Re: [j-nsp] EX-series automation, NETCONF woes

2009-01-28 Thread Ross Vandegrift
On Wed, Jan 28, 2009 at 11:17:11AM -0800, Derick Winkworth wrote: > xpath notation can help you find "junos-interface:interfaces" no > matter where it's located. Can you do that without providing a map that maps the abbreviated namespace back to the fully-qualified namespace? If so, I'd love to kn

Re: [j-nsp] EX-series automation, NETCONF woes

2009-01-28 Thread Derick Winkworth
xpath notation can help you find "junos-interface:interfaces" no matter where it's located. xpath notation should be supported by virtually any XML parsing tool. "should" be. From: Ross Vandegrift To: Joe Abley Cc: juniper-nsp@puck.nether.net Sent: Wednesda

Re: [j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Matt Stevens
That's in the services ipsec-vpn rule: rule ashburn2 { term one { from { ipsec-inside-interface sp-0/0/0.13; } then { remote-gateway 10.11.12.14; dynamic { ike-policy hq-ashburn2;

Re: [j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Matt Stevens
I have no flows showing with stateful-firewall - although these tunnels are fine, and carrying traffic. -- matt Nan Li wrote: Find all the flowing inbound or outbound by command: Show services stateful-firewall flows Using interface service you need manually allowed inbound and outbound tc

Re: [j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Nan Li
Find all the flowing inbound or outbound by command: Show services stateful-firewall flows Using interface service you need manually allowed inbound and outbound tcp or udp package by firewall matching . Make sure the package flowing is working on this interface, otherwise you can enable "estab

Re: [j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Matt Stevens
These are next-hop ipsec sets. For example: service-set ashburn2 { ipsec-vpn-options { local-gateway 10.11.12.13; } ipsec-vpn-rules ashburn2; next-hop-service { inside-service-interface sp-0/0/0.13; outside-service-interface sp-0/0/0.12; } } local-gate

Re: [j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Stefan Fouant
On Wed, Jan 28, 2009 at 1:17 PM, Matt Stevens wrote: > Well, the fact that I'm terminating the tunnel helps. :-) > > Basically, I want to apply an output filter on the tunnel interface to > filter packets leaving the tunnel towards a local subnet. > -- > matt What type of service set are you us

Re: [j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Matt Stevens
Well, the fact that I'm terminating the tunnel helps. :-) Basically, I want to apply an output filter on the tunnel interface to filter packets leaving the tunnel towards a local subnet. -- matt Stefan Fouant wrote: On Wed, Jan 28, 2009 at 1:06 PM, Matt Stevens > wrot

Re: [j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Stefan Fouant
On Wed, Jan 28, 2009 at 1:06 PM, Matt Stevens wrote: > Hello everyone. > > I'm trying to apply a filter to traffic that's entering a router via an > IPSec tunnel. It doesn't seem like applying the filter to the services > interfaces has any effect. I've thought about using the from interface > co

[j-nsp] Firewall filter on IPSec tunnel

2009-01-28 Thread Matt Stevens
Hello everyone. I'm trying to apply a filter to traffic that's entering a router via an IPSec tunnel. It doesn't seem like applying the filter to the services interfaces has any effect. I've thought about using the from interface condition in the filter, but I have a fair number of IPSec inter

Re: [j-nsp] EX-series automation, NETCONF woes

2009-01-28 Thread Ross Vandegrift
On Wed, Jan 28, 2009 at 11:00:27AM -0500, Joe Abley wrote: > On 27 Jan 2009, at 16:23, Ross Vandegrift wrote: > >3) XML is far more complicated than SNMP with marginal benefits to a > >switching environment. > > This whole message was a great read, and I'm glad you took the time to > write it. O

[j-nsp] REX RTR feature.

2009-01-28 Thread Flavio Schappo
Hi All, I'm trying to use RTR feature to test the routing of ip-pools in my B-ras. We are running about 100 /24 ip-pools and intend to run a test for each pool 1 time per hour and collect statistics (traps to netcool platform) Anybody knows about a performance impact (CPU, Memory in Line card or

Re: [j-nsp] EX-series automation, NETCONF woes

2009-01-28 Thread Joe Abley
On 27 Jan 2009, at 16:23, Ross Vandegrift wrote: 3) XML is far more complicated than SNMP with marginal benefits to a switching environment. This whole message was a great read, and I'm glad you took the time to write it. On this particular point, though, I think you need to compare apple

Re: [j-nsp] looking for mx960 stable junos for peering issues

2009-01-28 Thread Kevin Oberman
> Date: Wed, 28 Jan 2009 09:07:46 -0600 > From: Richard A Steenbergen > Sender: juniper-nsp-boun...@puck.nether.net > > On Mon, Jan 26, 2009 at 11:34:53AM +0200, Arda Balkanay wrote: > > Hi List, > > We have several MX series which will be used for peering issues > > (upstream > peering, custome

Re: [j-nsp] looking for mx960 stable junos for peering issues

2009-01-28 Thread Richard A Steenbergen
On Mon, Jan 26, 2009 at 11:34:53AM +0200, Arda Balkanay wrote: > Hi List, > We have several MX series which will be used for peering issues (upstream > peering, customers, inter-as mpls peerings etc). > Which junos release do you think is the most stable one to use for this kind > of purpose ? I'm

Re: [j-nsp] RIPE script

2009-01-28 Thread Arda Balkanay
You can use RtConfig at irrtoolset. https://www.isc.org/sw/IRRToolSet/ HTH Arda On Wed, Jan 28, 2009 at 10:34 AM, Bit Gossip wrote: > Experts, > can you provide a reference to scripts for automatically generate > prefix-list out of the RIPE database > What would be the best option: using J

[j-nsp] RIPE script

2009-01-28 Thread Bit Gossip
Experts, can you provide a reference to scripts for automatically generate prefix-list out of the RIPE database What would be the best option: using Junos script or external script? Thanks, bit.