04-10 19:56 GMT+02:00 Dave Funk :

>
>  Date: Thu, 10 Apr 2014 00:21:13 +0200
>> From: Vincent Clement 
>> To: Morgan McLean 
>> Cc: "juniper-nsp@puck.nether.net" 
>> Subject: Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?
>> Message-ID:
>> > mail.gmail.com>
>>
>>
>> Hello,
>> Anyone here to confirm me how it works?
>> I mean, I've looked after some heartbleed description, and I'm not sure
>> when the issue can occur:
>> If I have certificate authentication on MAG, is this still vulnerable, or
>> the attacker can't even start the SSL connection and go to the step where
>> heartbeat occurs to have access to the issue?
>> In the SSL/TLS process, I think the SSL session starts with the MAG server
>> certificate sent to client, then ask for customer one. Is this sufficient
>> to "launch" heartbleed for an attacker?
>>
>> Thanks,
>> Vincent
>>
>>
>> 2014-04-09 21:25 GMT+02:00 Morgan McLean :
>>
>>  Just refer to their doc, our MAGs are vulnerable. All depends on the
>>> software.
>>>
>>> Thanks,
>>> Morgan
>>>
>>
> I don't know the answer to your question but you can find out empirically
> by using one of the online SSL testers on your MAG. The testers actually
> try to exercise the flaw (send a heartbeat request asking for more than they
> should be allowed to get) and if they succeed then you're at risk.
> A good one is: https://www.ssllabs.com/ssltest/
>
> I can confirm that 7.4R9.1 fixed our SA4500s (thank you Juniper engineers
> who worked thru the night to create that release).
>
>
>
> --
> Dave Funk  University of Iowa
> College of Engineering
> 319/335-5751   FAX: 319/384-0549   1256 Seamans Center
> Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
> #include 
> Better is not better, 'standard' is better. B{
>



-- 
Vincent Clément
+33 6 74 49 66 30
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?

2014-04-09 Thread Vincent Clement
Hello,
Anyone here to confirm me how it works?
I mean, I've looked after some heartbleed description, and I'm not sure
when the issue can occur:
If I have certificate authentication on MAG, is this still vulnerable, or
the attacker can't even start the SSL connection and go to the step where
heartbeat occurs to have access to the issue?
In the SSL/TLS process, I think the SSL session starts with the MAG server
certificate sent to client, then ask for customer one. Is this sufficient
to "launch" heartbleed for an attacker?

Thanks,
Vincent


2014-04-09 21:25 GMT+02:00 Morgan McLean :

> Just refer to their doc, our MAGs are vulnerable. All depends on the
> software.
>
> Thanks,
> Morgan
>
>
> On Wed, Apr 9, 2014 at 12:17 PM, ML  wrote:
>
> > I scanned both my MAG2600s and they came back as not vulnerable.
> >
> >
> >
> > On 4/8/2014 6:06 PM, Ravi Pina wrote:
> >
> >> I have a case open for a MAG-2600 to say one way or another.  I don't
> >> recall seeing any advisory from Juniper about the CVE.  I'll update if I
> >> learn of anything.
> >>
> >> -r
>



-- 
Vincent Clément
+33 6 74 49 66 30